Solution brief Contrast Secure
Code Platform

The Contrast Application Security Platform uses instrumentation to observe, analyze, and protect software from within the application. In doing so, Contrast makes security continuous and integrates seamlessly with modern software—from development into production throughout the whole development lifecycle.



Security must also be able to effortlessly scale with applications across all stages of the software development life cycle (SDLC)—without adding support staff or requiring any specialized security training resources. For example, many perimeter-based solutions flag every potential threat, requiring teams to spend valuable cycles on triage and verification.

A Unified Foundation for Modern Application Security

The Contrast Application Security Platform is designed to integrate with Agile and DevOps processes by operating within the application itself. Contrast leverages instrumentation to embed security within the application runtime that solves the challenges legacy application security tools present in modern software environments. This inside-out approach to application security removes the guesswork of outside-in application security tools, delivering the accuracy, efficiency, and scalability modern software demands.


Contrast offers a platform-level approach that addresses the three main shortfalls of traditional application security solutions. Contrast accelerates DevOps by removing security bottlenecks from application development, reducing the noise of false positives, and scaling security wherever an application exists across its life span without specialized security training and staff. It also provides runtime observability of application code in production to protect both known and unknown vulnerabilities from being exploited.

The Contrast Application Security Platform is comprised of three core solutions:

Contrast Assess

Offers interactive application security testing (IAST) with elements from static application security testing (SAST) and dynamic application security testing (DAST) to automatically identify software vulnerabilities in real time while developers write code. Contrast Assess agents monitor code and report from inside the application—enabling developers to find and fix vulnerabilities without involving security experts and without specialized security expertise. In addition to removing delays in development cycles, Contrast Assess also frees up security teams to focus on providing governance.

Contrast OSS

Detects which open-source software components are called in the application runtime and prioritizes vulnerability remediation based on which libraries are actively being used. It also helps organizations avoid unnecessary security risks or legal problems due to open-source licensing complications. Contrast OSS provides critical versioning and usage information, and triggers alerts when risks and policy violations are detected. This eliminates the need for a separate assessment with different tools. There are no scans to manage and no extra steps for developers—just continuous insight.

Contrast Protect

Uses real-time analysis of application runtime events to confirm exploitability before taking action to block an attack. This accuracy virtually eliminates the problems associated with falsepositive alerts. Contrast Protect continuously detects and prevents both known threats and zero-day attacks by leveraging multi-technique precision sensors and dynamic control over the runtime. It offers an instrumentation-based approach that simplifies security deployment and scalability.

Achieve secure
code flow

Contrast makes security invisible to the developer by turning every test into a security test.

Accelerate digital

Contrast finds security defects with industry best accuracy and makes it simple for developers to fix.

Unleash innovation

Dev teams are unlocked to build and ship in the fastest and most secure manner possible.

Key Platform Capabilities



The Contrast platform offers vulnerability testing as well as protection against attacks in production through a single deployment. It can therefore present a full-stack view of application risk posture. With a single integration point, the Contrast platform delivers true DevSecOps with software composition analysis (SCA), application security testing (AST), and exploit prevention capabilities using instrumentation across the entire SDLC.



Only Contrast provides a true DevSecOps view of an application (or portfolio of applications) from development to production—including open-source components. Through instrumentation, the Contrast platform provides comprehensive visibility and control of software risk at every level—from a single application or microservice up to team, business unit, or even enterprise wide levels. This advantage manifests itself as two key capabilities:

Policy Assurance and Orchestration.
The Contrast platform offers a full life-cycle view of an application’s risk, associated with open-source and custom code as well as attacks on vulnerabilities that can be exploited. This allows for enterprise wide reporting, assurance, and benchmarking of application security risk posture. This capability also allows security teams to enforce consistent, cross-SDLC software security policies across the enterprise, on a business unit, on a specific team, or across a portfolio of applications.

Runtime Informed Risk Posture.
This capability affords more accurate and effective vulnerability fixes, without correlating with other systems or requiring security expertise. In addition, certain cross-phase analysis techniques can greatly improve the fidelity of results (compared to stand-alone tools). Here, the Contrast platform’s static analysis techniques can identify security controls and rule out exploitable flaws to strengthen the accuracy of code analysis results.



In production, Contrast monitors runtime data flows to detect the exact moment an attack reaches an application vulnerability. Then, before a breach can occur, it instantly blocks any exploitable runtime events without affecting the application. This includes unknown threats, new variants, and zero-day attacks that often slip past perimeter defenses (e.g., web application firewalls), directly exposing internal application stacks to exploitation.

Contrast’s runtime protection capabilities offer two critical benefits. First, it provides “air cover” protection against a vulnerability in the application until a patch is released or developers can fix the issue. Second, it discovers and defends against open-source and zero day exploits that do not have a patch or fix.

Contrast Code Security Platform Solutions

CodeSec by

Secure code & serverless environments for free! Through simple command line interface.


Identify and fix real vulnerabilities faster with unparalleled scan accuracy.


Secure every line of code with breakthrough IAST technology.


Detect and block run-time attacks on known and unknown code vulnerabilities with greater precision.


Find & fix security issues across serverless environments in just three clicks.


Test and protect third party, open-source code moving through your software supply chain.


Integrating Seamlessly Into The Dev,
Ops And DevOps Pipelines

The Contrast Application Security Platform has the broadest language support of any application. Security platform that spans IAST, SAST, RASP, SCA, and Serverless,
and has 30+ partner integrations.

See languages and integrations supported below:

Contrast Scan - Code scanning purpose-built for modern pipelines with industry-leading speed and accuracy

Contrast Scan is a code scanning tool built from the ground up to make security testing as routine as a code commit while focusing on the most imperative vulnerabilities to deliver fast, accurate and actionable results.

Purpose-Built for
Native Developer Pipelines

Built from the ground up to run in any modern pipeline. Code scans can be initiated through a command-line (CLI) option, build automation (e.g., Maven, Gradle, GitHub Action), through a simple API call or a secure code upload.

Lightning Speed Without
Sacrificing Accuracy

Expedited time to value for security and development teams when accounting for setup, code scan, and triage time. Speed without compromising accuracy allows scans to actually be run and results to be actioned without breaking the CI/CD pipeline.

Focus on What Gets
You Hacked

With an exploitability-focused detection algorithm, achieve the most accurate static analysis solution based on OWASP Benchmark scores. This allows organizations to focus limited staff resources on the critical vulnerabilities that matter.

See Contrast Scan in Action

Watch this demo where a product expert showcases key Scan features and answers questions live from the audience.

Risk-Based Analysis Engine

Deliver focused results and expedite time-to-results

A breakthrough code scanning algorithm powers the static analysis engine in Contrast Scan, enabling teams to pinpoint exploitable vulnerabilities while ignoring those that pose no risk and only cause hours of needless triage. As a result, based on real-world scan results, Contrast Scan can shrink the amount of time to run scans by up to 10x.

Precision Remediation Guidance

Identify & fix faster with actionable vulnerability data

Contrast Scan delivers unparalleled speed and accuracy that results in dramatically faster scan times and the ability to focus on the most critical attack vectors. It also plugs into pull request workflows, CI builds, and on-scheduled cadences and integrates code-level, "how-to-fix" guidance that does not require security expertise.

Native Integration

Treat security vulnerabilities as code quality defects

Plug-ins for native IDE, build, and bug tracking tools bring security results into the same workstream as any other quality bug. In addition, Contrast CI/CD integrations can enforce a security quality threshold and ensure that vulnerable or noncompliant builds are failed and not promoted to production.

Contrast Assess - Find and fix in real-time the vulnerabilities that really matter in your code.

Now development teams can secure every line of code with breakthrough IAST technology that continuously detects and prioritizes vulnerabilities and guides them on how to eliminate risks. All with industry leading accuracy, efficiency, scalability and coverage.

Turn every test
into a security test
More context =
accurate results

The world’s leading IAST solution

Now development teams can secure every line of code with breakthrough IAST technology that continuously detects and prioritizes vulnerabilities and guides them on how to eliminate risks.

Live architecture and flow view

In-depth visualization of application components, code trees, and data flow.

To manage software inventory and identify aggregate risk in applications, and by leveraging the instrumentation insights of the Contrast agent, organizations can visualize application architecture, code trees, and message flow information. Contrast automatically generates simple diagrams that illustrate the application’s major architectural components. This information helps the developer quickly identify the meaning of a vulnerability that Contrast pinpoints and can form a starting point for threat modeling remediation.

Developer remediation guidance

Pointed, code level remediation guidance.

The Contrast platform explains vulnerabilities to those that need to understand and fix them. Contrast’s innovative Security Trace format pinpoints exactly where a vulnerability appears in the code, and how it works. This enables developers to fix vulnerabilities easily without the need of security expertise.

Application attack intelligence

Attack surface mapping with route and URL intelligence.

Contrast Assess provides developers a mapping of the URL and routes of their software that are executed during the testing phase of the SDLC. This helps security teams increase confidence in the coverage of the Assess solution as well as developers identify the effectiveness of their overall testing practice.

Contrast Protect - Detect and block run-time attacks on known and unknown code vulnerabilities with greater precision.

Contrast Protect is production application and API protection that blocks attacks and reduces false positives, helping developer teams prioritize vulnerability backlogs.

Block attacks against
vulnerabilities not yet fixed

Unlike perimeter defenses, instrumentation and sensors accurately detect and block runtime application attacks. Get a firm yes or no on whether the exploit reached its target. Protects against many zero-day attacks without tuning or reconfiguration.


Give AppSec, SecOps & Dev accurate, detailed information: the lines of code, queries executed, files accessed, and more. Faster remediation.

Application protection
for all organizations

Whether it’s large scale enterprise IT environments, or mid-market growth companies, you get the application protection you need . Harden your applications against zero-day attacks and other vulnerabilities from the inside.

See Contrast Protect in Action

Watch this demo where a product expert showcases key Protect features and answers questions live from the audience.

Continuous Security Observability from the Inside

  • Immediately know when things go wrong and why
  • Code-level telemetry with rich, actionable guidance
  • Prioritized, confirmed vulnerabilities with remediation help specific to your environment

Embedded Runtime Application Self Protection Control

  • Accurate, compliant, and dynamic runtime exploit prevention
  • Application runtime instrumentation on the inside verifies exploitable attacks
  • Dramatically reduces noise and accelerates security posture

Simple Auto-Scaling and Security Portability

  • Simple auto-scaling protection in lockstep with your application runtime
  • DevOps-native process fit that deploys anywhere without bottlenecks
  • Seamless CI/CD and affordable total cost of ownership (TCO)
Contrast SCA - Full software supply chain visibility across your development lifecycle.

Contrast SCA enables businesses to protect their software supply chain by identifying real threats from third-party components across the entire software development lifecycle - from code, through test, to production.

End-to-End Software Supply
Chain Visibility

Flag security gaps embedded in your software supply chain - open-source, commercial, and proprietary code - scaling across dev, testing, and production environments.


Embed secure coding within developers’ native CI/CD processes to help shift left and find actionable findings during routine build and testing workflows.

No More
Testing Siloes

Test the application as a whole- both custom and third-party code - at each stage of the development lifecycle. Aggregated testing enables actionable remediation by highlighting which libraries are invoked by the application.

See Contrast SCA in Action

Watch this demo where a product expert showcases key SCA features and answers questions live from the audience.

Full Software Observability

Embed third-party software testing throughout the software lifecycle

  • As a shared service across the Contrast Application Security Platform, Contrast SCA provides third-party software visibility without the need to deploy any additional tooling
  • Avoid erroneous findings by assessing custom and third-party code simultaneously
  • Embed testing for vulnerable third-party libraries within native CI/CD and runtime testing
  • Flag library risk within cloud-native applications and block attacks on vulnerable libraries in production

Runtime Library Usage

Prioritize the most immediate risk based on which libraries are used

  • Highlight which libraries are used by the application and how often down to the specific class, file, or module
  • Prioritize remediation workflows based on which libraries are actually called at runtime
  • Enable developers to fix vulnerable libraries fast by focusing on the most relevant third-party software risk

Dependency Risk Management

Mitigate security debt by accounting for transitive dependency risk

  • Integrate the Contrast CLI into native CI/CD processes to populate the dependency tree and highlight potential risk
  • Flag software supply chain risk by identifying potential instances of dependency confusion
  • Contextualize how dependencies are pulled into the application to streamline remediation efforts

Real-Time Inventory and Governance

Stay up-to-date on third-party software inventory and institute scalable controls

  • Export library versioning, vulnerability, licensing and environment data to a standardized Software Bill of Materials (SBOM)
  • Ensure rapid response to emerging threats with automated alerts for new vulnerabilities in deployed libraries
  • Institute scalable policy controls for third-party security and licensing and enforce within native pipelines

Contrast Serverless Application Security

Find & fix security issues across cloud-native environments in just three clicks.

Breakthrough Application Security for Serverless Environments.


Accurately finds code security, open source security, and permission issues

Comprehensive serverless application observability for AWS Lambda. Uncovers security vulnerabilities in custom code, open source and overly permissive functions.

Continuously monitors for new application security vulnerabilities

Near real-time monitoring and testing of every change deployed in serverless environments provides developers and application security teams with vulnerability context around code, configuration, relationships, flows and more.

Seamless and easy for developers and AppSec teams to use

Connect to your AWS account and get full results in about 3 clicks and less than five minutes. No application security experts and resources are needed—from deployment to ongoing management.

See Contrast Serverless in Action

Watch this demo where a product expert showcases key Serverless features and answers questions live from the audience.

Graph Visualization

Generates a complete, interactive graph of your application highlighting relationships between functions and services. Click on a function to see vulnerability information and details of each element in the diagram. A posture score is generated for each function’s trigger configuration. Easily change views to group by service and further customize by enabling/disabling services you want included in the graph view.

Dynamic Scanning

Automatically initiates tailored, dynamic security assessments based on any specific updates introduced to the testing environment in real time. This greatly improves the ease of pentesting versus manual approaches. Dynamic scans are based on the interpretation of OWASP Top 10 benchmarks, including SQL injection, code injection, command injection, and local file inclusion.

Resource Observability

Automatically discovers all resources (e.g., S3 bucket, API Gateway, DynamoDB) and their relationships within tested environments in a few short minutes per session.

Static Scanning

Automatically executes assessments of relevant static code and configuration to discover new vulnerabilities in near real time with recommended context-rich remediation guidance. Vulnerability types covered include least privilege identity and access management (IAM) vulnerabilities (over permissive functions) within serverless workload prior to deployment and open-source software vulnerabilities and licensing risks using Contrast’s unique open-source security engine.

Supported Languages

Contrast Security Supported Platforms

Application Life Cycle Integration

IDE / Code Editors


Contrast’s integration with IDE/Code editors empowers developers to act on
clear advice to remediate custom code vulnerabilities.

Vulnerability Management


Contrast’s integration with Vulnerability and Risk Management and Application solutions
empowers organizations to accurately and efficiently measure and remediate application security
risks through a consolidated view.

Security Training


Actively increase developer security knowledge as they code. Contrast’s integration with
security training solutions, provides an easy way to increase developer security knowledge,
just-in-time so they can write safer code, faster.

SIEM / Incident Management


Application security events and known vulnerabilities can be easily integrated into operations’
tools to centralize tracking, collection, analysis and notification of events.

SOAR / Incident Management




AppSec managers struggle to get business units and app teams to adopt the same criteria for failing build.
By integrating Contrast into your CI/CD workflow, centralized build parameters and outcomes
are created enabling teams to understand when builds are too vulnerable.

Build Systems


SDK / Webhooks


Contrast enables teams to easily integrate custom services and receive vulnerability alerts
and attack notifications through SDKs and Webhooks.

Sign Up for Our Newsletter!