Hosted (SaaS) versus on-premises deployment

When you consider deploying Contrast Security solutions, you have two primary options: a hosted solution (cloud installation) or an on-premises instance. Each approach has its benefits and drawbacks, influenced by cost, control, customization, security, and scalability.

Benefits and drawbacks of hosted solutions

  • Benefits

    • Immediate access to updates and advanced new features: Updates are available without delay, keeping your security posture current. New features are always supported for hosted solutions.

    • Reduced IT overhead: Contrast manages the infrastructure and maintenance, which streamlines operations and frees you from system-wide management tasks.

    • Scalability: Easier to scale resources as your needs increase.

    • Cost: Pricing for SaaS deployments is subscription-based, allowing flexibility and scalability.

  • Drawbacks

    • Data management: Data is stored on Contrast servers instead of locally.

      However, Contrast complies with these data protection regulations and standards:

      • General Data Protection Regulation (GDPR)

      • General Data Protection Regulation-UK (UK-GDPR)

      • California Consumer Privacy Act (CCPA)

      • Protection of Personal Information (APPI)

      • System and Organizational Control Type II Audit (SOC II)

Benefits and drawbacks of on-premises solutions

  • Benefits

    • Complete control: More control over system-wide settings.

    • Data privacy: Data is stored locally. For deployments that require specific security compliance, sensitive data never leaves your company.

  • Drawbacks

    • Resource intensive: Requires significant investment in IT, networking, and infrastructure, along with coordination, planning, and maintenance.

    • Delayed updates: Product enhancements often reach on-premises instances some time after Contrast releases them, while hosted solutions receive them immediately.

    • No support for new features: Advanced new features are often not supported for on-premises solutions. For example, Contrast Scan, static SCA, the GitHub App for SCA, and Contrast Serverless are not supported on on-premises instances.

Contrast feature comparison

Each feature below lists the hosted behavior first and the on-premises behavior second.

Installation and updates

  • Hosted: Contrast installs, configures, and updates the software.

  • On-premises: On-premises customers are responsible for installing, configuring, and updating the software.

Management at a system level

  • Hosted: Contrast takes care of all system management tasks. With the correct permissions, a user can control a variety of configuration settings and access control entities.

  • On-premises: A SuperAdmin is responsible for all settings and configuration at a system-wide level.

Single Sign On (SSO)

  • Hosted: Contrast Support configures authentication; however, you may be granted permissions to set up SSO for your organization.

  • On-premises: System Administrators can configure SSO at a system-wide level.

TLS connections and certificates

  • Hosted: For Contrast agents, Contrast uses strong TLSv1.2 connections and certificates signed by industry standard certificate authorities (CAs).

  • On-premises: On-premises customers may need to configure Contrast agents to use enterprise CAs. They may also want the agents to send client certificates in the TLS handshake.

Licenses

  • Hosted: Hosted customers can allocate Assess and Protect licenses for their organization.

  • On-premises: The SuperAdmin or ServerAdmin role can allocate Assess and Protect licenses to a particular organization.

New integrations

  • Hosted: Hosted customers have access to all new integrations that Contrast adds to the platform.

  • On-premises: On-premises customers have limited access to the integrations that Contrast supports.

Impersonation

  • Hosted: Contrast Support manages impersonation when needed for troubleshooting.

  • On-premises: SuperAdmins manage impersonation when needed for troubleshooting.

Code scanning (SAST)

  • Hosted: Hosted customers can use the Contrast scan engines from the Contrast web interface or a local scan engine. The local scan engine does not require uploading your source files to Contrast.

  • On-premises: Not available.

Software composition analysis (SCA)

  • Hosted: Contrast Support enables this feature for the organization.

  • On-premises: A SuperAdmin can enable SCA.

SCA repository scanning

  • Hosted: Hosted customers can use SCA repository scanning capabilities to look for known vulnerabilities in the software components that are included in a repository.

  • On-premises: Available except for air-gapped environments.

Static scanning of libraries

  • Hosted: Hosted customers can automatically scan, in close to real time, relevant static code and configuration assessments to discover new vulnerabilities.

  • On-premises: Available except for air-gapped environments.

Organization management

  • Hosted: Users with administrator permissions can manage their organization.

  • On-premises: SuperAdmins and System Administrators can manage all organizations at a system-wide level.

Runtime security testing (IAST)

  • Hosted: Available.

  • On-premises: Available.

Serverless

  • Hosted: Hosted customers can use Contrast Serverless for dynamic scanning, static scanning, graph visualization, and resource observability for AWS functions.

  • On-premises: Not available.

Software bill of materials (SBOM)

  • Hosted: Contrast Support enables this feature for the organization. Users can generate an SBOM from the Applications tab.

  • On-premises: A SuperAdmin can enable users to generate an SBOM from the Applications tab.

Attack protection (RASP)

  • Hosted: Contrast Security grants permissions that let users access Protect data.

  • On-premises: SuperAdmins can grant permissions that let all or some user roles in one or more organizations access Protect data.

Updated attack events user interface

  • Hosted: Hosted customers have access to the updated views of attack data that Protect provides.

  • On-premises: On-premises customers have access to the legacy attack views only.

Enhanced role-based access control (RBAC)

  • Hosted: Hosted customers have access to an advanced access control system that lets them fine-tune roles and permissions for their organization.

  • On-premises: Not available. On-premises customers use the legacy access control. On-premises customers can add multiple users at one time.

Contrast Security Observability

  • Hosted: Hosted customers can access a model of an application's security architecture and behavior at runtime. This information provides a better understanding of the underlying behavior of applications for threat modeling, pen test support, and contextual information around vulnerabilities and attacks.

  • On-premises: Not available.

Enhanced audit log

  • Hosted: Hosted customers can access an updated and enhanced audit log view.

  • On-premises: Not available. On-premises customers use the legacy audit log view.

Diagnostics

  • Hosted: Contrast Support enables this option if diagnostic information is needed for troubleshooting.

  • On-premises: A SuperAdmin, ServerAdmin, or System Administrator can enable this option at a system-wide level.

Email

  • Hosted: Users with administrator permissions can set default settings for Contrast notifications at an organization level. Individual users can adjust their own settings.

  • On-premises: System Administrators can enable, disable, and configure Contrast to communicate with an appropriate SMTP system to send these notifications.
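As an added example for the TLS row above (this is not Contrast's code or agent configuration): a small Python probe that connects to an on-premises Contrast endpoint the way an agent has to, requiring TLS 1.2 or newer, validating the server certificate against an enterprise CA bundle, and optionally presenting a client certificate. The hostname, port, and file paths are assumed placeholders to replace with your own values.

```python
"""Probe an on-premises Contrast endpoint with agent-style TLS requirements.

Added example, not Contrast's code. It fails the handshake if the server
negotiates anything below TLS 1.2, if its certificate does not chain to the
supplied enterprise CA bundle, or if the hostname does not match. Paths and
host below are assumptions, not real values.
"""
import socket
import ssl


def build_agent_context(ca_file=None, client_cert=None, client_key=None):
    """TLS context mirroring the agent requirements described on the page.

    - TLS 1.2 minimum (TLS 1.0/1.1 servers are rejected).
    - Server certificate verified against ca_file (enterprise CA bundle) or,
      when ca_file is None, the system trust store.
    - Optional client certificate for mutual TLS with the Contrast server.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def probe_endpoint(host, port=443, ca_file=None, client_cert=None, client_key=None):
    """Return (negotiated_protocol, issuer_common_name) for a successful handshake.

    Raises ssl.SSLError or OSError when the server cannot be trusted under the
    agent's rules (untrusted CA, hostname mismatch, TLS version too old).
    """
    ctx = build_agent_context(ca_file, client_cert, client_key)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            # 'issuer' is a tuple of RDNs, each a tuple of (name, value) pairs.
            issuer = dict(rdn[0] for rdn in cert["issuer"])
            return tls.version(), issuer.get("commonName", "?")


if __name__ == "__main__":
    # Assumed placeholder values: point these at your Contrast server, the
    # enterprise CA bundle, and (if used) the agent's client certificate.
    proto, issuer_cn = probe_endpoint(
        "contrast.example.internal", 8443,
        ca_file="/etc/pki/enterprise-ca-bundle.pem",
        client_cert="/etc/contrast/agent.pem", client_key="/etc/contrast/agent.key",
    )
    print(f"negotiated {proto}; server certificate issued by {issuer_cn}")
```

Run it from the host where the agent will live, so it exercises the same trust store, proxies, and network path the agent will use.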