Skip to content

Coalfire PCI Compliance & Contrast Security


Contrast Assess and Protect recently went through an independent evaluation by CoalFire, a respected Payment Card Industry (PCI) and Payment Application (PA) Qualified Security Assessor Company (QSAC).

“Coalfire PCI Compliance has determined that Contrast Assess and Contrast Protect can be valuable tools for helping organizations identify, classify, and address vulnerabilities and protect their software throughout the SDLC. Contrast Assess can be useful in the development of secure code by identifying issues earlier in the lifecycle and offering remediation paths. Contrast Protect allows supported software to be protected with greater fidelity than what is offered by traditional software security approaches alone. Contrast Assess and Contrast Protect may be used to replace some of the traditional approaches to assessing and protecting applications.

This is crucial for the industry for three key reasons:

  1. Rather than simply producing a PCI report or talking about PCI, the evaluation was independent and comprehensive by a qualified organization.
  2. When testing software for vulnerabilities (as described in PCI-DSS and the PCI Secure Software Standard), organizations can use the IAST analysis of Contrast Assess to meet compliance without steering through a significant number of false positives produced by other techniques.
  3. When running applications, organizations can defend and monitor these applications and use RASP defense to meet a number of PCI security requirements. This covers both methods of engagement: Language Agents that see inside managed runtimes (such as Java, .NET, Python, Node, and Ruby), as well as the language-agnostic Proxy Agent that acts as an external Web Application Firewall (WAF).

Organizations aspiring to achieve PCI compliance for software should read the full PCI Applicability Guide to determine the ways in which Contrast Security can help with these goals.

Contrast Assess is an automated Interactive Application Security Testing (IAST) solution that infuses software with vulnerability assessment capabilities so that security flaws are automatically identified. Leveraging a well-known industry methodology known as deep security instrumentation, Contrast Assess operates unobtrusively during development and testing of the web application or API, eliminating the need for time-wasting inaccurate manual static security scans, and other out-of-band security testing activities.

Contrast Protect is a Runtime Application Self-Protection (RASP) solution that can identify and block application attacks from within a running application, providing actionable and timely application layer threat intelligence across the entire application portfolio. The use of Contrast Protect eliminates the need for web application firewalls (WAFs) to achieve a number of PCI security requirements while providing better visibility and accuracy in finding and blocking attacks.

Erik Costlow, Director of Developer Relations

Erik Costlow, Director of Developer Relations

Erik Costlow was Oracle’s principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. He is working to broaden this approach to security with Contrast Security. Before becoming involved in technology, Erik was a circus performer who juggled fire on a three-wheel vertical unicycle.