I mainly use AppScan to secure various types of applications. I use its DAFDAT solution for black box scanning, as well as SaaS and source code validation. AppScan helps in scanning code for vulnerabilities, including open-source code.
The most valuable feature of HCL AppScan is its integration with the SDLC, particularly during the coding phase. This allows for scanning during code construction, which is beneficial. However, I also find the DAF and penetration testing features valuable, especially for discovering vulnerabilities like those in the OWASP Top Ten.
Improving usability could enhance the overall experience with AppScan. It would be beneficial to make the solution more user-friendly, ensuring that everyone can easily navigate and utilize its features. Additionally, improving marketing efforts could help raise awareness about AppScan's features and benefits, especially for external teams beyond just internal use.
I have been working with HCL AppScan for almost ten years.
Since moving to HCL, AppScan has become very stable, addressing any previous issues.
AppScan makes scaling easy, especially with its cloud-based capabilities. I would rate its scalability as a ten out of ten.
I would rate the technical support as a ten out of ten.
Positive
Switching from Fortify to AppScan was a game-changer for me. AppScan was easier to configure and provided more thorough scanning results. The support for AppScan, especially in Brazil, was excellent compared to Fortify's lack of support. Overall, AppScan offered a more user-friendly experience with better results and support.
Setting up AppScan is straightforward and easy, as it typically involves a simple "next-next-finish" process for implementation. I would rate the ease of setup as a ten out of ten.
Using AppScan has led to a significant reduction in vulnerabilities and saved us around 20% in costs overall. Many banks in Brazil have also experienced cost savings by using AppScan. Personally, I saw a return on investment within six months of using the tool.
AppScan's pricing is a bit challenging, especially when dealing with currency exchange rates outside Brazil. However, it is still more affordable than alternatives like Fortify. Personally, switching to AppScan helped me save money.
AppScan's dynamic and static scanning capabilities have benefited my security testing processes significantly. It helps in scanning the code automatically during the SDLC and ensures security before pushing it to production. Both dynamic and static scanning solutions are essential for me, making AppScan a valuable tool.
AppScan integrates smoothly with existing security and development workflows. It offers easy integration with tools like SBS and provides developer plug-ins for seamless inclusion in the workflow.
My use of AppScan has been influenced by the trend towards comprehensive application security testing. While researching the best solution, I found it challenging to locate information and personal experiences with AppScan.
I would recommend AppScan to others. In my opinion, it is the best solution for web application security testing.
Overall, I would rate AppScan as a ten out of ten.
I use the solution to check multiple websites, particularly dynamic and e-commerce websites, for vulnerabilities within the code. The tool helps identify any vulnerabilities present in the code, providing precise information about the code that contains vulnerabilities.
In Rapid7 InsightAppSec, a distinctive feature is the provision of a CDM for integrating web servers and web applications. To establish the connection between these applications, you only need to paste the provided CDN into your metadata. Once connected, every piece of information, including vulnerabilities, can be accessed. It also offers demo sessions.
If there is any malicious network traffic targeting a specific web application, it is designed to detect and showcase the entire scenario. It provides insights into potential vulnerabilities, including issues related to process scripting or content security policy vulnerabilities.
Setting up and configuring scans within the tool is easy, and I would rate it a nine out of ten. It provides videos on YouTube, along with documentation that breaks down the process into step-by-step instructions.
Rapid7 InsightAppSec needs improvement in detecting phishing pages.
I have been using the product for four years.
I rate the solution's stability a six out of ten. There have been instances where fetching data, even for old users, took a long time.
I would rate the scalability at an eight out of ten on a scale from one to ten. There are occasional challenges with the product, particularly in onboarding, where delays can be experienced. This delay sometimes makes it difficult to address issues promptly, and reliance on queries may not always yield the desired results due to occasional bugs. Additionally, there have been instances where data retrieval after deployment takes time, sometimes up to 30 minutes to an hour. Scanning a single website can also be time-consuming, ranging from 25 to 30 minutes, and for multi-vendor e-commerce websites, it may take even longer to scan the entire site.
The initial setup is easy, to the extent that even a non-IT person can set it up.
Rapid7 InsightAppSec is cheap.
In a scenario involving the tool and preventing potential security breaches, let's consider a case where a security feature is deployed using Rapid7 InsightAppSec. Although I haven't personally experienced this, I can provide an example. Suppose there is a vulnerability in WordPress or Apache servers, and it identifies a new one-level zero-day attack template associated with it. In this case, it may have detected this vulnerability three months after its initial occurrence.
We utilize dynamic application security testing. It involves deploying an application by onboarding it onto a device, which is then linked to the application. The notable aspect is that we don't need to maintain a server for this process. Instead, we simply log in and configure Splunk Enterprise to connect with the product. There is no need to deploy a separate server. It provides clear, step-by-step instructions, including the provision of a dynamic key by the application, making it easy to implement with documentation.
I rate it an eight out of ten.