We performed a comparison between Acunetix, Checkmarx One, and HCL AppScan based on real PeerSpot user reviews.
"We use the solution for the scanning of vulnerabilities like SQL injections."
"The tool's most valuable feature is performance."
"One of the features that I feel is groundbreaking, that I would like to see expanded on, is the IAST feature: the Interactive Application Security Testing module that gets loaded onto an application on a server, for more in-depth, granular findings. I think that is really neat. I haven't seen a lot of competitors doing that."
"Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden."
"The most important feature is that it's a web-based graphical user interface. That is a great addition. Also, the ability to schedule scans is great."
"Our developers can run the attacks directly from their environments, desktops."
"It's very user-friendly for the testing teams. It's very easy for them to understand things and to fix vulnerabilities."
"I haven't seen reporting of that level in any other tool."
"The solution allows us to create custom rules for code checks."
"Vulnerability details are valuable."
"The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects."
"What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results."
"The only thing I like is that Checkmarx does not need to compile."
"We use the solution for dynamic application testing."
"Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application."
"One of the most valuable features is it is flexible."
"The most valuable feature of HCL AppScan is its integration with the SDLC, particularly during the coding phase."
"The solution is easy to install. I would rate the product's setup between six to seven out of ten. The deployment time depends on the applications that need to be scanned. We have a development and operations team to take care of the product's maintenance."
"The UI was very intuitive."
"This is a stable solution."
"It's generally a very user-friendly tool. Anyone can easily learn how to scan."
"We are now deploying fewer defects to production."
"Compared to other tools, only AppScan supports special language."
"We leverage it as a quality check against code."
"It currently only supports web scanning."
"There is room for improvement in website authentication because I've seen other products that can do it much better."
"The solution's pricing could be better."
"There are some versions of the solution that are not as stable as others."
"The jargon used makes it difficult for project managers to understand the issues, and the technical explanations used make it difficult for developers to understand issues. These things should be simplified much more. That would be very helpful for us when explaining to them what needs to be fixed. The report output needs to be simplified."
"I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection."
"In terms of what needs improvement, the current licensing model is not very convenient for us. Initially, when we bought it, the licensing model was very flexible, but now it restricts us."
"The solution can be improved by adding the ability to scan subdomains automatically, and by providing reports that can be exported to external databases to share with other solutions."
"The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated."
"The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement."
"The solution sometimes reports a false auditable code or false positive."
"The validation process needs to be sped up."
"They could work to improve the user interface. Right now, it really is lacking."
"I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."
"Checkmarx has a slightly difficult compilation with the CI/CD pipeline."
"Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”."
"I would love to see more containers. Many of the tools are great, but they require an amount of configuration, setup and infrastructure. If most of the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers."
"The tool should improve its output. Scanning is not a challenge anymore since there are many such tools available in the market. The product needs to focus on how its output is being used by end users. It should also be more user-friendly. One of the major challenges is in the tool's integration with applications that need to be scanned. Sometimes, the scanning is not proper."
"We would like to see a check for the specific vulnerabilities in mobile applications or rooted devices, such as jailbroken devices."
"IBM Security AppScan Source is rather hard to use."
"We would like to integrate with some of the other reporting tools that we're planning to use in the future."
"The dashboard for AppScan, or the Fortified fast tool which we use, needs to be improved."
"Scans become slow on large websites."
"We have experienced challenges when trying to integrate this solution with other products. When you compare it with the other SecOps products, the quality of the output is too low. It is not a new-age product. It is very outdated."