We performed a comparison between Acunetix, HCL AppScan, and SonarQube based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools."Overall, it's a very good tool and a very good engine."
"The most valuable feature of the solution is the speed at which it can scan multiple domains in just a few hours."
"The most important feature is that it's a web-based graphical user interface. That is a great addition. Also, the ability to schedule scans is great."
"Our developers can run the attacks directly from their environments, desktops."
"It comes equipped with an internal applicator, which automatically identifies and addresses vulnerabilities within the program."
"For us, the most valuable aspect of the solution is the log-sequence feature."
"The vulnerability scanning option for analyzing the security loopholes on the websites is the most valuable feature of this solution."
"One of the features that I feel is groundbreaking, that I would like to see expanded on, is the IAS feature: The Interactive Application Security Testing module that gets loaded onto an application on a server, for more in-depth, granular findings. I think that is really neat. I haven't seen a lot of competitors doing that."
"This solution saves us time due to the low number of false positives detected."
"It is easy it is to use. It is quick to find things, because of the code scanning tools. It's quite simple to use and it is very good the way it reports the findings."
"I like the recording feature."
"It identifies all the URLs and domains on its own and then performs tests and provides the results."
"It is a stable solution...It is a scalable solution...The initial setup or installation of HCL AppScan is easy."
"Usually when we deploy the application, there is a process for ethical hacking. The main benefit is that, the ethical hacking is almost clean, every time. So it's less cost, less effort, less time to production."
"We use it as a security testing application."
"It provides a better integration for our ecosystem."
"When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis."
"It has very good scalability and stability."
"Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."
"It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis."
"There's plenty of documentation available to users."
"The solution has a plug-in that supports both C and C++ languages."
"Any developer can easily identify issues using the process flow or steps provided by SonarQube. In terms of integration, SonarQube makes it quite easy, simplifying the steps for users."
"SonarQube is admin friendly."
"The pricing is a bit on the higher side."
"While we do have it integrated with other solutions, it could still offer more integrations."
"Integration into other tools is very limited for Acunetix. While we're trying to incorporate a CI/CD process where we're integrating with JIRA and we're integrating with Jenkins and Chef, it becomes problematic. Other tools give you a high integration capability to connect into different solutions that you may already have, like JIRA."
"The solution can be improved by adding the ability to scan subdomains automatically, and by providing reports that can be exported to external databases to share with other solutions."
"It would be nice to have a feature to "retest" only a single vulnerability that the customer reports as patched, and delete it from the next scans since it has already been patched."
"I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection."
"Acunetix needs to be dynamic with JavaScript code, unlike Netsparker which can scan complex agents."
"Tools that would allow us to work more efficiently with the mobile environment, with Android and iOS."
"Visibility is an issue for us. Our partners do not know we have integrations with some of IBM products."
"Many silly false positives are produced."
"The solution often has a high number of false positives. It's an aspect they really need to improve upon."
"They should have a better UI for dashboards."
"They have to improve support."
"AppScan is too complicated and should be made more user-friendly."
"IBM Security AppScan Source is rather hard to use."
"HCL AppScan needs to improve security."
"The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
"An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case."
"The interface could be a little better and should be enhanced."
"New plug-ins should be integrated into SonarCloud to give more flexibility to the product."
"We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better."
"We had some issues scanning the master branch but when we upgraded to version 7.9 we noticed it does scan the master branch but we had to do a workaround for it to happen. This process could be improved in a future release."
"The product needs to integrate other security tools for security scanning."
"In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface."
