We performed a comparison between HCL AppScan, Klocwork, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Testing (AST).
"It's generally a very user-friendly tool. Anyone can easily learn how to scan."
"The static scans are good, and the SaaS as well."
"The most valuable feature of the solution is the scanning or security part."
"It is a stable solution... It is a scalable solution... The initial setup or installation of HCL AppScan is easy."
"The solution is easy to install. I would rate the product's setup between six and seven out of ten. The deployment time depends on the applications that need to be scanned. We have a development and operations team to take care of the product's maintenance."
"The most valuable feature of HCL AppScan is scanning QR codes."
"We leverage it as a quality check against code."
"The solution offers services in a few specific development languages."
"It's integrated into our CI, continuous integration."
"The tool helps the team to think beforehand about corner cases or potential bugs that might arise in real-time."
"I like not having to dig through false positives. Chasing down a false positive can take anywhere from five minutes for a small easy one, then something that is complicated and goes through a whole bunch of different class cases, and it can take up to 45 minutes to an hour to find out if it is a false positive or not."
"We like using the static analysis and code refactoring, which are very valuable because of our requirements to meet safety critical levels and reliability."
"The ability to create custom checkers is a plus."
"The most valuable feature is the Incremental analysis."
"Technical support is quite good."
"The reporting helps us understand the trend of our results and whether we improve over time. We can see the history within Klocwork's server architecture and know that we're making things better. It creates a great story for our management. We can demonstrate value and how our software is developing over time."
"The most valuable feature of Veracode Static Analysis is the scanning."
"The most valuable feature is the efficiency of the tool in finding vulnerabilities."
"We have found the static analysis to be useful in Veracode Static Analysis. However, we are in the process of testing."
"I like the way the flaws are reported in the system."
"The user interface is excellent, the code review process is quick and provides great analytics to understand our code better, and the SAST scan is high-speed."
"The benefits are quick discovery and understanding of software vulnerabilities that we are putting in our own code. By discovering them quickly enough, we can triage them and determine the best ways to remediate them and prevent them from happening in the future."
"It scans for the OWASP top-10 security flaws at the dynamic level and, at the static level, it scans for all the warnings so that developers can fix the code before we go to UAT or the next phase."
"It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail."
"It has crashed at times."
"They have to improve support."
"I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources."
"The penetration testing feature should be included."
"One thing which I think can be improved is the CI/CD integration."
"A desktop version should be added."
"The solution's scalability can be a matter of concern because one license runs on one machine only."
"Many silly false positives are produced."
"The way to define the rules is too complex. The definition/rules for static analysis could be automated according to various SILs, so as to avoid confusion."
"Under NIST cybersecurity standards, we must address vulnerabilities within a specified time after discovering them. When we try to propagate those updates and fixes through the system, it would be nice if the clients could reconnect to the existing server or have the server dynamically updated in some way. I know that isn't easy, but maybe processes could be enhanced to make that more streamlined from a DevOps perspective."
"I believe it should support more languages, such as Python and JavaScript."
"Every update that we receive requires of us a lengthy and involved process."
"We bought Klocwork, but it was limited to one little program, but the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else."
"Klocwork has to improve its features to stay ahead of other free solutions."
"We'd like to see integration with Agile DevOps and Agile methodologies."
"Modern languages, such as Angular and .NET, should be included as a part of Klocwork. They have recently added Kotlin as a part of their project, but we would like to see more languages in Klocwork. That's the reason we are using Coverity as a backup for some of the other languages."
"The scanning process for records could be faster and there is room for improvement in Veracode's performance."
"The solution could improve the Dynamic Analysis Security Testing (DAST)."
"Veracode should provide more flexibility in its pricing and licensing modules so that it could be more affordable for all types of projects and not only for very active mission-critical projects."
"It does not have a reporting structure for an OS-based vulnerability report, whereas its peers such as Fortify and Checkmarx have this ability. Checkmarx also provides a better visibility of the code flow."
"The scanning takes a lot of time to complete."
"The static scans on Java lack microservices architecture scanning. We have developed an in-house pattern for this and the scans can't take care of it as a single entity."
"Veracode Static Analysis can improve the false positive. There are always improvements that can be done to the false positive rate. There are some things that get flagged that are not an issue. However, it is not a huge concern."
"Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."