"The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."
"The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use."
"The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful."
"It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."
"The time savings has been tremendous. We saw ROI in the first six months."
"The Veracode technical support is very good. They are responsive and very knowledgeable."
"The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
"The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly."
"The solution offers services in a few specific development languages."
"This is a stable solution."
"The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with the HCL."
"It was easy to set up."
"The most valuable feature of HCL AppScan is scanning QR codes."
"It identifies all the URLs and domains on its own and then performs tests and provides the results."
"There's extensive functionality with custom rules and a custom knowledge base."
"AppScan is stable."
"The active scanner, which does an automated search of any web vulnerabilities."
"You can scan any number of applications and it updates its database."
"The solution has a pretty simple setup."
"I have found the best features to be the performance and there are a lot of additional plugins available."
"PortSwigger Burp Suite does not hamper the node of the server, and it does not shut down the server if it is running."
"We use the solution for vulnerability assessment in respect of the application and the sites."
"The reporting part is the most valuable. It also has very good features. We use almost all of the features for different kinds of customers and needs."
"The most valuable feature of PortSwigger Burp Suite Professional is the advanced features, user-friendly interface, and integration with other tools."
"Third-party library scanning would be very useful to have. When I was researching this a year ago, there was not a third-party library scan available. This would be a nice feature to have because we are now running through some assessments and finding out which tool can do it since this information needs to be captured. Since Veracode is a security solution, this should be related."
"The training lab is not very user-friendly and takes a long time to set up."
"The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."
"Sometimes, I get feedback from a developer saying, "They are scanning a Python code, but getting feedback around Java code." While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of a high-level insights."
"The solution could improve the Dynamic Analysis Security Testing(DAST)."
"Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had."
"We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it."
"I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help."
"The dashboard, for AppScan or the Fortified fast tool, which we use needs to be improved."
"AppScan is too complicated and should be made more user-friendly."
"We have experienced challenges when trying to integrate this solution with other products. When you compare it with the other SecOps products, the quality of the output is too low. It is not a new-age product. It is very outdated."
"The solution often has a high number of false positives. It's an aspect they really need to improve upon."
"One thing which I think can be improved is the CI/CD Integration"
"The solution could improve by having a mobile version."
"Sometimes it doesn't work so well."
"They have to improve support."
"There is not much automation in the tool."
"One thing that is not up to the mark in PortSwigger is web application testing. I found some issues with its performance and reporting. They should work on these and give us a better outcome."
"It should provide a better way to integrate with Jenkins so that DAST (dynamic application security testing) can be automated."
"If we're running a huge number of scans regularly, it slows down the tool."
"Currently, the scanning is only available in the full version of Burp, and not in the Community version."
"One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that."
"There could be an improvement in the API security testing. There is another tool called Postman and if we had a built-in portal similar to Postman which captures the API, we would be able to generate the API traffic. Right now we need a Postman tool and the Burp Suite for performing API tests. It would be a huge benefit to be able to do it in a single UI."
"We wish that the Spider feature would appear in the same shape that it does in previous versions."
More PortSwigger Burp Suite Professional Pricing and Cost Advice →
Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.
HCL AppScan is ranked 15th in Application Security Tools with 8 reviews while PortSwigger Burp Suite Professional is ranked 5th in Application Security Tools with 21 reviews. HCL AppScan is rated 6.6, while PortSwigger Burp Suite Professional is rated 8.6. The top reviewer of HCL AppScan writes "Improves application security, identifies gaps, and performs well". On the other hand, the top reviewer of PortSwigger Burp Suite Professional writes "Best for manual penetration testing, a great user interface, and offers good scanning capabilities". HCL AppScan is most compared with SonarQube, Micro Focus Fortify on Demand, Checkmarx, Fortify WebInspect and Acunetix, whereas PortSwigger Burp Suite Professional is most compared with OWASP Zap, Fortify WebInspect, Acunetix, Qualys Web Application Scanning and Tenable.io Web Application Scanning. See our HCL AppScan vs. PortSwigger Burp Suite Professional report.
See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.