HCL AppScan and SonarQube Cloud compete in the software security category. HCL AppScan holds the advantage for identifying critical vulnerabilities with minimal false positives, while SonarQube Cloud excels in CI/CD integration.
Features: HCL AppScan identifies vulnerabilities like XSS and SQL injection effectively, offers comprehensive SDLC integration, and supports dynamic scanning. SonarQube Cloud provides seamless CI/CD pipeline integration, continuous code analysis, and effectively highlights security hotspots.
Room for Improvement: HCL AppScan requires improvements in mobile integration and false positive reduction, along with better CI/CD integration and support services. SonarQube Cloud could enhance its initial setup, documentation, and flexibility, with attention to reducing false positives and improving reporting and integration options in dynamic code analysis.
Ease of Deployment and Customer Service: HCL AppScan supports multiple deployment models including on-prem, cloud, and hybrid, though it may face post-IBM transition support challenges. SonarQube Cloud excels in cloud deployment with a simple integration process but occasionally encounters support responsiveness issues.
Pricing and ROI: HCL AppScan, while effective at minimizing vulnerabilities, is perceived as expensive and suits high-security environments. SonarQube Cloud offers more affordable options, notably with its community version and line-of-code pricing, though costs can rise at scale. Both tools enhance code security and ROI, subject to budget considerations.
It is easily integrable with the CI/CD pipeline and supports multiple projects with its extensive plugin options.
The product is designed for bigger clients, while smaller companies are often put aside.
Veracode provides excellent assistance and regularly scheduled calls to address customer concerns and updates.
Integrating it into different solutions is straightforward.
The customer service and support for SonarQube Cloud are responsive and helpful.
Some of my teammates have interacted with support by raising tickets, and their issues were successfully resolved.
There are limitations, and it seems to have fewer capabilities than Veracode.
It has been used in multiple projects and performs well.
SonarQube Cloud is a scalable product, and I rate its scalability at seven out of ten.
From my team's feedback, it is almost an eight out of ten.
It is a quite stable solution.
I need a solution that can bring together three key areas: vulnerabilities, static scanning, and misarchitecture.
I would like to see SonarQube Cloud provide more detailed solutions for fixing code issues, especially solutions related to CVEs.
Static code analysis is good, but the product lacks dynamic code scanning capabilities, an area where Veracode excels.
Companies often choose based on budget constraints, with Veracode being on the higher end cost-wise.
SonarQube Cloud is roughly equivalent in cost to Veracode, maybe a little cheaper.
From my experience, SonarQube Cloud (formerly SonarCloud) is very expensive for small companies.
We used the open-source version of SonarQube Cloud for its minimum features and did not license its extensive capabilities.
AppScan's most valuable features include its ability to identify vulnerabilities accurately, provide detailed remediation steps, and the newly introduced AI-powered features that enhance its functionality further.
I find SonarQube Cloud very easy to use and simple to integrate initially.
It suggests fixes where needed, enabling the team to code better and maintain high code quality.
The most valuable features of SonarQube Cloud (formerly SonarCloud) include code inspection, addressing technical debt, and identifying security vulnerabilities.
| Product | Market Share (%) |
|---|---|
| SonarQube Cloud (formerly SonarCloud) | 4.2% |
| HCL AppScan | 2.5% |
| Other | 93.3% |
| Company Size | Count |
|---|---|
| Small Business | 13 |
| Midsize Enterprise | 6 |
| Large Enterprise | 31 |
| Company Size | Count |
|---|---|
| Small Business | 9 |
| Midsize Enterprise | 3 |
| Large Enterprise | 4 |
IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.
SonarQube Cloud offers static code analysis and application security testing, seamlessly integrating into CI/CD pipelines. It's a vital tool for identifying vulnerabilities and ensuring code quality before deployment.
SonarQube Cloud is widely used for its ability to integrate with tools like GitHub, Jenkins, and Bitbucket, providing critical feedback at the pull request level. It's designed to help organizations maintain clean code by acting as a quality gate. This service supports development methodologies including sprints and Kanban for ongoing vulnerability management. While appreciated for its dashboard and integration capabilities, some users find initial setup challenging and note the need for enhanced documentation. The recent addition of mono reports and microservices support offers deeper insights into security and code quality, though container testing limitations and false positives are noted drawbacks. Manual intervention is sometimes required to address detailed reporting, with external tools being necessary for comprehensive analysis. Notifications for larger teams during serious issues and streamlined integration of new features are also areas of improvement.
What are the key features of SonarQube Cloud?In specific industries, SonarQube Cloud finds application in finance and healthcare where code integrity and security are paramount. It allows teams to identify critical vulnerabilities early and ensures that software development aligns with industry regulations and standards. By continuously analyzing code, it aids organizations in deploying secure and reliable applications, fostering trust and compliance.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
