We performed a comparison between HCL AppScan, Trustwave App Scanner [EOL], and Veracode based on real PeerSpot user reviews.
"The static scans are good, and the SaaS as well."
"It is a stable solution...It is a scalable solution...The initial setup or installation of HCL AppScan is easy."
"It comes with all of the templates that we need. For example, we are a company that is regulated by PCI. In order to be PCI compliant, we have a lot of checks and procedures to which we have to comply."
"The most valuable feature of the solution is Postman."
"I like the recording feature."
"We are now deploying less defects to production."
"It has certainly helped us find vulnerabilities in our software, so this is priceless in the end."
"There's extensive functionality with custom rules and a custom knowledge base."
"The stability is great. We haven't had any issues at all with it."
"The solution can scan old databases and old code written 20 years back."
"The most important feature is the static scanning analysis, and the reason is that it can tell us about vulnerabilities in that code, right before we go ahead and push something to production or provide something to a client... Dynamic scanning actually hits our Web applications, to try to detect any well-known Web application vulnerabilities as well."
"The most valuable feature is the SAST capability and its integration into the Veracode pipelines."
"We use it to get our scan results and see where our software is vulnerable or not vulnerable."
"The static analysis gives you deep insights into problems."
"When those scans kick off, Veracode integrates back into our JIRA and actually opens tickets with the appropriate development teams. We can use that as a measurement of vulnerabilities opened, closed; we can tie them to releases. So, we get a whole lot more statistical information about security in our software products."
"The most valuable features of the solution are its extensive reporting capabilities and user-friendly interface."
"It is a cloud-based platform, so every organization or every security team in the organization is concerned about uploading their code because ultimately the code is intellectual property. The most useful thing about Veracode is that if you want to upload the code, they accept only byte code. They do not accept the plain source code as an input. The code is converted into binary code, and it is uploaded to Veracode. So, it is quite secure. It also has the automation feature where you can integrate security during the initial stages of your software development life cycle. It is pretty easy with Veracode. Veracode provides integration with multiple tools and platforms, such as Visual Studio, Java, and Eclipse. Developers can integrate with those tools by using Jenkins. The security consultation or the support that they provide is also really good. Its user management is also good. You can restrict the users for a particular application so that only certain developers will be able to see the code that has been scanned. Their reporting model is really good. For each customer, they provide a program manager. Every quarter, they have their reviews about how much it has scanned. They also ensure that the tool has been used efficiently."
"It has crashed at times."
"The solution often has a high number of false positives. It's an aspect they really need to improve upon."
"They should have a better UI for dashboards."
"Sometimes it doesn't work so well."
"AppScan is too complicated and should be made more user-friendly."
"They have to improve support."
"Improving usability could enhance the overall experience with AppScan. It would be beneficial to make the solution more user-friendly, ensuring that everyone can easily navigate and utilize its features."
"The product has some technical limitations."
"I would like to see a little more flexibility with regards to setting up profiles for vulnerabilities."
"In the future, I would like to see the RASP capability built-in."
"Because our application is large, it takes a long time to upload and scan."
"They need to have a plug-in, a better integration with the development environment."
"The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified."
"Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries."
"The pricing for qualified startups such as Neo4j could be improved."
"The solution does take a bit more time when we use it for multiple processes."
"The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually, but I believe that it's something they have on their roadmap."