We changed our name from IT Central Station: Here's why
Get our free report covering SonarSource, Veracode, Micro Focus, and other competitors of HCL AppScan. Updated: January 2022.
566,121 professionals have used our research since 2012.

Read reviews of HCL AppScan alternatives and competitors

Security Consultant at a tech services company with 11-50 employees
Consultant
Top 20
Straightforward to install and reports few false positives, but it should be easier to specify your own validation and sanitation routines
Pros and Cons
  • "The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at."
  • "It should be easier to specify your own validation routines and sanitation routines."

What is our primary use case?

I am a consultant and I work to bring solutions to different companies. Static code analysis is one of the things that I assist people with, and Coverity is one of the tools that I use for doing that.

I worked with Coverity when doing a couple of different PoCs. For these, I get a few different teams of developers together and we want to decide what makes the most sense for each team as far as scanning technologies. So, part of that is what languages are supported, part of that is how extensible it is, and part of that extensibility is do the developers have time to actually create custom roles?

We also want to know things like what the professional are services like, and do people typically need many hours of professional services to get the system spun up. Other factors include whether it deployed on-premises or in the cloud, and also, which of those environments it can operate with.

One of the things is there's not really a shining star out of all of these tools. SaaS tools have been getting more mature in the past decade, particularly in how fast they run, but also in the results they get. Of course, framework and language additions that increase the capability with results are considered.

What is most valuable?

The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at.

What needs improvement?

It should be easier to specify your own validation routines and sanitation routines.

For example, if you have data coming into the application, perhaps something really simple like it's getting a parameter from a web page that is your username when you go to a website to login, and then ultimately that's being consumed by something, the data goes through some business logic and then, let's say, it enters that username into a database. 

Well, what if I say my username is JavaScript calling alert hello. Now I've just entered JavaScript code as my username and you should be able to sanitize that pretty easily with a number of different techniques to remove the actual executable code from what they entered on the login page. However, once you do that, you want the program to understand that you are doing it and then remove what looks like a true positive at first glance because, in fact, the data being consumed in the SQL exec statement is not unsanitized. It's not just coming from the web.

Likewise, let's say you log in, and then it says, "Hello" Such and such. You can inject JavaScript code there and have it be executed when it says hello. So basically the ability to say that this validates and then also above and beyond that, this validates data coming from any GET parameter on the web. You should be able to specify a particular routine validates all of that, or this particular routine validates anytime we read data from a database, maybe an untrusted database.

So, if I reach for that data eight times and I say, "Hey," this validates it once, I also get the option to say it validates it the other seven times, or I could just say it's a universal validator. Obviously, a God validator so to speak is not a good practice because you're sure to miss some edge cases, but to have one routine validate three or four different occurrences is not rare and is often not a bad practice.

Another thing that Coverity needs to implement or improve is a graphical way to display the data. If you can see an actual graphical view of the data coming in, then it would be very useful. Let's say, the first node would be GET parameter from a webpage, and then it would be an arrow to another method like validate user ID, and then another method of GET data about the user. Next, that goes into the database, and so forth. When that's graphically displayed, then it is helpful for developers because they can better grab onto it.

The speed of Coverity can be improved, although that is true for any similar product.

What do I think about the stability of the solution?

It never crashed so stability has not been an issue.

What do I think about the scalability of the solution?

I have never used it for more than four relatively small to medium-sized projects at a time, so I've never needed to scale it.

How are customer service and technical support?

I have dealt with sales engineering, rather than technical support. They would sometimes provide a liaison to tech support if they didn't know the answer, but really, they guided us through the proof of concept and they knew that they were under a competitive evaluation against the other tools. They were able to resolve any issues that we came across and got us up and running fairly quickly, as far as I recall.

How was the initial setup?

Coverity is on the good side when it comes to setting it up. I think that it is pretty straightforward to get up and running.

What about the implementation team?

We implement Coverity on our own, with guidance from Coverity.

What's my experience with pricing, setup cost, and licensing?

The price is competitive with other solutions.

Which other solutions did I evaluate?

In addition to Coverity, I have experience with Checkmarx, Fortify, Veracode, and HCL AppScan, which was previously known as IBM AppScan.

Checkmarx is probably the most extensible and customizable of these products, and you're able to use the C# language to do so, which a lot of developers are familiar with.

HCL AppScan is another tool that has customization capabilities. They are not as powerful but they are easier to implement because you don't need to write any code.

I cannot give an endorsement for any particular one. They all have their merits and it just depends on the requirements. Generally, however, all of these tools are getting better.

What other advice do I have?

My advice for anybody who is considering this product is to first look around your organization to see if it has already been implemented in another group. If you're a big organization then Coverity or a similar tool may already be in use. In cases like this, I would say that it is best to adopt the same tool because your organization has already gone down that path and there are no huge differences in the capabilities of these tools. Some of them do it in different ways and some do things that others don't, but you won't have the initial bump of the learning curve and you can leverage their experience.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
CEO at a tech services company with 11-50 employees
Real User
Top 5Leaderboard
Easy interface that is user friendly, quick scanning, and good technical support
Pros and Cons
  • "The most valuable features are the easy to understand interface, and it 's very user-friendly."
  • "We have received some feedback from our customers who are receiving a large number of false positives."

What is our primary use case?

The primary use case is for a white-box penetration testing security. When we work with source code, it's a tool to help us conduct a deep analysis on a source code level. 

We push the zip file with source code to our own stent with the solution and receive a report. Also, we work with the interface to find the vulnerabilities we may have.

The most popular projects for us are the mobile application security assessment. We propose this option to our customers to check source code for iOS and Android mobile applications.

What is most valuable?

The most valuable features are the easy to understand interface, and it 's very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan.

We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project.

The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.

What needs improvement?

Checkmarx has tried to build a deeper analysis using IAST and SAST. They have a code version for developers. It would be good if they improve the combination of the two solutions. 

Both are good, but ISAT (Interactive Application Security Testing) is in progress and doesn't support the full spectrum of languages. A combination of the two solutions would achieve good results.

We have received some feedback from our customers who are receiving a large number of false positives. I believe that they can improve their engine to reduce false positives. It's better for reducing false positives when you use a compilation.

There are several levels and they are mapped to the different languages and some customers want to check when the developers will pass the training. There should be a questionnaire for the team lead to check the employees and how well they understand the material and the training. 

Also, they will want to add their own content to this solution.

I would like to see some improvements in technology to reduce false positives. This is only relevant to some use cases, not all. For example, there are several false positives for some languages, but it works in C#.

For how long have I used the solution?

I have been using this solution since 2015.

What do I think about the stability of the solution?

This solution is stable and we have not had bugs or glitches. If it is set up according to the instructions, there will be no negative feedback from the customers.

The platform has regular updates.

What do I think about the scalability of the solution?

This solution is scalable, but it depends on the package you have purchased as some do not allow you to expand. 

How are customer service and technical support?

They have a great support team, and they can help you tune a solution. For our country, it is very important that they have Russian speaking support engineers and to have a quick response.

Also, they have a very good knowledge base. The resources are public on the Checkmarx website and they have good instructions and regulations on how you should tune the solution. It shows you where you can download the plug-ins, how to do it, and explains how they should be integrated.

Which solution did I use previously and why did I switch?

We have some experience with HPP AppScan, and with SonarQube. We started with a trial and felt that Checkmarx was the best.

How was the initial setup?

The initial setup is pretty simple, it's no problem to start using Checkmarx. It's a very good approach if you compare it with competitors.

It only takes a few hours to tune your Checkmarx solution. You may need more time for deeper integration when it comes to DLC integration, for example, when using plug-in build management, such as Jenkins. 

If you are scanning and you have the source code then you are good to start scanning in a few hours. Three to four hours is required for tasks done in source code.

We have one or two engineers who can work with the solution.

For some of our customers have more than 100 developers and a DevOps team.

What's my experience with pricing, setup cost, and licensing?

This solution is expensive.

The customized package allows you to buy additional users at any time.

You could advise the vendor that you are in need of some more resources, and they can send you a trial license which lets you pay later. In the meantime, you can start working with the trial license.

They have subscriptions for licenses, but this is confidential information and I cannot share the price as per our non-disclosure agreement.

If you purchase a typical package then it is clear licensing with no hidden payments. You can add integration services for Checkmarx if you needed to, but it's optional.

The hardware is on the customer site. It could be virtual, or a physical server, or even cloud-based. You can choose what you want to use and there are still no hidden fees. Licensing and policy are clear.

What other advice do I have?

We are resellers but we are also users of this product when we need to check source code because our main business activity is security assessments, not reselling.

We have many customers who have purchased this solution from our company. One of them is Softcell, a Ukrainian company.

With our approach, we need to find a way to reduce false positives. We don't have great resources to do this work long-term, and we need quick results. There are some projects that have a lot of false positives but we can reduce them by tuning during the scanning. 

Some of our customers like the Codebashing model. It's an additional model for learning for security practice for developers. They ask for additional tests to this model and want to receive the functionality to check the knowledge.

When you receive your product, you should start with testing and understand how it works according to your environment. This includes the language and what framework to choose because it is not a simple solution. You should understand that you should tune it.

The most effective approach is to implement SAST into the SDLC, (software development life cycle).

You should regularly check your source code, and check your security before every release. For infrastructure, security testing is not enough. There are several applications and static source code security is a must.

You should choose Checkmarx SAST for security checks and try to optimize it's build management or source code repository.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Nawal Singh
Senior DevSecOps/Cloud Engineer at Valeyo
Real User
Top 20
Provides information about the issue as well as resolution, easy to integrate, and never fails
Pros and Cons
  • "It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones."
  • "Its reports are nice and provide information about the issue as well as resolution. They also provide a proper fix. If there's an issue, they provide information in detail about how to remediate that issue."
  • "It would be great if they can include dynamic, interactive, and run-time scanning features. Checkmarx and Veracode provide dynamic, interactive, and run-time scanning, but Snyk doesn't do that. That's the reason there is more inclination towards Veracode, Checkmarx, or AppScan. These are a few tools available in the market that do all four types of scanning: static, dynamic, interactive, and run-time."
  • "We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider."

What is our primary use case?

We are using Snyk along with SonarQube, and we are currently more reliant on SonarQube.

With Snyk, we've been doing security and vulnerability assessments. Even though SonarQube does the same when we install the OWASP plugin, we are looking for a dedicated and kind of expert tool in this area that can handle all the security for the code, not one or two things.

We have the latest version, and we always upgrade it. Our code is deployed on the cloud, but we have attached it directly with the Azure DevOps pipeline.

What is most valuable?

It is a nice tool to check the dependencies of your open-source code. It is easy to integrate with your Git or source control. 

It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones. 

Its reports are nice and provide information about the issue as well as resolution. They also provide a proper fix. If there's an issue, they provide information in detail about how to remediate that issue.

It is easy to integrate without a pipeline, and we just need to schedule our scanning. It does that overnight and sends the report through email early morning. This is something most of the tools have, but all of these come in a package together.

It never failed, and it is very easy, reliable, and smooth. 

What needs improvement?

It would be great if they can include dynamic, interactive, and run-time scanning features. Checkmarx and Veracode provide dynamic, interactive, and run-time scanning, but Snyk doesn't do that. That's the reason there is more inclination towards Veracode, Checkmarx, or AppScan. These are a few tools available in the market that do all four types of scanning: static, dynamic, interactive, and run-time.

We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider. Such companies try to build the system in-house, and their enterprise-level licensing cost is really huge. There is also an overhead of updating the vulnerability database.

For how long have I used the solution?

It has been more than one and a half years. 

What do I think about the stability of the solution?

It is stable. I haven't had any problems with its stability.

What do I think about the scalability of the solution?

It is easy. We have integrated Snyk with two to four projects, and we do run scanning every week to check the status and improvement in the quality of our code.

Currently, only I am using this solution because I'm handling all the stuff related to infrastructure and DevOps stuff in my company. It is a very small company with 100 to 200 people, and I am kind of introducing this tool in our organization to have enterprise-level stuff. I have used this tool in my old organization, and that's why I am trying to implement it here. I am the only DevOps engineer who works in this organization, and I want to integrate it with different code bases.

How are customer service and technical support?

I've never used their technical support.

How was the initial setup?

It is really straightforward. If someone has set up a simple pipeline, they can just integrate in no time.

What's my experience with pricing, setup cost, and licensing?

Pricing-wise, it is not expensive as compared to other tools. If you have a couple of licenses, you can scan a certain number of projects. It just needs to be attached to them.

What other advice do I have?

I have been using this solution for one and a half years, and I definitely like it. It is awesome in whatever it does right now.

It is a really nice tool if you really want to do the dependency check and security scanning of your code, which falls under static code analysis. You can implement it and go for it for static code analysis, but when it comes to dynamic, interactive, and run-time scanning, you should look for other tools available in the market. These are the only things that are missing in this solution. If it had these features, we would have gone with it because we have already been using it for one and a half years. Now, the time has come where we are looking for new features, but they are not there.

Considering the huge database they have, all the binaries it scans, and other features, I would rate Snyk an eight out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Milin Shah
Information Security Architect at a real estate/law firm with 1,001-5,000 employees
Real User
Top 20
Good reporting and vulnerability management, but needs better performance and resource utilization
Pros and Cons
  • "Reporting, centralized dashboard, and bird's eye view of all vulnerabilities are the most valuable features."
  • "It requires improvement in terms of scanning. The application scan heavily utilizes the resources of an on-premise server. 32 GB RAM is very high for an enterprise web application."

What is our primary use case?

We use it for code scanning, security scanning, and finding vulnerabilities.

I am using its latest version. I have Fortify code scan on the cloud and Fortify WebInspect on-premise for a dynamic scan. So, SAST is on the cloud, and DAST is on-premise.

What is most valuable?

Reporting, centralized dashboard, and bird's eye view of all vulnerabilities are the most valuable features.

The vulnerability management part of it is very easy. We can suppress or comment on each vulnerability and assign a vulnerability to an individual risk owner, which makes the work easy.

What needs improvement?

It requires improvement in terms of scanning. The application scan heavily utilizes the resources of an on-premise server. 32 GB RAM is very high for an enterprise web application.

Its installation and maintenance are not easy. Its updates and upgrades are hard.

Its performance needs to be stabilized. It should also be able to find more vulnerabilities than other tools.

It is expensive. Its price needs to be improved.

For how long have I used the solution?

I have been using this solution for five years.

What do I think about the stability of the solution?

Its performance is good, but it takes a lot of resources in terms of CPU utilization, so stability-wise, there are problems at times.

What do I think about the scalability of the solution?

We have 70 to 80 users who use this solution. Its scalability is easy. You just need to add another server, if required.

How are customer service and support?

We have contacted them for multiple issues. Sometimes, scanning didn't work, and the reports didn't come, so we had to escalate. My experience with them was fair. It wasn't great. We asked for remote control or remote setup, but they never provided that. There is no remote assistance. You need to upload the logs. They review and reply back on time. Their response time is very short, which is good, but if we need remote help, it is not easy. You don't get that immediately.

Which solution did I use previously and why did I switch?

I have also been using AppScan. The performance of AppScan is good, but WebInspect has more features, such as a centralized dashboard and the ability to assign a risk into priorities. It is an enterprise and feature-rich tool, but performance-wise, AppScan is good.

How was the initial setup?

The on-premise setup is complex. It requires the installation of a lot of tools, software, licenses, and on. Its installation is very complex as compared to the other tools in the market. It took us a week.

It requires some maintenance in terms of logs. It collects a lot of logs, and you need to remove those logs and keep updating the software. The update is not that regular, and you need to install the update manually on each of the servers. The update requires a lot of effort. It's not a simple auto-update feature.

What about the implementation team?

We had to take help from the vendor. At one point, I was stuck, and the vendor had to install it. They were pretty supportive.

What's my experience with pricing, setup cost, and licensing?

Its price is almost similar to the price of AppScan. Both of them are very costly. 

Its price could be reduced because it can be very costly for unlimited IT scans, etc. I'm not sure, but it can go up to $40,000 to $50,000 or more than that.

What other advice do I have?

While implementing WebInspect, it is always better to keep all the required software installed and ready. The installation of WebInspect has a lot of dependencies, such as .NET, Java, SQL database, etc. All of the data does not come in-built. So, the moment you start building it, if it creates a problem, you have to remove and reinstall everything from scratch and then come back, which takes a lot of time. So, it is better to have those prerequisites handy, pre-installed, and tested.

I would rate it a seven out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
UAS Innovation Group Lead at a computer software company with 11-50 employees
Real User
Top 20
Promotes collaboration, easy to use, and always evolving with the market needs
Pros and Cons
  • "This product is always evolving, and they listen to the customers."
  • "It would be really good if they integrated more features in application security."

What is our primary use case?

We use this solution for source code management, and also team collaboration for the application lifecycle.

How has it helped my organization?

It has improved the way our organization functions.

What is most valuable?

It is very easy to use.

This product is always evolving, and they listen to the customers.

It solves what the customers what.

What needs improvement?

It would be really good if they integrated more features in application security.

I would also like to see scanning for some vulnerabilities and allow people to have a one-stop glance at the state of the security application

For how long have I used the solution?

I have been working with GitLab for more than five years.

We are always using the latest version.

What do I think about the stability of the solution?

It's stable, and we have not experienced any issues with bugs or glitches.

What do I think about the scalability of the solution?

It's a scalable solution. It's easy to scale.

Which solution did I use previously and why did I switch?

We have used many solutions before GitLab.

How was the initial setup?

The initial setup is straightforward.

What's my experience with pricing, setup cost, and licensing?

The price is okay.

What other advice do I have?

My advice is to work on the processes that are in the environment. Know what you need to do and what you need to deliver the software. You have to ask the question: What do you need to deploy the software?

Always take security into account from the beginning.

While this is a good tool that is always evolving and there are new updated security standards that are being published and improved upon, it is always a good idea to have another solution to compare with to get better at using it. You can always have a combination of all of them, which would something that I would be interested in.

We are always evaluating to see if there is a solution that can do the job better.

You need to have a well-defined set of processes and that will help them adapt GitLab.

Overall, it's a great product and it does a good job.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Get our free report covering SonarSource, Veracode, Micro Focus, and other competitors of HCL AppScan. Updated: January 2022.
566,121 professionals have used our research since 2012.