HCL AppScan Reviews

HCL AppScan is primarily used to improve application security. We are transitioning from DevOps to DevSecOps.

We are attempting to integrate these tools into our CICD pipeline in order to meet our business use cases. And if we notice that the tool is missing any business features or a feature, we will highlight them and work to have them fixed or implemented. That is how we go about it. We don't go for any generic features because that will be handled by the product team. We are here to identify our gaps and then have them implemented by the vendor team.

AppScan is only used for web scanning; we do not use it for anything else.

There are many features that are valuable. such as the APIs. API calls in AppScan, and similar to Burp Suite enterprise edition, which is also for API scans. I can trigger the scan ware API.

The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with the HCL.

The dashboard, for AppScan or the Fortified fast tool, which we use needs to be improved. We always raise that as an announcement request because statistics gathering or management reports based on statistics are quite important. that is the only generic feature that we always request from the product team. The standard response is "Yes, it is in the pipeline, we will take a look." 

We would like to see all of the results in the same product. However, specific products for a specific test are available on the market. For example, you cannot upload the task report to the DAST report dashboard and instead request that the product team or vendor team create a sophisticated dashboard for that. Definitely, they will say "No, it is not possible because you have a DAST tool on the market. Go and purchase that. It will have your dashboard.  If you're a DevSecOps team, and you ask me I would like to see all of the reports uploaded and collaborated on the same dashboard of the particular product. This is the reason we are using an open-sourced vulnerable management tool.

We have been using HCL AppScan for almost four years.

We are not working with the most recent update, but with two versions earlier.

The HCL AppScan performance is both stable and reliable.

Burp Suite and HCL AppScan are both stable and reliable when compared to other products.

Scalability is a question that is determined by how you allocate your hardware. It is all about how you design your CICD program with HCL AppScan. 

Scalability is quite simple to implement or achieve. Again, this is entirely dependent on your business requirements. Generally, or in short, scalability is not an issue with HCL AppScan.

This solution is used daily.

We have contacted technical support when we need customization, and there are usually other bugs and day-to-day life hacks.

The support has improved since the transition from IBM to HCL AppScan.

We are working with tools that are all related to application security, such as Qualys, SAST, DAST, open-sourced software scan, and penetration test tools. 

Some of the penetration test tools we work with are Burp Suite, and OWASP Zap which is an open-source product.

The initial setup with most of the products, particularly the Burp Suite and the HCL AppScan, is straightforward. The only difference is that when it is customized to your specific requirements, that is when the key part comes into play. We have to engage the professional services of the product team, or the vendor team, which is where the headache begins. That is a common challenge shared by the all vendor team.

Deployment and installation of AppScan take approximately three hours, or less than that if you have all of the necessary prerequisites, hardware, a database, and everything is in place, then three hours is all you need.

We put our application into maintenance mode during the version upgrade.

We require one person for the administration of this product.

When customization is required, we have assistance from the vendor time.

Most of the HCL AppScan installations are customized. We use Pure Vanilla or a new malware product.

With the features, that they offer, and the support, they offer, AppScan pricing is on a higher level. 

They should reduce it slightly. But, in my opinion, it's not a big deal. If a tool is able to satisfy all your requirements, it doesn't matter, the cost is not a deciding factor.

There are no additional fees in addition to the licensing fee.

We looked into it and decided on two open-source vulnerable management products. We are currently conducting a proof-of-concept on those open source vulnerable management tools.

We are just looking into these open sources and experimenting with them. As a result, this is the first time we intend to incorporate this vulnerable management tool into our world.

We are looking for vulnerability management, purely for vulnerability management, that can collect reports from SAST, DAST, and other scan results and use them in the management dashboard.

Before you choose a tool, whether it is Burp Suite, AppScan, or any other tool, you must first construct your business requirements, or the business use case. And you must detail out all of the product's features, as well as map the features to the business use cases. If the product meets or exceeds the majority of the business use cases, then you only need to choose that product. Otherwise, you will end up customizing the product after you buy it, which will create issues in terms of engaging with the professional services of that specific vendor. Then there's the matter of time and money. 

Detail all of your business use cases, then map those use cases to the product feature list and choose the product.

We have a business relationship with AppScan, as customers, and some of our business partners have project outsourcing with IT companies, such as HCL, IBM, Dell, and Infosys.

I would rate HCL AppScan a nine out of ten.

We use HCL AppScan products to help us scan for vulnerabilities and generate reports to provide a foundation on how to fix any issues. Their 4.7 version facilitates machine learning to help us select APIs and customize our scans more specifically. We also use the HCL AppScan Standard Enterprise Source and Cloud for scanning, and we plan to add the HCL AppScan Switch Casing to our toolkit. This makes it easier for us to scan the internet and use Tenable to help us find any issues.

The most valuable feature of the solution is Postman. As a security engineer, Postman allows me to specify exactly what information I need to scan for, rather than just dropping all information and running a scan. I can also use it to do some information gathering before scanning. This allows me to specify APIs and scan accordingly. The feature also saves us time.

As a developer who has been studying and working in the security product industry for several years, I have been impressed by HCL's progress. Although the cost of their product is competitive, I believe they could make it even better by increasing their database size. Companies like Tenable have much larger databases when it comes to vulnerabilities and portals, and even though HCL is connected with other vendors such as Microsoft, their database is not as expansive. The databases for HCL are small and have room for improvement.

HCL already has four solutions: Standard, Enterprise, Open Source, and the Cloud. Perhaps in a future release, HCL can add AI products. Manual work would be made easier with artificial intelligence. Maybe HCL could develop an AI program for scanning.

I have been using the solution for five months.

The solution is scalable.

The initial setup is straightforward. This is a great advantage of HCL, as we can just download, install and run it to identify potential vulnerabilities. Furthermore, the graphical user interface is also simplified.

The implementation didn't take a lot of time; setting up the cloud was just a matter of making my account and getting familiar with the features. After that, we were all logged in and ready to go with no major changes required.

I give the solution a nine out of ten.

I am currently the first person in my company to begin working with HCL. We have not yet gone to any clients, but I plan to get certified in HCL with AppScan. When we have clients that require components from HCL, I will be the representative for them as I am knowledgeable in the subject.

I would highly recommend HCL for people in the workforce. It has a user-friendly interface and the cost is much lower than Tenable. The database is good, and installation is easy. Additionally, technical support is likely to be helpful. Finally, there are a lot of other tools that come with HCL, such as scanners and detectors, which will make the job much easier.

This is a primarily application security testing solution.

SAST is the only feature that works using the on-prem version. It's becoming very difficult for us to integrate it with the other SecOps solutions. It is a very good solution but only when using the standard version.

We have experienced challenges when trying to integrate this solution with other products. When you compare it with the other SecOps products, the quality of the output is too low. It is not a new-age product. It is very outdated.

The weaknesses of this solution include integration ability, the interface and the quality of the output. It lacks a lot of features if you compare it with Fortify, Veracode or Coverity. It is not possible to integrate with the CI/CD pipeline as cloud-native functionalities are not supported. 

We have been using this solution for one year. 

This is a stable solution. 

This solution is not scalable due to its inability to integrate with other solutions. 

Initially, we had a lot of hiccups and we logged a lot of cases with them. The support we received was okay.

Neutral

We are evaluating other options like Fortify and Checkmarx. We have worked with Fortify before. The advantage of this solution over HCL is its cloud setup. It is a solution that integrates well with other products. It also provides less false positives. Our main use case is that it should easily integrate with the CI/CD pipeline. The second requirements is that it should be easily integrate with the developer environment. These were the two main things which HCL AppScan does not provide.

The initial setup is not straightforward. It involved a couple of tweaks and changes within the environment itself. A couple of reinstallations were also required for us to get it working. It was not a click-and-run kind of a product.

Pricing was the main reason that we went ahead with this solution as they were the lowest in the market.

Overall performance of this solution is not terrible but it does not offer new age features. If you want to integrate with other solutions or complete testing in the cloud, this is not the right solution. I would advise others considering this solution to complete a proper proof of concept or to run a pilot before implementing it.

I would rate this solution a three out of ten. 

I have a set project, and I'm writing an application for monitoring server status, and I tried several times to scan it with AppScan in order to understand if there are vulnerabilities in my code.

The dynamic scan, the DAST tool, dynamic applications scanning and testing tool, is great.

It was easy to set up.

It's a stable solution.

The product is easy to scale. 

The solution is affordable and reasonably priced.

The performance could be better. Sometimes it doesn't work so well. There's a tool for connecting the cloud with the application server. Sometimes it doesn't work really well.

I have not come across any missing features. 

I've been using the solution for six months. It's been less than a year so far. 

The solution has been stable. There aren't bugs or glitches. It doesn't crash or freeze. It's reliable. 

So far, we've found the solution can scale well.

I've reached out to support in the past. They are pretty good, however, they are also working from India, and I'm in Italy. There is a delay of course when I open a ticket. We have to wait a bit due to the time shift.

We did not previously use a different solution. This was our first. 

The initial setup is pretty simple and straightforward. It's not an overly complex or difficult process. 

It took about one day to deploy the solution.

I handled the initial setup on my own. I did not ask for help from any consultants or integrators. 

I actually pay for tokens. Any time that I want to perform scanning, I have to pay for another token. It's pretty good for me, this system, as it's really, really nice when I need it. I just need to pay for it, and that's it.

We are end-users.

I'd rate the solution a seven out of ten.

We primarily use the solution for static scans as well as dynamic scans to check for vulnerabilities. 

The scanning is quite good. It's good for helping us seek out vulnerabilities and fixing hot spots. 

The pricing is fine. 

It's on a managed cloud, and that makes it very easy. It's straightforward to use.

The solution has been stable, and we haven't really had downtime. 

It's stable. 

Technical support is helpful.

I do not have any notes for improvements. 

They should have a better UI for dashboards. It would be nice to have visualizations such as pie charts. This would help administrators and be more of a value-add. 

I've been using the solution for three years. 

The solution is stable. We haven't had any downtime. I'd rate it eight out of ten. There are no bugs or glitches. It doesn't crash or freeze. 

I'm not directly working to scale the solution. I don't know how well it extends. 

We have many people in our organization on the product. 

I've contacted technical support in the past. We have dedicated Slack channels, and we can easily open tickets with them for troubleshooting. They are fast and knowledgeable. 

Positive

I also use SonarQube. We also use SonarQube for code quality.

We did not previously use any other solution.

We do not have to manage the setup. It is a managed cloud offering. There is no implementation process. We just need to upload the applications. It doesn't take any time at all. Everything is automatic. 

The cost is okay. It's not overly expensive. 

We do not have to continuously pay for a license. 

I'm not sure of the exact version I'm using. 

I'd rate the solution nine out of ten. It's pretty straightforward to use, and we like that it is a managed cloud. 

The tool should improve its output. Scanning is not a challenge anymore since there are many such tools available in the market. The product needs to focus on how its output is being used by end users. It should be also more user-friendly. One of the major challenges is in the tool's integration with applications that need to be scanned. Sometimes, the scanning is not proper. 

I have been working with the solution for more than five years. 

I would rate the tool's stability a seven out of ten. The product's stability is fine if you have admin access. However, you may face issues during intense scanning. 

The product's technical support is not good. 

Neutral

The solution is easy to install. I would rate the product's setup between six to seven out of ten. The deployment time depends on the applications that need to be scanned. We have a development and operations team to take care of the product's maintenance. 

We did  the product's deployment in-house. 

I would rate the product's pricing a nine out of ten. The product's pricing is expensive compared to the features that they offer. 

I would rate the product a three out of ten. We use the solution only for quarterly scanning. There are better tools in the market at the same price. These tools can integrate more with applications. The tool's providers don't invest in making a good product. Hence, it is better to use a different tool. 

We use it for evaluating the application's code on web pages and previously published applications to identify vulnerabilities. It helps us to see how the code is written and how hard it is to find vulnerabilities. It's a useful tool for our purposes.

The product is useful, particularly in its sensitivity and scanning capabilities. Additionally, it allows for investigation while the developer is writing the code. It is a more efficient process compared to other tools like App Scan.

There is room for improvement in the pricing model. The price is very expensive.

I have been using HCL AppScan since 2011. It's the standard version, as we use it for evaluating applications and identifying vulnerabilities.

The stability is good. It's not just about the number of users because it's in use during development and while the application is running. So we have concurrent sessions, and it depends on the type of code being written at the moment.

It is a very scalable solution. The scalability is good.

The initial setup is very straightforward. Moreover, it's actually a quite nice solution because we don't require a lot of technical staff for deployment and maintenance.

The deployment process is good and included in the package, but it still needs to be installed before it can be used.

The pricing model is expensive. 

I would recommend the solution. Overall, I would rate the solution an eight out of ten. 

I use the tool to find system information for penetration testing and ethical hacking.

The solution is easy to use. It is useful for finding basic information about systems.

The product has some technical limitations. Finding critical things with the solution is difficult because most organizations update their systems. We find the product vulnerabilities manually.

I have been using the solution for four years.

I rate the stability an eight out of ten.

I rate the scalability a five out of ten. The solution is not enough for our needs. We are testing more than 50 companies with the solution. The largest company has more than 10,000 employees. We are planning to increase the number of users of the solution.

The initial setup is not difficult. I rate the ease of setup a seven out of ten.

It took us five minutes to install the solution. We need four engineers to maintain the solution.

I rate the solution’s pricing a five out of ten.

I am using the latest version of the solution. We usually perform ethical hacking using Burp Suite. The solution will be more advanced if it can be developed using ChatGPT. I would recommend the solution to others because it is the most famous web scanner. Overall, I rate the solution a five out of ten.