HCL AppScan Reviews

The most valuable feature of HCL AppScan is scanning QR codes.

The solution could improve by having a mobile version.

I have been using HCL AppScan for approximately one year.

I have found HCL AppScan to be stable.

HCL AppScan is a scalable solution. it can easily scale up and out.

The support I have received has been good. I had an issue and I opened a ticket with the support, and everything went smooth. 

The initial setup of HCL AppScan is easy.

I rate HCL AppScan an eight out of ten.

We use it as a security testing application. 

HCL AppScan needs to improve security. 

I have been working with the product for ten years. 

HCL AppScan is pretty stable. 

HCL AppScan is easy to deploy and can be done in one to two hours. 

Our clients are willing to pay the extra money. It is expensive. 

I rate HCL AppScan an eight out of ten. 

We primarily use the solution for static analysis.

AppScan is within the top three or four static analyzers. Its features include support for many languages. 

The product has a relatively reasonable scan time.

There's extensive functionality with custom rules and a custom knowledge base.

The solution often has a high number of false positives. It's an aspect they really need to improve upon. 

The product has vulnerabilities, or findings, that are almost identical in nature. 

I've used the solution for the last 12 months or so. It's been about a year at this point.

The stability is okay. it's good. It's not very good or excellent, it's just good. I would describe the stability as a bit better than acceptable.

When I worked on it, it wasn't in the cloud. It didn't offer Federation. Now, it is my understanding that it has those, which would make it very scalable. That said, when I used it, I would not give it a very scalable grade - maybe a two out of ten for scalability if you are using it off of the cloud. That said, that's not the latest version. The latest is likely more scalable, I just don't have experience with it.

The technical support is pretty good. They are knowledgeable and responsive. We were satisfied with the level of support we received.

I also know a bit about Checkmarx, Fortify, Veracode, and AppScan.

I didn't really do the actual setup once it got moved into the cloud. I don't know how easy the cloud set up was. However, it's my understanding that it is now potentially easier than it was before, which wasn't too bad. 

I don't know the prices currently. I knew the prices when it was still in-house with IBM, however, I don't know what the cost is now.

I worked with the solution at a previous company. Now I am a consultant and I no longer work with the product. I don't have a business relationship with HCL.

I wanted to do a POC with the current state of what was IBM AppScan and now is HCL. I contacted my contacts at IBM and then they started off the conversation and it went smoothly because a number of people from IBM had gone over to HCL when that product was acquired.

Various tools have their strengths, I would advise anyone who is interested in using a similar solution do a proof of concept first with a few options. Try Checkmarx, Fortify, Veracode, and AppScan, and see which one makes the most sense for your company's purposes. Those would be the top four in my opinion right now.

Overall, I would rate the solution eight out of ten.

HCL AppScan efficiently scans through the website and identifies vulnerabilities for AWS. It is reducing tools day by day, making it more efficient. 

HCL AppScan generates false results. Sometimes, it incorrectly identifies requests as vulnerable when they are not vulnerable. In the ADSL feature managed, the primary objective is to identify application security vulnerabilities. However, sometimes AppScan wrongly flags something as a vulnerability when it's not present, which we call a false positive.

I have been using HCL AppScan for nine years.

I rate the solution’s stability an eight out of ten.

The solution is scalable if required.

Customer support is helpful. 

Positive

There is a licensing partner. Sometimes, it is required to install a server. I must remove that license and then eject a new one on a different server. It becomes a bit harder for beginners if they do not have enough experience to install Zoho software.

Deployment takes around an hour, and one person can do it.

I rate the initial setup a six and a half out of ten, where one is difficult and ten is easy.

The tool is not cost-efficient. Considering the type of service with encryption security scanning from HCL AppScan, it drives up the cost unnecessarily. It is fairly priced.

There are some very cost-effective solutions out there. They are also very efficient for systems scanning.

Overall, I rate the solution an eight-point five out of ten.

We use IBM Appscan for a dynamic assessment of development of our code, so we're looking for something that will actually help us through our entire security development lifecycle.

It has performed better than we expected. We were able to use it quite often, use the server IDE to help test our code before we go into a full test. And it's helped point out some things we had to correct.

We're using it on the cloud. That particular solution we've been using on the cloud because it's a cloud instance, so the transition from going from one to the other wasn't there because we already had our cloud. We were able to use it because we had nothing else there. It helped fill a need that we really had.

It helps the organization the way we process the entire thing. It has actually helped a little bit with the speed of delivery too, which was surprising because most people thought it would be the other way around.

IBM Applications Security has contributed to the maturity of our AppSec risk management program. We've been working on our risk management program overall, for security development, and this has been a great asset to have.

We also use the solution to security test open-source applications. I'd say better than 70-75% of our applications are open-source. To me, a lot of people overly focus on open-source. That's because they believe that all the closed-source or proprietary is, in fact, secure. That's not necessarily the case. The issue is, when you take code and you're combining these different proprietary and open-source, packages, you have to test them all in the context where you're using them. And therein is the real issue. To me, it's not so much about the open-source, it's about all code. I believe all code has something that I have to look at.

We have a number of projects running concurrently, so I look at the aggregate. I try not to go to what's done on a single product. However, having said that, since we had nothing in dynamic and now we do, that's a huge improvement. You might say then that it was 100% improvement. I don't know if I would give it quite that number, but it is a huge improvement. It's quite near that number.

For me, as a manager, it was the ease of use. Inserting security into the development process is not normally an easy project to do. The ability for the developer to actually use it and get results and focuses, that's what counted.

I think being able to search across more containers, especially some of the docker elements. We need a little tighter integration there. That's the only thing I can see at this point.

I haven't had any issues with stability so I think it's fine.

We're in the process of testing scalability, so I can't really speak to how broad that is because we're just parring up our entire installation of it. I am looking across other parts in our business where our more traditional products are that connect. So, we're looking to see how that scales. But, overall it's looking good.

Once we got into the queue, we got a fantastic turnaround.

Here I have an unfair advantage. I came out of a large security company, and because of my experience and the fact that we had a need, I looked around for the best solutions that were available. There were a lot of competitors. The question was, how well it would integrate with our process, since we were developing a full SDL with security tool check-points. AppScan fit that very well.

The most important criteria when selecting a vendor were that it had a great product, but I had to have a product that I could integrate and automate. For me, it wasn't a matter if it was best in breed, they had the neatest slice of cheese. What I was looking for was, could it integrate and automate? If it couldn't, they weren't on the selection list.

I didn't do the work but I directed it.

There were a couple of steps where we had to have some help. But at the same time, we just put in an engagement for a Professional Services to do it quicker, do the integration, to make it tighter for us. We're just waiting for the final part of that to be signed so we can actually move forward.

Veracode, Synopsis, and a few others. What made us go with IBM was the integration and automation efforts; what it would do there, and the fact that it did so well at what AppScan does, which was in the dynamic testing.

In terms of rating it, because I haven't had it installed long enough, and we haven't finished all the integration because of the Professional Services yet, I'd say it's rating really well, toward excellent. But it's just one of those things, until you see all the proof in the pudding...

As of right now I would rate it an eight out of 10.

The advice I would give to a colleague is, first, know your development process and where it's weak. From there, insert secure development, realize that it's not about the tool, it's about the process of development. Then find the tools that solve that. For us the key was, could it integrate, could it automate, and could it make the developer's workload easier? That's what we looked for.

I have a set project, and I'm writing an application for monitoring server status, and I tried several times to scan it with AppScan in order to understand if there are vulnerabilities in my code.

The dynamic scan, the DAST tool, dynamic applications scanning and testing tool, is great.

It was easy to set up.

It's a stable solution.

The product is easy to scale. 

The solution is affordable and reasonably priced.

The performance could be better. Sometimes it doesn't work so well. There's a tool for connecting the cloud with the application server. Sometimes it doesn't work really well.

I have not come across any missing features. 

I've been using the solution for six months. It's been less than a year so far. 

The solution has been stable. There aren't bugs or glitches. It doesn't crash or freeze. It's reliable. 

So far, we've found the solution can scale well.

I've reached out to support in the past. They are pretty good, however, they are also working from India, and I'm in Italy. There is a delay of course when I open a ticket. We have to wait a bit due to the time shift.

We did not previously use a different solution. This was our first. 

The initial setup is pretty simple and straightforward. It's not an overly complex or difficult process. 

It took about one day to deploy the solution.

I handled the initial setup on my own. I did not ask for help from any consultants or integrators. 

I actually pay for tokens. Any time that I want to perform scanning, I have to pay for another token. It's pretty good for me, this system, as it's really, really nice when I need it. I just need to pay for it, and that's it.

We are end-users.

I'd rate the solution a seven out of ten.

I mainly use AppScan for vulnerability scanning and database bridging.

AppScan is too complicated and should be made more user-friendly.

I've been using HCL AppScan for three to four years.

AppScan is stable.

AppScan is scalable.

HCL's technical support is ok, but it could be faster and more responsive.

The initial setup was complex and took about a day and a half.

I would rate AppScan four out of ten.

The solution offers services in a few specific development languages.

They have to improve support. Their support before, when it was IBM, was very good technical support. However, now, it's very bad.

They could add more language coverage. They don't cover so many development languages. They really should be covering more. If they did, it would be a huge improvement.

The technical support is no longer any good. It's gone downhill since they were under IBM. Now, we are no longer satisfied with their level of service and we hope they will improve their services in the future.

I'm currently looking into Checkmarx. I'm evaluating their offering to see how it compares. This product lacks in many areas, and so we are looking at other options.

I don't have information on the relationship HCL has with my company. My understanding is they are just a vendor for us.

In general, I would rate them at a six out of ten. There are many areas in which they could improve, including by adding more languages and re-vamping their technical support. They are lacking in a lot of areas.