It is used for a DevOps environment, to perform a security profile, a code profile assessment. When you are building your software code, before finishing the build process and deploying to production, we run AppScan to figure out any security vulnerabilities in the code. It's called static analysis of the code.
It decreases the operational risk, security risk, a lot. In fact, when we first used it, the number of vulnerability alerts generated by the tool was huge. As time goes on, we can decrease those vulnerabilities because we learn from it. So, in the next release of the software, or new software that we have to develop, we know upfront that we should take care of some of the characteristics of the software.
It highlights, with several grades of severity, the types of vulnerabilities, so we can focus on the most severe security vulnerabilities in the code.
One thing that we would like in this tool is that it keeps ahead of the security guys, because one big advantage of this tool is that it always offers updates. Security is a process, you mitigate a risk, but the malware guys, they're trying to find another security hole in your environment. And the technology is evolving. So new security vulnerabilities are in the software. The point is, I hope that IBM continue, in improving and launching new versions, new upgrades, that can mitigate those security risks.
That's the most important value. It's not the tool itself, but the continuous enhancement of the tool. That's why we recommended this tool.
It's pretty stable. No issues as far as I can remember.
It's scalable. In the beginning, we found some issues regarding installing the tool in an open-source Jenkins environment - Jenkins is a tool for open-source. Jenkins and other tools, they automate the process. Those tools call AppScan in a way to generate a proper time to do this. But after a couple of discussions, we solved the problem, so we don't have any issues anymore.
I think it is pretty good. They answer in a very fast manner.
It's pretty straightforward to install and use it.
One competitor that I remember, one of the last candidates in the evaluation process was Checkmarx. Those tools, especially from startups that come from Israel, they try to grab this market space that IBM dominates.
That's why they have to take care in terms of the price; the price model. But other than that, it would be unbeatable.
The most important criteria when selecting a vendor, first of all, is their capability to continuously invest in the development and enhancement of the software. We are in a very changing process, software is a very changing environment, in terms of the technology. If you develop a tool, launch this tool, but don't have enough commitment to upgrade, to continuously enhance, it's not worth it. That's why I think IBM has a good presence in this area.
My advice would be, don't see only the cost. Try to see the capability of the tools and, besides that, as I have stressed in this review, the capability of the vendor to invest in enhancing and mitigating the risks that will come. New risks, new threats, security threats, will appear. If you don't have a company that is continuously enhancing its software, there will be a problem.
I would rate this product a nine out of 10. The reason I don't give it a 10 is because AppScan is a little bit expensive. IBM needs to work a little bit on the pricing model, decreasing the license cost. But with the maintenance - and the maintenance is the most important, as I told you, because it has to continuously enhance the tool to mitigate the increasing malware in the future - IBM could recover the investment and meet their target margins in another way.
Unfortunately, there is a big discussion if it is very expensive, to use it or not, and there are competitors. I see competitors trying to grab this market.
But from the point of view of quality, very excellent quality, it's above all the tools that I have worked with.