HCL AppScan Reviews

Our use case is that we always test our applications with AppScan before going to the production side. We have been using it for many years. It's honestly one of the best products in the application security the portfolio.

We aren't using it on the cloud.

It has contributed to the maturity of our AppSec risk management program. I would rate that maturity level as eight out of 10. The testing part of your application's security is very valuable. You can't avoid that.

Applications are the faces of companies to the world. How much your application is secure equals how much your brand is secure. AppScan is a very major part of of the story.

We don't use it to test open-source code.

There's a recording feature that I really like. You pass through the login pages. If you record the login part, it becomes very fast with the solution.

It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good.

We experienced some performance problems at times, but it's actually not about the application. It depends on the hardware you use, the power of the CPUs, memory, nothing except that.

In terms of scalability, we don't need much. So I can't really answer this question.

I like IBM technical support as a whole. It was a really good experience.

When selecting a vendor we look for 

• a global brand
• support
• user friendliness
• cost, and the license models.

I would recommend AppScan.

We develop software, and the software is property of our clients. So we want to ensure the highest quality possible, and assist the financial side. We want the application to be as secure as possible. AppScan has helped us to identify a lot of issues; we can find them before they reach a new environment. We catch them, we fix them, and we can offer a higher quality product to our clients.

We test on cloud.

In terms of the transition process from on-prem solutions, it was not so hard because we've been IBM partners for eight years. From the beginning, we started developing on those platforms. So it was natural migration, we were "born" with those applications on those platforms.

Usually when we deploy the application, there is a process for ethical hacking. The main benefit is that, the ethical hacking is almost clean, every time. So it's less cost, less effort, less time to production.

AppScan has absolutely contributed to the maturity of our AppSec risk management. I would rate that maturity at only nine out of 10 because there are things that we could be doing better. Not only because of our internal processes, but because we need to adopt to the clients' processes, and that adopting always has small gaps. But generally, it's pretty awesome.

We don't use it to security test open-source applications but we do use it for open-source models, or libraries.

It helps you to enforce security practices, beyond the reach of just operations and training. So give the training, but besides that you can detect some deviations in the development process. I think that's the most valuable of all the features.

I would love to see more containers. Many of the tools are great, they require an amount of configuration, setup and infrastructure. If most the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers.

I'm not sure what it like on the current version but the previous version had some small issues, some crashes.

With the latest upgrade - I'm not sure what version, I think it was 8, I've seen no major issues; some small glitches, but nothing really major.

Since we're development, we don't usually have issues with scalability because it's only one application.

Generally speaking, their tech support is good.

Usually our clients want to build in-house, but when we present the benefits of a product already built and, out of the box, it can offer a lot of features and can solve the problem right now... 

Sometimes the cost is equivalent to development, but it's more your product. 

A key factor for decision making is the release time. I can release in two months. or it can be released in six months, so that's a critical factor: price versus release date.

It's complex. Our main client is Citigroup. It's complicated because of the size of the client and all of the internal processes. So it's really a pain, not to blame IBM, not to blame us, not to blame them, but all of the ecosystem is complex.

Our clients evaluate Oracle, sometimes Microsoft. Our clients go with IBM, in Mexico, mainly because of the support. You can get more hands-on experienced people on IBM platforms than Oracle's, so if there is an issue - we always have issues - they get fixed more quickly on IBM than Oracle.

Before we had this solution, our security team was doing manual reviews with the scripts. This would take us a lot of work hours and a lot of people were involved in the process.

Now we just send it to AppScan and we can do other stuff like defining processes or dealing with management issues. We can focus on other aspects of our security.

It helps us avoid any downtime in the applications when they are already in production. It also prevents any vulnerability or security breaches.

We are currently using it in the integration of our agile process so we can find any breaches in the apps while they're in the development process. We can then fix breaches before they go into a production environment.

It comes with all of the templates that we need. For example, we are a company that is regulated by PCI. In order to be PCI compliant, we have a lot of checks and procedures to which we have to comply.

That being said, we have to be very rigorous about what we are protecting, such as the type of data and the code itself. Having those features in the app is a huge must.

We are moving a lot into mobile. While the solution does have a lot of functionalities in mobile, we are trying to expand it more aggressively.

We would like to see a check in the specific vulnerabilities in mobile applications or rooted devices, such as jailbreaking devices.

We would like to see what type of exposure we have in those specific devices.

There have been no stability issues so far. It has handled anything that we have sent to it.

The number of events we receive per day depends on many factors. The events mostly occur when we charge a new code into AppScan to find the vulnerabilities.

For example, we found ten vulnerabilities with the solution. We can see what our mistakes were and we can try to avoid them the next time.

This solution makes our job a lot easier for continuous vulnerability assessments and development processes.

We used technical support a couple months ago when we migrated from another version. We didn’t use them for an issue, but we got support to help us make the transition. They were very good.

The whole migration process was done in just a couple of weeks. It was fast and it went according to our expectations. After a couple of weeks, we were operational and it was up and running.

At the beginning, you need to know the reach and what you are expecting. The solution is not going to be a silver bullet that will fix everything in your app.

You have to have a mature SDLC process for developers to follow. If they don't have that, AppScan could provide great insight in order to develop it. Once you have both things in motion, it runs automatically.

When looking for a vendor, we want to know if they will go beyond that what is out-of-the-box. We want to see if they will tell us what additional features we can exploit in the solution.

We want to know if they will provide us with knowledge about apps or code for a specific matter and if they can support our expectancy of growth in the near future.

We use the solution to test our web applications and services.

The security and the dashboard are the most valuable features.

The pricing has room for improvement.

I have been using the solution for eight years.

I give the stability a seven out of ten.

I give the scalability an eight out of ten.

The support is fine.

Neutral

I give the initial setup a seven out of ten. The implementation took a few weeks.

The implementation was completed in-house.

We have seen around a 50 percent return on investment.

HCL AppScan is expensive.

I give the solution an eight out of ten.

I recommend the solution to others.

We have around 4,000 end users.

The most valuable feature of this product is its capability to detect XSS and SQL injection.

Security issues reported by the tool help customers write secure code.

• Better detection of DOM-based XSS
• Better remediation guidance using code examples and contexts

I have used it for four years.

I did not encounter any deployment, stability or scalability issues.

I previously used HP WebInspect and Qualys.

I prefer Appscan, as it much more user friendly, and it detects cross-site scripting and SQL injection issues much better than other tools in the market. Also, it has a lower false-positive count than others.

We perform more dynamic scanning using AppScan. We set up a scan, perform it and get the results, and then give the results back to our customer.

Within our organization, there are four members of the team who are using it.

Currently, we are satisfied with AppScan but I am sure there are better alternatives available because this is a very old product. It's been on market for more than ten years now. I am sure there are a lot of new age products that are more scalable and cloud-based. Although we are using it and will probably continue to do so moving forward, I think there are better alternatives on the market now.

It takes care of our dynamic scanning needs. 

It's a good product. It's automated crawler identifies all urls and performs security tests. It has a very rich test cases which ensures pretty good coverage in terms of security testing. The UI is user friendly and intuitive. 

There are some false positives, which need to be removed, but this is common with all types of scanners.

One thing which I think can be improved is the CI/CD Integration. There is a CI/CD Integration model, but I guess they are deliberately not using it currently. There are challenges when integrating AppScan with CI/CD because sometimes the activation plus the login mechanism provided doesn't work properly. Sometimes a login mechanism fails and then the whole scan fails. It's difficult to integrate with CI/CD.

I have been using this solution for almost two years.

Scalability-wise, I'm not sure because you can buy the licenses depending on how many scans you want to do, but yes, it's scalable. I can do multiple scans simultaneously, but we have not tried more than that. I cannot tell you whether it can scale up to more than maybe two, three, or four simultaneous scans. We have not tested that.

The technical support is quite good. They always respond quickly.

Installation is pretty straightforward. Deployment only took a day or two.

We deployed it ourselves. Even one person can manage it so that's not an issue, but currently, we have four users who perform the activities and scans because of the volume of requests that we received from different businesses.

I would recommend AppScan to other businesses. In a small-scale setup, it works perfectly fine, but if you are a larger organization with a lot of applications and you need to do CI/CD, then it's probably not the solution for you. Conversely, in a small organization with less than 20 applications, this will work pretty nicely.

On a scale from one to ten, I would give this solution a rating of seven.

If they can integrate with CI/CD and make the log-in mechanism a little smoother, they should be able to scale it up. If they could integrate with the CI/CD pipeline and make the scans a little faster, then I would give it a higher rating.

Our clients use it to try to find errors in base code, and also to find how solutions work together.

I believe they have on-premise usage; they are local government, so they are not very used to using the cloud.

I'm mainly working on the licensing side and not the technical side, so I don't get this kind of feedback.

Scalability, and it's a very powerful tool.

I believe there are improvements that can be made, but I'm not aware of those kinds of things.

It's stable.

For the market in Finland, when we are talking about a mid-size company, it equals a small company here in the USA, but they are mainly from 1,000 users to 10,000 users.

Tech support is responsive. With the local support I get all the help I need. I'm a former IBMer, so I know the right contacts, so it's quite simple to work.

I think it's a little bit complex, and that's quite a common issue with most of the IBM products.

Some of the customers are using office open-source tools, but most are not using a tool at all. So, that's the competition. Of course, they are thinking about return on investment because it's quite an expensive tool and they won't take it back.

It is used for a DevOps environment, to perform a security profile, a code profile assessment. When you are building your software code, before finishing the build process and deploying to production, we run AppScan to figure out any security vulnerabilities in the code. It's called static analysis of the code.

It decreases the operational risk, security risk, a lot. In fact, when we first used it, the number of vulnerability alerts generated by the tool was huge. As time goes on, we can decrease those vulnerabilities because we learn from it. So, in the next release of the software, or new software that we have to develop, we know upfront that we should take care of some of the characteristics of the software.

It highlights, with several grades of severity, the types of vulnerabilities, so we can focus on the most severe security vulnerabilities in the code.

One thing that we would like in this tool is that it keeps ahead of the security guys, because one big advantage of this tool is that it always offers updates. Security is a process, you mitigate a risk, but the malware guys, they're trying to find another security hole in your environment. And the technology is evolving. So new security vulnerabilities are in the software. The point is, I hope that IBM continue, in improving and launching new versions, new upgrades, that can mitigate those security risks. 

That's the most important value. It's not the tool itself, but the continuous enhancement of the tool. That's why we recommended this tool.

It's pretty stable. No issues as far as I can remember. 

It's scalable. In the beginning, we found some issues regarding installing the tool in an open-source Jenkins environment - Jenkins is a tool for open-source. Jenkins and other tools, they automate the process. Those tools call AppScan in a way to generate a proper time to do this. But after a couple of discussions, we solved the problem, so we don't have any issues anymore.

I think it is pretty good. They answer in a very fast manner.

It's pretty straightforward to install and use it.

One competitor that I remember, one of the last candidates in the evaluation process was Checkmarx. Those tools, especially from startups that come from Israel, they try to grab this market space that IBM dominates.

That's why they have to take care in terms of the price; the price model. But other than that, it would be unbeatable.

The most important criteria when selecting a vendor, first of all, is their capability to continuously invest in the development and enhancement of the software. We are in a very changing process, software is a very changing environment, in terms of the technology. If you develop a tool, launch this tool, but don't have enough commitment to upgrade, to continuously enhance, it's not worth it. That's why I think IBM has a good presence in this area.

My advice would be, don't see only the cost. Try to see the capability of the tools and, besides that, as I have stressed in this review, the capability of the vendor to invest in enhancing and mitigating the risks that will come. New risks, new threats, security threats, will appear. If you don't have a company that is continuously enhancing its software, there will be a problem.

I would rate this product a nine out of 10. The reason I don't give it a 10 is because AppScan is a little bit expensive. IBM needs to work a little bit on the pricing model, decreasing the license cost. But with the maintenance - and the maintenance is the most important, as I told you, because it has to continuously enhance the tool to mitigate the increasing malware in the future - IBM could recover the investment and meet their target margins in another way.

Unfortunately, there is a big discussion if it is very expensive, to use it or not, and there are competitors. I see competitors trying to grab this market.

But from the point of view of quality, very excellent quality, it's above all the tools that I have worked with.