HCL AppScan Reviews

IBM AppScan has made our work easy, as we can do four to five scans of websites at a time, which saves time when it comes to vulnerability.

Many features are valuable but some features stand out, like using our own scripts, and capturing the authentication.

• It has crashed at times
• Scans become slow on large websites
• Many silly false positives are produced

Yes, sometimes we encounter stability issues.

Yes, sometimes we encounter scalability issues.

I would rate tech support a seven out of 10.

Yes. We switched because they made our work easier, with fewer false positives.

It was simple, once we watched many video tutorials and read PDFs to learn about it.

Yes, I used with Acunetix and open source tools.

We integrate AppSense with Fortinet FortiGate Next-Generation Firewall products. This integration is new for us, but so far, we have had good results. However, it is a new integration. 

Fortinet has a lot of potential and integrations going on with IBM: QRadar, AppSense, and IBM Cloud.

It provides a better integration for our ecosystem. From a Fortinet perspective, this can lead to integration of selling our own products.

Its integration from a UI perspective. You can easily find particular features and functions through the UI. 

For its first initial release, the integration was pretty good.

More seamless integration with Fortinet's technologies as this would make our customers happy. At the moment, it is a good integration, but it is the first time that we have done it. Therefore, there needs to be more integration within our fabric, so it is less obvious.

Visibility is an issue for us. Our partners were not even aware that we had an integration with AppSense. They do not know we have integrations with some of IBM products. Part of this is our marketing budget is small compared to IBM's.

I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources. We are not like IBM, which is huge. We need to prioritize which engineer will work on which technology. 

With QRadar, it has better integration because we have been working with it for awhile and there is a roadmap. There are always new things coming out.

Unknown. We are too new to the product.

Unknown. We are too new to the product.

The IBM technical support staff are good.

Have a look at the competitors as well. There is more than one vendor in the market. I would definitely do your due diligence.

It is used as a last check before moving code to production. Therefore, it is used as a developer tool.

With AppScan, we are now deploying less defects to production.

We leverage it as a quality check against code.

No stability issues.

We have a strong partnership with IBM. Their tech support is very knowledgeable.

We were using something else (a competing product of IBM), but we switched to AppScan because it is reliable.

Most important criteria when selecting a vendor: At the end of the day, it would have to be the support and relationship. There are a lot of smart people out there building products which do things. However, not everyone can use them, and without having someone to call, it is sort of its own disadvantage. 

External and internal web application vulnerability scan.

• We were able to easily diagnose a large number of web applications automatically.
• The depth was low, but the part that the user could miss was also diagnosed.

AppScan seems to be very good at detecting reflected XSS vulnerabilities. This increases the security of web applications that are in operation.

It would be nice to be able to specify the parameter values ​​used in the login sequence function.

The primary use case is to detect time-based Blind SQL Injection attacks, as well as Error-Based Injection attacks. The SQL injection attack is my favorite and I have more expertise in this vulnerability.

This solution saves us time due to the low number of false positives detected. Other scanners have an issue with respect to reporting false positives.

The most valuable feature is that it achieves a very low false-positive detection rate.

While I did not identify any specific bugs in this application. I did find that sometimes a restart was needed to deal with unresponsiveness means when AppScan is in a hang situation, this happens usually when you select a large number of sources. 

IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications.

We previously used Burp Suite. This application is best for static scanning.

Complex

We also evaluated Acunetix and Nexpose.

The benefits are that we that we can find security vulnerabilities fast, get that back to development teams, and report on those. They can then act, fix the issues, and we'll have a secure code in place.

It is easy it is to use. It is quick to find things, because of the code scanning tools. It's quite simple to use and it is very good the way it reports the findings.

We would like to be able to integrate to some of the other tools that we are using. That would be great. We would like to integrate with some of the other reporting tools that we're planning to use in the future.

I think it's quite stable.

So far scalability is pretty good.

We're really happy with technical support. They are great and very responsive.

I was not involved in the initial setup.

What I look for most in a vendor is the product, the offer, the service, the vendor service, and after sale support.

I would definitely recommend this product.

It is an application for security assessment or scanning for static environments.

With all customers, it is performing well.

The static scans are good, and the SaaS as well. 

There is not a central management for static and dynamic. This would be great, at least with competition such as Micro Focus.

The technical support is knowledgeable. However, our issue is not enough resources supporting our region. For Dubai, which is in the Gulf region, we need more technical support resources.

The initial setup is not that complex.

Most important criteria when choosing to partner with a company: I started working with IBM only one year back. When I started a partnership with them, IBM had the security portfolio which covered most of the region where my customers were. IBM has a name with the support along the quality of its products.

We use it for all website development and web-based applications, as part of our development test cycle and QA.

We also routinely use it on existing applications in production because, in terms of security and vulnerabilities, some of the latter exist on some of the platforms that we run. So we run it from time to time, to do some security checks, etc.

It has certainly improved our organization In terms of quality of solutions that are developed. 

I think it's easy to use and gives back some pretty good results, certainly for vulnerabilities.

I haven't actually used it personally, so I'm not sure that I would be able to answer this.

It's pretty stable.

It's scalable. We just did a review of the product itself, and it's something that we've decided to keep and continue using.

Support: I'll just leave it at "good."

This particular product is one of the easier products to set up.

We've had a relationship for some time, over 20 years now, with IBM. It's really about the products, in terms of what we are looking for. That's really the deciding factor in deciding whether we'd use them for a particular solution.