
HCL AppScan Overview

HCL AppScan is the #10 ranked solution in AST tools and the #15 ranked solution in application security solutions. PeerSpot users give HCL AppScan an average rating of 6.6 out of 10. HCL AppScan is most commonly compared to SonarQube: HCL AppScan vs SonarQube. HCL AppScan is popular among the large enterprise segment, accounting for 71% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from computer software companies, accounting for 31% of all views.
HCL AppScan Buyer's Guide

Download the HCL AppScan Buyer's Guide including reviews and more. Updated: July 2022

What is HCL AppScan?

IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.

HCL AppScan was previously known as IBM Security AppScan, Rational AppScan, AppScan.

HCL AppScan Customers

Essex Technology Group Inc., Cisco, West Virginia University, APIS IT


HCL AppScan Pricing Advice

What users are saying about HCL AppScan pricing:
  • "With the features that they offer, and the support they offer, AppScan pricing is on a higher level."
  • "Pricing was the main reason that we went ahead with this solution as they were the lowest in the market."
HCL AppScan Reviews

    Principal Architect, Application Build Security at a transportation company with 10,001+ employees
    Real User
    Top 20
    Improves application security, identifies gaps, and performs well
    Pros and Cons
    • "The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with the HCL."
    • "The dashboard for AppScan, or the Fortified fast tool which we use, needs to be improved."

    What is our primary use case?

    HCL AppScan is primarily used to improve application security. We are transitioning from DevOps to DevSecOps.

    We are attempting to integrate these tools into our CICD pipeline in order to meet our business use cases. And if we notice that the tool is missing any business features or a feature, we will highlight them and work to have them fixed or implemented. That is how we go about it. We don't go for any generic features because that will be handled by the product team. We are here to identify our gaps and then have them implemented by the vendor team.

    AppScan is only used for web scanning; we do not use it for anything else.

    What is most valuable?

    There are many features that are valuable, such as the APIs. API calls in AppScan are similar to Burp Suite Enterprise Edition, which is also for API scans. I can trigger the scan via API.

    The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with the HCL.

    What needs improvement?

    The dashboard for AppScan, or the Fortified fast tool which we use, needs to be improved. We always raise that as an announcement request because statistics gathering, or management reports based on statistics, are quite important. That is the only generic feature that we always request from the product team. The standard response is "Yes, it is in the pipeline, we will take a look."

    We would like to see all of the results in the same product. However, specific products for a specific test are available on the market. For example, you cannot upload the task report to the DAST report dashboard and instead request that the product team or vendor team create a sophisticated dashboard for that. Definitely, they will say "No, it is not possible because you have a DAST tool on the market. Go and purchase that. It will have your dashboard." If you're a DevSecOps team, and you ask me, I would like to see all of the reports uploaded and collaborated on in the same dashboard of the particular product. This is the reason we are using an open-source vulnerability management tool.

    For how long have I used the solution?

    We have been using HCL AppScan for almost four years.

    We are not working with the most recent update, but with two versions earlier.


    What do I think about the stability of the solution?

    The HCL AppScan performance is both stable and reliable.

    Burp Suite and HCL AppScan are both stable and reliable when compared to other products.

    What do I think about the scalability of the solution?

    Scalability is a question that is determined by how you allocate your hardware. It is all about how you design your CICD program with HCL AppScan. 

    Scalability is quite simple to implement or achieve. Again, this is entirely dependent on your business requirements. Generally, or in short, scalability is not an issue with HCL AppScan.

    This solution is used daily.

    How are customer service and support?

    We have contacted technical support when we need customization, and there are usually other bugs and day-to-day life hacks.

    The support has improved since the transition from IBM to HCL AppScan.

    Which solution did I use previously and why did I switch?

    We are working with tools that are all related to application security, such as Qualys, SAST, DAST, open-sourced software scan, and penetration test tools. 

    Some of the penetration test tools we work with are Burp Suite, and OWASP Zap which is an open-source product.

    How was the initial setup?

    The initial setup with most of the products, particularly Burp Suite and HCL AppScan, is straightforward. The only difference is that when it is customized to your specific requirements, that is when the key part comes into play. We have to engage the professional services of the product team, or the vendor team, which is where the headache begins. That is a common challenge shared by all vendor teams.

    Deployment and installation of AppScan take approximately three hours, or less than that. If you have all of the necessary prerequisites, hardware, a database, and everything else in place, then three hours is all you need.

    We put our application into maintenance mode during the version upgrade.

    We require one person for the administration of this product.

    What about the implementation team?

    When customization is required, we have assistance from the vendor team.

    Most of the HCL AppScan installations are customized. We use Pure Vanilla or a new malware product.

    What's my experience with pricing, setup cost, and licensing?

    With the features that they offer, and the support they offer, AppScan pricing is on a higher level.

    They should reduce it slightly. But, in my opinion, it's not a big deal. If a tool is able to satisfy all your requirements, it doesn't matter, the cost is not a deciding factor.

    There are no additional fees in addition to the licensing fee.

    Which other solutions did I evaluate?

    We looked into it and decided on two open-source vulnerability management products. We are currently conducting a proof-of-concept on those open-source vulnerability management tools.

    We are just looking into these open-source options and experimenting with them. As a result, this is the first time we intend to incorporate a vulnerability management tool into our world.

    We are looking for vulnerability management, purely for vulnerability management, that can collect reports from SAST, DAST, and other scan results and use them in the management dashboard.

    What other advice do I have?

    Before you choose a tool, whether it is Burp Suite, AppScan, or any other tool, you must first construct your business requirements, or the business use case. And you must detail out all of the product's features, as well as map the features to the business use cases. If the product meets or exceeds the majority of the business use cases, then you only need to choose that product. Otherwise, you will end up customizing the product after you buy it, which will create issues in terms of engaging with the professional services of that specific vendor. Then there's the matter of time and money. 

    Detail all of your business use cases, then map those use cases to the product feature list and choose the product.

    We have a business relationship with AppScan, as customers, and some of our business partners have project outsourcing with IT companies, such as HCL, IBM, Dell, and Infosys.

    I would rate HCL AppScan a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    General Manager at a consultancy with 51-200 employees
    Real User
    Top 5
    Allows for dynamic scanning but lacks easy CI/CD integration
    Pros and Cons
    • "It identifies all the URLs and domains on its own and then performs tests and provides the results."
    • "One thing which I think can be improved is the CI/CD integration."

    What is our primary use case?

    We perform more dynamic scanning using AppScan. We set up a scan, perform it and get the results, and then give the results back to our customer.

    Within our organization, there are four members of the team who are using it.

    Currently, we are satisfied with AppScan, but I am sure there are better alternatives available because this is a very old product. It's been on the market for more than ten years now. I am sure there are a lot of new-age products that are more scalable and cloud-based. Although we are using it and will probably continue to do so moving forward, I think there are better alternatives on the market now.

    How has it helped my organization?

    It takes care of our dynamic scanning needs. 

    What is most valuable?

    It's a good product. Its automated crawler identifies all URLs and performs security tests. It has very rich test cases, which ensure pretty good coverage in terms of security testing. The UI is user-friendly and intuitive.

    What needs improvement?

    There are some false positives, which need to be removed, but this is common with all types of scanners.

    One thing which I think can be improved is the CI/CD integration. There is a CI/CD integration model, but I guess they are deliberately not using it currently. There are challenges when integrating AppScan with CI/CD because sometimes the activation plus the login mechanism provided doesn't work properly. Sometimes a login mechanism fails and then the whole scan fails. It's difficult to integrate with CI/CD.

    For how long have I used the solution?

    I have been using this solution for almost two years.

    What do I think about the scalability of the solution?

    Scalability-wise, I'm not sure because you can buy the licenses depending on how many scans you want to do, but yes, it's scalable. I can do multiple scans simultaneously, but we have not tried more than that. I cannot tell you whether it can scale up to more than maybe two, three, or four simultaneous scans. We have not tested that.

    How are customer service and technical support?

    The technical support is quite good. They always respond quickly.

    How was the initial setup?

    Installation is pretty straightforward. Deployment only took a day or two.

    What about the implementation team?

    We deployed it ourselves. Even one person can manage it so that's not an issue, but currently, we have four users who perform the activities and scans because of the volume of requests that we received from different businesses.

    What other advice do I have?

    I would recommend AppScan to other businesses. In a small-scale setup, it works perfectly fine, but if you are a larger organization with a lot of applications and you need to do CI/CD, then it's probably not the solution for you. Conversely, in a small organization with less than 20 applications, this will work pretty nicely.

    On a scale from one to ten, I would give this solution a rating of seven.

    If they can integrate with CI/CD and make the log-in mechanism a little smoother, they should be able to scale it up. If they could integrate with the CI/CD pipeline and make the scans a little faster, then I would give it a higher rating.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Owner/ Consultant at a tech services company with 1-10 employees
    Consultant
    Top 20
    Offers many support languages, scans in a decent amount of time and is easy to set up
    Pros and Cons
    • "There's extensive functionality with custom rules and a custom knowledge base."
    • "The solution often has a high number of false positives. It's an aspect they really need to improve upon."

    What is our primary use case?

    We primarily use the solution for static analysis.

    What is most valuable?

    AppScan is within the top three or four static analyzers. Its features include support for many languages. 

    The product has a relatively reasonable scan time.

    There's extensive functionality with custom rules and a custom knowledge base.

    What needs improvement?

    The solution often has a high number of false positives. It's an aspect they really need to improve upon. 

    The product has vulnerabilities, or findings, that are almost identical in nature. 

    For how long have I used the solution?

    I've used the solution for the last 12 months or so. It's been about a year at this point.

    What do I think about the stability of the solution?

    The stability is okay. It's good. It's not very good or excellent, it's just good. I would describe the stability as a bit better than acceptable.

    What do I think about the scalability of the solution?

    When I worked on it, it wasn't in the cloud. It didn't offer Federation. Now, it is my understanding that it has those, which would make it very scalable. That said, when I used it, I would not give it a very scalable grade - maybe a two out of ten for scalability if you are using it off of the cloud. That said, that's not the latest version. The latest is likely more scalable, I just don't have experience with it.

    How are customer service and technical support?

    The technical support is pretty good. They are knowledgeable and responsive. We were satisfied with the level of support we received.

    Which solution did I use previously and why did I switch?

    I also know a bit about Checkmarx, Fortify, Veracode, and AppScan.

    How was the initial setup?

    I didn't really do the actual setup once it got moved into the cloud. I don't know how easy the cloud setup was. However, it's my understanding that it is now potentially easier than it was before, which wasn't too bad.

    What's my experience with pricing, setup cost, and licensing?

    I don't know the prices currently. I knew the prices when it was still in-house with IBM, however, I don't know what the cost is now.

    What other advice do I have?

    I worked with the solution at a previous company. Now I am a consultant and I no longer work with the product. I don't have a business relationship with HCL.

    I wanted to do a POC with the current state of what was IBM AppScan and now is HCL. I contacted my contacts at IBM and then they started off the conversation and it went smoothly because a number of people from IBM had gone over to HCL when that product was acquired.

    Various tools have their strengths, I would advise anyone who is interested in using a similar solution do a proof of concept first with a few options. Try Checkmarx, Fortify, Veracode, and AppScan, and see which one makes the most sense for your company's purposes. Those would be the top four in my opinion right now.

    Overall, I would rate the solution eight out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Director at KPMG
    Real User
    Testing solution that does not integrate with other products or offer the same modern features as other solutions on the market
    Pros and Cons
    • "This is a stable solution."
    • "We have experienced challenges when trying to integrate this solution with other products. When you compare it with the other SecOps products, the quality of the output is too low. It is not a new-age product. It is very outdated."

    What is our primary use case?

    This is primarily an application security testing solution.

    What is most valuable?

    SAST is the only feature that works using the on-prem version. It's becoming very difficult for us to integrate it with the other SecOps solutions. It is a very good solution but only when using the standard version.

    What needs improvement?

    We have experienced challenges when trying to integrate this solution with other products. When you compare it with the other SecOps products, the quality of the output is too low. It is not a new-age product. It is very outdated.

    The weaknesses of this solution include integration ability, the interface and the quality of the output. It lacks a lot of features if you compare it with Fortify, Veracode or Coverity. It is not possible to integrate with the CI/CD pipeline as cloud-native functionalities are not supported. 

    For how long have I used the solution?

    We have been using this solution for one year. 

    What do I think about the stability of the solution?

    This is a stable solution. 

    What do I think about the scalability of the solution?

    This solution is not scalable due to its inability to integrate with other solutions. 

    How are customer service and support?

    Initially, we had a lot of hiccups and we logged a lot of cases with them. The support we received was okay.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    We are evaluating other options like Fortify and Checkmarx. We have worked with Fortify before. The advantage of this solution over HCL is its cloud setup. It is a solution that integrates well with other products. It also provides fewer false positives. Our main use case is that it should easily integrate with the CI/CD pipeline. The second requirement is that it should easily integrate with the developer environment. These were the two main things which HCL AppScan does not provide.

    How was the initial setup?

    The initial setup is not straightforward. It involved a couple of tweaks and changes within the environment itself. A couple of reinstallations were also required for us to get it working. It was not a click-and-run kind of a product.

    What's my experience with pricing, setup cost, and licensing?

    Pricing was the main reason that we went ahead with this solution as they were the lowest in the market.

    What other advice do I have?

    Overall performance of this solution is not terrible but it does not offer new age features. If you want to integrate with other solutions or complete testing in the cloud, this is not the right solution. I would advise others considering this solution to complete a proper proof of concept or to run a pilot before implementing it.

    I would rate this solution a three out of ten. 

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Innovation manager at a computer software company with 51-200 employees
    Real User
    Top 20
    Affordable and easy to expand but needs better performance
    Pros and Cons
    • "It was easy to set up."
    • "Sometimes it doesn't work so well."

    What is our primary use case?

    I have a set project, and I'm writing an application for monitoring server status, and I tried several times to scan it with AppScan in order to understand if there are vulnerabilities in my code.

    What is most valuable?

    The dynamic scan, the DAST tool, dynamic applications scanning and testing tool, is great.

    It was easy to set up.

    It's a stable solution.

    The product is easy to scale. 

    The solution is affordable and reasonably priced.

    What needs improvement?

    The performance could be better. Sometimes it doesn't work so well. There's a tool for connecting the cloud with the application server. Sometimes it doesn't work really well.

    I have not come across any missing features. 

    For how long have I used the solution?

    I've been using the solution for six months. It's been less than a year so far. 

    What do I think about the stability of the solution?

    The solution has been stable. There aren't bugs or glitches. It doesn't crash or freeze. It's reliable. 

    What do I think about the scalability of the solution?

    So far, we've found the solution can scale well.

    How are customer service and support?

    I've reached out to support in the past. They are pretty good, however, they are also working from India, and I'm in Italy. There is a delay of course when I open a ticket. We have to wait a bit due to the time shift.

    Which solution did I use previously and why did I switch?

    We did not previously use a different solution. This was our first. 

    How was the initial setup?

    The initial setup is pretty simple and straightforward. It's not an overly complex or difficult process. 

    It took about one day to deploy the solution.

    What about the implementation team?

    I handled the initial setup on my own. I did not ask for help from any consultants or integrators. 

    What's my experience with pricing, setup cost, and licensing?

    I actually pay for tokens. Any time that I want to perform scanning, I have to pay for another token. It's pretty good for me, this system, as it's really, really nice when I need it. I just need to pay for it, and that's it.

    What other advice do I have?

    We are end-users.

    I'd rate the solution a seven out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Senior Manager, IT Test Automation Engineering at an outsourcing company with 10,001+ employees
    Real User
    Offers a few specific development languages but needs more languages and lacks good technical support services
    Pros and Cons
    • "The solution offers services in a few specific development languages."
    • "They have to improve support."

    What is most valuable?

    The solution offers services in a few specific development languages.

    What needs improvement?

    They have to improve support. Their support before, when it was IBM, was very good technical support. However, now it's very bad.

    They could add more language coverage. They don't cover so many development languages. They really should be covering more. If they did, it would be a huge improvement.

    How are customer service and technical support?

    The technical support is no longer any good. It's gone downhill since they were under IBM. Now, we are no longer satisfied with their level of service and we hope they will improve their services in the future.

    Which other solutions did I evaluate?

    I'm currently looking into Checkmarx. I'm evaluating their offering to see how it compares. This product lacks in many areas, and so we are looking at other options.

    What other advice do I have?

    I don't have information on the relationship HCL has with my company. My understanding is they are just a vendor for us.

    In general, I would rate them at a six out of ten. There are many areas in which they could improve, including by adding more languages and re-vamping their technical support. They are lacking in a lot of areas.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Manh Duong - PeerSpot reviewer
    General Manager at Groupe PROGEREAL- FINAREAL - PROMOREAL
    Real User
    Responsive support, simple implementation, and scalable

    What is most valuable?

    The most valuable feature of HCL AppScan is scanning QR codes.

    What needs improvement?

    The solution could improve by having a mobile version.

    For how long have I used the solution?

    I have been using HCL AppScan for approximately one year.

    What do I think about the stability of the solution?

    I have found HCL AppScan to be stable.

    What do I think about the scalability of the solution?

    HCL AppScan is a scalable solution. It can easily scale up and out.

    How are customer service and support?

    The support I have received has been good. I had an issue and I opened a ticket with support, and everything went smoothly.

    How was the initial setup?

    The initial setup of HCL AppScan is easy.

    What other advice do I have?

    I rate HCL AppScan an eight out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    VijayKumar16 - PeerSpot reviewer
    Global Business Development Executive - Applications, Data & AI Practice at Kyndryl
    Real User
    Top 10
    Stable and scalable but not user-friendly

    What is our primary use case?

    I mainly use AppScan for vulnerability scanning and database bridging.

    What needs improvement?

    AppScan is too complicated and should be made more user-friendly.

    For how long have I used the solution?

    I've been using HCL AppScan for three to four years.

    What do I think about the stability of the solution?

    AppScan is stable.

    What do I think about the scalability of the solution?

    AppScan is scalable.

    How are customer service and support?

    HCL's technical support is ok, but it could be faster and more responsive.

    How was the initial setup?

    The initial setup was complex and took about a day and a half.

    What other advice do I have?

    I would rate AppScan four out of ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.