HCL AppScan Room for Improvement

AnanyaRoy - PeerSpot reviewer
Risk Analyst at Deloitte

Maybe having some APIs could be helpful. If HCL AppScan is able to alert the clients over email once the scan is complete, it would be great. Right now, HCL AppScan doesn't let me know if the scanning part is finished or not, because of which I have to come back and check mostly. It would be helpful if the tool had some API gateway that would allow me to run some custom queries.

RR
Head of Data Link at Telecom Egypt

There is room for improvement in the pricing model. The price is very expensive.

Rishi Anupam - PeerSpot reviewer
Senior Manager at Airtel

The penetration testing feature should be included.

Buyer's Guide
HCL AppScan
March 2024
Learn what your peers think about HCL AppScan. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
768,246 professionals have used our research since 2012.
PD
Director at KPMG

We have experienced challenges when trying to integrate this solution with other products. When you compare it with the other SecOps products, the quality of the output is too low. It is not a new-age product. It is very outdated.

The weaknesses of this solution include integration ability, the interface and the quality of the output. It lacks a lot of features if you compare it with Fortify, Veracode or Coverity. It is not possible to integrate with the CI/CD pipeline as cloud-native functionalities are not supported. 

Gladwin Christian - PeerSpot reviewer
QA manager at SmartStream Technologies ltd.

My company wants a tool that does static scan and dynamic scan. My company generally expects to do a static and dynamic scan with HCL AppScan.

The solution's technical support team has certain shortcomings where improvements are required. The solution's technical support team generally fails to provide spot-on answers to issues. HCL's technical support team takes a lot of time to come up with a solution to a problem.

AnshulTomar - PeerSpot reviewer
Cyber Security Architect and Presales Consultant at Kyndryl

They could add a software component analysis tool. Additionally, it could cater to the areas related to scanning container packages and images in the repository.

SG
Application Security Engineer at a transportation company with 1,001-5,000 employees

It's very accurate, although there might be a few false positives, but you can configure those out.

In future releases, I would like to see more aggressive reports. I would also like to see fewer false positives.

There is room for improvement in pricing as well. 

Also, support for mobile apps would be better. Right now, we're only using it for web applications.

RN
Principal Architect, Application Build Security at a transportation company with 10,001+ employees

The dashboard for AppScan or the Fortified fast tool, which we use, needs to be improved. We always raise that as an announcement request because statistics gathering or management reports based on statistics are quite important. That is the only generic feature that we always request from the product team. The standard response is "Yes, it is in the pipeline, we will take a look."

We would like to see all of the results in the same product. However, specific products for a specific test are available on the market. For example, you cannot upload the task report to the DAST report dashboard and instead request that the product team or vendor team create a sophisticated dashboard for that. Definitely, they will say, "No, it is not possible because you have a DAST tool on the market. Go and purchase that. It will have your dashboard." If you're a DevSecOps team, and you ask me, I would like to see all of the reports uploaded and collaborated on the same dashboard of the particular product. This is the reason we are using an open-sourced vulnerable management tool.

JH
Security Engineer at KEPCO KDN

The product has some technical limitations. Finding critical things with the solution is difficult because most organizations update their systems. We find the product vulnerabilities manually.

FP
Senior Manager - IT Security & ISMS at Ericsson

The tool should improve its output. Scanning is not a challenge anymore since there are many such tools available in the market. The product needs to focus on how its output is being used by end users. It should be also more user-friendly. One of the major challenges is in the tool's integration with applications that need to be scanned. Sometimes, the scanning is not proper. 

Miar Ahmad - PeerSpot reviewer
Software Engineer at Inspire for Solutions Development

As a developer who has been studying and working in the security product industry for several years, I have been impressed by HCL's progress. Although the cost of their product is competitive, I believe they could make it even better by increasing their database size. Companies like Tenable have much larger databases when it comes to vulnerabilities and portals, and even though HCL is connected with other vendors such as Microsoft, their database is not as expansive. The databases for HCL are small and have room for improvement.

HCL already has four solutions: Standard, Enterprise, Open Source, and the Cloud. Perhaps in a future release, HCL can add AI products. Manual work would be made easier with artificial intelligence. Maybe HCL could develop an AI program for scanning.

TH
Director For Security Products at a manufacturing company with 10,001+ employees

IBM Security AppScan Source is rather hard to use. Some improvements need to be made to the usability for AppScan Source, specifically. Our biggest problem, we have a lot of code and everything just ends up looking like spaghetti after we run an AppScan Source. It is hard to evolve from one rev to the next. Trying to reuse the things we have found in a previous release to the next release is too hard.

JB
Solutions Architect at a tech vendor with 10,001+ employees

I do not have any notes for improvements. 

They should have a better UI for dashboards. It would be nice to have visualizations such as pie charts. This would help administrators and be more of a value-add. 

Basit Shah - PeerSpot reviewer
Software Quality Assurance Engineer at IT22

It would have been better if we could use it on our desktop. A desktop version should be added.

CV
CTO at SAQ

The solution needs to improve in some areas. The tool needs to add more languages. It also needs to improve its speed.

Manh Duong - PeerSpot reviewer
General Manager at Groupe PROGEREAL- FINAREAL - PROMOREAL

The solution could improve by having a mobile version.

Yong Seok Kang - PeerSpot reviewer
Technical Consultant at MTRiver Consulting

HCL AppScan needs to improve security. 

SH
Owner/ Consultant at a tech services company with 1-10 employees

The solution often has a high number of false positives. It's an aspect they really need to improve upon. 

The product has vulnerabilities, or findings, that are almost identical in nature. 

AR
Scientific Officer at a tech services company with 51-200 employees

HCL AppScan generates false results. Sometimes, it incorrectly identifies requests as vulnerable when they are not vulnerable. In the ADSL feature managed, the primary objective is to identify application security vulnerabilities. However, sometimes AppScan wrongly flags something as a vulnerability when it's not present, which we call a false positive.

it_user841956 - PeerSpot reviewer
Director Of Product Cyber Security at an aerospace/defense firm with 10,001+ employees

I think being able to search across more containers, especially some of the Docker elements. We need a little tighter integration there. That's the only thing I can see at this point.

EE
Innovation manager at a computer software company with 51-200 employees

The performance could be better. Sometimes it doesn't work so well. There's a tool for connecting the cloud with the application server. Sometimes it doesn't work really well.

I have not come across any missing features. 

David Mawazo - PeerSpot reviewer
Chief Information Officer at TeleTracking Technologies, Inc.

The pricing has room for improvement.

VijayKumar16 - PeerSpot reviewer
Global Business Development Executive - Applications, Data & AI Practice at Kyndryl

AppScan is too complicated and should be made more user-friendly.

FM
Senior Manager, IT Test Automation Engineering at an outsourcing company with 10,001+ employees

They have to improve support. Their support before, when it was IBM, was very good technical support. However, now, it's very bad.

They could add more language coverage. They don't cover so many development languages. They really should be covering more. If they did, it would be a huge improvement.

EO
Senior Security Specialist at a transportation company with 10,001+ employees

It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good.

it_user842904 - PeerSpot reviewer
CTO at Anzen

I would love to see more containers. Many of the tools are great, but they require an amount of configuration, setup and infrastructure. If most of the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers.

it_user634890 - PeerSpot reviewer
Chief information with 5,001-10,000 employees

We are moving a lot into mobile. While the solution does have a lot of functionalities in mobile, we are trying to expand it more aggressively.

We would like to see a check in the specific vulnerabilities in mobile applications or rooted devices, such as jailbreaking devices.

We would like to see what type of exposure we have in those specific devices.

it_user483672 - PeerSpot reviewer
Security Consultant at a tech vendor with 501-1,000 employees
  • Better detection of DOM-based XSS
  • Better remediation guidance using code examples and contexts
TD
General Manager at a consultancy with 51-200 employees

There are some false positives, which need to be removed, but this is common with all types of scanners.

One thing which I think can be improved is the CI/CD Integration. There is a CI/CD Integration model, but I guess they are deliberately not using it currently. There are challenges when integrating AppScan with CI/CD because sometimes the activation plus the login mechanism provided doesn't work properly. Sometimes a login mechanism fails and then the whole scan fails. It's difficult to integrate with CI/CD.

it_user840837 - PeerSpot reviewer
Manager at a tech vendor with 501-1,000 employees

I believe there are improvements that can be made, but I'm not aware of those kinds of things.

it_user840909 - PeerSpot reviewer
Managing director at Accenture

One thing that we would like in this tool is that it keeps ahead of the security guys, because one big advantage of this tool is that it always offers updates. Security is a process: you mitigate a risk, but the malware guys, they're trying to find another security hole in your environment. And the technology is evolving. So new security vulnerabilities are in the software. The point is, I hope that IBM continues improving and launching new versions, new upgrades, that can mitigate those security risks.

That's the most important value. It's not the tool itself, but the continuous enhancement of the tool. That's why we recommended this tool.

PN
Security Consultant at a consultancy with 10,001+ employees
  • It has crashed at times
  • Scans become slow on large websites
  • Many silly false positives are produced
MH
Senior Cloud Architect at a tech company with 1,001-5,000 employees

More seamless integration with Fortinet's technologies as this would make our customers happy. At the moment, it is a good integration, but it is the first time that we have done it. Therefore, there needs to be more integration within our fabric, so it is less obvious.

Visibility is an issue for us. Our partners were not even aware that we had an integration with AppSense. They do not know we have integrations with some of IBM's products. Part of this is that our marketing budget is small compared to IBM's.

I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources. We are not like IBM, which is huge. We need to prioritize which engineer will work on which technology. 

With QRadar, it has better integration because we have been working with it for a while and there is a roadmap. There are always new things coming out.

SC
Chief researcher at INSEC Security

It would be nice to be able to specify the parameter values used in the login sequence function.

JS
Cybersecurity Architecture and Technology Lead at Appxone

While I did not identify any specific bugs in this application, I did find that sometimes a restart was needed to deal with unresponsiveness, meaning when AppScan is in a hang situation. This usually happens when you select a large number of sources.

IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications.

it_user634947 - PeerSpot reviewer
Application Security Consultant at a financial services firm with 10,001+ employees

We would like to be able to integrate to some of the other tools that we are using. That would be great. We would like to integrate with some of the other reporting tools that we're planning to use in the future.

it_user841920 - PeerSpot reviewer
Business Development Manager at a tech services company with 10,001+ employees

There is not a central management for static and dynamic. This would be great, at least with competition such as Micro Focus.

it_user279198 - PeerSpot reviewer
CEO at a government

I haven't actually used it personally, so I'm not sure that I would be able to answer this.
