
HCL AppScan Overview

HCL AppScan is the #13 ranked solution in AST tools and the #16 ranked solution in application security solutions. PeerSpot users give HCL AppScan an average rating of 6.6 out of 10. HCL AppScan is most commonly compared to SonarQube: HCL AppScan vs SonarQube. HCL AppScan is popular among the large enterprise segment, accounting for 71% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from computer software companies, accounting for 26% of all views.
HCL AppScan Buyer's Guide

Download the HCL AppScan Buyer's Guide including reviews and more. Updated: September 2022

What is HCL AppScan?

IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.

HCL AppScan was previously known as IBM Security AppScan, Rational AppScan, AppScan.

HCL AppScan Customers

Essex Technology Group Inc., Cisco, West Virginia University, APIS IT


Archived HCL AppScan Reviews (more than two years old)

PeerSpot user
Cybersecurity Architecture and Technology Lead at Appxone
Consultant
A low rate of false positives translates to a savings in time
Pros and Cons
  • "This solution saves us time due to the low number of false positives detected."
  • "IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications."

What is our primary use case?

The primary use case is to detect time-based Blind SQL Injection attacks, as well as Error-Based Injection attacks. The SQL injection attack is my favorite and I have more expertise in this vulnerability.

How has it helped my organization?

This solution saves us time due to the low number of false positives detected. Other scanners have an issue with respect to reporting false positives.

What is most valuable?

The most valuable feature is that it achieves a very low false-positive detection rate.

What needs improvement?

While I did not identify any specific bugs in this application, I did find that sometimes a restart was needed to deal with unresponsiveness, meaning when AppScan is in a hang situation; this usually happens when you select a large number of sources.

IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications.


For how long have I used the solution?

One to three years.

Which solution did I use previously and why did I switch?

We previously used Burp Suite. This application is best for static scanning.

How was the initial setup?

Complex

Which other solutions did I evaluate?

We also evaluated Acunetix and Nexpose.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Chief researcher at INSEC Security
Real User
The depth was low, but the part that the user could miss was also diagnosed

What is our primary use case?

External and internal web application vulnerability scan.

How has it helped my organization?

  • We were able to easily diagnose a large number of web applications automatically.
  • The depth was low, but the part that the user could miss was also diagnosed.

What is most valuable?

AppScan seems to be very good at detecting reflected XSS vulnerabilities. This increases the security of web applications that are in operation.

What needs improvement?

It would be nice to be able to specify the parameter values used in the login sequence function.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user840837 - PeerSpot reviewer
Manager at a tech vendor with 501-1,000 employees
Real User
Scalable and powerful, helps find errors in the code base

What is our primary use case?

Our clients use it to try to find errors in base code, and also to find how solutions work together.

I believe they have on-premise usage; they are local government, so they are not very used to using the cloud.

How has it helped my organization?

I'm mainly working on the licensing side and not the technical side, so I don't get this kind of feedback.

What is most valuable?

Scalability, and it's a very powerful tool.

What needs improvement?

I believe there are improvements that can be made, but I'm not aware of those kinds of things.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It's stable.

What do I think about the scalability of the solution?

For the market in Finland, when we are talking about a mid-size company, it equals a small company here in the USA, but they are mainly from 1,000 users to 10,000 users.

How is customer service and technical support?

Tech support is responsive. With the local support I get all the help I need. I'm a former IBMer, so I know the right contacts, so it's quite simple to work.

How was the initial setup?

I think it's a little bit complex, and that's quite a common issue with most of the IBM products.

Which other solutions did I evaluate?

Some of the customers are using office open-source tools, but most are not using a tool at all. So, that's the competition. Of course, they are thinking about return on investment because it's quite an expensive tool and they won't take it back.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user841920 - PeerSpot reviewer
Business Development Manager at a tech services company with 10,001+ employees
Reseller
The static scans are good, though there is no central management

What is our primary use case?

It is an application for security assessment or scanning for static environments.

With all customers, it is performing well.

What is most valuable?

The static scans are good, and the SaaS as well. 

What needs improvement?

There is no central management for static and dynamic. This would be great, at least with competition such as Micro Focus.

For how long have I used the solution?

Less than one year.

How is customer service and technical support?

The technical support is knowledgeable. However, our issue is not enough resources supporting our region. For Dubai, which is in the Gulf region, we need more technical support resources.

How was the initial setup?

The initial setup is not that complex.

What other advice do I have?

Most important criteria when choosing to partner with a company: I started working with IBM only one year back. When I started a partnership with them, IBM had the security portfolio which covered most of the region where my customers were. IBM has a name for support, along with the quality of its products.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
PeerSpot user
Senior Cloud Architect at a tech company with 1,001-5,000 employees
Real User
Provides a better integration for our ecosystem, but we are still waiting to see the roadmap
Pros and Cons
  • "It provides a better integration for our ecosystem."
  • "You can easily find particular features and functions through the UI."
  • "Visibility is an issue for us. Our partners do not know we have integrations with some of IBM products."
  • "I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources."

What is our primary use case?

We integrate AppSense with Fortinet FortiGate Next-Generation Firewall products. This integration is new for us, but so far, we have had good results. However, it is a new integration. 

Fortinet has a lot of potential and integrations going on with IBM: QRadar, AppSense, and IBM Cloud.

How has it helped my organization?

It provides a better integration for our ecosystem. From a Fortinet perspective, this can lead to integration of selling our own products.

What is most valuable?

Its integration from a UI perspective. You can easily find particular features and functions through the UI. 

For its first initial release, the integration was pretty good.

What needs improvement?

More seamless integration with Fortinet's technologies as this would make our customers happy. At the moment, it is a good integration, but it is the first time that we have done it. Therefore, there needs to be more integration within our fabric, so it is less obvious.

Visibility is an issue for us. Our partners were not even aware that we had an integration with AppSense. They do not know we have integrations with some of IBM products. Part of this is our marketing budget is small compared to IBM's.

I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources. We are not like IBM, which is huge. We need to prioritize which engineer will work on which technology. 

With QRadar, it has better integration because we have been working with it for a while and there is a roadmap. There are always new things coming out.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

Unknown. We are too new to the product.

What do I think about the scalability of the solution?

Unknown. We are too new to the product.

How is customer service and technical support?

The IBM technical support staff are good.

What other advice do I have?

Have a look at the competitors as well. There is more than one vendor in the market. I would definitely do your due diligence.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PeerSpot user
it_user279198 - PeerSpot reviewer
CEO at a government
Vendor
Easy to use and gives good insights into vulnerabilities

What is our primary use case?

We use it for all website development and web-based applications, as part of our development test cycle and QA.

We also routinely use it on existing applications in production because, in terms of security and vulnerabilities, some of the latter exist on some of the platforms that we run. So we run it from time to time, to do some security checks, etc.

How has it helped my organization?

It has certainly improved our organization in terms of the quality of solutions that are developed.

What is most valuable?

I think it's easy to use and gives back some pretty good results, certainly for vulnerabilities.

What needs improvement?

I haven't actually used it personally, so I'm not sure that I would be able to answer this.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It's pretty stable.

What do I think about the scalability of the solution?

It's scalable. We just did a review of the product itself, and it's something that we've decided to keep and continue using.

How is customer service and technical support?

Support: I'll just leave it at "good."

How was the initial setup?

This particular product is one of the easier products to set up.

What other advice do I have?

We've had a relationship for some time, over 20 years now, with IBM. It's really about the products, in terms of what we are looking for. That's really the deciding factor in deciding whether we'd use them for a particular solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user844479 - PeerSpot reviewer
People Leader Of Cyber Strategy And Solutions at an insurance company with 10,001+ employees
Real User
We are now deploying fewer defects to production
Pros and Cons
  • "We leverage it as a quality check against code."
  • "We are now deploying fewer defects to production."

    What is our primary use case?

    It is used as a last check before moving code to production. Therefore, it is used as a developer tool.

    How has it helped my organization?

    With AppScan, we are now deploying fewer defects to production.

    What is most valuable?

    We leverage it as a quality check against code.

    For how long have I used the solution?

    Less than one year.

    What do I think about the stability of the solution?

    No stability issues.

    How are customer service and technical support?

    We have a strong partnership with IBM. Their tech support is very knowledgeable.

    Which solution did I use previously and why did I switch?

    We were using something else (a competing product of IBM), but we switched to AppScan because it is reliable.

    What other advice do I have?

    Most important criteria when selecting a vendor: At the end of the day, it would have to be the support and relationship. There are a lot of smart people out there building products which do things. However, not everyone can use them, and without having someone to call, it is sort of its own disadvantage. 

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    it_user842904 - PeerSpot reviewer
    CTO at Anzen
    Real User
    Ethical hacking during application deployment is almost clean, every time
    Pros and Cons
    • "Usually when we deploy the application, there is a process for ethical hacking. The main benefit is that, the ethical hacking is almost clean, every time. So it's less cost, less effort, less time to production."
    • "I would love to see more containers. Many of the tools are great, but they require an amount of configuration, setup and infrastructure. If most of the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers."

    What is our primary use case?

    We develop software, and the software is property of our clients. So we want to ensure the highest quality possible, and assist the financial side. We want the application to be as secure as possible. AppScan has helped us to identify a lot of issues; we can find them before they reach a new environment. We catch them, we fix them, and we can offer a higher quality product to our clients.

    We test on cloud.

    In terms of the transition process from on-prem solutions, it was not so hard because we've been IBM partners for eight years. From the beginning, we started developing on those platforms. So it was a natural migration; we were "born" with those applications on those platforms.

    How has it helped my organization?

    Usually when we deploy the application, there is a process for ethical hacking. The main benefit is that, the ethical hacking is almost clean, every time. So it's less cost, less effort, less time to production.

    AppScan has absolutely contributed to the maturity of our AppSec risk management. I would rate that maturity at only nine out of 10 because there are things that we could be doing better. Not only because of our internal processes, but because we need to adapt to the clients' processes, and that adapting always has small gaps. But generally, it's pretty awesome.

    We don't use it to security test open-source applications but we do use it for open-source models, or libraries.

    What is most valuable?

    It helps you to enforce security practices, beyond the reach of just operations and training. So give the training, but besides that you can detect some deviations in the development process. I think that's the most valuable of all the features.

    What needs improvement?

    I would love to see more containers. Many of the tools are great, but they require an amount of configuration, setup and infrastructure. If most of the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers.

    What do I think about the stability of the solution?

    I'm not sure what it's like on the current version, but the previous version had some small issues, some crashes.

    With the latest upgrade (I'm not sure what version, I think it was 8), I've seen no major issues; some small glitches, but nothing really major.

    What do I think about the scalability of the solution?

    Since we're in development, we don't usually have issues with scalability because it's only one application.

    How are customer service and technical support?

    Generally speaking, their tech support is good.

    Which solution did I use previously and why did I switch?

    Usually our clients want to build in-house, but when we present the benefits of a product already built and, out of the box, it can offer a lot of features and can solve the problem right now... 

    Sometimes the cost is equivalent to development, but it's more your product. 

    A key factor for decision making is the release time. I can release in two months, or it can be released in six months, so that's a critical factor: price versus release date.

    How was the initial setup?

    It's complex. Our main client is Citigroup. It's complicated because of the size of the client and all of the internal processes. So it's really a pain, not to blame IBM, not to blame us, not to blame them, but all of the ecosystem is complex.

    Which other solutions did I evaluate?

    Our clients evaluate Oracle, sometimes Microsoft. Our clients go with IBM, in Mexico, mainly because of the support. You can get more hands-on experienced people on IBM platforms than Oracle's, so if there is an issue - we always have issues - they get fixed more quickly on IBM than Oracle.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
    PeerSpot user
    TimHill - PeerSpot reviewer
    Director For Security Products at a manufacturing company with 10,001+ employees
    Real User
    It has helped us find vulnerabilities in our software, though AppScan Source is rather hard to use
    Pros and Cons
    • "It has certainly helped us find vulnerabilities in our software, so this is priceless in the end."
    • "​IBM Security AppScan Source is rather hard to use​."
    • "There are so many lines of code with so many different categories that I am likely to get lost. ​"

    What is our primary use case?

    We use it prior to product releases. The web scan portion is used to find vulnerabilities, for example, if we have opened up any ports that we should not have. The source scan is used to look for similar types of vulnerabilities. However, at the source code level, it is scanning the source code, whereas the web scan is hitting ports trying to overload it. Thus, we use both of these types of scans before every product release of several of our products.

    We have it installed on-premise, although we have a guy who is looking at the cloud version.

    How has it helped my organization?

    It has certainly helped us find vulnerabilities in our software, so this is priceless in the end. 

    IBM Application Security has contributed to the maturity of our AppScan risk management program.

    While it depends on the product, on average ten percent of our code is open source. Many products are either zero percent open source or maybe up to ten percent. They could possibly be up to twenty percent open source, but never more than that.

    What is most valuable?

    The most valuable feature is the web scan from our perspective. Being able to quickly find the vulnerabilities if any developer has inadvertently put them in. The source scan is of value, but it is so hard to use that it is of less value.

    What needs improvement?

    IBM Security AppScan Source is rather hard to use. Some improvements need to be made to the usability for AppScan Source, specifically. Our biggest problem is that we have a lot of code, and everything just ends up looking like spaghetti after we run an AppScan Source. It is hard to evolve from one rev to the next. Trying to reuse the things we have found in a previous release to the next release is too hard.

    What do I think about the stability of the solution?

    It is perfectly stable.

    What do I think about the scalability of the solution?

    Scalability is good. However, this ties into the usability a little bit, because we have a million lines of code in one product and this is part of what makes AppScan Source so difficult to use. There are so many lines of code with so many different categories that I am likely to get lost. 

    What other advice do I have?

    AppScan Web is good, and it does a good job.

    For AppScan Source, you might find a better solution out there. We are not actively looking for a better solution right now, and are just using it. However, if somebody else was starting from scratch, that is what I would tell them.

    Most important criteria when selecting a vendor: quality of the software.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
    PeerSpot user
    Senior Security Specialist at a transportation company with 10,001+ employees
    Real User
    Contributes to maturity of our AppSec risk management, but Web Services testing is basic
    Pros and Cons
    • "I like the recording feature."
    • "It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good."

    What is our primary use case?

    Our use case is that we always test our applications with AppScan before going to the production side. We have been using it for many years. It's honestly one of the best products in the application security portfolio.

    We aren't using it on the cloud.

    How has it helped my organization?

    It has contributed to the maturity of our AppSec risk management program. I would rate that maturity level as eight out of 10. The testing part of your application's security is very valuable. You can't avoid that.

    Applications are the faces of companies to the world. How much your application is secure equals how much your brand is secure. AppScan is a very major part of the story.

    We don't use it to test open-source code.

    What is most valuable?

    There's a recording feature that I really like. You pass through the login pages. If you record the login part, it becomes very fast with the solution.

    What needs improvement?

    It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good.

    What do I think about the stability of the solution?

    We experienced some performance problems at times, but it's actually not about the application. It depends on the hardware you use, the power of the CPUs, memory, nothing except that.

    What do I think about the scalability of the solution?

    In terms of scalability, we don't need much. So I can't really answer this question.

    How is customer service and technical support?

    I like IBM technical support as a whole. It was a really good experience.

    What other advice do I have?

    When selecting a vendor we look for:

    • a global brand
    • support
    • user friendliness
    • cost, and the license models.

    I would recommend AppScan.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    it_user841956 - PeerSpot reviewer
    Director Of Product Cyber Security at an aerospace/defense firm with 10,001+ employees
    Vendor
    The ease of use is key, the developers can actually use it and get results from dynamic testing
    Pros and Cons
    • "For me, as a manager, it was the ease of use. Inserting security into the development process is not normally an easy project to do. The ability for the developer to actually use it and get results and focuses, that's what counted."
    • "I think being able to search across more containers, especially some of the docker elements. We need a little tighter integration there. That's the only thing I can see at this point."

    What is our primary use case?

    We use IBM AppScan for a dynamic assessment of the development of our code, so we're looking for something that will actually help us through our entire security development lifecycle.

    It has performed better than we expected. We were able to use it quite often, use the server IDE to help test our code before we go into a full test. And it's helped point out some things we had to correct.

    We're using it on the cloud. That particular solution we've been using on the cloud because it's a cloud instance, so the transition from going from one to the other wasn't there because we already had our cloud. We were able to use it because we had nothing else there. It helped fill a need that we really had.

    How has it helped my organization?

    It helps the organization the way we process the entire thing. It has actually helped a little bit with the speed of delivery too, which was surprising because most people thought it would be the other way around.

    IBM Applications Security has contributed to the maturity of our AppSec risk management program. We've been working on our risk management program overall, for security development, and this has been a great asset to have.

    We also use the solution to security test open-source applications. I'd say better than 70-75% of our applications are open-source. To me, a lot of people overly focus on open-source. That's because they believe that all the closed-source or proprietary is, in fact, secure. That's not necessarily the case. The issue is, when you take code and you're combining these different proprietary and open-source packages, you have to test them all in the context where you're using them. And therein is the real issue. To me, it's not so much about the open-source, it's about all code. I believe all code has something that I have to look at.

    We have a number of projects running concurrently, so I look at the aggregate. I try not to go to what's done on a single product. However, having said that, since we had nothing in dynamic and now we do, that's a huge improvement. You might say then that it was 100% improvement. I don't know if I would give it quite that number, but it is a huge improvement. It's quite near that number.

    What is most valuable?

    For me, as a manager, it was the ease of use. Inserting security into the development process is not normally an easy project to do. The ability for the developer to actually use it and get results and focuses, that's what counted.

    What needs improvement?

    I think being able to search across more containers, especially some of the docker elements. We need a little tighter integration there. That's the only thing I can see at this point.

    What do I think about the stability of the solution?

    I haven't had any issues with stability so I think it's fine.

    What do I think about the scalability of the solution?

    We're in the process of testing scalability, so I can't really speak to how broad that is because we're just parring up our entire installation of it. I am looking across other parts in our business where our more traditional products are that connect. So, we're looking to see how that scales. But, overall it's looking good.

    How are customer service and technical support?

    Once we got into the queue, we got a fantastic turnaround.

    Which solution did I use previously and why did I switch?

    Here I have an unfair advantage. I came out of a large security company, and because of my experience and the fact that we had a need, I looked around for the best solutions that were available. There were a lot of competitors. The question was, how well it would integrate with our process, since we were developing a full SDL with security tool check-points. AppScan fit that very well.

    The most important criteria when selecting a vendor were that it had a great product, but I had to have a product that I could integrate and automate. For me, it wasn't a matter if it was best in breed, they had the neatest slice of cheese. What I was looking for was, could it integrate and automate? If it couldn't, they weren't on the selection list.

    How was the initial setup?

    I didn't do the work but I directed it.

    There were a couple of steps where we had to have some help. But at the same time, we just put in an engagement for a Professional Services to do it quicker, do the integration, to make it tighter for us. We're just waiting for the final part of that to be signed so we can actually move forward.

    Which other solutions did I evaluate?

    Veracode, Synopsys, and a few others. What made us go with IBM was the integration and automation efforts; what it would do there, and the fact that it did so well at what AppScan does, which was in the dynamic testing.

    What other advice do I have?

    In terms of rating it, because I haven't had it installed long enough, and we haven't finished all the integration because of the Professional Services yet, I'd say it's rating really well, toward excellent. But it's just one of those things, until you see all the proof in the pudding...

    As of right now I would rate it an eight out of 10.

    The advice I would give to a colleague is, first, know your development process and where it's weak. From there, insert secure development, realize that it's not about the tool, it's about the process of development. Then find the tools that solve that. For us the key was, could it integrate, could it automate, and could it make the developer's workload easier? That's what we looked for.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    it_user840909 - PeerSpot reviewer
    Managing director at Accenture
    Real User
    It indicates several grades of code vulnerabilities, so we can focus on the most severe first
    Pros and Cons
    • "It highlights, with several grades of severity, the types of vulnerabilities, so we can focus on the most severe security vulnerabilities in the code."

      What is our primary use case?

      It is used for a DevOps environment, to perform a security profile, a code profile assessment. When you are building your software code, before finishing the build process and deploying to production, we run AppScan to figure out any security vulnerabilities in the code. It's called static analysis of the code.

      How has it helped my organization?

      It decreases the operational risk, security risk, a lot. In fact, when we first used it, the number of vulnerability alerts generated by the tool was huge. As time goes on, we can decrease those vulnerabilities because we learn from it. So, in the next release of the software, or new software that we have to develop, we know upfront that we should take care of some of the characteristics of the software.

      What is most valuable?

      It highlights, with several grades of severity, the types of vulnerabilities, so we can focus on the most severe security vulnerabilities in the code.

      What needs improvement?

One thing that we would like in this tool is that it keeps ahead of the security guys, because one big advantage of this tool is that it always offers updates. Security is a process, you mitigate a risk, but the malware guys, they're trying to find another security hole in your environment. And the technology is evolving. So new security vulnerabilities are in the software. The point is, I hope that IBM continues improving and launching new versions, new upgrades, that can mitigate those security risks.

      That's the most important value. It's not the tool itself, but the continuous enhancement of the tool. That's why we recommended this tool.

      What do I think about the stability of the solution?

      It's pretty stable. No issues as far as I can remember. 

      What do I think about the scalability of the solution?

      It's scalable. In the beginning, we found some issues regarding installing the tool in an open-source Jenkins environment - Jenkins is a tool for open-source. Jenkins and other tools, they automate the process. Those tools call AppScan in a way to generate a proper time to do this. But after a couple of discussions, we solved the problem, so we don't have any issues anymore.

How are customer service and technical support?

      I think it is pretty good. They answer in a very fast manner.

      How was the initial setup?

      It's pretty straightforward to install and use it.

      Which other solutions did I evaluate?

      One competitor that I remember, one of the last candidates in the evaluation process was Checkmarx. Those tools, especially from startups that come from Israel, they try to grab this market space that IBM dominates.

      That's why they have to take care in terms of the price; the price model. But other than that, it would be unbeatable.

      What other advice do I have?

      The most important criteria when selecting a vendor, first of all, is their capability to continuously invest in the development and enhancement of the software. We are in a very changing process, software is a very changing environment, in terms of the technology. If you develop a tool, launch this tool, but don't have enough commitment to upgrade, to continuously enhance, it's not worth it. That's why I think IBM has a good presence in this area.

      My advice would be, don't see only the cost. Try to see the capability of the tools and, besides that, as I have stressed in this review, the capability of the vendor to invest in enhancing and mitigating the risks that will come. New risks, new threats, security threats, will appear. If you don't have a company that is continuously enhancing its software, there will be a problem.

      I would rate this product a nine out of 10. The reason I don't give it a 10 is because AppScan is a little bit expensive. IBM needs to work a little bit on the pricing model, decreasing the license cost. But with the maintenance - and the maintenance is the most important, as I told you, because it has to continuously enhance the tool to mitigate the increasing malware in the future - IBM could recover the investment and meet their target margins in another way.

      Unfortunately, there is a big discussion if it is very expensive, to use it or not, and there are competitors. I see competitors trying to grab this market.

      But from the point of view of quality, very excellent quality, it's above all the tools that I have worked with.

      Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
      PeerSpot user
      Prasoon Nigam - PeerSpot reviewer
      Security Consultant at a consultancy with 10,001+ employees
      Real User
      Simplifies our work by allowing us to do multiple website scans together

      How has it helped my organization?

      IBM AppScan has made our work easy, as we can do four to five scans of websites at a time, which saves time when it comes to vulnerability.

      What is most valuable?

      Many features are valuable but some features stand out, like using our own scripts, and capturing the authentication.

      What needs improvement?

      • It has crashed at times
      • Scans become slow on large websites
      • Many silly false positives are produced

      For how long have I used the solution?

      One to three years.

      What do I think about the stability of the solution?

      Yes, sometimes we encounter stability issues.

      What do I think about the scalability of the solution?

      Yes, sometimes we encounter scalability issues.

      How are customer service and technical support?

      I would rate tech support a seven out of 10.

      Which solution did I use previously and why did I switch?

      Yes. We switched because they made our work easier, with fewer false positives.

      How was the initial setup?

      It was simple, once we watched many video tutorials and read PDFs to learn about it.

      Which other solutions did I evaluate?

Yes, I used Acunetix and open-source tools.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      it_user634947 - PeerSpot reviewer
      Application Security Consultant at a financial services firm with 10,001+ employees
      Real User
      We can find security vulnerabilities.
      Pros and Cons
• "It is easy to use. It is quick to find things, because of the code scanning tools. It's quite simple to use and it is very good the way it reports the findings."
      • "We would like to integrate with some of the other reporting tools that we're planning to use in the future."

      How has it helped my organization?

The benefits are that we can find security vulnerabilities fast, get that back to development teams, and report on those. They can then act, fix the issues, and we'll have secure code in place.

      What is most valuable?

It is easy to use. It is quick to find things, because of the code scanning tools. It's quite simple to use and it is very good the way it reports the findings.

      What needs improvement?

      We would like to be able to integrate to some of the other tools that we are using. That would be great. We would like to integrate with some of the other reporting tools that we're planning to use in the future.

      What do I think about the stability of the solution?

      I think it's quite stable.

      What do I think about the scalability of the solution?

      So far scalability is pretty good.

How are customer service and technical support?

      We're really happy with technical support. They are great and very responsive.

      How was the initial setup?

      I was not involved in the initial setup.

      What other advice do I have?

      What I look for most in a vendor is the product, the offer, the service, the vendor service, and after sale support.

      I would definitely recommend this product.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      it_user634890 - PeerSpot reviewer
      Chief information with 5,001-10,000 employees
      Vendor
      We use it to find breaches in apps while they are in development.
      Pros and Cons
      • "It comes with all of the templates that we need. For example, we are a company that is regulated by PCI. In order to be PCI compliant, we have a lot of checks and procedures to which we have to comply."
      • "We would like to see a check in the specific vulnerabilities in mobile applications or rooted devices, such as jailbreaking devices."

      How has it helped my organization?

      Before we had this solution, our security team was doing manual reviews with the scripts. This would take us a lot of work hours and a lot of people were involved in the process.

      Now we just send it to AppScan and we can do other stuff like defining processes or dealing with management issues. We can focus on other aspects of our security.

      It helps us avoid any downtime in the applications when they are already in production. It also prevents any vulnerability or security breaches.

      What is most valuable?

      We are currently using it in the integration of our agile process so we can find any breaches in the apps while they're in the development process. We can then fix breaches before they go into a production environment.

      It comes with all of the templates that we need. For example, we are a company that is regulated by PCI. In order to be PCI compliant, we have a lot of checks and procedures to which we have to comply.

      That being said, we have to be very rigorous about what we are protecting, such as the type of data and the code itself. Having those features in the app is a huge must.

      What needs improvement?

      We are moving a lot into mobile. While the solution does have a lot of functionalities in mobile, we are trying to expand it more aggressively.

      We would like to see a check in the specific vulnerabilities in mobile applications or rooted devices, such as jailbreaking devices.

      We would like to see what type of exposure we have in those specific devices.

      What do I think about the stability of the solution?

      There have been no stability issues so far. It has handled anything that we have sent to it.

      The number of events we receive per day depends on many factors. The events mostly occur when we charge a new code into AppScan to find the vulnerabilities.

      For example, we found ten vulnerabilities with the solution. We can see what our mistakes were and we can try to avoid them the next time.

      This solution makes our job a lot easier for continuous vulnerability assessments and development processes.

How are customer service and technical support?

      We used technical support a couple months ago when we migrated from another version. We didn’t use them for an issue, but we got support to help us make the transition. They were very good.

      The whole migration process was done in just a couple of weeks. It was fast and it went according to our expectations. After a couple of weeks, we were operational and it was up and running.

      What other advice do I have?

      At the beginning, you need to know the reach and what you are expecting. The solution is not going to be a silver bullet that will fix everything in your app.

      You have to have a mature SDLC process for developers to follow. If they don't have that, AppScan could provide great insight in order to develop it. Once you have both things in motion, it runs automatically.

When looking for a vendor, we want to know if they will go beyond what is out-of-the-box. We want to see if they will tell us what additional features we can exploit in the solution.

      We want to know if they will provide us with knowledge about apps or code for a specific matter and if they can support our expectancy of growth in the near future.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      PeerSpot user
      Security Consultant at a tech vendor with 501-1,000 employees
      Vendor
      It detects cross-site scripting and SQL injection issues better than other tools.

      What is most valuable?

      The most valuable feature of this product is its capability to detect XSS and SQL injection.

      How has it helped my organization?

      Security issues reported by the tool help customers write secure code.

      What needs improvement?

      • Better detection of DOM-based XSS
      • Better remediation guidance using code examples and contexts

      For how long have I used the solution?

      I have used it for four years.

      What was my experience with deployment of the solution?

      I did not encounter any deployment, stability or scalability issues.

      Which solution did I use previously and why did I switch?

      I previously used HP WebInspect and Qualys.

I prefer AppScan, as it is much more user-friendly, and it detects cross-site scripting and SQL injection issues much better than other tools in the market. Also, it has a lower false-positive count than others.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
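The review above asks for better detection of DOM-based XSS. The following is an added illustration of what such a static check has to do, written for this page and not taken from AppScan or from the reviewer: a toy, line-oriented source-to-sink scanner that tracks which variables carry attacker-controlled URL data and flags lines that pass that data into an HTML or script sink without a recognised sanitizer. The sample code it scans is constructed, and `DOMPurify.sanitize` is assumed to be the project's chosen sanitizer; a real scanner would parse the code and track data across functions instead of matching lines.

```javascript
// Added example (not AppScan's code): a toy, line-oriented source-to-sink
// check for DOM-based XSS. Heuristic only: no real parser, no cross-function
// tracking, and only simple `name = expr` assignments are followed.

// Attacker-influenced inputs that reach the page through the URL or window.
const SOURCES = [
  'location.hash', 'location.search', 'location.href', 'document.URL',
  'document.documentURI', 'document.referrer', 'window.name',
];
// Calls treated as sanitizers. DOMPurify.sanitize is assumed to be the
// project's chosen HTML sanitizer (an assumption for this example).
const SANITIZERS = ['DOMPurify.sanitize('];

// Sinks that interpret their argument as HTML or script.
const PROPERTY_SINK = /\.(innerHTML|outerHTML)\s*=\s*(.+)$/;
const CALL_SINK = /\b(insertAdjacentHTML|document\.write(?:ln)?|eval)\s*\((.*)\)/;
// Plain variable assignment: [var|let|const] name = rhs
const ASSIGNMENT = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.+)$/;

// True when `expr` references a source or an already-tainted variable
// and is not wrapped in a recognised sanitizer.
function isTainted(expr, tainted) {
  if (SANITIZERS.some((s) => expr.includes(s))) return false;
  if (SOURCES.some((s) => expr.includes(s))) return true;
  const idents = expr.match(/[A-Za-z_$][\w$]*/g) || [];
  return idents.some((id) => tainted.has(id));
}

// Scan JavaScript source text; returns one finding per sink that is fed
// tainted data, as { line, sink, expr }.
function findDomXss(source) {
  const tainted = new Set();
  const findings = [];
  source.split('\n').forEach((raw, idx) => {
    // Drop trailing // comments and the statement terminator before matching.
    const line = raw.replace(/\/\/.*$/, '').replace(/;\s*$/, '').trim();
    if (!line) return;
    const lineNo = idx + 1;

    // Sink checks first, so a sink line is never treated as a plain assignment.
    const hit = line.match(PROPERTY_SINK) || line.match(CALL_SINK);
    if (hit) {
      const [, sink, expr] = hit;
      if (isTainted(expr, tainted)) findings.push({ line: lineNo, sink, expr });
      return;
    }

    // Propagate taint through simple assignments; reassigning a variable
    // from clean data clears its taint.
    const assign = line.match(ASSIGNMENT);
    if (assign) {
      const [, name, rhs] = assign;
      if (isTainted(rhs, tainted)) tainted.add(name);
      else tainted.delete(name);
    }
  });
  return findings;
}

// Constructed sample of client-side code to scan (not taken from the page).
const SAMPLE = [
  "const q = location.search.slice(1);",                     // line 1: source
  "const greeting = 'Hello ' + q;",                          // line 2: taint flows on
  "document.getElementById('out').innerHTML = greeting;",    // line 3: finding
  "document.getElementById('safe').textContent = greeting;", // line 4: text sink, safe
  "const clean = DOMPurify.sanitize(greeting);",             // line 5: sanitized
  "document.getElementById('ok').innerHTML = clean;",        // line 6: no finding
  "eval(window.name);",                                      // line 7: finding
  "document.write('<p>static</p>');",                        // line 8: constant, safe
].join('\n');

// Expected: two findings, line 3 (innerHTML) and line 7 (eval).
console.log(findDomXss(SAMPLE));
```

The two findings are the ones a reviewer would expect, and the two non-findings show why such a check needs a sanitizer list and a notion of safe sinks such as `textContent`: without them, a scanner either misses the `DOMPurify` case or reports it as a false positive, which is the trade-off the reviewers on this page keep returning to.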
      Buyer's Guide
      Download our free HCL AppScan Report and get advice and tips from experienced pros sharing their opinions.
      Updated: September 2022