IT Central Station is now PeerSpot: Here's why
Buyer's Guide
Application Security Testing (AST)
July 2022
Get our free report covering PortSwigger, Veracode, Invicti, and other competitors of OWASP Zap. Updated: July 2022.
620,068 professionals have used our research since 2012.

Read reviews of OWASP Zap alternatives and competitors

Principal Architect, Application Build Security. at a transportation company with 10,001+ employees
Real User
Top 20
Improves application security, identifies gaps, and performs well
Pros and Cons
  • "The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with the HCL."
  • "The dashboard, for AppScan or the Fortified fast tool, which we use needs to be improved."

What is our primary use case?

HCL AppScan is primarily used to improve application security. We are transitioning from DevOps to DevSecOps.

We are attempting to integrate these tools into our CICD pipeline in order to meet our business use cases. And if we notice that the tool is missing any business features or a feature, we will highlight them and work to have them fixed or implemented. That is how we go about it. We don't go for any generic features because that will be handled by the product team. We are here to identify our gaps and then have them implemented by the vendor team.

AppScan is only used for web scanning; we do not use it for anything else.

What is most valuable?

There are many features that are valuable. such as the APIs. API calls in AppScan, and similar to Burp Suite enterprise edition, which is also for API scans. I can trigger the scan ware API.

The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with the HCL.

What needs improvement?

The dashboard, for AppScan or the Fortified fast tool, which we use needs to be improved. We always raise that as an announcement request because statistics gathering or management reports based on statistics are quite important. that is the only generic feature that we always request from the product team. The standard response is "Yes, it is in the pipeline, we will take a look." 

We would like to see all of the results in the same product. However, specific products for a specific test are available on the market. For example, you cannot upload the task report to the DAST report dashboard and instead request that the product team or vendor team create a sophisticated dashboard for that. Definitely, they will say "No, it is not possible because you have a DAST tool on the market. Go and purchase that. It will have your dashboard.  If you're a DevSecOps team, and you ask me I would like to see all of the reports uploaded and collaborated on the same dashboard of the particular product. This is the reason we are using an open-sourced vulnerable management tool.

For how long have I used the solution?

We have been using HCL AppScan for almost four years.

We are not working with the most recent update, but with two versions earlier.

What do I think about the stability of the solution?

The HCL AppScan performance is both stable and reliable.

Burp Suite and HCL AppScan are both stable and reliable when compared to other products.

What do I think about the scalability of the solution?

Scalability is a question that is determined by how you allocate your hardware. It is all about how you design your CICD program with HCL AppScan. 

Scalability is quite simple to implement or achieve. Again, this is entirely dependent on your business requirements. Generally, or in short, scalability is not an issue with HCL AppScan.

This solution is used daily.

How are customer service and support?

We have contacted technical support when we need customization, and there are usually other bugs and day-to-day life hacks.

The support has improved since the transition from IBM to HCL AppScan.

Which solution did I use previously and why did I switch?

We are working with tools that are all related to application security, such as Qualys, SAST, DAST, open-sourced software scan, and penetration test tools. 

Some of the penetration test tools we work with are Burp Suite, and OWASP Zap which is an open-source product.

How was the initial setup?

The initial setup with most of the products, particularly the Burp Suite and the HCL AppScan, is straightforward. The only difference is that when it is customized to your specific requirements, that is when the key part comes into play. We have to engage the professional services of the product team, or the vendor team, which is where the headache begins. That is a common challenge shared by the all vendor team.

Deployment and installation of AppScan take approximately three hours, or less than that if you have all of the necessary prerequisites, hardware, a database, and everything is in place, then three hours is all you need.

We put our application into maintenance mode during the version upgrade.

We require one person for the administration of this product.

What about the implementation team?

When customization is required, we have assistance from the vendor time.

Most of the HCL AppScan installations are customized. We use Pure Vanilla or a new malware product.

What's my experience with pricing, setup cost, and licensing?

With the features, that they offer, and the support, they offer, AppScan pricing is on a higher level. 

They should reduce it slightly. But, in my opinion, it's not a big deal. If a tool is able to satisfy all your requirements, it doesn't matter, the cost is not a deciding factor.

There are no additional fees in addition to the licensing fee.

Which other solutions did I evaluate?

We looked into it and decided on two open-source vulnerable management products. We are currently conducting a proof-of-concept on those open source vulnerable management tools.

We are just looking into these open sources and experimenting with them. As a result, this is the first time we intend to incorporate this vulnerable management tool into our world.

We are looking for vulnerability management, purely for vulnerability management, that can collect reports from SAST, DAST, and other scan results and use them in the management dashboard.

What other advice do I have?

Before you choose a tool, whether it is Burp Suite, AppScan, or any other tool, you must first construct your business requirements, or the business use case. And you must detail out all of the product's features, as well as map the features to the business use cases. If the product meets or exceeds the majority of the business use cases, then you only need to choose that product. Otherwise, you will end up customizing the product after you buy it, which will create issues in terms of engaging with the professional services of that specific vendor. Then there's the matter of time and money. 

Detail all of your business use cases, then map those use cases to the product feature list and choose the product.

We have a business relationship with AppScan, as customers, and some of our business partners have project outsourcing with IT companies, such as HCL, IBM, Dell, and Infosys.

I would rate HCL AppScan a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
VinothKumar5 - PeerSpot reviewer
Senior Technical Architect at Hexaware Technologies Limited
Real User
Effective automatic scanning, Academy portal for learning, and reliable
Pros and Cons
  • "The automated scan is what I find most useful because a lot of customers will need it. Not every domain will be looking for complete security, they just need a stamp on the security key. For these kinds of customers, the scan works really well."
  • "There could be an improvement in the API security testing. There is another tool called Postman and if we had a built-in portal similar to Postman which captures the API, we would be able to generate the API traffic. Right now we need a Postman tool and the Burp Suite for performing API tests. It would be a huge benefit to be able to do it in a single UI."

What is our primary use case?

The solution is for web security testing and the primary use is to eliminate the false positives.

How has it helped my organization?

This solution has helped our company in many ways. PortSwigger Acadamy has given us the knowledge to be able to do deeper tests. The effectiveness of the tests is directly proportional to your knowledge about security testing. Even if you do not have this knowledge at the beginning you still you can perform some kind of testing. If you do not know how to choose your payload then it is going to suggest the built-in payloads to which you can perform those test attacks.

You do not need to be an expert to use the solution, an intermediate skilled person can use it and over time they can become an expert. Sometimes it is difficult to find skilled employees to start working in this field for your company but with PortSwigger the new employee does not have to be an expert because they are able to grow quite quickly in their knowledge.

What is most valuable?

The automated scan is what I find most useful because a lot of customers will need it. Not every domain will be looking for complete security, they just need a stamp on the security key. For these kinds of customers, the scan works really well.

What needs improvement?

There could be an improvement in the API security testing. There is another tool called Postman and if we had a built-in portal similar to Postman which captures the API, we would be able to generate the API traffic. Right now we need a Postman tool and the Burp Suite for performing API tests. It would be a huge benefit to be able to do it in a single UI.

In a future release, if there could be some kind of autonomous function, or user behavior prediction that would be beneficial.

For how long have I used the solution?

I have been using this solution for approximately three years.

What do I think about the stability of the solution?

The solution has not had any crashes or any problems. It is reliable.

What do I think about the scalability of the solution?

The solution is scalable. There are types of operations we can do and it has good peak performance.

How are customer service and technical support?

PortSwigger has something called Academy where you can go to learn about many things related to security testing.

How was the initial setup?

The installation is very easy.

What's my experience with pricing, setup cost, and licensing?

The solution used to be expensive. However, they have reduced the price to approximately $400.00 which is reasonable.

Which other solutions did I evaluate?

I have evaluated Zap.

What other advice do I have?

My advice to others just starting out with security testing is to evaluate Zap, which is open-source, to allow them to get an understanding of the processes. Then once they have an understanding they should look into PortSwigger Burp Suite Professional. This solution would win in comparison with its features and would be a very good choice after they have some experience.

I rate PortSwigger Burp Suite Professional an eight out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Application Security Testing (AST)
July 2022
Get our free report covering PortSwigger, Veracode, Invicti, and other competitors of OWASP Zap. Updated: July 2022.
620,068 professionals have used our research since 2012.