Buyer's Guide
Application Security Tools
October 2022
Get our free report covering Tenable Network Security, OWASP, Veracode, and other competitors of Qualys Web Application Scanning. Updated: October 2022.
635,987 professionals have used our research since 2012.

Read reviews of Qualys Web Application Scanning alternatives and competitors

Kevin Dsouza - PeerSpot reviewer
Intramural Official at Northeastern University
Real User
Top 20
Easy to set up with vulnerability analysis and is reliable
Pros and Cons
  • "The vulnerability analysis is the best aspect of the solution."
  • "The only thing that I don't find support for on Mend Prioritize is C++."

What is our primary use case?

We use Mend especially for code analysis. I work in the application security part of my company. Developers will build and push the code to the GitHub repository. We have a build server that pulls in the code, and we are using Jenkins to automate that to do the DevOps stuff.

Once the code is built, we create a product for that particular version on Mend. We are currently working with three different versions for our particular product. We have the products created on Mend via WhiteSource, which has a configuration file and a batch file that runs. The configuration file basically tells it what parameters to use, which server URL to use, which files to ignore, and which files to use.

For example, if I just have to do Python, I can make changes in the configuration files in Excel to include just .py files and exclude all of the other files. If I have to do Python and C++, I can make changes in the configuration file itself to include .py and .C++ files and exclude all of the others. Once that configuration file is ready, we run a WhiteSource batch file that connects to the server, reads the configuration file as well, does the scan on all the files that are in the project, and then pushes the results to Mend, our Mend page.

On our Mend page, once we go into the product page, we can see which libraries have been used by us and which have vulnerabilities. We can also set policies on Mend. We set some policies for our organization to accept and reject. For each product, we also get the policy violations that the libraries go through and any new versions of the libraries that are available on that library's parent page, the parent page being the official developers of the library. We can get the new versions as well. We get the licenses that come with the library, and most importantly, we get vulnerability alerts regarding every library we use in our code.

Once the code is pulled, scanned, and pushed, we get the UI. We go to the library alerts. Once we go to the library alerts, we can see the different severities and the different libraries with vulnerabilities. We normally just sort according to higher severity first and go down to lower severity. We check what can be ignored or what is acceptable and what cannot be ignored, and what is of high priority. Ones that are a high priority, we flag and create a ticket on JIRA. That's our platform for collaboration.

Once we create a ticket in JIRA, the developers can see it, the QA team can see it, and they will go through it as well. They can tell whether the update or upgrade of the library is possible or not. They'll check its compatibility and see if it's actually doable. If it's not doable, they'll just tell us it's not doable, and probably our next version of the application will have the changes, not this one. We term that as acceptable or within our domains of acceptance. However, daily, if a JIRA ticket is created, the developers get back to us saying yes or no. Mostly they say yes to upgrading the library. If it's upgraded, they upgrade it to the next version. We scan it again. We do a weekly scan. We'll just check the next week whether that particular library has been upgraded and the vulnerability has been remediated.

What is most valuable?

The vulnerability analysis is the best aspect of the solution. It’s my main go-to.

We can't do static code analysis ourselves; it's manual. That's a lot of manual tasks to handle. It's close to impossible to do that. That was a lot for static code analysis of our projects, alerting on vulnerabilities whenever possible. Whenever there's a vulnerability available, Mend does that. Its vulnerability analysis is a report as well, with how many high vulnerabilities, how many medium, how many lows we got, how many are accepted, and how many are without any vulnerabilities, basically.

I see a lot of it is pretty good and has a high level of trust.

It’s stable and easy to set up.

What needs improvement?

All applications in the world that are created have room for improvement.

Within Mend itself, there’s Mend Prioritize, which prioritizes the vulnerability automatically by itself with relevance to our application. Mend Prioritize has support for five or six languages right now, including JavaScript, C, and C#. The only thing that I don't find support for on Mend Prioritize is C++, which they'll be working on since the product is under development. Once that's done, we can also add it into Mend Prioritize for our weekly scans, which will help us with our analysis and efforts for remediation.

It's everything we need right now. There's nothing as such that’s out of the world that they should do. We use it just for one thing and focus on that. Therefore, they should not do anything else. We're fine with it as it is.

For how long have I used the solution?

I've been using Mend for six months now.

What do I think about the stability of the solution?

It’s quite stable. There are no bugs or glitches. It doesn’t crash or freeze. A lot of infrastructure is dependent on Mend right now, and it's not disappointing.

What do I think about the scalability of the solution?

It is a pretty scalable product.

The application security team uses it. That’s four people using it regularly.

We are using everything that it does. Mend does a lot of things. It does SAST, SCA, and DAST as well. We are using just the SCA module of it, which we need, and we are using the SCA module to its fullest. I hope we're doing the most efficient deployment of it.

How are customer service and support?

We’ve used technical support in the past. We had some issues with One RPM last month. That was sorted quickly.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not previously use any different solution prior to Mend.

We did look at other solutions. There was Veracode that we tried and Tenable. There was Qualys as well. However, we chose Mend, and we have had a license for three years right now.

How was the initial setup?

The initial setup was pretty easy.

The deployment didn’t take long. Within a day or two, it was done.

There's no maintenance and deployment of Mend as such.

What about the implementation team?

We have a license, so once the license was set up, once the server was set up, after that, we rolled it out by ourselves.

What was our ROI?

We’ve seen a terrific ROI. I’d rate the solution a 4.5 out of five in terms of delivering us ROI.

What's my experience with pricing, setup cost, and licensing?

I don’t have any information in regards to pricing.

What other advice do I have?

I would advise potential users to go through the documentation extensively. The documentation is pretty extensive. It's easy to miss some points in the initial setup itself. If the initial setup's gone wrong, it is difficult to debug it once the infrastructure is up. Therefore, start slow. If the deployment is done correctly, it's only a matter of two files after that for each project that you scan.

I’d rate the solution a nine out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
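The weekly triage loop the Mend review above describes (sort library alerts by severity, skip what the organization has already accepted, open a ticket for the rest, then confirm on the next weekly scan which alerts were remediated), written out as an added example. This is not code from the review and not Mend's export format or API; the alert records, the accepted-risk list, the advisory identifiers and the ticket field names are all constructed for illustration.

```python
"""Added example: triage of SCA (software composition analysis) alerts and a
week-over-week remediation check. All data below is constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# Rank used to sort "higher severity first", as the review does.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Alert:
    library: str             # package name as reported by the scanner
    version: str             # version currently in the build
    vuln_id: str             # advisory identifier (placeholder values below)
    severity: str            # critical / high / medium / low
    fixed_in: Optional[str]  # first version without the issue, if known

    @property
    def key(self):
        """Identity of an alert across scans: same library, version and advisory."""
        return (self.library, self.version, self.vuln_id)


# Constructed sample alerts standing in for two consecutive weekly scans.
SCAN_WEEK1 = [
    Alert("libfoo", "1.2.0", "EXAMPLE-0001", "high", "1.2.1"),
    Alert("libfoo", "1.2.0", "EXAMPLE-0002", "medium", "1.3.0"),
    Alert("parserlib", "0.9.4", "EXAMPLE-0003", "critical", "0.9.5"),
    Alert("oldutil", "2.0.0", "EXAMPLE-0004", "low", None),
    Alert("netclient", "3.1.0", "EXAMPLE-0005", "high", None),
]
SCAN_WEEK2 = [
    Alert("libfoo", "1.2.0", "EXAMPLE-0002", "medium", "1.3.0"),   # still open
    Alert("oldutil", "2.0.0", "EXAMPLE-0004", "low", None),         # still open
    Alert("netclient", "3.1.0", "EXAMPLE-0005", "high", None),      # still open
    Alert("parserlib", "0.9.5", "EXAMPLE-0006", "high", "0.9.6"),   # new after upgrade
]

# Organizational acceptance list: alerts developers reviewed and deferred to the
# next release (the "within our domains of acceptance" case in the review).
ACCEPTED = {("netclient", "3.1.0", "EXAMPLE-0005")}


def triage(alerts, accepted=frozenset(), min_severity="high"):
    """Return the alerts that need a ticket, highest severity first.

    Accepted alerts and anything below min_severity are dropped; ties are
    broken by library name and advisory id so the order is deterministic."""
    threshold = SEVERITY_RANK[min_severity]
    candidates = [a for a in alerts
                  if a.key not in accepted and SEVERITY_RANK[a.severity] >= threshold]
    return sorted(candidates,
                  key=lambda a: (-SEVERITY_RANK[a.severity], a.library, a.vuln_id))


def ticket_fields(alert, project_key="APPSEC"):
    """Fields for a tracker issue. The field layout is hypothetical, not the
    Jira REST schema; adapt it to whatever your tracker integration expects."""
    if alert.fixed_in:
        action = f"upgrade to {alert.fixed_in}"
    else:
        action = "no fixed version published; evaluate a replacement library"
    return {
        "project": project_key,
        "summary": f"[{alert.severity.upper()}] {alert.vuln_id} in {alert.library} {alert.version}",
        "description": (f"Scanner reported {alert.vuln_id} for {alert.library}=="
                        f"{alert.version}. Recommended action: {action}."),
        "labels": ["sca", alert.severity],
    }


def remediation_status(previous, current):
    """Compare two scans: alerts gone since last week were remediated, alerts
    present in both are still open, and alerts only in the new scan are new
    (an upgrade can introduce a new advisory, as parserlib 0.9.5 does here)."""
    prev = {a.key for a in previous}
    cur = {a.key for a in current}
    return {
        "remediated": sorted(prev - cur),
        "still_open": sorted(prev & cur),
        "new": sorted(cur - prev),
    }


if __name__ == "__main__":
    for alert in triage(SCAN_WEEK1, ACCEPTED):
        print(ticket_fields(alert)["summary"])
    print(remediation_status(SCAN_WEEK1, SCAN_WEEK2))
```

The accepted-risk set is keyed on library, version and advisory together, so an acceptance stops applying as soon as the library version changes; the week-two comparison also surfaces advisories that an upgrade introduced, which a plain "is the old ticket closed" check would miss.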
Principal Architect, Application Build Security at a transportation company with 10,001+ employees
Real User
Top 20
Improves application security, identifies gaps, and performs well
Pros and Cons
  • "The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with HCL."
  • "The dashboard for AppScan, or the Fortify SAST tool which we use, needs to be improved."

What is our primary use case?

HCL AppScan is primarily used to improve application security. We are transitioning from DevOps to DevSecOps.

We are attempting to integrate these tools into our CI/CD pipeline in order to meet our business use cases. If we notice that the tool is missing a business feature, we will highlight it and work to have it fixed or implemented. That is how we go about it. We don't go for any generic features because those will be handled by the product team. We are here to identify our gaps and then have them implemented by the vendor team.

AppScan is only used for web scanning; we do not use it for anything else.

What is most valuable?

There are many features that are valuable, such as the APIs. The API calls in AppScan are similar to those in Burp Suite Enterprise Edition, which also supports API scans. I can trigger the scan via API.

The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with HCL.

What needs improvement?

The dashboard for AppScan, or the Fortify SAST tool which we use, needs to be improved. We always raise that as an enhancement request because statistics gathering, or management reports based on statistics, is quite important. That is the only generic feature that we always request from the product team. The standard response is "Yes, it is in the pipeline, we will take a look."

We would like to see all of the results in the same product. However, specific products for a specific test are available on the market. For example, you cannot upload the SAST report to the DAST report dashboard and instead request that the product team or vendor team create a sophisticated dashboard for that. Definitely, they will say "No, it is not possible because you have a DAST tool on the market. Go and purchase that. It will have your dashboard." If you're a DevSecOps team, and you ask me, I would like to see all of the reports uploaded and collaborated on in the same dashboard of the particular product. This is the reason we are using an open-source vulnerability management tool.

For how long have I used the solution?

We have been using HCL AppScan for almost four years.

We are not working with the most recent update, but with two versions earlier.

What do I think about the stability of the solution?

The HCL AppScan performance is both stable and reliable.

Burp Suite and HCL AppScan are both stable and reliable when compared to other products.

What do I think about the scalability of the solution?

Scalability is determined by how you allocate your hardware. It is all about how you design your CI/CD program with HCL AppScan.

Scalability is quite simple to implement or achieve. Again, this is entirely dependent on your business requirements. In short, scalability is not an issue with HCL AppScan.

This solution is used daily.

How are customer service and support?

We have contacted technical support when we need customization, and there are usually other bugs and day-to-day life hacks.

The support has improved since the transition from IBM to HCL AppScan.

Which solution did I use previously and why did I switch?

We are working with tools that are all related to application security, such as Qualys, SAST, DAST, open-source software scanning, and penetration test tools.

Some of the penetration test tools we work with are Burp Suite, and OWASP Zap which is an open-source product.

How was the initial setup?

The initial setup with most of the products, particularly Burp Suite and HCL AppScan, is straightforward. The only difference is that when it is customized to your specific requirements, that is when the key part comes into play. We have to engage the professional services of the product team, or the vendor team, which is where the headache begins. That is a common challenge shared by all vendor teams.

Deployment and installation of AppScan take approximately three hours, or less than that. If you have all of the necessary prerequisites, hardware, a database, and everything else in place, then three hours is all you need.

We put our application into maintenance mode during the version upgrade.

We require one person for the administration of this product.

What about the implementation team?

When customization is required, we have assistance from the vendor team.

Most of the HCL AppScan installations are customized. We use Pure Vanilla or a new malware product.

What's my experience with pricing, setup cost, and licensing?

With the features that they offer and the support that they offer, AppScan pricing is on the higher side.

They should reduce it slightly. But, in my opinion, it's not a big deal. If a tool is able to satisfy all your requirements, it doesn't matter; the cost is not a deciding factor.

There are no additional fees in addition to the licensing fee.

Which other solutions did I evaluate?

We looked into it and decided on two open-source vulnerability management products. We are currently conducting a proof-of-concept on those open-source vulnerability management tools.

We are just looking into these open-source tools and experimenting with them. As a result, this is the first time we intend to incorporate a vulnerability management tool into our world.

We are looking purely for vulnerability management, something that can collect reports from SAST, DAST, and other scan results and use them in the management dashboard.

What other advice do I have?

Before you choose a tool, whether it is Burp Suite, AppScan, or any other tool, you must first construct your business requirements, or the business use case. You must detail all of the product's features and map the features to the business use cases. If the product meets or exceeds the majority of the business use cases, then you only need to choose that product. Otherwise, you will end up customizing the product after you buy it, which will create issues in terms of engaging with the professional services of that specific vendor. Then there's the matter of time and money.

Detail all of your business use cases, then map those use cases to the product feature list and choose the product.

We have a business relationship with AppScan, as customers, and some of our business partners have project outsourcing with IT companies, such as HCL, IBM, Dell, and Infosys.

I would rate HCL AppScan a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Paul Young Okkamy - PeerSpot reviewer
IT Department Manager at Okkamy
Real User
Top 20
AI-driven, easily customizable, and has a zero false-positive SLA
Pros and Cons
  • "After the assessment, you clearly know which assets require penetration testing."
  • "A great idea would be to make a mobile application for the ImmuniWeb portal so that all information would be available on the go and from a mobile phone as well. It would be much more convenient."

What is our primary use case?

I should say that we had already used ImmuniWeb services before. But it was a traditional penetration test of a website. We were absolutely satisfied with their work and selected ImmuniWeb to test our new project for bugs and vulnerabilities.

ImmuniWeb has grown dramatically in these last 4 years. Now, it's a large platform that handles the discovery of your IT assets and launches an AI automated penetration test to fix bugs found.

The first discovery revealed some critical bugs in our assets. ImmuniWeb's team responded very quickly and soon provided a detailed report and guidelines for remediation.

How has it helped my organization?

The ImmuniWeb Platform is the best and easiest way to secure a business online. It's a really great experience. We got reports with zero false-positives and detailed instructions regarding how to solve problems and remove any vulnerabilities found with ImmuniWeb Discovery. We didn't have to purchase any complicated software. Everything is online in the cloud.

We are sure that ImmuniWeb is definitely the best alternative to traditional penetration testing. They really reduced our security costs and made our business compliant with GDPR and other European and international laws and regulations.

What is most valuable?

I like that ImmuniWeb finds all your assets literally anywhere, including on your website, clouds, repositories, network infrastructure, et cetera. Moreover, it scans the Dark Web for assets. Dark Web Monitoring is the most valuable tool. It quickly scans the dark web and you see it all in the dashboard. In our case, we found a password leak.

After the assessment, you clearly know which assets require penetration testing.

The penetration test itself is AI-driven, easily customizable, and provided with a zero false-positive SLA.

What needs improvement?

You may find the dashboard a bit complicated. That's because of the large number of features. If ImmuniWeb made a kind of presentation on how to work with the platform when you log in for the first time, that would be ideal.

On the other hand, ImmuniWeb holds monthly webinars where they explain how to use the platform. I took part in one of them and found out a lot of new options I didn't know about before.

A great idea would be to make a mobile application for the ImmuniWeb portal so that all information would be available on the go and from a mobile phone as well. It would be much more convenient.

For how long have I used the solution?

We have been using ImmuniWeb for 6 months already.

How are customer service and technical support?

The product offers fast 24/7 support. 

Which solution did I use previously and why did I switch?

I used the vulnerability scanner from Acunetix and some Qualys products. The scanner is nice but very expensive. It also didn't give the full view of the problems within the website.

What's my experience with pricing, setup cost, and licensing?

I would advise users to start with a small package. Other packages may look costly for an SMB. That said, the price/value ratio is perfect.

Which other solutions did I evaluate?

We did look at Qualys.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.