HCL AppScan Reviews

We use HCL AppScan products to help us scan for vulnerabilities and generate reports to provide a foundation on how to fix any issues. Their 4.7 version facilitates machine learning to help us select APIs and customize our scans more specifically. We also use the HCL AppScan Standard Enterprise Source and Cloud for scanning, and we plan to add the HCL AppScan Switch Casing to our toolkit. This makes it easier for us to scan the internet and use Tenable to help us find any issues.

The most valuable feature of the solution is Postman. As a security engineer, Postman allows me to specify exactly what information I need to scan for, rather than just dropping all information and running a scan. I can also use it to do some information gathering before scanning. This allows me to specify APIs and scan accordingly. The feature also saves us time.

As a developer who has been studying and working in the security product industry for several years, I have been impressed by HCL's progress. Although the cost of their product is competitive, I believe they could make it even better by increasing their database size. Companies like Tenable have much larger databases when it comes to vulnerabilities and portals, and even though HCL is connected with other vendors such as Microsoft, their database is not as expansive. The databases for HCL are small and have room for improvement.

HCL already has four solutions: Standard, Enterprise, Open Source, and the Cloud. Perhaps in a future release, HCL can add AI products. Manual work would be made easier with artificial intelligence. Maybe HCL could develop an AI program for scanning.

I have been using the solution for five months.

The solution is scalable.

The initial setup is straightforward. This is a great advantage of HCL, as we can just download, install and run it to identify potential vulnerabilities. Furthermore, the graphical user interface is also simplified.

The implementation didn't take a lot of time; setting up the cloud was just a matter of making my account and getting familiar with the features. After that, we were all logged in and ready to go with no major changes required.

I give the solution a nine out of ten.

I am currently the first person in my company to begin working with HCL. We have not yet gone to any clients, but I plan to get certified in HCL with AppScan. When we have clients that require components from HCL, I will be the representative for them as I am knowledgeable in the subject.

I would highly recommend HCL for people in the workforce. It has a user-friendly interface and the cost is much lower than Tenable. The database is good, and installation is easy. Additionally, technical support is likely to be helpful. Finally, there are a lot of other tools that come with HCL, such as scanners and detectors, which will make the job much easier.

It depends on the application, but it's generally a very user-friendly tool. Anyone can easily learn how to scan and boost their security.  

It's very accurate, although there might be a few false positives, but you can configure those out.

In future releases, I would like to see more aggressive reports. I would also like to see less false positives. 

There is room for improvement in pricing as well. 

Also, support for mobile apps would be better. Right now, we're only using it for web applications.

I've used AppScan for four years now.

I would rate the stability an eight out of ten. 

It is a scalable product. I would rate the scalability an eight out of ten. 

The customer service and support are very user-friendly. They'll send meetings whenever we need them, respecting our valuable time. They'll do their best to resolve our problems.

Positive

I used Fortify WebInspect in my previous company. They were more manual and time-consuming, and we often got more false positives. The result was very vast, and we needed to find everything and check over and over. We didn't find it very user-friendly.  

Fortify WebInspect was okay, but not as good. If we get the same result, it takes more time to understand the output and how to remediate it. It leaks more time. We need to reduce time nowadays and get things done.

AppScan is much faster and more reliable.  

We also used Burp Suite before, which was also user-friendly and allowed for manual testing. It's good for auto-mesh, but it takes longer and doesn't offer as much satisfactory results.

It is easy to implement and set up for users.

The pricing is good. We had two licenses, and we were offered good discounts. 

It's user-friendly and easy to install and analyze results. The solution also provides clear explanations and recommendations in the output, which is very helpful. I highly recommend it.

Overall, I would rate the solution a nine out of ten. 

I use HCL AppScan in my company for application security scanning.

The most valuable feature of the solution stems from the fact that it is good to run the scan faster. You can basically run the scan and take a break at work since the tool will compute the results, which makes the product quite intuitive. HCL AppScan doesn't require constant monitoring.

Maybe having some APIs could be helpful. If HCL AppScan is able to alert the clients over email once the scan is complete, it would be great. Right now, HCL AppScan doesn't let me know if the scanning part is finished or not, because of which I have to come back and check mostly. It would be helpful if the tool had some API gateway that would allow me to run some custom queries.

I have been using HCL AppScan for around four months. My company is a customer of HCL AppScan.

It is a stable solution.

It is a scalable solution.

Around 20 people in my company use HCL AppScan.

The solution's technical support is good. I rate the technical support an eight out of ten.

Positive

The initial setup or installation of HCL AppScan is easy.

Maybe two or three hours are required to deploy, install, and configure the product.

About seven or eight engineers and architects may be required to deploy the product.

The solution is deployed on the cloud.

The price of HCL AppScan is okay, in my opinion. You just buy HCL AppScan and don't pay anything anymore, meaning it is just a one-time purchase.

Once we get the updates for HCL AppScan, another team in my company takes care of the installation of the new updates, which takes about half a day.

I would tell those who plan to use HCL AppScan that it is a helpful and beginner-friendly product.

I rate the overall product a ten out of ten.

I use the tool to find system information for penetration testing and ethical hacking.

The solution is easy to use. It is useful for finding basic information about systems.

The product has some technical limitations. Finding critical things with the solution is difficult because most organizations update their systems. We find the product vulnerabilities manually.

I have been using the solution for four years.

I rate the stability an eight out of ten.

I rate the scalability a five out of ten. The solution is not enough for our needs. We are testing more than 50 companies with the solution. The largest company has more than 10,000 employees. We are planning to increase the number of users of the solution.

The initial setup is not difficult. I rate the ease of setup a seven out of ten.

It took us five minutes to install the solution. We need four engineers to maintain the solution.

I rate the solution’s pricing a five out of ten.

I am using the latest version of the solution. We usually perform ethical hacking using Burp Suite. The solution will be more advanced if it can be developed using ChatGPT. I would recommend the solution to others because it is the most famous web scanner. Overall, I rate the solution a five out of ten.

The tool should improve its output. Scanning is not a challenge anymore since there are many such tools available in the market. The product needs to focus on how its output is being used by end users. It should be also more user-friendly. One of the major challenges is in the tool's integration with applications that need to be scanned. Sometimes, the scanning is not proper. 

I have been working with the solution for more than five years. 

I would rate the tool's stability a seven out of ten. The product's stability is fine if you have admin access. However, you may face issues during intense scanning. 

The product's technical support is not good. 

Neutral

The solution is easy to install. I would rate the product's setup between six to seven out of ten. The deployment time depends on the applications that need to be scanned. We have a development and operations team to take care of the product's maintenance. 

We did  the product's deployment in-house. 

I would rate the product's pricing a nine out of ten. The product's pricing is expensive compared to the features that they offer. 

I would rate the product a three out of ten. We use the solution only for quarterly scanning. There are better tools in the market at the same price. These tools can integrate more with applications. The tool's providers don't invest in making a good product. Hence, it is better to use a different tool. 

We primarily use the solution for static scans as well as dynamic scans to check for vulnerabilities. 

The scanning is quite good. It's good for helping us seek out vulnerabilities and fixing hot spots. 

The pricing is fine. 

It's on a managed cloud, and that makes it very easy. It's straightforward to use.

The solution has been stable, and we haven't really had downtime. 

It's stable. 

Technical support is helpful.

I do not have any notes for improvements. 

They should have a better UI for dashboards. It would be nice to have visualizations such as pie charts. This would help administrators and be more of a value-add. 

I've been using the solution for three years. 

The solution is stable. We haven't had any downtime. I'd rate it eight out of ten. There are no bugs or glitches. It doesn't crash or freeze. 

I'm not directly working to scale the solution. I don't know how well it extends. 

We have many people in our organization on the product. 

I've contacted technical support in the past. We have dedicated Slack channels, and we can easily open tickets with them for troubleshooting. They are fast and knowledgeable. 

Positive

I also use SonarQube. We also use SonarQube for code quality.

We did not previously use any other solution.

We do not have to manage the setup. It is a managed cloud offering. There is no implementation process. We just need to upload the applications. It doesn't take any time at all. Everything is automatic. 

The cost is okay. It's not overly expensive. 

We do not have to continuously pay for a license. 

I'm not sure of the exact version I'm using. 

I'd rate the solution nine out of ten. It's pretty straightforward to use, and we like that it is a managed cloud. 

This is a primarily application security testing solution.

SAST is the only feature that works using the on-prem version. It's becoming very difficult for us to integrate it with the other SecOps solutions. It is a very good solution but only when using the standard version.

We have experienced challenges when trying to integrate this solution with other products. When you compare it with the other SecOps products, the quality of the output is too low. It is not a new-age product. It is very outdated.

The weaknesses of this solution include integration ability, the interface and the quality of the output. It lacks a lot of features if you compare it with Fortify, Veracode or Coverity. It is not possible to integrate with the CI/CD pipeline as cloud-native functionalities are not supported. 

We have been using this solution for one year. 

This is a stable solution. 

This solution is not scalable due to its inability to integrate with other solutions. 

Initially, we had a lot of hiccups and we logged a lot of cases with them. The support we received was okay.

Neutral

We are evaluating other options like Fortify and Checkmarx. We have worked with Fortify before. The advantage of this solution over HCL is its cloud setup. It is a solution that integrates well with other products. It also provides less false positives. Our main use case is that it should easily integrate with the CI/CD pipeline. The second requirements is that it should be easily integrate with the developer environment. These were the two main things which HCL AppScan does not provide.

The initial setup is not straightforward. It involved a couple of tweaks and changes within the environment itself. A couple of reinstallations were also required for us to get it working. It was not a click-and-run kind of a product.

Pricing was the main reason that we went ahead with this solution as they were the lowest in the market.

Overall performance of this solution is not terrible but it does not offer new age features. If you want to integrate with other solutions or complete testing in the cloud, this is not the right solution. I would advise others considering this solution to complete a proper proof of concept or to run a pilot before implementing it.

I would rate this solution a three out of ten. 

The most valuable feature of HCL AppScan is scanning QR codes.

The solution could improve by having a mobile version.

I have been using HCL AppScan for approximately one year.

I have found HCL AppScan to be stable.

HCL AppScan is a scalable solution. it can easily scale up and out.

The support I have received has been good. I had an issue and I opened a ticket with the support, and everything went smooth. 

The initial setup of HCL AppScan is easy.

I rate HCL AppScan an eight out of ten.