reviewer1428084 - PeerSpot reviewer
Principal Architect, Application Build Security. at a transportation company with 10,001+ employees
Real User
Improves application security, identifies gaps, and performs well
Pros and Cons
  • "The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with HCL."
  • "The dashboard for AppScan, or the Fortified fast tool which we use, needs to be improved."

What is our primary use case?

HCL AppScan is primarily used to improve application security. We are transitioning from DevOps to DevSecOps.

We are attempting to integrate these tools into our CI/CD pipeline in order to meet our business use cases. If we notice that the tool is missing a business feature, we highlight it and work to have it fixed or implemented. That is how we go about it. We don't go for any generic features, because those will be handled by the product team. We are here to identify our gaps and then have them implemented by the vendor team.

AppScan is only used for web scanning; we do not use it for anything else.

What is most valuable?

There are many features that are valuable, such as the APIs. API calls in AppScan are similar to those in Burp Suite Enterprise Edition, which is also used for API scans. I can trigger the scan via API.

The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with HCL.

What needs improvement?

The dashboard for AppScan, or the Fortified fast tool which we use, needs to be improved. We always raise that as an enhancement request, because statistics gathering, or management reports based on statistics, are quite important. That is the only generic feature that we always request from the product team. The standard response is "Yes, it is in the pipeline, we will take a look."

We would like to see all of the results in the same product. However, specific products for specific tests are available on the market. For example, you cannot upload the task report to the DAST report dashboard and instead request that the product team or vendor team create a sophisticated dashboard for that. Definitely, they will say, "No, it is not possible, because you have a DAST tool on the market. Go and purchase that. It will have your dashboard." If you're a DevSecOps team and you ask me, I would like to see all of the reports uploaded and collaborated on in the same dashboard of the particular product. This is the reason we are using an open-source vulnerability management tool.

For how long have I used the solution?

We have been using HCL AppScan for almost four years.

We are not working with the most recent update, but with two versions earlier.

Buyer's Guide
HCL AppScan
May 2025
Learn what your peers think about HCL AppScan. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
851,604 professionals have used our research since 2012.

What do I think about the stability of the solution?

The HCL AppScan performance is both stable and reliable.

Burp Suite and HCL AppScan are both stable and reliable when compared to other products.

What do I think about the scalability of the solution?

Scalability is a question that is determined by how you allocate your hardware. It is all about how you design your CI/CD program with HCL AppScan.

Scalability is quite simple to implement or achieve. Again, this is entirely dependent on your business requirements. Generally, or in short, scalability is not an issue with HCL AppScan.

This solution is used daily.

How are customer service and support?

We have contacted technical support when we need customization, and there are usually other bugs and day-to-day life hacks.

The support has improved since the transition from IBM to HCL AppScan.

Which solution did I use previously and why did I switch?

We are working with tools that are all related to application security, such as Qualys, SAST, DAST, open-sourced software scan, and penetration test tools. 

Some of the penetration test tools we work with are Burp Suite, and OWASP Zap which is an open-source product.

How was the initial setup?

The initial setup with most of the products, particularly Burp Suite and HCL AppScan, is straightforward. The only difference is that when it is customized to your specific requirements, that is when the key part comes into play. We have to engage the professional services of the product team, or the vendor team, which is where the headache begins. That is a common challenge shared by all vendor teams.

Deployment and installation of AppScan take approximately three hours, or less than that if you have all of the necessary prerequisites. If the hardware, a database, and everything else are in place, then three hours is all you need.

We put our application into maintenance mode during the version upgrade.

We require one person for the administration of this product.

What about the implementation team?

When customization is required, we have assistance from the vendor team.

Most of the HCL AppScan installations are customized. We use Pure Vanilla or a new malware product.

What's my experience with pricing, setup cost, and licensing?

With the features that they offer, and the support that they offer, AppScan pricing is on a higher level.

They should reduce it slightly. But, in my opinion, it's not a big deal. If a tool is able to satisfy all your requirements, it doesn't matter, the cost is not a deciding factor.

There are no additional fees in addition to the licensing fee.

Which other solutions did I evaluate?

We looked into it and decided on two open-source vulnerability management products. We are currently conducting a proof of concept on those open-source vulnerability management tools.

We are just looking into these open-source tools and experimenting with them. As a result, this is the first time we intend to incorporate a vulnerability management tool into our world.

We are looking for vulnerability management, purely vulnerability management, that can collect reports from SAST, DAST, and other scan results and use them in the management dashboard.

What other advice do I have?

Before you choose a tool, whether it is Burp Suite, AppScan, or any other tool, you must first construct your business requirements, or the business use case. You must detail all of the product's features and map the features to the business use cases. If the product meets or exceeds the majority of the business use cases, then you only need to choose that product. Otherwise, you will end up customizing the product after you buy it, which will create issues in terms of engaging with the professional services of that specific vendor. Then there's the matter of time and money.

Detail all of your business use cases, then map those use cases to the product feature list and choose the product.

We have a business relationship with AppScan, as customers, and some of our business partners have project outsourcing with IT companies, such as HCL, IBM, Dell, and Infosys.

I would rate HCL AppScan a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Mechanical maintenance technician at SAQ
Real User
Top 20
Allows for scanning during code construction
Pros and Cons
  • "The most valuable feature of HCL AppScan is its integration with the SDLC, particularly during the coding phase."
  • "Improving usability could enhance the overall experience with AppScan. It would be beneficial to make the solution more user-friendly, ensuring that everyone can easily navigate and utilize its features."

What is our primary use case?

I mainly use AppScan to secure various types of applications. I use its DAST solution for black box scanning, as well as SAST and source code validation. AppScan helps in scanning code for vulnerabilities, including open-source code.

What is most valuable?

The most valuable feature of HCL AppScan is its integration with the SDLC, particularly during the coding phase. This allows for scanning during code construction, which is beneficial. However, I also find the DAST and penetration testing features valuable, especially for discovering vulnerabilities like those in the OWASP Top Ten.

What needs improvement?

Improving usability could enhance the overall experience with AppScan. It would be beneficial to make the solution more user-friendly, ensuring that everyone can easily navigate and utilize its features. Additionally, improving marketing efforts could help raise awareness about AppScan's features and benefits, especially for external teams beyond just internal use.

For how long have I used the solution?

I have been working with HCL AppScan for almost ten years.

What do I think about the stability of the solution?

Since moving to HCL, AppScan has become very stable, addressing any previous issues.

What do I think about the scalability of the solution?

AppScan makes scaling easy, especially with its cloud-based capabilities. I would rate its scalability as a ten out of ten.

How are customer service and support?

I would rate the technical support as a ten out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Switching from Fortify to AppScan was a game-changer for me. AppScan was easier to configure and provided more thorough scanning results. The support for AppScan, especially in Brazil, was excellent compared to Fortify's lack of support. Overall, AppScan offered a more user-friendly experience with better results and support.

How was the initial setup?

Setting up AppScan is straightforward and easy, as it typically involves a simple "next-next-finish" process for implementation. I would rate the easiness of the setup as a ten out of ten.

What was our ROI?

Using AppScan has led to a significant reduction in vulnerabilities and saved us around 20% in costs overall. Many banks in Brazil have also experienced cost savings by using AppScan. Personally, I saw a return on investment within six months of using the tool.

What's my experience with pricing, setup cost, and licensing?

AppScan's pricing is a bit challenging, especially when dealing with currency exchange rates outside Brazil. However, it is still more affordable than alternatives like Fortify. Personally, switching to AppScan helped me save money.

What other advice do I have?

AppScan's dynamic and static scanning capabilities have benefited my security testing processes significantly. It helps in scanning the code automatically during the SDLC and ensures security before pushing it to production. Both dynamic and static scanning solutions are essential for me, making AppScan a valuable tool.

AppScan integrates smoothly with existing security and development workflows. It offers easy integration with tools like SBS and provides developer plug-ins for seamless inclusion in the workflow.

My use of AppScan has been influenced by the trend towards comprehensive application security testing. While researching the best solution, I found it challenging to locate information and personal experiences with AppScan.

I would recommend AppScan to others. In my opinion, it is the best solution for web application security testing.

Overall, I would rate AppScan as a ten out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
AnanyaRoy - PeerSpot reviewer
Risk Analyst at Deloitte
Real User
Top 5, Leaderboard
A stable and scalable product useful for application security scanning
Pros and Cons
  • "It is a stable solution...It is a scalable solution...The initial setup or installation of HCL AppScan is easy."
  • "If HCL AppScan is able to alert the clients over email once the scan is complete, it would be great. Right now, HCL AppScan doesn't let me know if the scanning part is finished or not, because of which I have to come back and check mostly."

What is our primary use case?

I use HCL AppScan in my company for application security scanning.

What is most valuable?

The most valuable feature of the solution stems from the fact that it is good at running the scan faster. You can basically run the scan and take a break at work, since the tool will compute the results, which makes the product quite intuitive. HCL AppScan doesn't require constant monitoring.

What needs improvement?

Maybe having some APIs could be helpful. If HCL AppScan were able to alert the clients over email once the scan is complete, it would be great. Right now, HCL AppScan doesn't let me know whether the scanning part is finished or not, because of which I mostly have to come back and check. It would be helpful if the tool had some API gateway that would allow me to run some custom queries.

For how long have I used the solution?

I have been using HCL AppScan for around four months. My company is a customer of HCL AppScan.

What do I think about the stability of the solution?

It is a stable solution.

What do I think about the scalability of the solution?

It is a scalable solution.

Around 20 people in my company use HCL AppScan.

How are customer service and support?

The solution's technical support is good. I rate the technical support an eight out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup or installation of HCL AppScan is easy.

Maybe two or three hours are required to deploy, install, and configure the product.

About seven or eight engineers and architects may be required to deploy the product.

The solution is deployed on the cloud.

What's my experience with pricing, setup cost, and licensing?

The price of HCL AppScan is okay, in my opinion. You just buy HCL AppScan and don't pay anything anymore, meaning it is just a one-time purchase.

What other advice do I have?

Once we get the updates for HCL AppScan, another team in my company takes care of the installation of the new updates, which takes about half a day.

I would tell those who plan to use HCL AppScan that it is a helpful and beginner-friendly product.

I rate the overall product a ten out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Application Security Engineer at a transportation company with 1,001-5,000 employees
Real User
User-friendly and easy to install and analyze results
Pros and Cons
  • "It's generally a very user-friendly tool. Anyone can easily learn how to scan"
  • "In future releases, I would like to see more aggressive reports. I would also like to see less false positives."

What is most valuable?

It depends on the application, but it's generally a very user-friendly tool. Anyone can easily learn how to scan and boost their security.  

What needs improvement?

It's very accurate, although there might be a few false positives, but you can configure those out.

In future releases, I would like to see more aggressive reports. I would also like to see less false positives. 

There is room for improvement in pricing as well. 

Also, support for mobile apps would be better. Right now, we're only using it for web applications.

For how long have I used the solution?

I've used AppScan for four years now.

What do I think about the stability of the solution?

I would rate the stability an eight out of ten. 

What do I think about the scalability of the solution?

It is a scalable product. I would rate the scalability an eight out of ten. 

How are customer service and support?

The customer service and support are very user-friendly. They'll send meetings whenever we need them, respecting our valuable time. They'll do their best to resolve our problems.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used Fortify WebInspect in my previous company. It was more manual and time-consuming, and we often got more false positives. The result was very vast, and we needed to find everything and check over and over. We didn't find it very user-friendly.

Fortify WebInspect was okay, but not as good. If we get the same result, it takes more time to understand the output and how to remediate it. It leaks more time. We need to reduce time nowadays and get things done.

AppScan is much faster and more reliable.  

We also used Burp Suite before, which was also user-friendly and allowed for manual testing. It's good for auto-mesh, but it takes longer and doesn't offer as much satisfactory results.

How was the initial setup?

It is easy to implement and set up for users.

What's my experience with pricing, setup cost, and licensing?

The pricing is good. We had two licenses, and we were offered good discounts. 

What other advice do I have?

It's user-friendly and easy to install and analyze results. The solution also provides clear explanations and recommendations in the output, which is very helpful. I highly recommend it.

Overall, I would rate the solution a nine out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1467588 - PeerSpot reviewer
Owner/ Consultant at a tech services company with 1-10 employees
Consultant
Offers many support languages, scans in a decent amount of time and is easy to set up
Pros and Cons
  • "There's extensive functionality with custom rules and a custom knowledge base."
  • "The solution often has a high number of false positives. It's an aspect they really need to improve upon."

What is our primary use case?

We primarily use the solution for static analysis.

What is most valuable?

AppScan is within the top three or four static analyzers. Its features include support for many languages. 

The product has a relatively reasonable scan time.

There's extensive functionality with custom rules and a custom knowledge base.

What needs improvement?

The solution often has a high number of false positives. It's an aspect they really need to improve upon. 

The product has vulnerabilities, or findings, that are almost identical in nature. 

For how long have I used the solution?

I've used the solution for the last 12 months or so. It's been about a year at this point.

What do I think about the stability of the solution?

The stability is okay. It's good. It's not very good or excellent, it's just good. I would describe the stability as a bit better than acceptable.

What do I think about the scalability of the solution?

When I worked on it, it wasn't in the cloud. It didn't offer Federation. Now, it is my understanding that it has those, which would make it very scalable. That said, when I used it, I would not give it a very scalable grade - maybe a two out of ten for scalability if you are using it off of the cloud. That said, that's not the latest version. The latest is likely more scalable, I just don't have experience with it.

How are customer service and technical support?

The technical support is pretty good. They are knowledgeable and responsive. We were satisfied with the level of support we received.

Which solution did I use previously and why did I switch?

I also know a bit about Checkmarx, Fortify, Veracode, and AppScan.

How was the initial setup?

I didn't really do the actual setup once it got moved into the cloud. I don't know how easy the cloud setup was. However, it's my understanding that it is now potentially easier than it was before, which wasn't too bad.

What's my experience with pricing, setup cost, and licensing?

I don't know the prices currently. I knew the prices when it was still in-house with IBM, however, I don't know what the cost is now.

What other advice do I have?

I worked with the solution at a previous company. Now I am a consultant and I no longer work with the product. I don't have a business relationship with HCL.

I wanted to do a POC with the current state of what was IBM AppScan and now is HCL. I contacted my contacts at IBM and then they started off the conversation and it went smoothly because a number of people from IBM had gone over to HCL when that product was acquired.

Various tools have their strengths. I would advise anyone who is interested in using a similar solution to do a proof of concept first with a few options. Try Checkmarx, Fortify, Veracode, and AppScan, and see which one makes the most sense for your company's purposes. Those would be the top four, in my opinion, right now.

Overall, I would rate the solution eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Security Engineer at KEPCO KDN
Real User
The solution has some technical limitations, though it is easy to use
Pros and Cons
  • "The solution is easy to use."
  • "The product has some technical limitations."

What is our primary use case?

I use the tool to find system information for penetration testing and ethical hacking.

What is most valuable?

The solution is easy to use. It is useful for finding basic information about systems.

What needs improvement?

The product has some technical limitations. Finding critical things with the solution is difficult because most organizations update their systems. We find the product vulnerabilities manually.

For how long have I used the solution?

I have been using the solution for four years.

What do I think about the stability of the solution?

I rate the stability an eight out of ten.

What do I think about the scalability of the solution?

I rate the scalability a five out of ten. The solution is not enough for our needs. We are testing more than 50 companies with the solution. The largest company has more than 10,000 employees. We are planning to increase the number of users of the solution.

How was the initial setup?

The initial setup is not difficult. I rate the ease of setup a seven out of ten.

What about the implementation team?

It took us five minutes to install the solution. We need four engineers to maintain the solution.

What's my experience with pricing, setup cost, and licensing?

I rate the solution’s pricing a five out of ten.

What other advice do I have?

I am using the latest version of the solution. We usually perform ethical hacking using Burp Suite. The solution will be more advanced if it can be developed using ChatGPT. I would recommend the solution to others because it is the most famous web scanner. Overall, I rate the solution a five out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Basit Shah - PeerSpot reviewer
Software Quality Assurance Engineer at IT22
Real User
Top 10
The UI was very intuitive and easy to understand, but the tool was expensive
Pros and Cons
  • "The UI was very intuitive."
  • "A desktop version should be added."

What is our primary use case?

I used the solution to find vulnerabilities in our website and system. I did some regular checkups.

What is most valuable?

The UI was very intuitive. It was very easy to understand. It was very easy to scan the websites, see the results, and deliver them to higher management.

What needs improvement?

It would have been better if we could use it on our desktop. A desktop version should be added.

For how long have I used the solution?

I had used the solution for one month.

What do I think about the stability of the solution?

The tool was very stable. I rate the tool’s stability a seven or eight out of ten. Very few people were using the tool in our organization. The stability could have been affected if there were more users.

What do I think about the scalability of the solution?

We had a few users.

Which solution did I use previously and why did I switch?

We have used solutions like Acunetix. HCL was better. The UI was pretty good. It was intuitive, easy to understand, and reliable.

How was the initial setup?

The installation was easy for me. It took a few hours. A senior employee helped me deploy the tool. The solution was deployed on the cloud.

What's my experience with pricing, setup cost, and licensing?

The tool was expensive. We paid a monthly license fee. There were no additional costs associated with the product.

What other advice do I have?

Someone who wants to use the solution must know why they need the solution. It is quite expensive. We must not spend much on something we do not need. If we have a need and can afford the solution, HCL is a good solution. It is very easy to understand. It has a lot of features. The reporting system is good. Overall, I rate the product a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Manager - IT Security & ISMS at Ericsson
Real User
Helps with scanning but needs to be more user-friendly
Pros and Cons
  • "The solution is easy to install. I would rate the product's setup between six to seven out of ten. The deployment time depends on the applications that need to be scanned. We have a development and operations team to take care of the product's maintenance."
  • "The tool should improve its output. Scanning is not a challenge anymore since there are many such tools available in the market. The product needs to focus on how its output is being used by end users. It should also be more user-friendly. One of the major challenges is in the tool's integration with applications that need to be scanned. Sometimes, the scanning is not proper."

What needs improvement?

The tool should improve its output. Scanning is not a challenge anymore since there are many such tools available in the market. The product needs to focus on how its output is being used by end users. It should also be more user-friendly. One of the major challenges is in the tool's integration with applications that need to be scanned. Sometimes, the scanning is not proper.

For how long have I used the solution?

I have been working with the solution for more than five years. 

What do I think about the stability of the solution?

I would rate the tool's stability a seven out of ten. The product's stability is fine if you have admin access. However, you may face issues during intense scanning. 

How are customer service and support?

The product's technical support is not good. 

How would you rate customer service and support?

Neutral

How was the initial setup?

The solution is easy to install. I would rate the product's setup between six to seven out of ten. The deployment time depends on the applications that need to be scanned. We have a development and operations team to take care of the product's maintenance. 

What about the implementation team?

We did the product's deployment in-house.

What's my experience with pricing, setup cost, and licensing?

I would rate the product's pricing a nine out of ten. The product's pricing is expensive compared to the features that they offer. 

What other advice do I have?

I would rate the product a three out of ten. We use the solution only for quarterly scanning. There are better tools in the market at the same price. These tools can integrate more with applications. The tool's providers don't invest in making a good product. Hence, it is better to use a different tool. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user