HCL AppScan Reviews

I use it for my customers. 

Improvement can be done as per customer requirements.

I have been using HCL AppScan for some time. 

The technical support is good. 

The initial setup took one to two days. 

The solution is cheap. 

I rate the overall solution a nine out of ten.

HCL AppScan efficiently scans through the website and identifies vulnerabilities for AWS. It is reducing tools day by day, making it more efficient. 

HCL AppScan generates false results. Sometimes, it incorrectly identifies requests as vulnerable when they are not vulnerable. In the ADSL feature managed, the primary objective is to identify application security vulnerabilities. However, sometimes AppScan wrongly flags something as a vulnerability when it's not present, which we call a false positive.

I have been using HCL AppScan for nine years.

I rate the solution’s stability an eight out of ten.

The solution is scalable if required.

Customer support is helpful. 

Positive

There is a licensing partner. Sometimes, it is required to install a server. I must remove that license and then eject a new one on a different server. It becomes a bit harder for beginners if they do not have enough experience to install Zoho software.

Deployment takes around an hour, and one person can do it.

I rate the initial setup a six and a half out of ten, where one is difficult and ten is easy.

The tool is not cost-efficient. Considering the type of service with encryption security scanning from HCL AppScan, it drives up the cost unnecessarily. It is fairly priced.

There are some very cost-effective solutions out there. They are also very efficient for systems scanning.

Overall, I rate the solution an eight-point five out of ten.

I use the tool to scan the web interface.

Compared to other tools only AppScan supports special language.

The solution needs to improve in some areas. The tool needs to add more languages. It also needs to improve its speed.

I have been using the solution for two years.

The solution has dedicated and good tech support. We can open a ticket and we get information within two hours. Once we open a ticket we get validation or confirmation of our problem. When we get to the specialist, we will get more information.

Positive

I would rate the overall solution a nine out of ten.

I mainly use AppScan for vulnerability scanning and database bridging.

AppScan is too complicated and should be made more user-friendly.

I've been using HCL AppScan for three to four years.

AppScan is stable.

AppScan is scalable.

HCL's technical support is ok, but it could be faster and more responsive.

The initial setup was complex and took about a day and a half.

I would rate AppScan four out of ten.

I have a set project, and I'm writing an application for monitoring server status, and I tried several times to scan it with AppScan in order to understand if there are vulnerabilities in my code.

The dynamic scan, the DAST tool, dynamic applications scanning and testing tool, is great.

It was easy to set up.

It's a stable solution.

The product is easy to scale. 

The solution is affordable and reasonably priced.

The performance could be better. Sometimes it doesn't work so well. There's a tool for connecting the cloud with the application server. Sometimes it doesn't work really well.

I have not come across any missing features. 

I've been using the solution for six months. It's been less than a year so far. 

The solution has been stable. There aren't bugs or glitches. It doesn't crash or freeze. It's reliable. 

So far, we've found the solution can scale well.

I've reached out to support in the past. They are pretty good, however, they are also working from India, and I'm in Italy. There is a delay of course when I open a ticket. We have to wait a bit due to the time shift.

We did not previously use a different solution. This was our first. 

The initial setup is pretty simple and straightforward. It's not an overly complex or difficult process. 

It took about one day to deploy the solution.

I handled the initial setup on my own. I did not ask for help from any consultants or integrators. 

I actually pay for tokens. Any time that I want to perform scanning, I have to pay for another token. It's pretty good for me, this system, as it's really, really nice when I need it. I just need to pay for it, and that's it.

We are end-users.

I'd rate the solution a seven out of ten.

The solution offers services in a few specific development languages.

They have to improve support. Their support before, when it was IBM, was very good technical support. However, now, it's very bad.

They could add more language coverage. They don't cover so many development languages. They really should be covering more. If they did, it would be a huge improvement.

The technical support is no longer any good. It's gone downhill since they were under IBM. Now, we are no longer satisfied with their level of service and we hope they will improve their services in the future.

I'm currently looking into Checkmarx. I'm evaluating their offering to see how it compares. This product lacks in many areas, and so we are looking at other options.

I don't have information on the relationship HCL has with my company. My understanding is they are just a vendor for us.

In general, I would rate them at a six out of ten. There are many areas in which they could improve, including by adding more languages and re-vamping their technical support. They are lacking in a lot of areas.

We perform more dynamic scanning using AppScan. We set up a scan, perform it and get the results, and then give the results back to our customer.

Within our organization, there are four members of the team who are using it.

Currently, we are satisfied with AppScan but I am sure there are better alternatives available because this is a very old product. It's been on market for more than ten years now. I am sure there are a lot of new age products that are more scalable and cloud-based. Although we are using it and will probably continue to do so moving forward, I think there are better alternatives on the market now.

It takes care of our dynamic scanning needs. 

It's a good product. It's automated crawler identifies all urls and performs security tests. It has a very rich test cases which ensures pretty good coverage in terms of security testing. The UI is user friendly and intuitive. 

There are some false positives, which need to be removed, but this is common with all types of scanners.

One thing which I think can be improved is the CI/CD Integration. There is a CI/CD Integration model, but I guess they are deliberately not using it currently. There are challenges when integrating AppScan with CI/CD because sometimes the activation plus the login mechanism provided doesn't work properly. Sometimes a login mechanism fails and then the whole scan fails. It's difficult to integrate with CI/CD.

I have been using this solution for almost two years.

Scalability-wise, I'm not sure because you can buy the licenses depending on how many scans you want to do, but yes, it's scalable. I can do multiple scans simultaneously, but we have not tried more than that. I cannot tell you whether it can scale up to more than maybe two, three, or four simultaneous scans. We have not tested that.

The technical support is quite good. They always respond quickly.

Installation is pretty straightforward. Deployment only took a day or two.

We deployed it ourselves. Even one person can manage it so that's not an issue, but currently, we have four users who perform the activities and scans because of the volume of requests that we received from different businesses.

I would recommend AppScan to other businesses. In a small-scale setup, it works perfectly fine, but if you are a larger organization with a lot of applications and you need to do CI/CD, then it's probably not the solution for you. Conversely, in a small organization with less than 20 applications, this will work pretty nicely.

On a scale from one to ten, I would give this solution a rating of seven.

If they can integrate with CI/CD and make the log-in mechanism a little smoother, they should be able to scale it up. If they could integrate with the CI/CD pipeline and make the scans a little faster, then I would give it a higher rating.

The primary use case is to detect time-based Blind SQL Injection attacks, as well as Error-Based Injection attacks. The SQL injection attack is my favorite and I have more expertise in this vulnerability.

This solution saves us time due to the low number of false positives detected. Other scanners have an issue with respect to reporting false positives.

The most valuable feature is that it achieves a very low false-positive detection rate.

While I did not identify any specific bugs in this application. I did find that sometimes a restart was needed to deal with unresponsiveness means when AppScan is in a hang situation, this happens usually when you select a large number of sources. 

IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications.

We previously used Burp Suite. This application is best for static scanning.

Complex

We also evaluated Acunetix and Nexpose.

External and internal web application vulnerability scan.

• We were able to easily diagnose a large number of web applications automatically.
• The depth was low, but the part that the user could miss was also diagnosed.

AppScan seems to be very good at detecting reflected XSS vulnerabilities. This increases the security of web applications that are in operation.

It would be nice to be able to specify the parameter values ​​used in the login sequence function.

Our clients use it to try to find errors in base code, and also to find how solutions work together.

I believe they have on-premise usage; they are local government, so they are not very used to using the cloud.

I'm mainly working on the licensing side and not the technical side, so I don't get this kind of feedback.

Scalability, and it's a very powerful tool.

I believe there are improvements that can be made, but I'm not aware of those kinds of things.

It's stable.

For the market in Finland, when we are talking about a mid-size company, it equals a small company here in the USA, but they are mainly from 1,000 users to 10,000 users.

Tech support is responsive. With the local support I get all the help I need. I'm a former IBMer, so I know the right contacts, so it's quite simple to work.

I think it's a little bit complex, and that's quite a common issue with most of the IBM products.

Some of the customers are using office open-source tools, but most are not using a tool at all. So, that's the competition. Of course, they are thinking about return on investment because it's quite an expensive tool and they won't take it back.