HCL AppScan Reviews

We primarily use the solution for static scans as well as dynamic scans to check for vulnerabilities. 

The scanning is quite good. It's good for helping us seek out vulnerabilities and fixing hot spots. 

The pricing is fine. 

It's on a managed cloud, and that makes it very easy. It's straightforward to use.

The solution has been stable, and we haven't really had downtime. 

It's stable. 

Technical support is helpful.

I do not have any notes for improvements. 

They should have a better UI for dashboards. It would be nice to have visualizations such as pie charts. This would help administrators and be more of a value-add. 

I've been using the solution for three years. 

The solution is stable. We haven't had any downtime. I'd rate it eight out of ten. There are no bugs or glitches. It doesn't crash or freeze. 

I'm not directly working to scale the solution. I don't know how well it extends. 

We have many people in our organization on the product. 

I've contacted technical support in the past. We have dedicated Slack channels, and we can easily open tickets with them for troubleshooting. They are fast and knowledgeable. 

I also use SonarQube. We also use SonarQube for code quality.

We did not previously use any other solution.

We do not have to manage the setup. It is a managed cloud offering. There is no implementation process. We just need to upload the applications. It doesn't take any time at all. Everything is automatic. 

The cost is okay. It's not overly expensive. 

We do not have to continuously pay for a license. 

I'm not sure of the exact version I'm using. 

I'd rate the solution nine out of ten. It's pretty straightforward to use, and we like that it is a managed cloud. 

I have a set project, and I'm writing an application for monitoring server status, and I tried several times to scan it with AppScan in order to understand if there are vulnerabilities in my code.

The dynamic scan, the DAST tool, dynamic applications scanning and testing tool, is great.

It was easy to set up.

It's a stable solution.

The product is easy to scale. 

The solution is affordable and reasonably priced.

The performance could be better. Sometimes it doesn't work so well. There's a tool for connecting the cloud with the application server. Sometimes it doesn't work really well.

I have not come across any missing features. 

I've been using the solution for six months. It's been less than a year so far. 

The solution has been stable. There aren't bugs or glitches. It doesn't crash or freeze. It's reliable. 

So far, we've found the solution can scale well.

I've reached out to support in the past. They are pretty good, however, they are also working from India, and I'm in Italy. There is a delay of course when I open a ticket. We have to wait a bit due to the time shift.

We did not previously use a different solution. This was our first. 

The initial setup is pretty simple and straightforward. It's not an overly complex or difficult process. 

It took about one day to deploy the solution.

I handled the initial setup on my own. I did not ask for help from any consultants or integrators. 

I actually pay for tokens. Any time that I want to perform scanning, I have to pay for another token. It's pretty good for me, this system, as it's really, really nice when I need it. I just need to pay for it, and that's it.

We are end-users.

I'd rate the solution a seven out of ten.

The most valuable feature of HCL AppScan is scanning QR codes.

The solution could improve by having a mobile version.

I have been using HCL AppScan for approximately one year.

I have found HCL AppScan to be stable.

HCL AppScan is a scalable solution. it can easily scale up and out.

The support I have received has been good. I had an issue and I opened a ticket with the support, and everything went smooth. 

The initial setup of HCL AppScan is easy.

I rate HCL AppScan an eight out of ten.

HCL AppScan is primarily used to improve application security. We are transitioning from DevOps to DevSecOps.

We are attempting to integrate these tools into our CICD pipeline in order to meet our business use cases. And if we notice that the tool is missing any business features or a feature, we will highlight them and work to have them fixed or implemented. That is how we go about it. We don't go for any generic features because that will be handled by the product team. We are here to identify our gaps and then have them implemented by the vendor team.

AppScan is only used for web scanning; we do not use it for anything else.

There are many features that are valuable. such as the APIs. API calls in AppScan, and similar to Burp Suite enterprise edition, which is also for API scans. I can trigger the scan ware API.

The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with the HCL.

The dashboard, for AppScan or the Fortified fast tool, which we use needs to be improved. We always raise that as an announcement request because statistics gathering or management reports based on statistics are quite important. that is the only generic feature that we always request from the product team. The standard response is "Yes, it is in the pipeline, we will take a look." 

We would like to see all of the results in the same product. However, specific products for a specific test are available on the market. For example, you cannot upload the task report to the DAST report dashboard and instead request that the product team or vendor team create a sophisticated dashboard for that. Definitely, they will say "No, it is not possible because you have a DAST tool on the market. Go and purchase that. It will have your dashboard.  If you're a DevSecOps team, and you ask me I would like to see all of the reports uploaded and collaborated on the same dashboard of the particular product. This is the reason we are using an open-sourced vulnerable management tool.

We have been using HCL AppScan for almost four years.

We are not working with the most recent update, but with two versions earlier.

The HCL AppScan performance is both stable and reliable.

Burp Suite and HCL AppScan are both stable and reliable when compared to other products.

Scalability is a question that is determined by how you allocate your hardware. It is all about how you design your CICD program with HCL AppScan. 

Scalability is quite simple to implement or achieve. Again, this is entirely dependent on your business requirements. Generally, or in short, scalability is not an issue with HCL AppScan.

This solution is used daily.

We have contacted technical support when we need customization, and there are usually other bugs and day-to-day life hacks.

The support has improved since the transition from IBM to HCL AppScan.

We are working with tools that are all related to application security, such as Qualys, SAST, DAST, open-sourced software scan, and penetration test tools. 

Some of the penetration test tools we work with are Burp Suite, and OWASP Zap which is an open-source product.

The initial setup with most of the products, particularly the Burp Suite and the HCL AppScan, is straightforward. The only difference is that when it is customized to your specific requirements, that is when the key part comes into play. We have to engage the professional services of the product team, or the vendor team, which is where the headache begins. That is a common challenge shared by the all vendor team.

Deployment and installation of AppScan take approximately three hours, or less than that if you have all of the necessary prerequisites, hardware, a database, and everything is in place, then three hours is all you need.

We put our application into maintenance mode during the version upgrade.

We require one person for the administration of this product.

When customization is required, we have assistance from the vendor time.

Most of the HCL AppScan installations are customized. We use Pure Vanilla or a new malware product.

With the features, that they offer, and the support, they offer, AppScan pricing is on a higher level. 

They should reduce it slightly. But, in my opinion, it's not a big deal. If a tool is able to satisfy all your requirements, it doesn't matter, the cost is not a deciding factor.

There are no additional fees in addition to the licensing fee.

We looked into it and decided on two open-source vulnerable management products. We are currently conducting a proof-of-concept on those open source vulnerable management tools.

We are just looking into these open sources and experimenting with them. As a result, this is the first time we intend to incorporate this vulnerable management tool into our world.

We are looking for vulnerability management, purely for vulnerability management, that can collect reports from SAST, DAST, and other scan results and use them in the management dashboard.

Before you choose a tool, whether it is Burp Suite, AppScan, or any other tool, you must first construct your business requirements, or the business use case. And you must detail out all of the product's features, as well as map the features to the business use cases. If the product meets or exceeds the majority of the business use cases, then you only need to choose that product. Otherwise, you will end up customizing the product after you buy it, which will create issues in terms of engaging with the professional services of that specific vendor. Then there's the matter of time and money. 

Detail all of your business use cases, then map those use cases to the product feature list and choose the product.

We have a business relationship with AppScan, as customers, and some of our business partners have project outsourcing with IT companies, such as HCL, IBM, Dell, and Infosys.

I would rate HCL AppScan a nine out of ten.

We primarily use the solution for static analysis.

AppScan is within the top three or four static analyzers. Its features include support for many languages. 

The product has a relatively reasonable scan time.

There's extensive functionality with custom rules and a custom knowledge base.

The solution often has a high number of false positives. It's an aspect they really need to improve upon. 

The product has vulnerabilities, or findings, that are almost identical in nature. 

I've used the solution for the last 12 months or so. It's been about a year at this point.

The stability is okay. it's good. It's not very good or excellent, it's just good. I would describe the stability as a bit better than acceptable.

When I worked on it, it wasn't in the cloud. It didn't offer Federation. Now, it is my understanding that it has those, which would make it very scalable. That said, when I used it, I would not give it a very scalable grade - maybe a two out of ten for scalability if you are using it off of the cloud. That said, that's not the latest version. The latest is likely more scalable, I just don't have experience with it.

The technical support is pretty good. They are knowledgeable and responsive. We were satisfied with the level of support we received.

I also know a bit about Checkmarx, Fortify, Veracode, and AppScan.

I didn't really do the actual setup once it got moved into the cloud. I don't know how easy the cloud set up was. However, it's my understanding that it is now potentially easier than it was before, which wasn't too bad. 

I don't know the prices currently. I knew the prices when it was still in-house with IBM, however, I don't know what the cost is now.

I worked with the solution at a previous company. Now I am a consultant and I no longer work with the product. I don't have a business relationship with HCL.

I wanted to do a POC with the current state of what was IBM AppScan and now is HCL. I contacted my contacts at IBM and then they started off the conversation and it went smoothly because a number of people from IBM had gone over to HCL when that product was acquired.

Various tools have their strengths, I would advise anyone who is interested in using a similar solution do a proof of concept first with a few options. Try Checkmarx, Fortify, Veracode, and AppScan, and see which one makes the most sense for your company's purposes. Those would be the top four in my opinion right now.

Overall, I would rate the solution eight out of ten.

I use it for my customers. 

Improvement can be done as per customer requirements.

I have been using HCL AppScan for some time. 

The technical support is good. 

Positive

The initial setup took one to two days. 

The solution is cheap. 

I rate the overall solution a nine out of ten.

HCL AppScan efficiently scans through the website and identifies vulnerabilities for AWS. It is reducing tools day by day, making it more efficient. 

HCL AppScan generates false results. Sometimes, it incorrectly identifies requests as vulnerable when they are not vulnerable. In the ADSL feature managed, the primary objective is to identify application security vulnerabilities. However, sometimes AppScan wrongly flags something as a vulnerability when it's not present, which we call a false positive.

I have been using HCL AppScan for nine years.

I rate the solution’s stability an eight out of ten.

The solution is scalable if required.

Customer support is helpful. 

Positive

There is a licensing partner. Sometimes, it is required to install a server. I must remove that license and then eject a new one on a different server. It becomes a bit harder for beginners if they do not have enough experience to install Zoho software.

Deployment takes around an hour, and one person can do it.

I rate the initial setup a six and a half out of ten, where one is difficult and ten is easy.

The tool is not cost-efficient. Considering the type of service with encryption security scanning from HCL AppScan, it drives up the cost unnecessarily. It is fairly priced.

There are some very cost-effective solutions out there. They are also very efficient for systems scanning.

Overall, I rate the solution an eight-point five out of ten.

I use the tool to scan the web interface.

Compared to other tools only AppScan supports special language.

The solution needs to improve in some areas. The tool needs to add more languages. It also needs to improve its speed.

I have been using the solution for two years.

The solution has dedicated and good tech support. We can open a ticket and we get information within two hours. Once we open a ticket we get validation or confirmation of our problem. When we get to the specialist, we will get more information.

Positive

I would rate the overall solution a nine out of ten.