HCL AppScan Reviews

I'm currently working with BigFix and HCL AppScan. At least three people in my company are using HCL AppScan. Since we are a reseller, we run it in both lab environments and live production applications. Our production applications include our CRM, monitoring setups, active directory, and quite a few other live applications.

We don't have too many applications in our own environment, but in our customer environments, we do plan to integrate HCL AppScan into the DevOps toolchains. Although we've read about the integration capabilities, we will have to identify how it works specifically for our needs. It may be slightly early to fully assess that integration.

Although automated scanning may not be very important for us, it is definitely going to be important for our customers.

I've been using HCL AppScan for about three months now, and we've just started with it. My experience with HCL AppScan has been good so far.

I have utilized its interactive application security testing, as well as both static application security testing, dynamic application security testing, and IAST. HCL AppScan has helped us improve our security posture, as we've been able to identify quite a few issues. We conducted security testing of several applications running in our on-premises setups as well as our cloud setups. We were able to identify security issues such as certificate-related issues, authentication-related issues, and weak encryption-related issues.

During the learning curve of onboarding HCL AppScan, we learned that HCL has altered the portfolio and now offers HCL AppScan 360, which has a much better look and feel with an improved user interface. However, there is one feature called SCA, which stands for Software Composition Analysis, that could be improved. When I'm doing an application scan, HCL AppScan has the ability to generate information about what components are in use. For example, if I'm scanning a web application, it shows me the various components being used. It tells me whether I have Java libraries, .NET frameworks, or other log management libraries such as Log4j, and what versions of those specific components are present.

I would like to see more detailed reports from the tool. Currently, you can find out the components belonging to a specific software, but if detailed reporting became available, you would be in a better position to identify vulnerabilities. For instance, I could identify that I had the Log4j vulnerability and know that I need to fix my application accordingly.

If they add the features I'm describing, I would consider giving them a higher rating. However, I've only been experienced with the product for three months.

Since we've been using HCL AppScan for about three months, we really have not encountered a false positive. Otherwise, we've found it pretty effective.

I would rate the technical support by HCL from one to ten as an eight. There is still room for improvement when it comes to the speed of response, mainly because we were very new to the setup and required more support than might be expected.

Positive

Before HCL AppScan, I tried to work with a solution called Black Duck, but I was not able to test it. We read about it, but we were unable to do the testing for that solution.

I was involved in the deployment of HCL AppScan in our system. It was very straightforward. Under a couple of hours, we were up and running with the implementation of HCL AppScan.

I would recommend HCL AppScan for large industries, as they definitely need to adopt application security tools. Specifically in the financial sector, since they are governed by regulators, they need to be able to convince those regulators that their applications are secure, have undergone security testing, and that identified loopholes have been fixed. Any regulated industry should consider HCL AppScan. The primary regulated industries that come to mind are the finance sector, the defense sector, manufacturing, the medical industry, and healthcare setups. I gave this product a rating of 8.5 out of 10.

The primary use case for AppScan is for security purposes. I compare AppScan with other tools such as Veracode. We use AppScan for vulnerability detection and auto-remediation of vulnerabilities with features built into the tool, including their AI solutions. I work with AppScan and other security tools as part of my role, focusing on market-leading tools.

AppScan provides great features that facilitate quick solutions to vulnerabilities. It helps by suggesting alternative functions that can be implemented directly into the code, thus reducing the need for developers to conduct extensive searches.

AppScan's most valuable features include its ability to identify vulnerabilities accurately, provide detailed remediation steps, and the newly introduced AI-powered features that enhance its functionality further. These features collectively aim to improve security by introducing efficient AI solutions.

AppScan needs to improve its handling of false positives. It also requires enhancements in customer support, similar to what Veracode provides. Regularly scheduling calls with clients to discuss features and solicit feedback would be beneficial. Moreover, enhancing the accuracy and specificity of Bug reporting is crucial.

I have worked with AppScan for approximately four to five years, focusing on security tools throughout my career.

AppScan is stable. There are no specific stability issues mentioned.

There are no specific issues with scalability mentioned in the transcript. The solution is considered adaptable since both AppScan and Veracode offer CI/CD pipeline integrations.

Customer service and support from AppScan need improvement, especially when compared to Veracode. Veracode provides excellent assistance and regularly scheduled calls to address customer concerns and updates.

Neutral

I have worked with various leading tools, both AppScan and Veracode among them, shifting attention based on the tools' security features and my organization's needs.

AppScan's setup is not difficult. It offers a fast solution, simplifying processes with just a URL.

Implementation involves logging in through the URL provided and proceeding as required, which is efficient and straightforward.

Financial details and return on investment are not within my remit, and hence, I cannot provide specific insights.

AppScan is considered more cost-effective than Veracode, although I have not updated the exact pricing details. Companies often choose based on budget constraints, with Veracode being on the higher end cost-wise.

I have used various other market-leading security tools such as Veracode and IBM solutions.

If funding is not an issue, I recommend considering higher-priced tools for their extended features, but AppScan is a reliable option as well when budget constraints are a concern.

I'd rate the solution seven out of ten.

HCL AppScan is a security scanning tool that we use in our company to scan our applications.

The most valuable feature of the solution is the scanning or security part.

My company wants a tool that does static scan and dynamic scan. My company generally expects to do a static and dynamic scan with HCL AppScan.

The solution's technical support team has certain shortcomings where improvements are required. The solution's technical support team generally fails to provide spot-on answers to issues. HCL's technical support team takes a lot of time to come up with a solution to a problem.

I have been using HCL AppScan for six to seven years. I use HCL AppScan Version 10.1.0. I am a customer of HCL.

Stability-wise, I rate the solution a seven to eight out of ten.

The solution's scalability can be a matter of concern because one license runs on one machine only. I think if you need scalability, then you need to have multiple licenses. When it comes to HCL AppScan, it's not a question of scalability. You can't run one license on multiple machines, as one license is only for one machine. In general, HCL AppScan is not scalable unless you buy more licenses.

The solution's technical support is not that great. I rate the technical support a six out of ten.

Neutral

Given that we have been using HCL AppScan for many years, I think the setup process is not difficult at all. Sometimes, some issues stop or prevent my company from moving forward with the product's setup phase. We have to call HCL's support team and engage in long discussions to smoothly carry out the setup phase. In general, the product's setup phase is not difficult in our company.

The solution is deployed on an on-premises model. The licenses for the solution are available only on cloud deployments nowadays.

The solution is already installed in our environment. Every time a new release or software comes out from HCL, our company does a scan, which takes maybe a day or two.

One of the in-house teams in my company was involved in the solution's installation process.

I rate the product's price a seven on a scale of one to ten, where one is low, and ten is high. HCL AppScan is an expensive tool.

I compared HCL AppScan with Veracode and other tools. I wanted to see if I could get meaningful differences between them from PeerSpot's website. I couldn't find details on what I was looking for in terms of the comparison of HCL AppScan with Veracode.

I rate the overall tool a seven and a half to eight out of ten.

We use AppScan primarily for security testing and performance monitoring across our systems.

The product's features for comprehensive code analysis (static) and live environment testing (dynamic) have significantly enhanced our ability to identify and address vulnerabilities, improving overall security.

The platform has valuable security features, helping us identify sensitive code issues and the possibility of internal applications' exposure to external threats.

They could incorporate AI to enhance vulnerability detection and improve the product's reporting capabilities.

We've been using HCL AppScan since July last year, so approximately one year.

The platform has been stable, reducing code issues significantly. 

I rate stability an eight. 

The product scalability hasn't been fully tested in our environment, but I estimate it to be around seven or eight. 

The deployment was straightforward as we used the on-premise version. Some initial challenges were later resolved with assistance from HCL. 

I would rate the setup process a seven out of ten.

The product is moderately priced, though it's an investment due to extensive code analysis needs.

The platform avails dynamic scanning checks in the pre-live environment, while static scanning evaluates code in the development phase. It aids in achieving ISO compliance by ensuring thorough scanning and security checks across our environment. 

Overall, I rate it an eight. 

We use the product for Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). By integrating AppScan into our CI/CD pipelines, aligned with Agile methodologies, we ensure that security testing becomes an integral part of the software development lifecycle.

The product has valuable features for static and dynamic testing. It is one of the leaders in the market amongst SAST solutions.

They could add a software component analysis tool. Additionally, it could cater to the areas related to scanning container packages and images in the repository.

We have been using HCL AppScan for two to three years.

The product's cloud version is scalable. We manage the product for enterprise customers consisting of 250 to 500 employees.

We have experience working with multiple security testing tools, including Fortify, Vericode, and Checkmarx.

Vericode provides more efficient mobile application security testing features than other tools in this domain. Checkmarx is recognized for its market presence and technical capabilities.

The initial setup process is complex. The time taken depends on specific use cases and integration requirements. It might take ten days to a month to complete.

The product provides added value in the microservices-led architecture. It helps us reduce errors by integrating DevOps processes and IT pipelines in digitized times. It brings down maximum defects. It has improved the attack surface of applications in the post-deployment phase.

The product has premium pricing and could be more competitive.

I rate HCL AppScan a nine out of ten, specifically for SAST and DAST functionality. However, I would rate a seven out of ten for the areas related to API and mobile application security testing.

We use HCL AppScan products to help us scan for vulnerabilities and generate reports to provide a foundation on how to fix any issues. Their 4.7 version facilitates machine learning to help us select APIs and customize our scans more specifically. We also use the HCL AppScan Standard Enterprise Source and Cloud for scanning, and we plan to add the HCL AppScan Switch Casing to our toolkit. This makes it easier for us to scan the internet and use Tenable to help us find any issues.

The most valuable feature of the solution is Postman. As a security engineer, Postman allows me to specify exactly what information I need to scan for, rather than just dropping all information and running a scan. I can also use it to do some information gathering before scanning. This allows me to specify APIs and scan accordingly. The feature also saves us time.

As a developer who has been studying and working in the security product industry for several years, I have been impressed by HCL's progress. Although the cost of their product is competitive, I believe they could make it even better by increasing their database size. Companies like Tenable have much larger databases when it comes to vulnerabilities and portals, and even though HCL is connected with other vendors such as Microsoft, their database is not as expansive. The databases for HCL are small and have room for improvement.

HCL already has four solutions: Standard, Enterprise, Open Source, and the Cloud. Perhaps in a future release, HCL can add AI products. Manual work would be made easier with artificial intelligence. Maybe HCL could develop an AI program for scanning.

I have been using the solution for five months.

The solution is scalable.

The initial setup is straightforward. This is a great advantage of HCL, as we can just download, install and run it to identify potential vulnerabilities. Furthermore, the graphical user interface is also simplified.

The implementation didn't take a lot of time; setting up the cloud was just a matter of making my account and getting familiar with the features. After that, we were all logged in and ready to go with no major changes required.

I give the solution a nine out of ten.

I am currently the first person in my company to begin working with HCL. We have not yet gone to any clients, but I plan to get certified in HCL with AppScan. When we have clients that require components from HCL, I will be the representative for them as I am knowledgeable in the subject.

I would highly recommend HCL for people in the workforce. It has a user-friendly interface and the cost is much lower than Tenable. The database is good, and installation is easy. Additionally, technical support is likely to be helpful. Finally, there are a lot of other tools that come with HCL, such as scanners and detectors, which will make the job much easier.

I mainly use AppScan to secure various types of applications. I use its DAFDAT solution for black box scanning, as well as SaaS and source code validation. AppScan helps in scanning code for vulnerabilities, including open-source code.

The most valuable feature of HCL AppScan is its integration with the SDLC, particularly during the coding phase. This allows for scanning during code construction, which is beneficial. However, I also find the DAF and penetration testing features valuable, especially for discovering vulnerabilities like those in the OWASP Top Ten.

Improving usability could enhance the overall experience with AppScan. It would be beneficial to make the solution more user-friendly, ensuring that everyone can easily navigate and utilize its features. Additionally, improving marketing efforts could help raise awareness about AppScan's features and benefits, especially for external teams beyond just internal use.

I have been working with HCL AppScan for almost ten years.

Since moving to HCL, AppScan has become very stable, addressing any previous issues.

AppScan makes scaling easy, especially with its cloud-based capabilities. I would rate its scalability as a ten out of ten.

I would rate the technical support as a ten out of ten.

Positive

Switching from Fortify to AppScan was a game-changer for me. AppScan was easier to configure and provided more thorough scanning results. The support for AppScan, especially in Brazil, was excellent compared to Fortify's lack of support. Overall, AppScan offered a more user-friendly experience with better results and support.

Setting up AppScan is straightforward and easy, as it typically involves a simple "next-next-finish" process for implementation. I would rate the easiness of the setup as a ten out of ten.

Using AppScan has led to a significant reduction in vulnerabilities and saved us around 20% in costs overall. Many banks in Brazil have also experienced cost savings by using AppScan. Personally, I saw a return on investment within six months of using the tool.

AppScan's pricing is a bit challenging, especially when dealing with currency exchange rates outside Brazil. However, it is still more affordable than alternatives like Fortify. Personally, switching to AppScan helped me save money.

AppScan's dynamic and static scanning capabilities have benefited my security testing processes significantly. It helps in scanning the code automatically during the SDLC and ensures security before pushing it to production. Both dynamic and static scanning solutions are essential for me, making AppScan a valuable tool.

AppScan integrates smoothly with existing security and development workflows. It offers easy integration with tools like SBS and provides developer plug-ins for seamless inclusion in the workflow.

My use of AppScan has been influenced by the trend towards comprehensive application security testing. While researching the best solution, I found it challenging to locate information and personal experiences with AppScan.

I would recommend AppScan to others. In my opinion, it is the best solution for web application security testing.

Overall, I would rate AppScan as a ten out of ten.

It depends on the application, but it's generally a very user-friendly tool. Anyone can easily learn how to scan and boost their security.  

It's very accurate, although there might be a few false positives, but you can configure those out.

In future releases, I would like to see more aggressive reports. I would also like to see less false positives. 

There is room for improvement in pricing as well. 

Also, support for mobile apps would be better. Right now, we're only using it for web applications.

I've used AppScan for four years now.

I would rate the stability an eight out of ten. 

It is a scalable product. I would rate the scalability an eight out of ten. 

The customer service and support are very user-friendly. They'll send meetings whenever we need them, respecting our valuable time. They'll do their best to resolve our problems.

Positive

I used Fortify WebInspect in my previous company. They were more manual and time-consuming, and we often got more false positives. The result was very vast, and we needed to find everything and check over and over. We didn't find it very user-friendly.  

Fortify WebInspect was okay, but not as good. If we get the same result, it takes more time to understand the output and how to remediate it. It leaks more time. We need to reduce time nowadays and get things done.

AppScan is much faster and more reliable.  

We also used Burp Suite before, which was also user-friendly and allowed for manual testing. It's good for auto-mesh, but it takes longer and doesn't offer as much satisfactory results.

It is easy to implement and set up for users.

The pricing is good. We had two licenses, and we were offered good discounts. 

It's user-friendly and easy to install and analyze results. The solution also provides clear explanations and recommendations in the output, which is very helpful. I highly recommend it.

Overall, I would rate the solution a nine out of ten. 

I use HCL AppScan in my company for application security scanning.

The most valuable feature of the solution stems from the fact that it is good to run the scan faster. You can basically run the scan and take a break at work since the tool will compute the results, which makes the product quite intuitive. HCL AppScan doesn't require constant monitoring.

Maybe having some APIs could be helpful. If HCL AppScan is able to alert the clients over email once the scan is complete, it would be great. Right now, HCL AppScan doesn't let me know if the scanning part is finished or not, because of which I have to come back and check mostly. It would be helpful if the tool had some API gateway that would allow me to run some custom queries.

I have been using HCL AppScan for around four months. My company is a customer of HCL AppScan.

It is a stable solution.

It is a scalable solution.

Around 20 people in my company use HCL AppScan.

The solution's technical support is good. I rate the technical support an eight out of ten.

Positive

The initial setup or installation of HCL AppScan is easy.

Maybe two or three hours are required to deploy, install, and configure the product.

About seven or eight engineers and architects may be required to deploy the product.

The solution is deployed on the cloud.

The price of HCL AppScan is okay, in my opinion. You just buy HCL AppScan and don't pay anything anymore, meaning it is just a one-time purchase.

Once we get the updates for HCL AppScan, another team in my company takes care of the installation of the new updates, which takes about half a day.

I would tell those who plan to use HCL AppScan that it is a helpful and beginner-friendly product.

I rate the overall product a ten out of ten.

The solution is used for the vulnerabilities scan on the network side.

The reporting part is the most valuable feature.

The penetration testing feature should be included.

I have been using the solution for four years.

It is a stable solution. I rate it seven out of ten.

It is a scalable solution. I rate it seven out of ten.

The initial setup is very easy. The deployment takes a couple of weeks including customer training as well. I rate it ten out of ten.

The solution is moderately priced. I rate them four out of ten.

I rate the overall solution eight out of ten.