Try our new research platform with insights from 80,000+ expert users
Yong Seok Kang - PeerSpot reviewer
Technical Consultant at MTRiver Consulting
Real User
Top 5Leaderboard
A security testing application that needs to improve security
Pros and Cons
  • "We use it as a security testing application."
  • "HCL AppScan needs to improve security."

What is our primary use case?

We use it as a security testing application. 

What needs improvement?

HCL AppScan needs to improve security. 

For how long have I used the solution?

I have been working with the product for ten years. 

What do I think about the stability of the solution?

HCL AppScan is pretty stable. 

Buyer's Guide
HCL AppScan
November 2024
Learn what your peers think about HCL AppScan. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.

How was the initial setup?

HCL AppScan is easy to deploy and can be done in one to two hours. 

What's my experience with pricing, setup cost, and licensing?

Our clients are willing to pay the extra money. It is expensive. 

What other advice do I have?

I rate HCL AppScan an eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
Senior Manager - IT Security & ISMS at Ericsson
Real User
Top 5
Helps with scanning but needs to be more user-friendly
Pros and Cons
  • "The solution is easy to install. I would rate the product's setup between six to seven out of ten. The deployment time depends on the applications that need to be scanned. We have a development and operations team to take care of the product's maintenance."
  • "The tool should improve its output. Scanning is not a challenge anymore since there are many such tools available in the market. The product needs to focus on how its output is being used by end users. It should be also more user-friendly. One of the major challenges is in the tool's integration with applications that need to be scanned. Sometimes, the scanning is not proper."

What needs improvement?

The tool should improve its output. Scanning is not a challenge anymore since there are many such tools available in the market. The product needs to focus on how its output is being used by end users. It should be also more user-friendly. One of the major challenges is in the tool's integration with applications that need to be scanned. Sometimes, the scanning is not proper. 

For how long have I used the solution?

I have been working with the solution for more than five years. 

What do I think about the stability of the solution?

I would rate the tool's stability a seven out of ten. The product's stability is fine if you have admin access. However, you may face issues during intense scanning. 

How are customer service and support?

The product's technical support is not good. 

How would you rate customer service and support?

Neutral

How was the initial setup?

The solution is easy to install. I would rate the product's setup between six to seven out of ten. The deployment time depends on the applications that need to be scanned. We have a development and operations team to take care of the product's maintenance. 

What about the implementation team?

We did  the product's deployment in-house. 

What's my experience with pricing, setup cost, and licensing?

I would rate the product's pricing a nine out of ten. The product's pricing is expensive compared to the features that they offer. 

What other advice do I have?

I would rate the product a three out of ten. We use the solution only for quarterly scanning. There are better tools in the market at the same price. These tools can integrate more with applications. The tool's providers don't invest in making a good product. Hence, it is better to use a different tool. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
HCL AppScan
November 2024
Learn what your peers think about HCL AppScan. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
reviewer1467588 - PeerSpot reviewer
Owner/ Consultant at a tech services company with 1-10 employees
Consultant
Offers many support languages, scans in a decent amount of time and is easy to set up
Pros and Cons
  • "There's extensive functionality with custom rules and a custom knowledge base."
  • "The solution often has a high number of false positives. It's an aspect they really need to improve upon."

What is our primary use case?

We primarily use the solution for static analysis.

What is most valuable?

AppScan is within the top three or four static analyzers. Its features include support for many languages. 

The product has a relatively reasonable scan time.

There's extensive functionality with custom rules and a custom knowledge base.

What needs improvement?

The solution often has a high number of false positives. It's an aspect they really need to improve upon. 

The product has vulnerabilities, or findings, that are almost identical in nature. 

For how long have I used the solution?

I've used the solution for the last 12 months or so. It's been about a year at this point.

What do I think about the stability of the solution?

The stability is okay. it's good. It's not very good or excellent, it's just good. I would describe the stability as a bit better than acceptable.

What do I think about the scalability of the solution?

When I worked on it, it wasn't in the cloud. It didn't offer Federation. Now, it is my understanding that it has those, which would make it very scalable. That said, when I used it, I would not give it a very scalable grade - maybe a two out of ten for scalability if you are using it off of the cloud. That said, that's not the latest version. The latest is likely more scalable, I just don't have experience with it.

How are customer service and technical support?

The technical support is pretty good. They are knowledgeable and responsive. We were satisfied with the level of support we received.

Which solution did I use previously and why did I switch?

I also know a bit about Checkmarx, Fortify, Veracode, and AppScan.

How was the initial setup?

I didn't really do the actual setup once it got moved into the cloud. I don't know how easy the cloud set up was. However, it's my understanding that it is now potentially easier than it was before, which wasn't too bad. 

What's my experience with pricing, setup cost, and licensing?

I don't know the prices currently. I knew the prices when it was still in-house with IBM, however, I don't know what the cost is now.

What other advice do I have?

I worked with the solution at a previous company. Now I am a consultant and I no longer work with the product. I don't have a business relationship with HCL.

I wanted to do a POC with the current state of what was IBM AppScan and now is HCL. I contacted my contacts at IBM and then they started off the conversation and it went smoothly because a number of people from IBM had gone over to HCL when that product was acquired.

Various tools have their strengths, I would advise anyone who is interested in using a similar solution do a proof of concept first with a few options. Try Checkmarx, Fortify, Veracode, and AppScan, and see which one makes the most sense for your company's purposes. Those would be the top four in my opinion right now.

Overall, I would rate the solution eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer943074 - PeerSpot reviewer
Scientific Officer at a tech services company with 51-200 employees
Real User
Top 20
Efficiently scans through the website and identifies vulnerabilities

What is our primary use case?

HCL AppScan efficiently scans through the website and identifies vulnerabilities for AWS. It is reducing tools day by day, making it more efficient. 

What needs improvement?

HCL AppScan generates false results. Sometimes, it incorrectly identifies requests as vulnerable when they are not vulnerable. In the ADSL feature managed, the primary objective is to identify application security vulnerabilities. However, sometimes AppScan wrongly flags something as a vulnerability when it's not present, which we call a false positive.

For how long have I used the solution?

I have been using HCL AppScan for nine years.

What do I think about the stability of the solution?

I rate the solution’s stability an eight out of ten.

What do I think about the scalability of the solution?

The solution is scalable if required.

How are customer service and support?

Customer support is helpful. 

How would you rate customer service and support?

Positive

How was the initial setup?

There is a licensing partner. Sometimes, it is required to install a server. I must remove that license and then eject a new one on a different server. It becomes a bit harder for beginners if they do not have enough experience to install Zoho software.

Deployment takes around an hour, and one person can do it.

I rate the initial setup a six and a half out of ten, where one is difficult and ten is easy.

What's my experience with pricing, setup cost, and licensing?

The tool is not cost-efficient. Considering the type of service with encryption security scanning from HCL AppScan, it drives up the cost unnecessarily. It is fairly priced.

What other advice do I have?

There are some very cost-effective solutions out there. They are also very efficient for systems scanning.

Overall, I rate the solution an eight-point five out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Mechanical maintenance technician at SAQ
Real User
Top 5
Helps with the scan of the web interface and supports special languages
Pros and Cons
  • "Compared to other tools only AppScan supports special language."
  • "The solution needs to improve in some areas. The tool needs to add more languages. It also needs to improve its speed."

What is our primary use case?

I use the tool to scan the web interface.

What is most valuable?

Compared to other tools only AppScan supports special language.

What needs improvement?

The solution needs to improve in some areas. The tool needs to add more languages. It also needs to improve its speed.

For how long have I used the solution?

I have been using the solution for two years.

How are customer service and support?

The solution has dedicated and good tech support. We can open a ticket and we get information within two hours. Once we open a ticket we get validation or confirmation of our problem. When we get to the specialist, we will get more information.

How would you rate customer service and support?

Positive

What other advice do I have?

I would rate the overall solution a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user841956 - PeerSpot reviewer
Director Of Product Cyber Security at a aerospace/defense firm with 10,001+ employees
Real User
The ease of use is key, the developers can actually use it and get results from dynamic testing
Pros and Cons
  • "For me, as a manager, it was the ease of use. Inserting security into the development process is not normally an easy project to do. The ability for the developer to actually use it and get results and focuses, that's what counted."
  • "I think being able to search across more containers, especially some of the docker elements. We need a little tighter integration there. That's the only thing I can see at this point."

What is our primary use case?

We use IBM Appscan for a dynamic assessment of development of our code, so we're looking for something that will actually help us through our entire security development lifecycle.

It has performed better than we expected. We were able to use it quite often, use the server IDE to help test our code before we go into a full test. And it's helped point out some things we had to correct.

We're using it on the cloud. That particular solution we've been using on the cloud because it's a cloud instance, so the transition from going from one to the other wasn't there because we already had our cloud. We were able to use it because we had nothing else there. It helped fill a need that we really had.

How has it helped my organization?

It helps the organization the way we process the entire thing. It has actually helped a little bit with the speed of delivery too, which was surprising because most people thought it would be the other way around.

IBM Applications Security has contributed to the maturity of our AppSec risk management program. We've been working on our risk management program overall, for security development, and this has been a great asset to have.

We also use the solution to security test open-source applications. I'd say better than 70-75% of our applications are open-source. To me, a lot of people overly focus on open-source. That's because they believe that all the closed-source or proprietary is, in fact, secure. That's not necessarily the case. The issue is, when you take code and you're combining these different proprietary and open-source, packages, you have to test them all in the context where you're using them. And therein is the real issue. To me, it's not so much about the open-source, it's about all code. I believe all code has something that I have to look at.

We have a number of projects running concurrently, so I look at the aggregate. I try not to go to what's done on a single product. However, having said that, since we had nothing in dynamic and now we do, that's a huge improvement. You might say then that it was 100% improvement. I don't know if I would give it quite that number, but it is a huge improvement. It's quite near that number.

What is most valuable?

For me, as a manager, it was the ease of use. Inserting security into the development process is not normally an easy project to do. The ability for the developer to actually use it and get results and focuses, that's what counted.

What needs improvement?

I think being able to search across more containers, especially some of the docker elements. We need a little tighter integration there. That's the only thing I can see at this point.

What do I think about the stability of the solution?

I haven't had any issues with stability so I think it's fine.

What do I think about the scalability of the solution?

We're in the process of testing scalability, so I can't really speak to how broad that is because we're just parring up our entire installation of it. I am looking across other parts in our business where our more traditional products are that connect. So, we're looking to see how that scales. But, overall it's looking good.

How are customer service and technical support?

Once we got into the queue, we got a fantastic turnaround.

Which solution did I use previously and why did I switch?

Here I have an unfair advantage. I came out of a large security company, and because of my experience and the fact that we had a need, I looked around for the best solutions that were available. There were a lot of competitors. The question was, how well it would integrate with our process, since we were developing a full SDL with security tool check-points. AppScan fit that very well.

The most important criteria when selecting a vendor were that it had a great product, but I had to have a product that I could integrate and automate. For me, it wasn't a matter if it was best in breed, they had the neatest slice of cheese. What I was looking for was, could it integrate and automate? If it couldn't, they weren't on the selection list.

How was the initial setup?

I didn't do the work but I directed it.

There were a couple of steps where we had to have some help. But at the same time, we just put in an engagement for a Professional Services to do it quicker, do the integration, to make it tighter for us. We're just waiting for the final part of that to be signed so we can actually move forward.

Which other solutions did I evaluate?

Veracode, Synopsis, and a few others. What made us go with IBM was the integration and automation efforts; what it would do there, and the fact that it did so well at what AppScan does, which was in the dynamic testing.

What other advice do I have?

In terms of rating it, because I haven't had it installed long enough, and we haven't finished all the integration because of the Professional Services yet, I'd say it's rating really well, toward excellent. But it's just one of those things, until you see all the proof in the pudding...

As of right now I would rate it an eight out of 10.

The advice I would give to a colleague is, first, know your development process and where it's weak. From there, insert secure development, realize that it's not about the tool, it's about the process of development. Then find the tools that solve that. For us the key was, could it integrate, could it automate, and could it make the developer's workload easier? That's what we looked for.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
NamNguyen11 - PeerSpot reviewer
CTO at FPT Telecom
Real User
Top 5Leaderboard
A cheap solution with a good technical support team
Pros and Cons
  • "The solution is cheap."
  • "Improvement can be done as per customer requirements."

What is our primary use case?

I use it for my customers. 

What needs improvement?

Improvement can be done as per customer requirements.

For how long have I used the solution?

I have been using HCL AppScan for some time. 

How are customer service and support?

The technical support is good. 

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup took one to two days. 

What's my experience with pricing, setup cost, and licensing?

The solution is cheap. 

What other advice do I have?

I rate the overall solution a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Flag as inappropriate
PeerSpot user
SeniorSe47a0 - PeerSpot reviewer
Senior Security Specialist at a transportation company with 10,001+ employees
Real User
Contributes to maturity of our AppSec risk management, but Web Services testing is basic
Pros and Cons
  • "I like the recording feature."
  • "It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good."

What is our primary use case?

Our use case is that we always test our applications with AppScan before going to the production side. We have been using it for many years. It's honestly one of the best products in the application security the portfolio.

We aren't using it on the cloud.

How has it helped my organization?

It has contributed to the maturity of our AppSec risk management program. I would rate that maturity level as eight out of 10. The testing part of your application's security is very valuable. You can't avoid that.

Applications are the faces of companies to the world. How much your application is secure equals how much your brand is secure. AppScan is a very major part of of the story.

We don't use it to test open-source code.

What is most valuable?

There's a recording feature that I really like. You pass through the login pages. If you record the login part, it becomes very fast with the solution.

What needs improvement?

It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good.

What do I think about the stability of the solution?

We experienced some performance problems at times, but it's actually not about the application. It depends on the hardware you use, the power of the CPUs, memory, nothing except that.

What do I think about the scalability of the solution?

In terms of scalability, we don't need much. So I can't really answer this question.

How is customer service and technical support?

I like IBM technical support as a whole. It was a really good experience.

What other advice do I have?

When selecting a vendor we look for 

  • a global brand
  • support
  • user friendliness
  • cost, and the license models.

I would recommend AppScan.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free HCL AppScan Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2024
Buyer's Guide
Download our free HCL AppScan Report and get advice and tips from experienced pros sharing their opinions.