CTO at FPT Telecom
A cheap solution with a good technical support team
Pros and Cons
- "The solution is cheap."
- "Improvement can be done as per customer requirements."
What is our primary use case?
I use it for my customers.
What needs improvement?
Improvement can be done as per customer requirements.
For how long have I used the solution?
I have been using HCL AppScan for some time.
How are customer service and support?
The technical support is good.
Buyer's Guide
HCL AppScan
March 2025

Learn what your peers think about HCL AppScan. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
845,040 professionals have used our research since 2012.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup took one to two days.
What's my experience with pricing, setup cost, and licensing?
The solution is cheap.
What other advice do I have?
I rate the overall solution a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: partner

Mechanical maintenance technician at SAQ
Helps with the scan of the web interface and supports special languages
Pros and Cons
- "Compared to other tools, only AppScan supports special languages."
- "The solution needs to improve in some areas. The tool needs to add more languages. It also needs to improve its speed."
What is our primary use case?
I use the tool to scan the web interface.
What is most valuable?
Compared to other tools, only AppScan supports special languages.
What needs improvement?
The solution needs to improve in some areas. The tool needs to add more languages. It also needs to improve its speed.
For how long have I used the solution?
I have been using the solution for two years.
How are customer service and support?
The solution has dedicated and good tech support. We can open a ticket and we get information within two hours. Once we open a ticket we get validation or confirmation of our problem. When we get to the specialist, we will get more information.
How would you rate customer service and support?
Positive
What other advice do I have?
I would rate the overall solution a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Software Engineer at Inspire for Solutions Development
Easy to deploy, scalable, and can specify APIs before scanning
Pros and Cons
- "The most valuable feature of the solution is Postman."
- "The databases for HCL are small and have room for improvement."
What is our primary use case?
We use HCL AppScan products to help us scan for vulnerabilities and generate reports to provide a foundation on how to fix any issues. Their 4.7 version facilitates machine learning to help us select APIs and customize our scans more specifically. We also use the HCL AppScan Standard Enterprise Source and Cloud for scanning, and we plan to add the HCL AppScan Switch Casing to our toolkit. This makes it easier for us to scan the internet and use Tenable to help us find any issues.
What is most valuable?
The most valuable feature of the solution is Postman. As a security engineer, Postman allows me to specify exactly what information I need to scan for, rather than just dropping all information and running a scan. I can also use it to do some information gathering before scanning. This allows me to specify APIs and scan accordingly. The feature also saves us time.
What needs improvement?
As a developer who has been studying and working in the security product industry for several years, I have been impressed by HCL's progress. Although the cost of their product is competitive, I believe they could make it even better by increasing their database size. Companies like Tenable have much larger databases when it comes to vulnerabilities and portals, and even though HCL is connected with other vendors such as Microsoft, their database is not as expansive. The databases for HCL are small and have room for improvement.
HCL already has four solutions: Standard, Enterprise, Open Source, and the Cloud. Perhaps in a future release, HCL can add AI products. Manual work would be made easier with artificial intelligence. Maybe HCL could develop an AI program for scanning.
For how long have I used the solution?
I have been using the solution for five months.
What do I think about the scalability of the solution?
The solution is scalable.
How was the initial setup?
The initial setup is straightforward. This is a great advantage of HCL, as we can just download, install and run it to identify potential vulnerabilities. Furthermore, the graphical user interface is also simplified.
The implementation didn't take a lot of time; setting up the cloud was just a matter of making my account and getting familiar with the features. After that, we were all logged in and ready to go with no major changes required.
What other advice do I have?
I give the solution a nine out of ten.
I am currently the first person in my company to begin working with HCL. We have not yet gone to any clients, but I plan to get certified in HCL with AppScan. When we have clients that require components from HCL, I will be the representative for them as I am knowledgeable in the subject.
I would highly recommend HCL for people in the workforce. It has a user-friendly interface and the cost is much lower than Tenable. The database is good, and installation is easy. Additionally, technical support is likely to be helpful. Finally, there are a lot of other tools that come with HCL, such as scanners and detectors, which will make the job much easier.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Owner/ Consultant at a tech services company with 1-10 employees
Offers many support languages, scans in a decent amount of time and is easy to set up
Pros and Cons
- "There's extensive functionality with custom rules and a custom knowledge base."
- "The solution often has a high number of false positives. It's an aspect they really need to improve upon."
What is our primary use case?
We primarily use the solution for static analysis.
What is most valuable?
AppScan is within the top three or four static analyzers. Its features include support for many languages.
The product has a relatively reasonable scan time.
There's extensive functionality with custom rules and a custom knowledge base.
What needs improvement?
The solution often has a high number of false positives. It's an aspect they really need to improve upon.
The product has vulnerabilities, or findings, that are almost identical in nature.
For how long have I used the solution?
I've used the solution for the last 12 months or so. It's been about a year at this point.
What do I think about the stability of the solution?
The stability is okay. It's good. It's not very good or excellent, it's just good. I would describe the stability as a bit better than acceptable.
What do I think about the scalability of the solution?
When I worked on it, it wasn't in the cloud. It didn't offer Federation. Now, it is my understanding that it has those, which would make it very scalable. That said, when I used it, I would not give it a very scalable grade - maybe a two out of ten for scalability if you are using it off of the cloud. That said, that's not the latest version. The latest is likely more scalable, I just don't have experience with it.
How are customer service and technical support?
The technical support is pretty good. They are knowledgeable and responsive. We were satisfied with the level of support we received.
Which solution did I use previously and why did I switch?
I also know a bit about Checkmarx, Fortify, Veracode, and AppScan.
How was the initial setup?
I didn't really do the actual setup once it got moved into the cloud. I don't know how easy the cloud setup was. However, it's my understanding that it is now potentially easier than it was before, which wasn't too bad.
What's my experience with pricing, setup cost, and licensing?
I don't know the prices currently. I knew the prices when it was still in-house with IBM, however, I don't know what the cost is now.
What other advice do I have?
I worked with the solution at a previous company. Now I am a consultant and I no longer work with the product. I don't have a business relationship with HCL.
I wanted to do a POC with the current state of what was IBM AppScan and now is HCL. I contacted my contacts at IBM and then they started off the conversation and it went smoothly because a number of people from IBM had gone over to HCL when that product was acquired.
Various tools have their strengths. I would advise anyone who is interested in using a similar solution to do a proof of concept first with a few options. Try Checkmarx, Fortify, Veracode, and AppScan, and see which one makes the most sense for your company's purposes. Those would be the top four in my opinion right now.
Overall, I would rate the solution eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Software Quality Assurance Engineer at IT22
The UI was very intuitive and easy to understand, but the tool was expensive
Pros and Cons
- "The UI was very intuitive."
- "A desktop version should be added."
What is our primary use case?
I used the solution to find vulnerabilities in our website and system. I did some regular checkups.
What is most valuable?
The UI was very intuitive. It was very easy to understand. It was very easy to scan the websites, see the results, and deliver them to higher management.
What needs improvement?
It would have been better if we could use it on our desktop. A desktop version should be added.
For how long have I used the solution?
I had used the solution for one month.
What do I think about the stability of the solution?
The tool was very stable. I rate the tool’s stability a seven or eight out of ten. Very few people were using the tool in our organization. The stability could have been affected if there were more users.
What do I think about the scalability of the solution?
We had a few users.
Which solution did I use previously and why did I switch?
We have used solutions like Acunetix. HCL was better. The UI was pretty good. It was intuitive, easy to understand, and reliable.
How was the initial setup?
The installation was easy for me. It took a few hours. A senior employee helped me deploy the tool. The solution was deployed on the cloud.
What's my experience with pricing, setup cost, and licensing?
The tool was expensive. We paid a monthly license fee. There were no additional costs associated with the product.
What other advice do I have?
Someone who wants to use the solution must know why they need the solution. It is quite expensive. We must not spend much on something we do not need. If we have a need and can afford the solution, HCL is a good solution. It is very easy to understand. It has a lot of features. The reporting system is good. Overall, I rate the product a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Chief Information Officer at TeleTracking Technologies, Inc.
Straightforward setup, stable, and scalable
Pros and Cons
- "The security and the dashboard are the most valuable features."
- "The pricing has room for improvement."
What is our primary use case?
We use the solution to test our web applications and services.
What is most valuable?
The security and the dashboard are the most valuable features.
What needs improvement?
The pricing has room for improvement.
For how long have I used the solution?
I have been using the solution for eight years.
What do I think about the stability of the solution?
I give the stability a seven out of ten.
What do I think about the scalability of the solution?
I give the scalability an eight out of ten.
How are customer service and support?
The support is fine.
How would you rate customer service and support?
Neutral
How was the initial setup?
I give the initial setup a seven out of ten. The implementation took a few weeks.
What about the implementation team?
The implementation was completed in-house.
What was our ROI?
We have seen around a 50 percent return on investment.
What's my experience with pricing, setup cost, and licensing?
HCL AppScan is expensive.
What other advice do I have?
I give the solution an eight out of ten.
I recommend the solution to others.
We have around 4,000 end users.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CTO at Anzen
Ethical hacking during application deployment is almost clean, every time
Pros and Cons
- "Usually when we deploy the application, there is a process for ethical hacking. The main benefit is that the ethical hacking is almost clean, every time. So it's less cost, less effort, less time to production."
- "I would love to see more containers. Many of the tools are great, but they require an amount of configuration, setup and infrastructure. If most of the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers."
What is our primary use case?
We develop software, and the software is property of our clients. So we want to ensure the highest quality possible, and assist the financial side. We want the application to be as secure as possible. AppScan has helped us to identify a lot of issues; we can find them before they reach a new environment. We catch them, we fix them, and we can offer a higher quality product to our clients.
We test on cloud.
In terms of the transition process from on-prem solutions, it was not so hard because we've been IBM partners for eight years. From the beginning, we started developing on those platforms. So it was a natural migration; we were "born" with those applications on those platforms.
How has it helped my organization?
Usually when we deploy the application, there is a process for ethical hacking. The main benefit is that the ethical hacking is almost clean, every time. So it's less cost, less effort, less time to production.
AppScan has absolutely contributed to the maturity of our AppSec risk management. I would rate that maturity at only nine out of 10 because there are things that we could be doing better. Not only because of our internal processes, but because we need to adapt to the clients' processes, and that adapting always has small gaps. But generally, it's pretty awesome.
We don't use it to security test open-source applications but we do use it for open-source models, or libraries.
What is most valuable?
It helps you to enforce security practices, beyond the reach of just operations and training. So give the training, but besides that you can detect some deviations in the development process. I think that's the most valuable of all the features.
What needs improvement?
I would love to see more containers. Many of the tools are great, but they require an amount of configuration, setup and infrastructure. If most of the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers.
What do I think about the stability of the solution?
I'm not sure what it's like on the current version, but the previous version had some small issues, some crashes.
With the latest upgrade (I'm not sure what version, I think it was 8), I've seen no major issues; some small glitches, but nothing really major.
What do I think about the scalability of the solution?
Since we're in development, we don't usually have issues with scalability because it's only one application.
How are customer service and technical support?
Generally speaking, their tech support is good.
Which solution did I use previously and why did I switch?
Usually our clients want to build in-house, but when we present the benefits of a product already built and, out of the box, it can offer a lot of features and can solve the problem right now...
Sometimes the cost is equivalent to development, but it's more your product.
A key factor for decision making is the release time. I can release in two months, or it can be released in six months, so that's a critical factor: price versus release date.
How was the initial setup?
It's complex. Our main client is Citigroup. It's complicated because of the size of the client and all of the internal processes. So it's really a pain, not to blame IBM, not to blame us, not to blame them, but all of the ecosystem is complex.
Which other solutions did I evaluate?
Our clients evaluate Oracle, sometimes Microsoft. Our clients go with IBM, in Mexico, mainly because of the support. You can get more hands-on experienced people on IBM platforms than Oracle's, so if there is an issue - we always have issues - they get fixed more quickly on IBM than Oracle.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Senior Security Specialist at a transportation company with 10,001+ employees
Contributes to maturity of our AppSec risk management, but Web Services testing is basic
Pros and Cons
- "I like the recording feature."
- "It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good."
What is our primary use case?
Our use case is that we always test our applications with AppScan before going to the production side. We have been using it for many years. It's honestly one of the best products in the application security portfolio.
We aren't using it on the cloud.
How has it helped my organization?
It has contributed to the maturity of our AppSec risk management program. I would rate that maturity level as eight out of 10. The testing part of your application's security is very valuable. You can't avoid that.
Applications are the faces of companies to the world. How much your application is secure equals how much your brand is secure. AppScan is a very major part of the story.
We don't use it to test open-source code.
What is most valuable?
There's a recording feature that I really like. You pass through the login pages. If you record the login part, it becomes very fast with the solution.
What needs improvement?
It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good.
What do I think about the stability of the solution?
We experienced some performance problems at times, but it's actually not about the application. It depends on the hardware you use, the power of the CPUs, memory, nothing except that.
What do I think about the scalability of the solution?
In terms of scalability, we don't need much. So I can't really answer this question.
How are customer service and technical support?
I like IBM technical support as a whole. It was a really good experience.
What other advice do I have?
When selecting a vendor we look for:
- a global brand
- support
- user friendliness
- cost, and the license models.
I would recommend AppScan.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
