We perform more dynamic scanning using AppScan. We set up a scan, perform it and get the results, and then give the results back to our customer.
Within our organization, there are four members of the team who are using it.
Currently, we are satisfied with AppScan, but I am sure there are better alternatives available because this is a very old product. It's been on the market for more than ten years now. I am sure there are a lot of new-age products that are more scalable and cloud-based. Although we are using it and will probably continue to do so moving forward, I think there are better alternatives on the market now.
It takes care of our dynamic scanning needs.
It's a good product. Its automated crawler identifies all URLs and performs security tests. It has a very rich set of test cases, which ensures pretty good coverage in terms of security testing. The UI is user-friendly and intuitive.
There are some false positives, which need to be removed, but this is common with all types of scanners.
One thing which I think can be improved is the CI/CD integration. There is a CI/CD integration model, but I guess they are deliberately not using it currently. There are challenges when integrating AppScan with CI/CD because sometimes the activation plus the login mechanism provided doesn't work properly. Sometimes the login mechanism fails, and then the whole scan fails. It's difficult to integrate with CI/CD.
I have been using this solution for almost two years.
Scalability-wise, I'm not sure because you can buy the licenses depending on how many scans you want to do, but yes, it's scalable. I can do multiple scans simultaneously, but we have not tried more than that. I cannot tell you whether it can scale up to more than maybe two, three, or four simultaneous scans. We have not tested that.
The technical support is quite good. They always respond quickly.
Installation is pretty straightforward. Deployment only took a day or two.
We deployed it ourselves. Even one person can manage it, so that's not an issue, but currently we have four users who perform the activities and scans because of the volume of requests that we receive from different businesses.
I would recommend AppScan to other businesses. In a small-scale setup, it works perfectly fine, but if you are a larger organization with a lot of applications and you need to do CI/CD, then it's probably not the solution for you. Conversely, in a small organization with fewer than 20 applications, this will work pretty nicely.
On a scale from one to ten, I would give this solution a rating of seven.
If they can integrate with CI/CD and make the login mechanism a little smoother, they should be able to scale it up. If they could integrate with the CI/CD pipeline and make the scans a little faster, then I would give it a higher rating.