HCL AppScan Reviews

It is used for a DevOps environment, to perform a security profile, a code profile assessment. When you are building your software code, before finishing the build process and deploying to production, we run AppScan to figure out any security vulnerabilities in the code. It's called static analysis of the code.

It decreases the operational risk, security risk, a lot. In fact, when we first used it, the number of vulnerability alerts generated by the tool was huge. As time goes on, we can decrease those vulnerabilities because we learn from it. So, in the next release of the software, or new software that we have to develop, we know upfront that we should take care of some of the characteristics of the software.

It highlights, with several grades of severity, the types of vulnerabilities, so we can focus on the most severe security vulnerabilities in the code.

One thing that we would like in this tool is that it keeps ahead of the security guys, because one big advantage of this tool is that it always offers updates. Security is a process, you mitigate a risk, but the malware guys, they're trying to find another security hole in your environment. And the technology is evolving. So new security vulnerabilities are in the software. The point is, I hope that IBM continue, in improving and launching new versions, new upgrades, that can mitigate those security risks. 

That's the most important value. It's not the tool itself, but the continuous enhancement of the tool. That's why we recommended this tool.

It's pretty stable. No issues as far as I can remember. 

It's scalable. In the beginning, we found some issues regarding installing the tool in an open-source Jenkins environment - Jenkins is a tool for open-source. Jenkins and other tools, they automate the process. Those tools call AppScan in a way to generate a proper time to do this. But after a couple of discussions, we solved the problem, so we don't have any issues anymore.

I think it is pretty good. They answer in a very fast manner.

It's pretty straightforward to install and use it.

One competitor that I remember, one of the last candidates in the evaluation process was Checkmarx. Those tools, especially from startups that come from Israel, they try to grab this market space that IBM dominates.

That's why they have to take care in terms of the price; the price model. But other than that, it would be unbeatable.

The most important criteria when selecting a vendor, first of all, is their capability to continuously invest in the development and enhancement of the software. We are in a very changing process, software is a very changing environment, in terms of the technology. If you develop a tool, launch this tool, but don't have enough commitment to upgrade, to continuously enhance, it's not worth it. That's why I think IBM has a good presence in this area.

My advice would be, don't see only the cost. Try to see the capability of the tools and, besides that, as I have stressed in this review, the capability of the vendor to invest in enhancing and mitigating the risks that will come. New risks, new threats, security threats, will appear. If you don't have a company that is continuously enhancing its software, there will be a problem.

I would rate this product a nine out of 10. The reason I don't give it a 10 is because AppScan is a little bit expensive. IBM needs to work a little bit on the pricing model, decreasing the license cost. But with the maintenance - and the maintenance is the most important, as I told you, because it has to continuously enhance the tool to mitigate the increasing malware in the future - IBM could recover the investment and meet their target margins in another way.

Unfortunately, there is a big discussion if it is very expensive, to use it or not, and there are competitors. I see competitors trying to grab this market.

But from the point of view of quality, very excellent quality, it's above all the tools that I have worked with.

IBM AppScan has made our work easy, as we can do four to five scans of websites at a time, which saves time when it comes to vulnerability.

Many features are valuable but some features stand out, like using our own scripts, and capturing the authentication.

• It has crashed at times
• Scans become slow on large websites
• Many silly false positives are produced

Yes, sometimes we encounter stability issues.

Yes, sometimes we encounter scalability issues.

I would rate tech support a seven out of 10.

Yes. We switched because they made our work easier, with fewer false positives.

It was simple, once we watched many video tutorials and read PDFs to learn about it.

Yes, I used with Acunetix and open source tools.

We integrate AppSense with Fortinet FortiGate Next-Generation Firewall products. This integration is new for us, but so far, we have had good results. However, it is a new integration. 

Fortinet has a lot of potential and integrations going on with IBM: QRadar, AppSense, and IBM Cloud.

It provides a better integration for our ecosystem. From a Fortinet perspective, this can lead to integration of selling our own products.

Its integration from a UI perspective. You can easily find particular features and functions through the UI. 

For its first initial release, the integration was pretty good.

More seamless integration with Fortinet's technologies as this would make our customers happy. At the moment, it is a good integration, but it is the first time that we have done it. Therefore, there needs to be more integration within our fabric, so it is less obvious.

Visibility is an issue for us. Our partners were not even aware that we had an integration with AppSense. They do not know we have integrations with some of IBM products. Part of this is our marketing budget is small compared to IBM's.

I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources. We are not like IBM, which is huge. We need to prioritize which engineer will work on which technology. 

With QRadar, it has better integration because we have been working with it for awhile and there is a roadmap. There are always new things coming out.

Unknown. We are too new to the product.

Unknown. We are too new to the product.

The IBM technical support staff are good.

Have a look at the competitors as well. There is more than one vendor in the market. I would definitely do your due diligence.

It is used as a last check before moving code to production. Therefore, it is used as a developer tool.

With AppScan, we are now deploying less defects to production.

We leverage it as a quality check against code.

No stability issues.

We have a strong partnership with IBM. Their tech support is very knowledgeable.

We were using something else (a competing product of IBM), but we switched to AppScan because it is reliable.

Most important criteria when selecting a vendor: At the end of the day, it would have to be the support and relationship. There are a lot of smart people out there building products which do things. However, not everyone can use them, and without having someone to call, it is sort of its own disadvantage. 

External and internal web application vulnerability scan.

• We were able to easily diagnose a large number of web applications automatically.
• The depth was low, but the part that the user could miss was also diagnosed.

AppScan seems to be very good at detecting reflected XSS vulnerabilities. This increases the security of web applications that are in operation.

It would be nice to be able to specify the parameter values ​​used in the login sequence function.

The primary use case is to detect time-based Blind SQL Injection attacks, as well as Error-Based Injection attacks. The SQL injection attack is my favorite and I have more expertise in this vulnerability.

This solution saves us time due to the low number of false positives detected. Other scanners have an issue with respect to reporting false positives.

The most valuable feature is that it achieves a very low false-positive detection rate.

While I did not identify any specific bugs in this application. I did find that sometimes a restart was needed to deal with unresponsiveness means when AppScan is in a hang situation, this happens usually when you select a large number of sources. 

IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications.

We previously used Burp Suite. This application is best for static scanning.

Complex

We also evaluated Acunetix and Nexpose.

The benefits are that we that we can find security vulnerabilities fast, get that back to development teams, and report on those. They can then act, fix the issues, and we'll have a secure code in place.

It is easy it is to use. It is quick to find things, because of the code scanning tools. It's quite simple to use and it is very good the way it reports the findings.

We would like to be able to integrate to some of the other tools that we are using. That would be great. We would like to integrate with some of the other reporting tools that we're planning to use in the future.

I think it's quite stable.

So far scalability is pretty good.

We're really happy with technical support. They are great and very responsive.

I was not involved in the initial setup.

What I look for most in a vendor is the product, the offer, the service, the vendor service, and after sale support.

I would definitely recommend this product.

It is an application for security assessment or scanning for static environments.

With all customers, it is performing well.

The static scans are good, and the SaaS as well. 

There is not a central management for static and dynamic. This would be great, at least with competition such as Micro Focus.

The technical support is knowledgeable. However, our issue is not enough resources supporting our region. For Dubai, which is in the Gulf region, we need more technical support resources.

The initial setup is not that complex.

Most important criteria when choosing to partner with a company: I started working with IBM only one year back. When I started a partnership with them, IBM had the security portfolio which covered most of the region where my customers were. IBM has a name with the support along the quality of its products.