We performed a comparison between HCL AppScan, Ixia BreakingPoint, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Testing (AST).
"The security and the dashboard are the most valuable features."
"We use it as a security testing application."
"It's generally a very user-friendly tool. Anyone can easily learn how to scan."
"It has certainly helped us find vulnerabilities in our software, so this is priceless in the end."
"The most valuable feature of the solution is the scanning or security part."
"The UI was very intuitive."
"AppScan is stable."
"For me, as a manager, it was the ease of use. Inserting security into the development process is not normally an easy project to do. The ability for the developer to actually use it and get results and focuses, that's what counted."
"The solution has many protocols and options, making it very flexible."
"The DDoS testing module is useful and quick to use."
"I like that we can test cloud applications."
"We use Ixia BreakingPoint for Layer 7 traffic generation. That's what we like."
"It is a scalable solution."
"The most valuable feature of Ixia BreakingPoint is the ransomware and malware database for simulated attacks."
"There is a virtual version of the product which is scaled to 100s of virtual testing blades."
"The CSCA vulnerability scanning is useful."
"The one thing we really liked about Veracode when we got it was the consultation calls; that our developers are able to schedule them on their own, instead of going to a "gatekeeper." They upload their code, they have questions, they schedule it, they speak with someone on the other side who is an expert, they can speak developer-to-developer."
"Ad-hoc scanning during the development cycle and reports for audits are valuable features."
"The most valuable feature is detecting security vulnerabilities in the project."
"I like the way the flaws are reported in the system."
"It pinpoints the errors. Its accuracy is very interesting. It also elaborates on flaws, meaning it provides you with details about what is valid or not and how something can be fixed."
"Veracode provides faster scans compared to other static analysis security testing tools."
"Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt the tool's suggestions. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method that copies one piece of memory into another piece of memory in the code, the tool points to the problematic method with the vulnerability and provides ways to code it more securely. By adopting their suggestions, we are fixing this vulnerability."
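The memory-copy case in the review above is the classic pattern a static analyser flags. As an added illustration (this is example code written for this page, not Veracode's output or any reviewer's code), the block below shows an unchecked fixed-buffer copy beside a bounded rewrite; the buffer size NAME_MAX and the function names are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not from the page or the vendor: the kind of
 * memory-copy flaw a SAST tool reports, beside the bounded rewrite
 * it would typically suggest. NAME_MAX is an assumed buffer size. */
#define NAME_MAX 16

/* VULNERABLE pattern: copies src_len bytes into a fixed buffer with no
 * check against its size. Any src_len >= NAME_MAX writes past the end
 * of dst (the terminator store below can overrun as well). This is the
 * "problematic method" a scanner points at; it is kept here only for
 * contrast and is never called with oversized input in main(). */
int copy_name_unsafe(char dst[NAME_MAX], const char *src, size_t src_len)
{
    memcpy(dst, src, src_len);   /* length taken from the caller, unchecked */
    dst[src_len] = '\0';         /* terminator lands wherever src_len says */
    return 0;
}

/* HARDENED rewrite: validates the length first (leaving room for the NUL),
 * refuses input that does not fit, and always terminates the string.
 * Returns 0 on success and -1 when the input is rejected. */
int copy_name_bounded(char dst[NAME_MAX], const char *src, size_t src_len)
{
    if (src == NULL || src_len >= NAME_MAX)
        return -1;               /* caller must handle the rejection */
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Run the bounded copy into a local buffer and report the status code. */
int try_copy(const char *src, size_t src_len)
{
    char buf[NAME_MAX];
    return copy_name_bounded(buf, src, src_len);
}

/* 1 if the bounded copy accepted the input and the buffer holds it
 * byte-for-byte as a terminated string, 0 otherwise. */
int copy_roundtrips(const char *src, size_t src_len)
{
    char buf[NAME_MAX];
    if (copy_name_bounded(buf, src, src_len) != 0)
        return 0;
    return strlen(buf) == src_len && memcmp(buf, src, src_len) == 0;
}

int main(void)
{
    const char *ok  = "alice";                                   /* fits */
    const char *bad = "this-name-is-far-too-long-for-the-buffer"; /* 40 bytes */

    printf("bounded copy of \"%s\": %d\n", ok, try_copy(ok, strlen(ok)));
    printf("bounded copy of %zu-byte input: %d (rejected)\n",
           strlen(bad), try_copy(bad, strlen(bad)));
    /* copy_name_unsafe(buf, bad, strlen(bad)) would overflow; not executed. */
    return 0;
}
```

The check that matters is `src_len >= NAME_MAX` rather than `>`: the extra byte is for the terminator, and off-by-one on exactly that boundary is what a scanner's flow path usually highlights.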
"AppScan is too complicated and should be made more user-friendly."
"The solution's scalability can be a matter of concern because one license runs on one machine only."
"The solution could improve by having a mobile version."
"It has crashed at times."
"HCL AppScan needs to improve security."
"Sometimes it doesn't work so well."
"The tool should improve its output. Scanning is not a challenge anymore since there are many such tools available in the market. The product needs to focus on how its output is being used by end users. It should be also more user-friendly. One of the major challenges is in the tool's integration with applications that need to be scanned. Sometimes, the scanning is not proper."
"We have experienced challenges when trying to integrate this solution with other products. When you compare it with the other SecOps products, the quality of the output is too low. It is not a new-age product. It is very outdated."
"I would appreciate some preconfigured network neighborhoods, which are predefined settings for testing networks."
"The production traffic simulations are not realistic enough for some types of DDoS attacks."
"The solution originally was hard to configure; I'm not sure if they've updated this to make it simpler, but if not, it's something that could be streamlined."
"The price could be better."
"The integration could improve in Ixia BreakingPoint."
"The quality of the traffic generation could be improved with Ixia BreakingPoint, i.e. to get closer to being accurate in what a real user will do."
"They should improve UI mode packages for the users."
"I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline."
"Once your report has been generated, you need to review the report with the consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling a consultation takes a longer time. So, if you are running multiple reports at the same time, then you need to schedule multiple consultation times with one of their developers. There are few developers on their end who can work with your developers, and their schedules are very tight."
"False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side."
"The UI could be better. Also, there are some scenarios where there is no security flaw, but the report indicates that there is a security flaw. The report is not perfectly accurate. So, the accuracy of the scanning reports needs improvement."
"Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
"The scanning takes a lot of time to complete."
"There were some additional manual steps or work involved that we should not have needed to do."
"They could improve how they fix vulnerabilities. They could have more support in place to help the developers."