HCL AppScan Review

Offers many supported languages, scans in a decent amount of time, and is easy to set up


What is our primary use case?

We primarily use the solution for static analysis.

What is most valuable?

AppScan is within the top three or four static analyzers. Its features include support for many languages. 

The product has a relatively reasonable scan time.

There's extensive functionality with custom rules and a custom knowledge base.

What needs improvement?

The solution often has a high number of false positives. It's an aspect they really need to improve upon. 

The product has vulnerabilities, or findings, that are almost identical in nature. 

For how long have I used the solution?

I've used the solution for the last 12 months or so. It's been about a year at this point.

What do I think about the stability of the solution?

The stability is okay. It's good. It's not very good or excellent, it's just good. I would describe the stability as a bit better than acceptable.

What do I think about the scalability of the solution?

When I worked on it, it wasn't in the cloud. It didn't offer Federation. Now, it is my understanding that it has those, which would make it very scalable. That said, when I used it, I would not give it a very scalable grade - maybe a two out of ten for scalability if you are using it off of the cloud. That said, that's not the latest version. The latest is likely more scalable, I just don't have experience with it.

How are customer service and technical support?

The technical support is pretty good. They are knowledgeable and responsive. We were satisfied with the level of support we received.

Which solution did I use previously and why did I switch?

I also know a bit about Checkmarx, Fortify, Veracode, and AppScan.

How was the initial setup?

I didn't really do the actual setup once it got moved into the cloud. I don't know how easy the cloud setup was. However, it's my understanding that it is now potentially easier than it was before, which wasn't too bad.

What's my experience with pricing, setup cost, and licensing?

I don't know the prices currently. I knew the prices when it was still in-house with IBM; however, I don't know what the cost is now.

What other advice do I have?

I worked with the solution at a previous company. Now I am a consultant and I no longer work with the product. I don't have a business relationship with HCL.

I wanted to do a POC with the current state of what was IBM AppScan and now is HCL. I contacted my contacts at IBM and then they started off the conversation and it went smoothly because a number of people from IBM had gone over to HCL when that product was acquired.

Various tools have their strengths. I would advise anyone who is interested in using a similar solution to do a proof of concept first with a few options. Try Checkmarx, Fortify, Veracode, and AppScan, and see which one makes the most sense for your company's purposes. Those would be the top four in my opinion right now.

Overall, I would rate the solution eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Find out what your peers are saying about HCL, Micro Focus, Veracode and others in Application Security. Updated: June 2021.