IBM Security AppScan Review
We use it to find breaches in apps while they are in development.

Improvements to My Organization

Before we had this solution, our security team was doing manual reviews with the scripts. This would take us a lot of work hours and a lot of people were involved in the process.

Now we just send it to AppScan and we can do other stuff like defining processes or dealing with management issues. We can focus on other aspects of our security.

It helps us avoid any downtime in the applications when they are already in production. It also prevents any vulnerabilities or security breaches.

Valuable Features

We are currently using it in the integration of our agile process so we can find any breaches in the apps while they're in the development process. We can then fix breaches before they go into a production environment.

It comes with all of the templates that we need. For example, we are a company that is regulated by PCI. In order to be PCI compliant, we have a lot of checks and procedures to which we have to comply.

That being said, we have to be very rigorous about what we are protecting, such as the type of data and the code itself. Having those features in the app is a huge must.

Room for Improvement

We are moving a lot into mobile. While the solution does have a lot of functionalities in mobile, we are trying to expand it more aggressively.

We would like to see a check for the specific vulnerabilities in mobile applications or on rooted devices, such as jailbroken devices.

We would like to see what type of exposure we have in those specific devices.

Stability Issues

There have been no stability issues so far. It has handled anything that we have sent to it.

The number of events we receive per day depends on many factors. The events mostly occur when we load new code into AppScan to find the vulnerabilities.

For example, we found ten vulnerabilities with the solution. We can see what our mistakes were and we can try to avoid them the next time.

This solution makes our job a lot easier for continuous vulnerability assessments and development processes.

Customer Service and Technical Support

We used technical support a couple of months ago when we migrated from another version. We didn't use them for an issue, but we got support to help us make the transition. They were very good.

The whole migration process was done in just a couple of weeks. It was fast and it went according to our expectations. After a couple of weeks, we were operational and it was up and running.

Other Advice

At the beginning, you need to know the reach and what you are expecting. The solution is not going to be a silver bullet that will fix everything in your app.

You have to have a mature SDLC process for developers to follow. If they don't have that, AppScan could provide great insight in order to develop it. Once you have both things in motion, it runs automatically.

When looking for a vendor, we want to know if they will go beyond what is out-of-the-box. We want to see if they will tell us what additional features we can exploit in the solution.

We want to know if they will provide us with knowledge about apps or code for a specific matter and if they can support our expectations of growth in the near future.

Disclosure: I am a real user, and this review is based on my own experience and opinions.