What is our primary use case?
We use it prior to product releases. The web scan portion is used to find vulnerabilities, for example, if we have opened up any ports that we should not have. The source scan is used to look for similar types of vulnerabilities. However, at the source code level, it is scanning the source code, whereas the web scan is hitting ports trying to overload it. Thus, we use both of these types of scans before every product release of several of our products.
We have it installed on-premises, although we have a guy who is looking at the cloud version.
How has it helped my organization?
It has certainly helped us find vulnerabilities in our software, so this is priceless in the end.
IBM Application Security has contributed to the maturity of our AppScan risk management program.
While it depends on the product, on average ten percent of our code is open source. Many products are either zero percent open source or maybe up to ten percent. They could possibly be up to twenty percent open source, but never more than that.
What is most valuable?
The most valuable feature is the web scan from our perspective: being able to quickly find the vulnerabilities if any developer has inadvertently put them in. The source scan is of value, but it is so hard to use that it is of less value.
What needs improvement?
IBM Security AppScan Source is rather hard to use. Some improvements need to be made to the usability of AppScan Source, specifically. Our biggest problem is that we have a lot of code, and everything just ends up looking like spaghetti after we run an AppScan Source scan. It is hard to evolve from one rev to the next. Trying to reuse the things we have found in a previous release in the next release is too hard.
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
Scalability is good. However, this ties into the usability a little bit, because we have a million lines of code in one product and this is part of what makes AppScan Source so difficult to use. There are so many lines of code with so many different categories that I am likely to get lost.
What other advice do I have?
AppScan Web is good, and it does a good job.
For AppScan Source, you might find a better solution out there. We are not actively looking for a better solution right now and are just using it. However, if somebody else were starting from scratch, that is what I would tell them.
Most important criteria when selecting a vendor: quality of the software.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Mar 25 2018