What is our primary use case?
We develop software, and the software is property of our clients. So we want to ensure the highest quality possible, and assist the financial side. We want the application to be as secure as possible. AppScan has helped us to identify a lot of issues; we can find them before they reach a new environment. We catch them, we fix them, and we can offer a higher quality product to our clients.
We test on cloud.
In terms of the transition process from on-prem solutions, it was not so hard because we've been IBM partners for eight years. From the beginning, we started developing on those platforms. So it was natural migration, we were "born" with those applications on those platforms.
How has it helped my organization?
Usually when we deploy the application, there is a process for ethical hacking. The main benefit is that, the ethical hacking is almost clean, every time. So it's less cost, less effort, less time to production.
AppScan has absolutely contributed to the maturity of our AppSec risk management. I would rate that maturity at only nine out of 10 because there are things that we could be doing better. Not only because of our internal processes, but because we need to adopt to the clients' processes, and that adopting always has small gaps. But generally, it's pretty awesome.
We don't use it to security test open-source applications but we do use it for open-source models, or libraries.
What is most valuable?
It helps you to enforce security practices, beyond the reach of just operations and training. So give the training, but besides that you can detect some deviations in the development process. I think that's the most valuable of all the features.
What needs improvement?
I would love to see more containers. Many of the tools are great, they require an amount of configuration, setup and infrastructure. If most the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers.
What do I think about the stability of the solution?
I'm not sure what it like on the current version but the previous version had some small issues, some crashes.
With the latest upgrade - I'm not sure what version, I think it was 8, I've seen no major issues; some small glitches, but nothing really major.
What do I think about the scalability of the solution?
Since we're development, we don't usually have issues with scalability because it's only one application.
How is customer service and technical support?
Generally speaking, their tech support is good.
Which solutions did we use previously?
Usually our clients want to build in-house, but when we present the benefits of a product already built and, out of the box, it can offer a lot of features and can solve the problem right now...
Sometimes the cost is equivalent to development, but it's more your product.
A key factor for decision making is the release time. I can release in two months. or it can be released in six months, so that's a critical factor: price versus release date.
How was the initial setup?
It's complex. Our main client is Citigroup. It's complicated because of the size of the client and all of the internal processes. So it's really a pain, not to blame IBM, not to blame us, not to blame them, but all of the ecosystem is complex.
Which other solutions did I evaluate?
Our clients evaluate Oracle, sometimes Microsoft. Our clients go with IBM, in Mexico, mainly because of the support. You can get more hands-on experienced people on IBM platforms than Oracle's, so if there is an issue - we always have issues - they get fixed more quickly on IBM than Oracle.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Mar 26 2018