IBM Security AppScan vs. SonarQube

As of May 2019, IBM Security AppScan is ranked 5th in Application Security with 14 reviews, vs. SonarQube, which is ranked 2nd in Application Security with 15 reviews. The top reviewer of IBM Security AppScan writes "The ease of use is key, the developers can actually use it and get results from dynamic testing". The top reviewer of SonarQube writes "Great birds-eye view dashboard with detailed code metrics in the drill-down". IBM Security AppScan is most compared with Veracode, Micro Focus Fortify on Demand and Checkmarx. SonarQube is most compared with Veracode, Micro Focus Fortify on Demand and Checkmarx. See our IBM Security AppScan vs. SonarQube report.
IBM Security AppScan: 18,893 views | 9,307 comparisons
SonarQube: 54,545 views | 37,651 comparisons
Find out what your peers are saying about IBM Security AppScan vs. SonarQube and other solutions. Updated: May 2019.
340,752 professionals have used our research since 2012.
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros
IBM Security AppScan:
- This solution saves us time due to the low number of false positives detected.
- The static scans are good, and the SaaS as well.
- It provides a better integration for our ecosystem.
- You can easily find particular features and functions through the UI.
- We leverage it as a quality check against code.
- We are now deploying fewer defects to production.
- Usually when we deploy the application, there is a process for ethical hacking. The main benefit is that the ethical hacking is almost clean, every time. So it's less cost, less effort, less time to production.
- It has certainly helped us find vulnerabilities in our software, so this is priceless in the end.


SonarQube:
- We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that.
- The most valuable function is its usability.
- Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version.
- The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices).
- This has improved our organization because it has helped to find security vulnerabilities.
- It is very good at identifying technical debt.
- It easily ties into our continuous integration pipeline.
- With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas.


Cons
IBM Security AppScan:
- IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications.
- There is no central management for static and dynamic.
- Visibility is an issue for us. Our partners do not know we have integrations with some of IBM products.
- I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources.
- I would love to see more containers. Many of the tools are great, but they require an amount of configuration, setup and infrastructure. If most of the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers.
- IBM Security AppScan Source is rather hard to use.
- There are so many lines of code with so many different categories that I am likely to get lost.
- It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good.


SonarQube:
- We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better.
- This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated.
- We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major.
- A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product.
- The product's user documentation can be vastly improved.
- I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality.
- I find it is light on the security side.
- An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case.


Pricing and Cost Advice
IBM Security AppScan:
- AppScan is a little bit expensive. IBM needs to work a little bit on the pricing model, decreasing the license cost.


SonarQube:
- We're using their free Community Edition version.
- Some of the plugins that were previously free are not free now.
- The price point on SonarQube is good.
- The licence is standard open source licensing.
- This product is open source and very convenient.
- People can try the free licenses and later can seek buying plugins/support, etc. once they start liking it.
- Get the paid version which allows the customized dashboard and provides technical support.
- We did not purchase a license (required for C++ support), but this option was considered.

Ranking

                              IBM Security AppScan    SonarQube
Ranking (Application Security)  5th                   2nd
Views                           18,893                54,545
Comparisons                     9,307                 37,651
Reviews                         12                    9
Average Words per Review        402                   407
Avg. Rating                     7.9                   8.1
Top Comparisons

Compared 17%, 15%, 26% and 19% of the time (the page does not preserve which compared product each figure belongs to; the most-compared products for both solutions are Veracode, Micro Focus Fortify on Demand and Checkmarx, as listed in the summary above).
Also Known As

IBM Security AppScan: Rational AppScan, AppScan
SonarQube: Sonar
Overview

IBM Security AppScan: IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.

SonarQube: SonarQube is the central place to manage code quality, offering visual reporting on and across projects and enabling you to replay the past to follow the evolution of metrics over time.
Sample Customers

IBM Security AppScan: Essex Technology Group Inc., Cisco, West Virginia University, APIS IT
SonarQube: Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
Top Industries

IBM Security AppScan

  Reviewers                      Visitors Reading Reviews
  Government               29%   Government               26%
  Manufacturing Company    14%   Financial Services Firm  14%
  Insurance Company        14%   Healthcare Company       13%
  Financial Services Firm  14%   Transportation Company   10%

SonarQube

  Reviewers                      Visitors Reading Reviews
  Financial Services Firm  33%   Financial Services Firm  27%
  Comms Service Provider   11%   Retailer                 10%
  Agriculture              11%   Government                9%
  Wireless Company         11%   Comms Service Provider    9%
Company Size

IBM Security AppScan

  Reviewers                      Visitors Reading Reviews
  Small Business           16%   Midsize Enterprise        2%
  Midsize Enterprise       16%   Large Enterprise         98%
  Large Enterprise         68%

SonarQube

  Reviewers                      Visitors Reading Reviews
  Small Business           23%   Small Business           16%
  Midsize Enterprise       27%   Midsize Enterprise        2%
  Large Enterprise         50%   Large Enterprise         83%
We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.