HCL AppScan Competitors and Alternatives

Get our free report covering SonarSource, Veracode, Checkmarx, and other competitors of HCL AppScan. Updated: January 2021.
455,164 professionals have used our research since 2012.

Read reviews of HCL AppScan competitors and alternatives

Don Robbins
Software Configuration Manager at a tech vendor with 501-1,000 employees
Real User
Jun 19, 2019
Works well with Windows servers but no Linux support and takes too long to scan files

What is our primary use case?

The primary use that we have for Checkmarx is the evaluation of source code vulnerabilities. We use Git to connect to Checkmarx. We don't use GitHub. We use our own self-hosted Git. We're just using generic Git. One of the biggest thorns in our side is managing that aspect of it. It wouldn't matter if it was GitHub or Bitbucket or any of the other tools that you can use to connect Git to Checkmarx. The issue is the same. The tool is good at telling us what repository we're connected to, but it is horrible at telling us what branch we're connected to.

Pros and Cons

  • "Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before."
  • "Checkmarx being Windows only is a hindrance. Another problem is: why can't I choose PostgreSQL?"

What other advice do I have?

From an administrative standpoint, I would rate Checkmarx a five out of ten. From what my users are telling me, I'd give it an eight for the tool's ability to report on vulnerabilities and the user experience. I would rate Checkmarx an eight on the user side and a five on the admin side. Customers need to work with Checkmarx to scale the system for their needs, i.e. work with their recommendations and the best practices that they have there. They have this formula to calculate how many CPUs and how much memory you need. The memory requirements are huge. We've got 64 GB machines to scan…

reviewer1428837
Security Consultant at a tech services company with 11-50 employees
Consultant
Oct 1, 2020
Straightforward to install and reports few false positives, but it should be easier to specify your own validation and sanitation routines

What is our primary use case?

I am a consultant and I work to bring solutions to different companies. Static code analysis is one of the things that I assist people with, and Coverity is one of the tools that I use for doing that. I worked with Coverity when doing a couple of different PoCs. For these, I get a few different teams of developers together and we want to decide what makes the most sense for each team as far as scanning technologies. So, part of that is what languages are supported, part of that is how extensible it is, and part of that extensibility is do the developers have time to actually create custom…

Pros and Cons

  • "The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at."
  • "It should be easier to specify your own validation routines and sanitation routines."

What other advice do I have?

My advice for anybody who is considering this product is to first look around your organization to see if it has already been implemented in another group. If you're a big organization then Coverity or a similar tool may already be in use. In cases like this, I would say that it is best to adopt the same tool because your organization has already gone down that path and there are no huge differences in the capabilities of these tools. Some of them do it in different ways and some do things that others don't, but you won't have the initial bump of the learning curve and you can leverage their…

Rishi Kant
Senior Security Engineer at an insurance company with 10,001+ employees
Real User
May 18, 2019
More accurate than other solutions we are using but can sometimes be slow to perform

What is our primary use case?

Our primary use case for this solution is to perform application security testing.

Pros and Cons

  • "This tool is more accurate than the other solutions that we use, and reports fewer false positives."
  • "There is a lot to this product, and it would be good if when you purchase the tool, they can provide us with a more extensive user manual."

What other advice do I have?

They are steadily improving things and adding features to this product. It was only three months ago when they added the dashboard support. Before that, they only had passive and active scanning to perform the testing part. It now has a complete website of scanning features which were previously not there. I would rate this solution a seven out of ten.

Kiran Gujju
Cyber Security Architect (USDA) at a government with 10,001+ employees
Real User
Jun 20, 2019
Easily integrates with Jenkins and the information on the dashboard makes it easy for the developers to work on

What is our primary use case?

I work for a government agency and we use this tool. It is lightweight and very cost effective as compared to IBM AppScan, but I wouldn't say it's a very good tool for vulnerability assessment. The dashboard is neat and easy to operate and the information on the dashboard makes it easy for the developers to work on. You can have it automated and set up for you to have an automated process every time the code is checked in.

Pros and Cons

  • "The most valuable features are the dashboard reports and the ease of integrating it with Jenkins."
  • "Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time."

What other advice do I have?

SonarQube is a very good tool. It is lightweight and very cost effective as compared to IBM AppScan. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. You can get it set up as an automated process every time the code is checked in. I would say, however, that it is not a vulnerability assessment tool. The dev and security team use this solution very closely. Fifteen to twenty people in total use it. I would rate this solution an eight out of ten.

reviewer1268340
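The "automated process every time the code is checked in" that this reviewer describes is usually a Jenkins pipeline with two stages: one that runs the SonarQube scanner, and one that blocks the build on the project's quality gate so findings are not just displayed on the dashboard but actually stop a merge. The Jenkinsfile below is an added example written for this page, not code from the reviewer, from SonarSource, or from the Jenkins project. It assumes a SonarQube server registered in Jenkins under the hypothetical name 'SonarQube', a SonarScanner tool installation named 'SonarScanner', the hypothetical project key 'example-app' with sources under src/, and a webhook configured in SonarQube pointing back at Jenkins (the waitForQualityGate step depends on that webhook).

```groovy
// Added example (not from the review or from SonarSource): a declarative
// Jenkins pipeline that analyses every commit with SonarQube and fails the
// build when the quality gate is not met.
//
// Assumed (hypothetical) configuration:
//   - SonarQube server registered in Jenkins as 'SonarQube'
//   - SonarScanner tool installation named 'SonarScanner'
//   - a webhook in SonarQube that calls back to this Jenkins instance,
//     which waitForQualityGate needs in order to receive the gate result
pipeline {
    agent any

    triggers {
        // For a self-hosted Git server without a push webhook, poll every
        // 5 minutes; with a webhook, drop this block and let the push trigger
        // the job instead.
        pollSCM('H/5 * * * *')
    }

    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('SonarQube analysis') {
            environment {
                // Resolves the scanner installation configured in Jenkins.
                SCANNER_HOME = tool 'SonarScanner'
            }
            steps {
                // withSonarQubeEnv injects the server URL and token, so no
                // credentials are hard-coded in the pipeline or the repo.
                withSonarQubeEnv('SonarQube') {
                    sh """
                        ${SCANNER_HOME}/bin/sonar-scanner \
                          -Dsonar.projectKey=example-app \
                          -Dsonar.sources=src
                    """
                }
            }
        }

        stage('Quality gate') {
            steps {
                // Block until SonarQube reports the gate status via the
                // webhook; abort the build if the gate fails. The timeout
                // keeps a missing or misconfigured webhook from hanging the
                // job forever.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
```

Two caveats a practitioner will hit: if the quality gate stage times out on every build, the SonarQube-to-Jenkins webhook is almost always the missing piece, because waitForQualityGate never receives the result without it; and per-branch analysis (the sonar.branch.name parameter) is not available in SonarQube Community Edition, so on that edition every branch reports into the same project unless a separate project key is used per branch.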
Assoc. Director at a tech services company with 10,001+ employees
Real User
Feb 12, 2020
Easy to use and has good cost/value

What is our primary use case?

We use WebInspect for dynamic application security testing, and integrating that into all our needs.

Pros and Cons

  • "It is scalable and very easy to use."
  • "The installation could be a bit easier. Usually it's simple to use, but the installation is painful and a bit laborious and complex."

What other advice do I have?

Yes, I would recommend WebInspect. It is a good product, comparable to AppScan. It is quite scalable, and good cost/value with the support and backing from Micro Focus. It's good and I definitely recommend it. On a scale of one to ten, I would give it an eight.