HCL AppScan Previous Solutions

PD
Director at KPMG

We are evaluating other options like Fortify and Checkmarx. We have worked with Fortify before. The advantage of this solution over HCL is its cloud setup. It is a solution that integrates well with other products. It also provides fewer false positives. Our main use case is that it should easily integrate with the CI/CD pipeline. The second requirement is that it should easily integrate with the developer environment. These were the two main things which HCL AppScan does not provide.

AnshulTomar - PeerSpot reviewer
Cyber Security Architect and Presales Consultant at Kyndryl

We have experience working with multiple security testing tools, including Fortify, Veracode, and Checkmarx.

Veracode provides more efficient mobile application security testing features than other tools in this domain. Checkmarx is recognized for its market presence and technical capabilities.

SG
Application Security Engineer at a transportation company with 1,001-5,000 employees

I used Fortify WebInspect in my previous company. They were more manual and time-consuming, and we often got more false positives. The result was very vast, and we needed to find everything and check over and over. We didn't find it very user-friendly.  

Fortify WebInspect was okay, but not as good. If we get the same result, it takes more time to understand the output and how to remediate it. It leaks more time. We need to reduce time nowadays and get things done.

AppScan is much faster and more reliable.  

We also used Burp Suite before, which was also user-friendly and allowed for manual testing. It's good for auto-mesh, but it takes longer and doesn't offer as satisfactory results.

Buyer's Guide
HCL AppScan
March 2024
Learn what your peers think about HCL AppScan. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
768,415 professionals have used our research since 2012.
RN
Principal Architect, Application Build Security at a transportation company with 10,001+ employees

We are working with tools that are all related to application security, such as Qualys, SAST, DAST, open-sourced software scan, and penetration test tools. 

Some of the penetration test tools we work with are Burp Suite and OWASP ZAP, which is an open-source product.

JB
Solutions Architect at a tech vendor with 10,001+ employees

I also use SonarQube. We also use SonarQube for code quality.

We did not previously use any other solution.

Basit Shah - PeerSpot reviewer
Software Quality Assurance Engineer at IT22

We have used solutions like Acunetix. HCL was better. The UI was pretty good. It was intuitive, easy to understand, and reliable.

SH
Owner/Consultant at a tech services company with 1-10 employees

I also know a bit about Checkmarx, Fortify, Veracode, and AppScan.

it_user841956 - PeerSpot reviewer
Director Of Product Cyber Security at an aerospace/defense firm with 10,001+ employees

Here I have an unfair advantage. I came out of a large security company, and because of my experience and the fact that we had a need, I looked around for the best solutions that were available. There were a lot of competitors. The question was, how well it would integrate with our process, since we were developing a full SDL with security tool check-points. AppScan fit that very well.

The most important criteria when selecting a vendor were that it had a great product, but I had to have a product that I could integrate and automate. For me, it wasn't a matter if it was best in breed, they had the neatest slice of cheese. What I was looking for was, could it integrate and automate? If it couldn't, they weren't on the selection list.

EE
Innovation manager at a computer software company with 51-200 employees

We did not previously use a different solution. This was our first. 

it_user842904 - PeerSpot reviewer
CTO at Anzen

Usually our clients want to build in-house, but when we present the benefits of a product already built and, out of the box, it can offer a lot of features and can solve the problem right now... 

Sometimes the cost is equivalent to development, but it's more your product. 

A key factor for decision making is the release time. I can release in two months, or it can be released in six months, so that's a critical factor: price versus release date.

it_user483672 - PeerSpot reviewer
Security Consultant at a tech vendor with 501-1,000 employees

I previously used HP WebInspect and Qualys.

I prefer AppScan, as it is much more user-friendly, and it detects cross-site scripting and SQL injection issues much better than other tools in the market. Also, it has a lower false-positive count than others.

PN
Security Consultant at a consultancy with 10,001+ employees

Yes. We switched because they made our work easier, with fewer false positives.

it_user844479 - PeerSpot reviewer
People Leader Of Cyber Strategy And Solutions at an insurance company with 10,001+ employees

We were using something else (a competing product of IBM), but we switched to AppScan because it is reliable.

JS
Cybersecurity Architecture and Technology Lead at Appxone

We previously used Burp Suite. This application is best for static scanning.
