HCL AppScan Overview

HCL AppScan is the #15 ranked solution in our list of AST tools. It is most often compared to SonarQube: HCL AppScan vs SonarQube

What is HCL AppScan?

IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.

HCL AppScan is also known as IBM Security AppScan, Rational AppScan, AppScan.

HCL AppScan Buyer's Guide

Download the HCL AppScan Buyer's Guide including reviews and more. Updated: January 2021

HCL AppScan Customers

Essex Technology Group Inc., Cisco, West Virginia University, APIS IT

HCL AppScan Video

HCL AppScan Reviews

Filter by:
Filter Reviews
Filter Unavailable
Company Size
Filter Unavailable
Job Level
Filter Unavailable
Filter Unavailable
Filter Unavailable
Order by:
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Showingreviews based on the current filters. Reset all filters
General Manager at a tech company with 1,001-5,000 employees
Real User
Top 5
Nov 9, 2020
Allows for dynamic scanning but lacks easy CI/CD integration

What is our primary use case?

We perform more dynamic scanning using AppScan. We set up a scan, perform it and get the results, and then give the results back to our customer. Within our organization, there are four members of the team who are using it. Currently, we are satisfied with AppScan but I am sure there are better alternatives available because this is a very old product. It's been on market for more than ten years now. I am sure there are a lot of new age products that are more scalable and cloud-based. Although we are using it and will probably continue to do so moving forward, I think there are better… more »

Pros and Cons

  • "It identifies all the URLs and domains on its own and then performs tests and provides the results."
  • "One thing which I think can be improved is the CI/CD Integration"

What other advice do I have?

I would recommend AppScan to other businesses. In a small-scale setup, it works perfectly fine, but if you are a larger organization with a lot of applications and you need to do CI/CD, then it's probably not the solution for you. Conversely, in a small organization with less than 20 applications, this will work pretty nicely. On a scale from one to ten, I would give this solution a rating of seven. If they can integrate with CI/CD and make the log-in mechanism a little smoother, they should be able to scale it up. If they could integrate with the CI/CD pipeline and make the scans a little…
Owner/ Consultant at a tech services company with 1-10 employees
Dec 9, 2020
Offers many support languages, scans in a decent amount of time and is easy to set up

What is our primary use case?

We primarily use the solution for static analysis.

Pros and Cons

  • "There's extensive functionality with custom rules and a custom knowledge base."
  • "The solution often has a high number of false positives. It's an aspect they really need to improve upon."

What other advice do I have?

I worked with the solution at a previous company. Now I am a consultant and I no longer work with the product. I don't have a business relationship with HCL. I wanted to do a POC with the current state of what was IBM AppScan and now is HCL. I contacted my contacts at IBM and then they started off the conversation and it went smoothly because a number of people from IBM had gone over to HCL when that product was acquired. Various tools have their strengths, I would advise anyone who is interested in using a similar solution do a proof of concept first with a few options. Try Checkmarx…
Find out what your peers are saying about HCL, Micro Focus, Veracode and others in Application Security. Updated: January 2021.
457,459 professionals have used our research since 2012.
Shaikh Jamal Uddin
Cybersecurity Architecture and Technology Lead at Appxone
May 15, 2019
A low rate of false positives translates to a savings in time

What is our primary use case?

The primary use case is to detect time-based Blind SQL Injection attacks, as well as Error-Based Injection attacks. The SQL injection attack is my favorite and I have more expertise in this vulnerability.

Pros and Cons

  • "This solution saves us time due to the low number of false positives detected."
  • "IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications."
Sungmin Chun
Chief researcher at INSEC Security
Real User
Mar 18, 2019
The depth was low, but the part that the user could miss was also diagnosed

What is our primary use case?

External and internal web application vulnerability scan.

How has it helped my organization?

We were able to easily diagnose a large number of web applications automatically. The depth was low, but the part that the user could miss was also diagnosed.

What is most valuable?

AppScan seems to be very good at detecting reflected XSS vulnerabilities. This increases the security of web applications that are in operation.

What needs improvement?

It would be nice to be able to specify the parameter values ​​used in the login sequence function.
Buyer's Guide
Download our free Application Security Report and find out what your peers are saying about HCL, Micro Focus, Veracode, and more!