HCL AppScan Overview

HCL AppScan is the #14 ranked solution in our list of AST tools. It is most often compared to SonarQube.

What is HCL AppScan?

IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.

HCL AppScan is also known as IBM Security AppScan, Rational AppScan, AppScan.

HCL AppScan Customers

Essex Technology Group Inc., Cisco, West Virginia University, APIS IT

ITCS user
Cybersecurity Architecture and Technology Lead at Appxone
Consultant
Top 10
A low rate of false positives translates to a savings in time

What is our primary use case?

The primary use case is to detect time-based Blind SQL Injection attacks, as well as Error-Based Injection attacks. The SQL injection attack is my favorite and I have more expertise in this vulnerability.

Pros and Cons

  • "This solution saves us time due to the low number of false positives detected."
  • "IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications."
SC
Chief researcher at INSEC Security
Real User
The depth was low, but the part that the user could miss was also diagnosed

What is our primary use case?

External and internal web application vulnerability scan.

How has it helped my organization?

We were able to easily diagnose a large number of web applications automatically. The depth was low, but the part that the user could miss was also diagnosed.

What is most valuable?

AppScan seems to be very good at detecting reflected XSS vulnerabilities. This increases the security of web applications that are in operation.

What needs improvement?

It would be nice to be able to specify the parameter values used in the login sequence function.
it_user840837
Manager at a tech vendor with 501-1,000 employees
Real User
Scalable and powerful, helps find errors in the code base

What is our primary use case?

Our clients use it to try to find errors in base code, and also to find how solutions work together. I believe they have on-premise usage; they are local government, so they are not very used to using the cloud.

How has it helped my organization?

I'm mainly working on the licensing side and not the technical side, so I don't get this kind of feedback.

What is most valuable?

Scalability, and it's a very powerful tool.

What needs improvement?

I believe there are improvements that can be made, but I'm not aware of those kinds of things.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It's stable.

What do I think about the scalability of the solution?

For the market in…
it_user841920
Business Development Manager at a tech services company with 10,001+ employees
Reseller
The static scans are good, though there is no central management

What is our primary use case?

It is an application for security assessment or scanning for static environments. With all customers, it is performing well.

What is most valuable?

The static scans are good, and the SaaS as well. 

What needs improvement?

There is no central management for static and dynamic. This would be great, at least with competition such as Micro Focus.

For how long have I used the solution?

Less than one year.

How is customer service and technical support?

The technical support is knowledgeable. However, our issue is not enough resources supporting our region. For Dubai, which is in the Gulf region, we need more technical support resources.

How was the initial setup?

The initial setup is not that complex.

What other advice do I have?

Most…
MH
Senior Cloud Architect at a tech company with 1,001-5,000 employees
Consultant
Provides a better integration for our ecosystem, but we are still waiting to see the roadmap

What is our primary use case?

We integrate AppSense with Fortinet FortiGate Next-Generation Firewall products. This integration is new for us, but so far, we have had good results. However, it is a new integration. Fortinet has a lot of potential and integrations going on with IBM: QRadar, AppSense, and IBM Cloud.

Pros and Cons

  • "It provides a better integration for our ecosystem."
  • "You can easily find particular features and functions through the UI."
  • "Visibility is an issue for us. Our partners do not know we have integrations with some of IBM products."
  • "I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources."

What other advice do I have?

Have a look at the competitors as well. There is more than one vendor in the market. I would definitely do your due diligence.
it_user279198
CEO at a government
Vendor
Easy to use and gives good insights into vulnerabilities

What is our primary use case?

We use it for all website development and web-based applications, as part of our development test cycle and QA. We also routinely use it on existing applications in production because, in terms of security and vulnerabilities, some of the latter exist on some of the platforms that we run. So we run it from time to time, to do some security checks, etc.

What other advice do I have?

We've had a relationship for some time, over 20 years now, with IBM. It's really about the products, in terms of what we are looking for. That's really the deciding factor in deciding whether we'd use them for a particular solution.
it_user844479
People Leader Of Cyber Strategy And Solutions at an insurance company with 10,001+ employees
Real User
We are now deploying fewer defects to production

What is our primary use case?

It is used as a last check before moving code to production. Therefore, it is used as a developer tool.

Pros and Cons

  • "We leverage it as a quality check against code."
  • "We are now deploying less defects to production."

What other advice do I have?

Most important criteria when selecting a vendor: At the end of the day, it would have to be the support and relationship. There are a lot of smart people out there building products which do things. However, not everyone can use them, and without having someone to call, it is sort of its own disadvantage.
it_user842904
CTO at Anzen
Real User
Ethical hacking during application deployment is almost clean, every time

What is our primary use case?

We develop software, and the software is property of our clients. So we want to ensure the highest quality possible, and assist the financial side. We want the application to be as secure as possible. AppScan has helped us to identify a lot of issues; we can find them before they reach a new environment. We catch them, we fix them, and we can offer a higher quality product to our clients. We test on cloud. In terms of the transition process from on-prem solutions, it was not so hard because we've been IBM partners for eight years. From the beginning, we started developing on those platforms…

Pros and Cons

  • "Usually when we deploy the application, there is a process for ethical hacking. The main benefit is that, the ethical hacking is almost clean, every time. So it's less cost, less effort, less time to production."
  • "I would love to see more containers. Many of the tools are great, they require an amount of configuration, setup and infrastructure. If most of the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers."
TimHill
Director For Security Products at a manufacturing company with 10,001+ employees
Real User
It has helped us find vulnerabilities in our software, though AppScan Source is rather hard to use

What is our primary use case?

We use it prior to product releases. The web scan portion is used to find vulnerabilities, for example, if we have opened up any ports that we should not have. The source scan is used to look for similar types of vulnerabilities. However, at the source code level, it is scanning the source code, whereas the web scan is hitting ports trying to overload it. Thus, we use both of these types of scans before every product release of several of our products. We have it installed on-premise, although we have a guy who is looking at the cloud version.

Pros and Cons

  • "It has certainly helped us find vulnerabilities in our software, so this is priceless in the end."
  • "IBM Security AppScan Source is rather hard to use."
  • "There are so many lines of code with so many different categories that I am likely to get lost."

What other advice do I have?

AppScan Web is good, and it does a good job. For AppScan Source, you might find a better solution out there. We are not actively looking for a better solution right now, and are just using it. However, if somebody else was starting from scratch, that is what I would tell them. Most important criteria when selecting a vendor: quality of the software.
EO
Senior Security Specialist at a transportation company with 10,001+ employees
Real User
Contributes to maturity of our AppSec risk management, but Web Services testing is basic

What is our primary use case?

Our use case is that we always test our applications with AppScan before going to the production side. We have been using it for many years. It's honestly one of the best products in the application security portfolio. We aren't using it on the cloud.

Pros and Cons

  • "I like the recording feature."
  • "It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good."

What other advice do I have?

When selecting a vendor we look for:
  • a global brand
  • support
  • user friendliness
  • cost, and the license models.
I would recommend AppScan.
it_user841956
Director Of Product Cyber Security at an aerospace/defense firm with 10,001+ employees
Vendor
The ease of use is key, the developers can actually use it and get results from dynamic testing

What is our primary use case?

We use IBM Appscan for a dynamic assessment of development of our code, so we're looking for something that will actually help us through our entire security development lifecycle. It has performed better than we expected. We were able to use it quite often, use the server IDE to help test our code before we go into a full test. And it's helped point out some things we had to correct. We're using it on the cloud. That particular solution we've been using on the cloud because it's a cloud instance, so the transition from going from one to the other wasn't there because we already had our cloud…

Pros and Cons

  • "For me, as a manager, it was the ease of use. Inserting security into the development process is not normally an easy project to do. The ability for the developer to actually use it and get results and focuses, that's what counted."
  • "I think being able to search across more containers, especially some of the docker elements. We need a little tighter integration there. That's the only thing I can see at this point."

What other advice do I have?

In terms of rating it, because I haven't had it installed long enough, and we haven't finished all the integration because of the Professional Services yet, I'd say it's rating really well, toward excellent. But it's just one of those things, until you see all the proof in the pudding... As of right now I would rate it an eight out of 10. The advice I would give to a colleague is, first, know your development process and where it's weak. From there, insert secure development, realize that it's not about the tool, it's about the process of development. Then find the tools that solve that. For…
it_user840909
Managing director at Accenture
Real User
It indicates several grades of code vulnerabilities, so we can focus on the most severe first

What is our primary use case?

It is used for a DevOps environment, to perform a security profile, a code profile assessment. When you are building your software code, before finishing the build process and deploying to production, we run AppScan to figure out any security vulnerabilities in the code. It's called static analysis of the code.

Pros and Cons

  • "It highlights, with several grades of severity, the types of vulnerabilities, so we can focus on the most severe security vulnerabilities in the code."

What other advice do I have?

The most important criteria when selecting a vendor, first of all, is their capability to continuously invest in the development and enhancement of the software. We are in a very changing process, software is a very changing environment, in terms of the technology. If you develop a tool, launch this tool, but don't have enough commitment to upgrade, to continuously enhance, it's not worth it. That's why I think IBM has a good presence in this area. My advice would be, don't see only the cost. Try to see the capability of the tools and, besides that, as I have stressed in this review, the…
Prasoon Nigam
Security Consultant at a consultancy with 10,001+ employees
Consultant
Simplifies our work by allowing us to do multiple website scans together

How has it helped my organization?

IBM AppScan has made our work easy, as we can do four to five scans of websites at a time, which saves time when it comes to vulnerability.

What is most valuable?

Many features are valuable but some features stand out, like using our own scripts, and capturing the authentication.

What needs improvement?

  • It has crashed at times
  • Scans become slow on large websites
  • Many silly false positives are produced

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Yes, sometimes we encounter stability issues.

What do I think about the scalability of the solution?

Yes, sometimes we encounter scalability issues.

How are customer service and technical support?

I would rate tech…
it_user634947
Application Security Consultant at a financial services firm with 10,001+ employees
Vendor
We can find security vulnerabilities.

Pros and Cons

  • "It is easy to use. It is quick to find things, because of the code scanning tools. It's quite simple to use and it is very good the way it reports the findings."
  • "We would like to integrate with some of the other reporting tools that we're planning to use in the future."

What other advice do I have?

What I look for most in a vendor is the product, the offer, the service, the vendor service, and after sale support. I would definitely recommend this product.
it_user634890
Chief information with 5,001-10,000 employees
Vendor
We use it to find breaches in apps while they are in development.

Pros and Cons

  • "It comes with all of the templates that we need. For example, we are a company that is regulated by PCI. In order to be PCI compliant, we have a lot of checks and procedures to which we have to comply."
  • "We would like to see a check in the specific vulnerabilities in mobile applications or rooted devices, such as jailbreaking devices."

What other advice do I have?

At the beginning, you need to know the reach and what you are expecting. The solution is not going to be a silver bullet that will fix everything in your app. You have to have a mature SDLC process for developers to follow. If they don't have that, AppScan could provide great insight in order to develop it. Once you have both things in motion, it runs automatically. When looking for a vendor, we want to know if they will go beyond what is out-of-the-box. We want to see if they will tell us what additional features we can exploit in the solution. We want to know if they will provide us…
ITCS user
Security Consultant at a tech vendor with 501-1,000 employees
Vendor
It detects cross-site scripting and SQL injection issues better than other tools.