If you were talking to someone whose organization is considering HCL AppScan, what would you say?
How would you rate it and why? Any other tips or advice?
I don't have information on the relationship HCL has with my company. My understanding is they are just a vendor for us. In general, I would rate them at a six out of ten. There are many areas in which they could improve, including by adding more languages and re-vamping their technical support. They are lacking in a lot of areas.
I worked with the solution at a previous company. Now I am a consultant and I no longer work with the product. I don't have a business relationship with HCL. I wanted to do a POC with the current state of what was IBM AppScan and now is HCL. I contacted my contacts at IBM and then they started off the conversation and it went smoothly because a number of people from IBM had gone over to HCL when that product was acquired. Various tools have their strengths, I would advise anyone who is interested in using a similar solution do a proof of concept first with a few options. Try Checkmarx, Fortify, Veracode, and AppScan, and see which one makes the most sense for your company's purposes. Those would be the top four in my opinion right now. Overall, I would rate the solution eight out of ten.
I would recommend AppScan to other businesses. In a small-scale setup, it works perfectly fine, but if you are a larger organization with a lot of applications and you need to do CI/CD, then it's probably not the solution for you. Conversely, in a small organization with less than 20 applications, this will work pretty nicely. On a scale from one to ten, I would give this solution a rating of seven. If they can integrate with CI/CD and make the log-in mechanism a little smoother, they should be able to scale it up. If they could integrate with the CI/CD pipeline and make the scans a little faster, then I would give it a higher rating.
We all know it's really hard to get good pricing and cost information.
Please share what you can so you can help your peers.
Is SonarQube is the best tool for static analysis or there are any good tools which compete with SonarQube?