
HCL AppScan Overview

HCL AppScan is the #12 ranked solution in AST tools and the #18 ranked solution in application security tools. IT Central Station users give HCL AppScan an average rating of 8 out of 10. HCL AppScan is most commonly compared to SonarQube. Professionals from computer software companies make up the largest group researching this solution, accounting for 35% of all views.
What is HCL AppScan?

IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.

HCL AppScan is also known as IBM Security AppScan, Rational AppScan, AppScan.

Buyer's Guide

Download the Application Security Buyer's Guide including reviews and more. Updated: November 2021

HCL AppScan Customers

Essex Technology Group Inc., Cisco, West Virginia University, APIS IT


HCL AppScan Reviews

TD
General Manager at a consultancy with 51-200 employees
Real User
Top 5
Allows for dynamic scanning but lacks easy CI/CD integration

Pros and Cons

  • "It identifies all the URLs and domains on its own and then performs tests and provides the results."
  • "One thing which I think can be improved is the CI/CD Integration"

What is our primary use case?

We perform more dynamic scanning using AppScan. We set up a scan, perform it and get the results, and then give the results back to our customer.

Within our organization, there are four members of the team who are using it.

Currently, we are satisfied with AppScan, but I am sure there are better alternatives available because this is a very old product. It's been on the market for more than ten years now. I am sure there are a lot of new-age products that are more scalable and cloud-based. Although we are using it and will probably continue to do so moving forward, I think there are better alternatives on the market now.

How has it helped my organization?

It takes care of our dynamic scanning needs. 

What is most valuable?

It's a good product. Its automated crawler identifies all URLs and performs security tests. It has a very rich set of test cases, which ensures pretty good coverage in terms of security testing. The UI is user-friendly and intuitive.

What needs improvement?

There are some false positives, which need to be removed, but this is common with all types of scanners.

One thing which I think can be improved is the CI/CD Integration. There is a CI/CD Integration model, but I guess they are deliberately not using it currently. There are challenges when integrating AppScan with CI/CD because sometimes the activation plus the login mechanism provided doesn't work properly. Sometimes a login mechanism fails and then the whole scan fails. It's difficult to integrate with CI/CD.

For how long have I used the solution?

I have been using this solution for almost two years.

What do I think about the scalability of the solution?

Scalability-wise, I'm not sure because you can buy the licenses depending on how many scans you want to do, but yes, it's scalable. I can do multiple scans simultaneously, but we have not tried more than that. I cannot tell you whether it can scale up to more than maybe two, three, or four simultaneous scans. We have not tested that.

How are customer service and technical support?

The technical support is quite good. They always respond quickly.

How was the initial setup?

Installation is pretty straightforward. Deployment only took a day or two.

What about the implementation team?

We deployed it ourselves. Even one person can manage it so that's not an issue, but currently, we have four users who perform the activities and scans because of the volume of requests that we received from different businesses.

What other advice do I have?

I would recommend AppScan to other businesses. In a small-scale setup, it works perfectly fine, but if you are a larger organization with a lot of applications and you need to do CI/CD, then it's probably not the solution for you. Conversely, in a small organization with fewer than 20 applications, this will work pretty nicely.

On a scale from one to ten, I would give this solution a rating of seven.

If they can integrate with CI/CD and make the log-in mechanism a little smoother, they should be able to scale it up. If they could integrate with the CI/CD pipeline and make the scans a little faster, then I would give it a higher rating.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
SH
Owner/ Consultant at a tech services company with 1-10 employees
Consultant
Top 20
Offers many support languages, scans in a decent amount of time and is easy to set up

Pros and Cons

  • "There's extensive functionality with custom rules and a custom knowledge base."
  • "The solution often has a high number of false positives. It's an aspect they really need to improve upon."

What is our primary use case?

We primarily use the solution for static analysis.

What is most valuable?

AppScan is within the top three or four static analyzers. Its features include support for many languages. 

The product has a relatively reasonable scan time.

There's extensive functionality with custom rules and a custom knowledge base.

What needs improvement?

The solution often has a high number of false positives. It's an aspect they really need to improve upon. 

The product has vulnerabilities, or findings, that are almost identical in nature. 

For how long have I used the solution?

I've used the solution for the last 12 months or so. It's been about a year at this point.

What do I think about the stability of the solution?

The stability is okay. It's good. It's not very good or excellent, it's just good. I would describe the stability as a bit better than acceptable.

What do I think about the scalability of the solution?

When I worked on it, it wasn't in the cloud. It didn't offer Federation. Now, it is my understanding that it has those, which would make it very scalable. That said, when I used it, I would not give it a very scalable grade - maybe a two out of ten for scalability if you are using it off of the cloud. That said, that's not the latest version. The latest is likely more scalable, I just don't have experience with it.

How are customer service and technical support?

The technical support is pretty good. They are knowledgeable and responsive. We were satisfied with the level of support we received.

Which solution did I use previously and why did I switch?

I also know a bit about Checkmarx, Fortify, Veracode, and AppScan.

How was the initial setup?

I didn't really do the actual setup once it got moved into the cloud. I don't know how easy the cloud setup was. However, it's my understanding that it is now potentially easier than it was before, which wasn't too bad.

What's my experience with pricing, setup cost, and licensing?

I don't know the prices currently. I knew the prices when it was still in-house with IBM, however, I don't know what the cost is now.

What other advice do I have?

I worked with the solution at a previous company. Now I am a consultant and I no longer work with the product. I don't have a business relationship with HCL.

I wanted to do a POC with the current state of what was IBM AppScan and now is HCL. I contacted my contacts at IBM and then they started off the conversation and it went smoothly because a number of people from IBM had gone over to HCL when that product was acquired.

Various tools have their strengths. I would advise anyone who is interested in using a similar solution to do a proof of concept first with a few options. Try Checkmarx, Fortify, Veracode, and AppScan, and see which one makes the most sense for your company's purposes. Those would be the top four in my opinion right now.

Overall, I would rate the solution eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
FM
Senior Manager, IT Test Automation Engineering at an outsourcing company with 10,001+ employees
Real User
Offers a few specific development languages but needs more languages and lacks good technical support services

Pros and Cons

  • "The solution offers services in a few specific development languages."
  • "They have to improve support."

What is most valuable?

The solution offers services in a few specific development languages.

What needs improvement?

They have to improve support. Their support before, when it was IBM, was very good technical support. However, now, it's very bad.

They could add more language coverage. They don't cover so many development languages. They really should be covering more. If they did, it would be a huge improvement.

How are customer service and technical support?

The technical support is no longer any good. It's gone downhill since they were under IBM. Now, we are no longer satisfied with their level of service and we hope they will improve their services in the future.

Which other solutions did I evaluate?

I'm currently looking into Checkmarx. I'm evaluating their offering to see how it compares. This product lacks in many areas, and so we are looking at other options.

What other advice do I have?

I don't have information on the relationship HCL has with my company. My understanding is they are just a vendor for us.

In general, I would rate them at a six out of ten. There are many areas in which they could improve, including by adding more languages and revamping their technical support. They are lacking in a lot of areas.

Disclosure: I am a real user, and this review is based on my own experience and opinions.