We performed a comparison between HCL AppScan and Veracode based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The solution offers services in a few specific development languages."
"We leverage it as a quality check against code."
"IBM AppScan has made our work easy, as we can do four to five scans of websites at a time, which saves time when it comes to vulnerability."
"The UI was very intuitive."
"The static scans are good, and the SaaS as well."
"The most valuable feature of the solution is the scanning or security part."
"The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with the HCL."
"The product has valuable features for static and dynamic testing."
"I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc."
"The pricing is worth it."
"The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws."
"It provides security of different Shadow IT activities in our environment, especially around application development and website hosting."
"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."
"It gives feedback to developers on the effectiveness of their secure coding practices."
"The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."
"The source composition analysis had very good reporting."
"The penetration testing feature should be included."
"They should have a better UI for dashboards."
"Visibility is an issue for us. Our partners do not know we have integrations with some of IBM products."
"The dashboard, for AppScan or the Fortified fast tool, which we use needs to be improved."
"They have to improve support."
"The solution needs to improve in some areas. The tool needs to add more languages. It also needs to improve its speed."
"I would love to see more containers. Many of the tools are great, they require an amount of configuration, setup and infrastructure. If most the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers."
"We would like to see a check in the specific vulnerabilities in mobile applications or rooted devices, such as jailbreaking devices."
"Veracode scans provide a higher number of false positives."
"We have approximately 900 people using the solution. The solution is scalable, but there is a high cost attached to it."
"In the future, I would like to see the RASP capability built-in."
"It would help to have more training for developers to help them set it up."
"It's problematic if you want to integrate it with your pipelines because the documentation is not so well written and it's full of typos. It is not presented in a structured way. It does not say, "If you want to achieve this particular thing, you have to do steps 1, 2, and 3." Instead, it contains bits of information in different parts, and you have to read everything and then understand the big picture."
"The documentation is poor and the technical support isn't helpful."
"False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side."
"Their scanning engine is sometimes a little bit slow. They can improve the scan time."
HCL AppScan is ranked 15th in Application Security Tools with 40 reviews while Veracode is ranked 2nd in Application Security Tools with 194 reviews. HCL AppScan is rated 7.6, while Veracode is rated 8.2. The top reviewer of HCL AppScan writes " A stable and scalable product useful for application security scanning". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". HCL AppScan is most compared with SonarQube, Acunetix, OWASP Zap, PortSwigger Burp Suite Professional and Checkmarx One, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and GitLab. See our HCL AppScan vs. Veracode report.
See our list of best Application Security Tools vendors and best Static Application Security Testing (SAST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
