AppScan (formerly Rational AppScan) is an application security testing solution acquired by HCL Technologies from IBM in late 2018. Appscan supports both dynamic (DAST) and static (SAST) application security testing.
N/A
PortSwigger Burp Suite
Score 9.7 out of 10
N/A
The Burp Suite, from UK-based alcohol-themed software company PortSwigger Web Security, is an application security and testing solution.
I would say that HCL AppScan is very simple to understand and use since it uses a user-friendly interface and the terminologies that are used in the interface of the application is very clear. We can automate a scan with any third party like Jenkins. The fact, I don't like is the time takes to execute the application, it should be better.
It's great for intercepting and changing login request. For one client i had done testing of their website, and after intercepting and changing the request, I got IDOR vulnerability and it's a very high vulnerability i gave it in the report, and with the BAPP store, I downloaded the IIS TILDE enumeration and got a vulnerability.
AppScan works well in finding application vulnerabilities such as SQL injection, cross-site scripting and all of the OWASP top 10.
Flexible reporting allows us to generate executive reports for application owners as well as separate technical reports for developers and system engineers.
Technical reports include remediation information and cross reference CVSS scores
Because it maintains data on all repeated assessments it helps us to do trending and metrics on compliance
The functions you want, the points that are difficult to understand.
Issues presented in the vulnerability diagnostic report may not be fully explained and not well understood.
You may think it is very basic and natural, "diagnose screen after login" "diagnose according to input transition ⇒ confirmation ⇒ completion" but to do all this, you need regular expressions, and macros, there are many products that require you to write scripts.
The interface is a big problem: No matter how many features a software provides you, if the features are not well presented, you will miss most of them when they are actually required. The presentation of the software should be improvised and made more presentable.
Tutorial videos for beginners: This software lacks a lot in tutorials. A beginner almost wastes most of the time in finding and understanding the features and the implementation of the same. The software vendor should work on providing more in-depth videos so that people can learn and understand the concepts.
Easy to use once you learn it; however, the user interface is not very intuitive at first view. Port Swigger does provide a lot of video resources for self-paced learning which helps. Most of the end users for PortSwigger Burp Suite will be technical and should be able to learn the product with the free resources.
BurpSuite does not have an amazing customer support. All the major help that you will find is from public forums and Google. Although you will find all the required information on Google, still at time professional support helps you solve the problem in much less time and make your operations go smoothly.
When we used Veracode, it takes a-lot of time to run a source code analysis. It's user interface is also bit clumsy. So we switched to HCL AppScan. It enables enterprises to scan internal and external applications for vulnerabilities. It provides quick and easy access to the most updated security guidelines by scanning applications against the OWASP Top 10 vulnerabilities.
Burp Suite stacks up fairly well against these other two products both of which are quite expensive to license. The best other product I would suggest is OWASP Zed Attack Proxy or ZAP. It performs quite well and the cost of the product is free. ZAP is an Open Source product. If, however, you do not want to use an open source product I would either go with Burp Suite or look into the more expensive Rapid7 AppSpider.
