CAST Highlight vs. HCL AppScan

I think CAST is a great tool to give insight into your applications. The tool can be met with resistance from team members as the tool is going to expose defects that should be addressed. Out of the box, it may need some tailoring to focus on certain areas so that you are not overwhelmed with defects the first time you scan your code. But ultimately, you will want to eliminate all defects in the code and have all violations turned on.

Incentivized

In HCL AppScan automation maintain a reasonable pace of review and remediation of flaws for our apps. HCL AppScan is a cloud-based enterprise mobile application security testing solution for Android and iOS applications developed using Java, .Net or Objective-C. So it covers all our area and It consists of three components: AppScan Source Edition for developing and testing apps internally, AppScan Standard Edition for testing internally or externally, and AppScan Enterprise Edition for large enterprises who need to secure their entire mobile application portfolio across the organization with multiple device types.

Incentivized

• Identifies common coding vulnerabilities.
• Compares code to industry best practices.
• Assesses the code for data privacy compliance.

Incentivized

• AppScan works well in finding application vulnerabilities such as SQL injection, cross-site scripting and all of the OWASP top 10.
• Flexible reporting allows us to generate executive reports for application owners as well as separate technical reports for developers and system engineers.
• Technical reports include remediation information and cross reference CVSS scores
• Because it maintains data on all repeated assessments it helps us to do trending and metrics on compliance

Incentivized

• Code scans could be faster. A large application may need to be broken down into smaller sub-applications in order to facilitate faster code scans.
• We spent a lot of time trying to figure out how to best structure our code base in the application for ultimate performance.

Incentivized

• It can have a FAQ session in the Application itself.
• It can recommend the fix for the error that occurred during the scan.
• Like its storing multiple manuals explore, It should have the capability of storing multiple logins.

Incentivized

Tech support and pro services are top-notch.

Incentivized

These other tools only do a part of what CAST does. CAST gives a comprehensive view into the code looking at all aspects, code quality, security, maintainability, vulnerability, privacy, reuse, etc. These other tools only focus on one or two dimensions.

Incentivized

Both solutions are decent, however, I had team members who had the experience working with HCL AppScan. Also, the product was priced nominally which suited our budget. Further, HCL AppScan's user community was bigger and many learning resources were freely available which helped junior peers learn quickly and eliminate any issues

Incentivized

• I believe once we had the tool working for our code base, we immediately saw positive ROI.
• We spent some time getting to where our code code be scanned efficiently but some of that was trying to do things ourselves instead of fully utilizing Cast Professional Services. I highly recommend to do an engagement with CAST to have them help setup the tool in your environment or to run it in the cloud for you.

Incentivized

• There are countless implementations to accomplish the same thing, and so many configurations are required.
• Even if you test it finished and find no vulnerabilities, there is no point if you just get the error screen.
• Until now, I was worried about vulnerabilities and security in software development, but I think it was good to find the vulnerability problem quickly with HCL AppScan.

Incentivized