We performed a comparison between Coverity and Micro Focus Fortify on Demand based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, Micro Focus Fortify on Demand comes out ahead of Coverity. Although both products have valuable features and can be considered high-end solutions, our reviewers found that Coverity is very expensive and has slow support.
"The product is easy to use."
"The ability to scan code gives us details of existing and potential vulnerabilities. What really matters for us is to ensure that we are able to catch vulnerabilities ahead of time."
"The security analysis features are the most valuable features of this solution."
"Coverity is easy to set up and has a less lengthy process to find vulnerabilities."
"The solution has improved our code quality and security very well."
"The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at."
"The features I find most valuable is that our entire company can publish the analysis results into our central space."
"One of the most valuable features is Contributing Events. That particular feature helps the developer understand the root cause of a defect. So you can locate the starting point of the defect and figure out exactly how it is being exploited."
"One of the valuable features is the ability to submit your code and have it run in the background. Then, if something comes up that is more specific, you have the security analyst who can jump in and help, if needed."
"It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support."
"The solution is user-friendly."
"Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out."
"The most valuable feature is the capacity to be able to check vulnerabilities during the development process. The development team can check whether the code they are using is vulnerable to some type of attack or there is some type of vulnerability so that they can mitigate it. It helps us in achieving a more secure approach towards internal applications. It is an intuitive solution. It gives all the information that a developer needs to remediate a vulnerability in the coding process. It also gives you some examples of how to remediate a vulnerability in different programming languages. This solution is pretty much what we were searching for."
"The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives."
"We identified a lot of security vulnerability much earlier in the development and could fix this well before the product was rolled out to a huge number of clients."
"Fortify on Demand is easy to use and the reporting is good."
"Right now, the Coverity executable is around 1.2GB to download. If they can reduce it to approximately 600 or 700MB, that would be great. If they decrease the executable, it will be much easier to work in an environment like Docker."
"Coverity takes a lot of time to dereference null pointers."
"The setup takes very long."
"Reporting engine needs to be more robust."
"We use GitHub and Gitflow, and Coverity does not fit with Gitflow. I have to create a screen for our branches, and it's a pain for developers. It has been difficult to integrate Coverity with our system."
"The solution is a bit complex to use in comparison to other products that have many plugins."
"I would like to see integration with popular IDEs, such as Eclipse."
"We'd like it to be faster."
"Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we have to use Windows Agent. This is something they could improve."
"Micro Focus Fortify on Demand could improve the user interface by making it more user-friendly."
"It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available."
"Micro Focus Fortify on Demand could improve the reports. They could benefit from being more user-friendly and intuitive."
"Micro Focus Fortify on Demand can improve by having more graphs. For example, to show the improvement of the level of security."
"It would be highly beneficial if Fortify on Demand incorporated runtime analysis, similar to how Contrast Security utilizes agents for proactive application security."
"The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment."
"It lacks of some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt."
Coverity is ranked 4th in Static Application Security Testing (SAST) with 33 reviews, while Fortify on Demand is ranked 9th in Static Application Security Testing (SAST) with 56 reviews. Coverity is rated 7.8, while Fortify on Demand is rated 8.0. The top reviewer of Coverity writes "Best SAST tool to check software quality issues". On the other hand, the top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes". Coverity is most compared with SonarQube, Klocwork, Checkmarx One, Veracode and Polyspace Code Prover, whereas Fortify on Demand is most compared with SonarQube, Veracode, Checkmarx One, Fortify WebInspect and Snyk.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.