OpenText Static Application Security Testing Reviews

Our main use cases for Fortify Static Code Analyzer typically involve trying to figure out the critical vulnerabilities. It depends on the type of scans that we are doing, whether it is a release scan or an agile scan, so that affects the amount of data we give them and the timeline for those severity levels. Therefore, it contains all sorts of vulnerabilities.

In terms of Fortify Static Code Analyzer's automation capabilities, it has been fine. I have used it in some projects. We haven't onboarded all the projects yet, since we have a very large number of applications in my company. We have only taken the proprietary code for that matter and are running dry runs periodically. We consume reports from disaster control and SSCP. It basically saves us from needing to run multiple scans and not having to provide every time the development team asks for it. We have set it up in a way where they can log in and see the open issues, saving our time by not requiring extra effort.

We have utilized Fortify Static Code Analyzer's remediation guidance feature. It has helped our development team effectively address vulnerabilities by allowing us to forward the remediation information to them. We create reports and outline how the issues were created and found, detailing the analysis trace and all. We draft the remediation steps in a single report and provide it to them, utilizing Fortify's features.

Fortify Static Code Analyzer has the capability of giving fewer false positives compared to other tools. Since I have come across tools from Synopsis and other SCA tools, Fortify can really give fewer of these false positives, saving the effort of auditing, finding true positives, and reporting it.

We check for injection flaws and cryptographic issues. The tool does report many issues which we need to audit. For example, if we audit 50 reported SQL injections, I try to find 10 to 15 that are true positives, while the rest might be false positives. Even for cryptographic issues, when the tool sees in the code what algorithm has been used, it is often a true positive, highlighting issues such as using MD5 or SHA1 algorithms.

We are still working with Fortify solution. Everything is all right with Fortify On Demand and Software Security Center, Application Defender. We are satisfied with this solution. We are using dynamic scanning and static scanning from this vendor. We utilize Static Code Analyzer and dynamic DAST with WebInspect.

The most impactful feature of Fortify Static Code Analyzer in identifying vulnerabilities is the ratio of total number of vulnerabilities to false positives. All solutions of this class are very similar, and the difference between solutions is mainly in price and interface.

We manage the overall software development security organization, encompassing assistance to all developers across our organization worldwide. Our 10,000 developers help identify vulnerabilities in their code. We use Fortify Static Code Analyzer to explore methods to expedite vulnerability detection and remediation through a self-service pipeline.

Initially, we utilized Just Cloud, but subsequently, we developed our on-premises tools over the ensuing year. This resulted in substantial cost savings, as on-premises security solutions are generally more economical than their cloud-based counterparts.

Fortify Software Security Center, often abbreviated as SSC, offers both an on-premises and cloud-based version. The cloud-based version is called Fortify On Demand or FOD. FOD is a popular choice for organizations that want a flexible and scalable solution, while the on-premises version is preferred by organizations that require more control over their security infrastructure. OpenText, the vendor of Fortify, offers various consumption models for its solutions. Users can pay per scan or opt for an annual subscription with unlimited scans. However, annual subscriptions can be expensive, with some organizations paying millions of dollars per year. Using the on-premises tools can provide significant cost savings compared to cloud-based solutions, but it also requires a dedicated team of IT professionals to manage and maintain the infrastructure. If an organization lacks the resources to manage on-premises tools, FOD is often the most affordable and robust solution available. In comparison, competitors like Synopsys and Checkmarx typically charge even more for their cloud-based solutions.

The Fortify portal is well-suited for managing and tracking risks associated with the open-source components used in our software projects. The increasing availability of open-source options has been beneficial. OpenText's acquisition of Debricked a couple of years ago has further enhanced its capabilities in this domain. They continue to utilize Sonatype within the FOD, providing customers with a choice. For existing Sonatype customers who have been using the tool as Micro Focus' and OpenText's partner for FOD for many years, continuing with Sonatype remains a viable option. However, for new users or those seeking an alternative to Sonatype, Debricked, now OpenText's open-source security tool, is an excellent choice, seamlessly integrated into FOD.

Utilizing Fortify to identify vulnerabilities has become remarkably effortless. Based on my experience, I've observed a significant increase in user satisfaction with the tool. Over the years, we've acquired several companies that initially held negative perceptions of Fortify, stemming from its previous reputation as a cumbersome and resource-intensive tool. However, with the introduction of FOD and the enhanced capabilities of the on-premises tools, we've witnessed a dramatic shift. The availability of lightweight on-premises tools, coupled with seamless IDE plugins for Visual Studio, Eclipse, and other intelligent IDEs, alongside integrations into Azure and Jenkins pipelines, has significantly empowered users to conduct self-service vulnerability scans in minutes, a stark contrast to the time-consuming hours it previously required.

Fortify enhances our vulnerability remediation efforts by providing more reliable results. Secure Code Warrior integration plays a significant role by providing developers with access to secure coding training, which I believe positions them better to identify and resolve issues promptly. Many companies lack access to this level of guidance and often rely on standard verbiage. I appreciate that users can leverage Secure Code Warrior's guidance for their Fortify findings. This capability is not offered by any other company in the space. Additionally, they have recently partnered with MAB to offer automated code remediation solutions. Automated code remediation means that if I'm a developer and Fortify identifies a vulnerability, instead of manually fixing it, MAB, their partner, can automatically resolve the issue by providing a prebuilt fix and incorporating it into our build pipeline.

Fortify enables our developers to build secure code from the beginning. I can speak with confidence that without Fortify, we wouldn't have fixed thousands of vulnerabilities, and it is helping to streamline that process for developers, whereas Many other security teams rely on traditional PAN testers, Fortify has given our developers the confidence to be able to find, fix, and remediate issues, and a fully self-service mechanism that few other companies have.

Both Fortify and Sonatype have excellent integrations with compliance frameworks such as GDPR, PCI, and DSS, providing comprehensive reporting capabilities that help us meet regulatory requirements. These integrations enable us to stay abreast of evolving regulatory requirements and ensure that our vendor partners promptly address any changes. For example, when the OWASP categories were updated two years ago, both Fortify and Sonatype quickly released support for the updated categories, allowing us to seamlessly update our reporting without delay.

Fortify mitigates risk exposure in applications by identifying vulnerabilities and weaknesses. It pinpoints all the issues that developers need to address and provides comprehensive guidance for remediation.

It provides robust details about the issues, along with comprehensive insights into what needs to be fixed. The ability to see all of the different versions in Sonatype results has been particularly helpful as an indicator.

Fortify's expansion into shift-left security for cloud-native applications has been an exciting development. I wasn't expecting them to venture into this area, but I'm pleasantly surprised by their progress. It appears that they are well-positioned to gain significant market share.

Fortify has helped free up our staff time for other projects by improving our automation capabilities. As a result, we have been able to significantly reduce our turnaround time for remediation tasks. This has allowed our developers to focus on more strategic initiatives, such as automation and engineering, instead of being bogged down with manual remediation work. We have saved over $40 million in headcount expenses by automating these tasks. It would have taken over 100 years to fix all of these issues manually, using our previous processes. In other words, Fortify has automated millions of hours of work, equivalent to the work of hundreds of thousands of people over decades. This is one of the most significant automation projects we have ever undertaken.

Identifying vulnerabilities using Fortify early in the software development life cycle has resulted in significant cost savings compared to discovering them later on. Fortify has enabled us to detect and remediate these types of issues at the beginning of the SDLC. As a result, we can prevent potential problems from reaching the production stage.

Fortify integrates seamlessly with other solutions, which is a significant advantage in our opinion. As I mentioned earlier, Synopsys has struggled with third-party integrations. In contrast, Fortify has taken the lead in collaborating with Secure Code Warrior, reconciled, and MOB to facilitate these integrations. This has allowed us to establish an ecosystem of solutions from various providers that are at the forefront of innovation.

We have integrated Fortify with Sonatype, Secure Code Warrior, and MOB. The integrations take no more than a few hours.

We use Fortify SCA or SAST for scanning the source code, and we use Sonatype Nexus to scan libraries for any vulnerabilities. We get secure code and libraries by combining these two solutions. If we find any issues, we can fix them.

We use Fortify SAST to scan our code. It is used for the static code and not the running code. It finds vulnerabilities, and it finds bad practices. If you are using something that can be exploited in the code, it highlights that and gives you recommendations on that. It gives you ideas on how to fix that.

We have a more secure code because it is based on top security standards. Before we moved to Fortify SAST, we already had code running in production. When we moved to Fortify SAST, we had to rescan our code running in production. We got more and more vulnerabilities, which made people upset, but overall, our security was enhanced. It also enhanced the knowledge of our developers. Our developers are learning more. Many developers were frustrated in the beginning because there were many vulnerabilities, but as time went on, they liked its features. They find it straightforward now. They read about it, and they can fix their code easily. Without any back-and-forth communication, they can find the line, the recommendation, and what to do about it in one place. That is awesome.

Fortify Software Security Center gives a good overview of how the application is implemented, but it is not a 360-degree view. Sometimes we have false positives, and sometimes, it does not catch the design flows. It will mark something as vulnerable because it does not have the full picture. The highlighted code might be a part of another module, so it cannot see the full picture, but it is a very good tool. It is better than the ones we had before.

I have not yet used Fortify Software Security Center for managing and tracking risks associated with the open-source components used in our software project. We recently started to use Fortify SAST and are still exploring and discovering things. We usually do that through Sonatype Nexus, but I have seen it catching vulnerabilities. Some users have scanned the library by mistake, and I have seen it catching vulnerable code in the library. It points out why we wrote the code this way, and the code should have been that way. If there is a variable that has a sensitive name, such as a key, password, or something else, it catches that. After we have integrated it with Sonatype, we will have more exposure, but we are not yet at that stage.

I really like Fortify Software Security Center. We can scan the code and push the results. I can also see all the applications. I know the portfolio of the applications that we have. I can see all the information about the organizations, the code, and the developers in one spot. It is good for the management and also for the development teams. If their supervisors want to know the security status of their applications, they can go there straight away and check that information. It is very good in this aspect.

Fortify SAST has helped in the remediation of potential vulnerabilities by using accurate and reliable results. I like that they use standards such as OWASP Top 10 or SANS Top 25. They are very good at this. When it finds any vulnerabilities, it shows you by the rank. You can filter by so many standards. It gives you a description of the vulnerability as well as recommendations on how to fix it. It also gives you some references if you want to read more. It is very good.

Fortify SAST has helped a lot to enable developers to build secure code from the start. We have many developers. They have the development skills, but they do not have security skills. Now, there is something that tells them how to write the code properly. For instance, they use a function, and then they get the recommendation to use another function. They do not know the other function. They go ahead and use it, and the code still runs as before, but it is safer. With time, people avoid these issues. It is like a spelling checker. You get recommendations while writing the code.

Fortify and Sonatype solutions help to maintain compliance with applicable regulations. Fortify SAST is built on top of very high standards such as OWASP Top 10, SANS Top 25, PCI DSS, etc. These are very repeatable security standards. It includes over a thousand vulnerability categories. It covers a lot of vulnerabilities.

Fortify SAST helps us reduce our risk exposure on applications through the discovery of vulnerabilities and weaknesses. They have something called rulepacks that are the guidelines. There are rulepacks for different languages. They are the security standards that the code will follow. These rulepacks are updated frequently by the Fortify team themselves, and we just have to feed them into Fortify Software Security Center so that it has updated information about vulnerabilities, and it can discover more. The more you discover and fix, the more secure and resilient code you will have.

Fortify SAST provides real-time feedback on security issues. When you scan, you get the results instantly. Sometimes, for certain code languages, it takes a little more time to scan, which can be frustrating, but it provides real-time feedback. You get a small description, and you also have the details. There is one tab for recommendations, and there is also a tab for references.

We recently had this activity where we wanted to integrate the tool with a pipeline. We are using Azure DevOps, and we managed to integrate that. It was straightforward. You get a plugin or an extension, and the code is pushed and scanned, and you get the results. It is straightforward. I can see it functional for such deployments. We are ready for the cloud and automation, but we are still in the testing phase.

Fortify SAST has helped free up our staff for other projects or tasks. Because it is very informative and clear, we have a lot fewer issues for which people come back to us. They come back to us if they think it is a false positive or if they need a waiver because they cannot fix it due to some limitations, but in the majority of cases, they can control and learn, and they can do it on their own. It helped us a lot in this aspect, but I do not have the metrics. We have been using it only for a few months, and we have a shortage of people. It has saved the communication time that we were spending on emails and reporting. We now have less of that. We all go to one place. Instead of sending me an email or having a phone call, developers now go to Fortify Software Security Center and put in what they think. For example, they will say that it is a false positive because of this and that. They will send it to me, and I will go to Fortify Software Security Center. I will read it and review it, and if I find it okay, I will give the go-ahead to get rid of it. Otherwise, we would need more discussion. It improves communication big time for me.

We use Fortify Static Code Analyzer and Sonatype in conjunction with Azure DevOps to view all code processes, from scheduling to deployment in production. This is typically included in the build. Therefore, when a colleague performs a build, all scans are automatically done, and they can see the results through the Fortify and Sonatype web portals.

Fortify Static Code Analyzer enables developers to identify and fix broken references within the code. We sought to understand how to write secure code by design.

Finding vulnerabilities using Fortify SAST is not difficult.

Fortify SAST helps our remediation of potential vulnerabilities with accurate and reliable results. While this practice does not allow our developers to build secure code from the outset, as they are currently notified of issues only after the initial build, it does facilitate the creation of secure code before deployment to the customer environment and production.

Fortify SAST has been instrumental in our growth. As a result, I now have a team that consistently writes more secure code without relying on scans. By addressing the same issues repeatedly, we learn to write code correctly the first time, fostering a culture of knowledge sharing. This is facilitated by our weekly meetings where the team discusses key issues and collaborates on solutions.

I can use the dashboard and portal to see our compliance in real-time and address any compliance issues before they become a problem.

The Fortify SAST portal helps me identify vulnerabilities and weaknesses to reduce our risk exposure.

Real-time feedback isn't necessary for us because we receive scan results once a week or on demand. However, the feedback has been incredibly valuable. I can perform a scan and immediately see our current situation. This allows me to quickly assess if our coding practices are effective or if we need to stop and address any issues before they become bigger problems.

Fortify SAST has helped free up around 20 percent of our employees' time to work on other projects.

Fortify SAST's ability to identify vulnerabilities early in the development lifecycle has helped us save significant costs equalling around 40 percent as well as time, as it allows us to catch issues before they reach production. Before using Fortify SAST, we could only identify problems manually, which often resulted in code being deployed with vulnerabilities.

Integrating Fortify SAST is simple and takes around two hours.

We use the product as a SaaS analysis tool. We review static code. It allows you to find vulnerabilities.

The value that combining Fortify and Sonatype is that we use Fortify as a SaaS analysis tool. We review static code and Sonatype allows you to find vulnerabilities. 

I use it as a security center. I review it for any kind of issues, whether for proof or to deny, the source code, the findings, and then the enterprise can go back and provide their recommendation for how to fix the issue. It is used to scan the code base. 

As a security analyst, I like the management view. From there, you can review the code and review findings in order to approve, deny, or recommend. Their Software Security Center, which acts as a portal, is quite useful. It's a good overview. You can really see what's happening after you've developed something.

Fortify's AppSec testing is great for application portfolio inventory and project releases. It works both at a portfolio level and also at a project level.

They also give you the capability to click train of all your vulnerabilities that happened within Apache Crossroads support. You give them a history to keep track of them, how they've been developed, how they've been saved, to give you a way of tracking your issues and how they get resolved.

It's pretty easy to find vulnerabilities. Then, you go to the source. It is very good at tracking to see where the data or the issue enters into your source code so you can track it or go back to where it started.

Fortify helps remediate potential vulnerabilities by using more accurate, reliable results. They offer recommended remediation. I can go to the website tools to resolve issues and search for remediations. This helps our developers to build more secure code from the start.

It has reduced vulnerabilities. We've never had issues when we ran our scans. We're notified, and we're able to identify most of our vulnerabilities and fix them before anything goes to production. If you're running this on your CI/CD pipeline, notifications are in real-time.

The level of detail is very informative. It provides you with recommendations on how to fix items. And they provide you with other resources available for how to address the issues. You can also see the root cause.

It works well with cloud-native applications.

Fortify helped us to free up staff time since it helps us resolve issues faster. 

It's helped us save costs as, if we catch a vulnerability faster, it's easier to fix than later. 

Fortify and Sonatype help maintain compliance with the applicable regulations. We mostly use Sonatype for compliance and licenses. By combining both solutions together, it enables you to solve a lot of issues that may occur in the future.

Fortify SAST performs static code analysis, which means it reviews the source code or compiled binary code without executing the application. This helps in identifying vulnerabilities, coding errors, and security issues within the codebase.
Fortify SAST supports a wide range of programming languages, including popular ones like Java, C/C++, C#, Python, and more. This broad language support makes it suitable for various development environments.

It comes with a comprehensive set of security rules and patterns to identify vulnerabilities, including issues related to OWASP Top Ten, CWE (Common Weakness Enumeration), and other industry standards

Fortify integrates with various development environments and tools, such as IDEs (Integrated Development Environments) and CI/CD pipelines. This allows developers to scan code seamlessly.