"The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code."
"Veracode is a valuable tool in our secure SDLC process."
"The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful."
"The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
"It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."
"Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt their suggestions of the tool. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code. The tool points to problematic methods with the vulnerability and provides ways to code it more securely. By adopting their suggestions, we are fixing this vulnerability."
"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."
"The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
"The user interface is modern and nice to use."
"The solution is scalable, but other solutions are better."
"From my point of view, it is the best product on the market."
"The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database."
"The UI is very intuitive and simple to use."
"The reports are very good because they include details on the code level, and make suggestions about how to fix the problems."
"The most valuable feature is the application tracking reporting."
"The user interface is excellent. It's very user friendly."
"The most valuable features are the server, scanning, and it has helped identify issues with the security analysis."
"There is not one feature we find valuable. The idea is to integrate the solution in DevSecOps which we were able to do. We were working with a different solution called SolarCloud previously and it was limited. We are trying to find the right level of security for our needs."
"One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that."
"It's a stable and scalable solution."
"The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation."
"Being able to reduce risk overall is a very valuable feature for us."
"Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out."
"The most valuable feature is the capacity to be able to check vulnerabilities during the development process. The development team can check whether the code they are using is vulnerable to some type of attack or there is some type of vulnerability so that they can mitigate it. It helps us in achieving a more secure approach towards internal applications. It is an intuitive solution. It gives all the information that a developer needs to remediate a vulnerability in the coding process. It also gives you some examples of how to remediate a vulnerability in different programming languages. This solution is pretty much what we were searching for."
"One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."
"If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us."
"When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications."
"Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had."
"There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed."
"The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
"If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing."
"Micro-services need to be included in the next release."
"You can't use it in the continuous delivery pipeline because the scanning takes too much time."
"I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features."
"Checkmarx could improve the REST APIs by including automation."
"Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities."
"In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."
"They could work to improve the user interface. Right now, it really is lacking."
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
"There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes."
"Reporting could be improved."
"Integration to CI/CD pipelines could be improved. The reporting format could be more user friendly so that it is easy to read."
"It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available."
"The thing that could be improved is reducing the cost of usage and including some of the most pricey features, such as dynamic analysis and that sort of functionality, which makes the difference between different types of tools."
"Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we have to use Windows Agent. This is something they could improve."
"They have a release coming out, which is full of new features. Based on their roadmap, there's nothing that I would suggest for them to put in it that they haven't already suggested. However, I am a customer, so I always think the pricing is something that could be improved. I am working with them on that, and they're very flexible. They work with their customers and kind of tailor the product to the customer's needs. So far, I am very happy with what they're able to provide. Their subscriptions could use a little bit of a reworking, but that would be about it."
"During development, when our developer makes changes to their code, they typically use GitHub or GitLab to track those changes. However, proper integration between Fortify on Demand and GitHub and GitLab is not there yet. Improved integration would be very valuable to us."
More Micro Focus Fortify on Demand Pricing and Cost Advice →
Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.
Checkmarx is ranked 5th in Application Security with 20 reviews while Micro Focus Fortify on Demand is ranked 7th in Application Security with 13 reviews. Checkmarx is rated 7.6, while Micro Focus Fortify on Demand is rated 8.0. The top reviewer of Checkmarx writes "Easy interface that is user friendly, quick scanning, and good technical support". On the other hand, the top reviewer of Micro Focus Fortify on Demand writes "Makes it easy to discover hidden vulnerabilities in our open source libraries". Checkmarx is most compared with SonarQube, Snyk, Coverity, WhiteSource and Sonatype Nexus Lifecycle, whereas Micro Focus Fortify on Demand is most compared with SonarQube, Coverity, Fortify WebInspect, HCL AppScan and Sonatype Nexus Lifecycle. See our Checkmarx vs. Micro Focus Fortify on Demand report.
See our list of best Application Security vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
