We performed a comparison between CodeSonar and Fortify on Demand based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."What I like best about CodeSonar is that it has fantastic speed, analysis and configuration times. Its detection of all runtime errors is also very good, though there were times it missed a few. The configuration of logs by CodeSonar is also very fantastic which I've not seen anywhere else. I also like the GUI interface of CodeSonar because it's very user friendly and the tool also shows very precise logs and results."
"The most valuable features of CodeSonar were all the categorized classes provided, and reports of future bugs which might occur in the production code. Additionally, I found the buffer overflow and underflow useful."
"There is nice functionality for code surfing and browsing."
"It has been able to scale."
"CodeSonar’s most valuable feature is finding security threats."
"The tool is very good for detecting memory leaks."
"The most valuable feature of CodeSonar is the catching of dead code. It is helpful."
"The licensing was good."
"It improves future security scans."
"Provides good depth of scanning and we get good results."
"Fortify on Demand can be scaled very easily."
"The most important feature of the product is to follow today's technology fast, updated rules and algorithms (of the product)."
"The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives."
"Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices. Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much."
"The most valuable features are the server, scanning, and it has helped identify issues with the security analysis."
"There could be a shared licensing model for the users."
"It was expensive."
"CodeSonar could improve by having better coding rules so we did not have to use another solution, such as MISRA C."
"In a future release, the solution should upgrade itself to the current trends and differentiate between the languages. If there are any classifications that can be set for these programming languages that would be helpful rather than having everything in the generic category."
"The scanning tool for core architecture could be improved."
"It would be beneficial for the solution to include code standards and additional functionality for security."
"In terms of areas for improvement, the use case for CodeSonar was good, but compared to other tools, it seems CodeSonar isn't a sound static analysis tool, and this is a major con I've seen from it. Right now, in the market, people prefer sound static analysis tools, so I would have preferred if CodeSonar was developed into a sound static analysis tool formally, in terms of its algorithms, so then you can see it extensively used in the market because at the moment, here in India, only fifty to sixty customers use CodeSonar. If the product is developed into a sound static analysis tool, it could compete with Polyspace, and from its current fifty customers, that number could go up to a hundred."
"Micro Focus Fortify on Demand could improve the user interface by making it more user-friendly."
"There are many false positives identified by the solution."
"With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities."
"There is room for improvement in the integration process."
"We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access."
"The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment."
"Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. In addition, the technical support is just not there. We have open tickets. They don't respond. Even if they respond, we're not seeing eye to eye. As the company got sold and bought, the support got worse."
"There are lots of limitations with code technology. It cannot scan .net properly either."
CodeSonar is ranked 22nd in Application Security Tools with 7 reviews while Fortify on Demand is ranked 11th in Application Security Tools with 56 reviews. CodeSonar is rated 8.2, while Fortify on Demand is rated 8.0. The top reviewer of CodeSonar writes "Nice interface, quick to deploy, and easy to expand". On the other hand, the top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes ". CodeSonar is most compared with SonarQube, Coverity, Klocwork, Polyspace Code Prover and Semgrep Code, whereas Fortify on Demand is most compared with SonarQube, Checkmarx One, Veracode, Coverity and Fortify WebInspect. See our CodeSonar vs. Fortify on Demand report.
See our list of best Application Security Tools vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.