We performed a comparison between Fortify Application Defender, Fortify on Demand, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.
"The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities."
"The product saves us cost and time."
"The most valuable feature is that it analyzes data in real-time."
"We are able to provide our customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment."
"The most valuable features of Fortify Application Defender are the code packages that are default."
"Its ability to find security defects is valuable."
"I find the configuration of rules in Fortify Application Defender useful. Its integration is also easy."
"Fortify Application Defender's most valuable features are machine learning algorithms, real-time remediation, and automatic vulnerability notifications."
"The vulnerability detection and scanning are awesome features."
"Provides good depth of scanning and we get good results."
"Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out."
"Fortify on Demand is easy to use and the reporting is good."
"The solution is very fast."
"I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification."
"It improves future security scans."
"It has saved us a lot of time as we focus primarily on programming rather than tool operational work."
"Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code."
"It's good at identifying security issues. It can pinpoint issues very effectively."
"The best feature of Veracode is that we can do static and dynamic scans."
"The product’s policy reporting for ensuring compliance with industry standards and regulations is great."
"It gives me an idea about the most important vulnerabilities and fast remediation tips."
"It has improved the quality of code being delivered for test and its vulnerability resolutions timeline has improved."
"Veracode offers various security features."
"The most valuable feature is the SAST capability and its integration into the Veracode pipelines."
"Fortify Application Defender could improve by supporting more code languages, such as GRAAS and Groovy."
"The licensing can be a little complex."
"The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java."
"The solution is quite expensive."
"I encountered many false positives for Python applications."
"The workbench is a little bit complex when you first start using it."
"Support for older compilers/IDEs is lacking."
"Fortify Application Defender gives a lot of false positives."
"There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes."
"It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available."
"There are many false positives identified by the solution."
"Takes up a lot of resources which can slow things down."
"Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. In addition, the technical support is just not there. We have open tickets. They don't respond. Even if they respond, we're not seeing eye to eye. As the company got sold and bought, the support got worse."
"With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities."
"The UI could be better. Fortify should also suggest new packages in the product that can be upgraded. Currently, it shows that, but it's not visible enough. In future versions, I would like more insights about the types of vulnerabilities and the pages associated with the exact CVE."
"If you have a continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time."
"It will be beneficial for developers if Veracode Greenlight includes Python."
"A high number of false positives are reported and this should be reduced."
"It needs to reach the level of Checkmarx's and Fortify Software's capabilities and service levels, or may further loosen the market share."
"The documentation is poor and the technical support isn't helpful."
"We would like a way to mark entire modules as 'safe.' The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time."
"The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users."
"I've found that Veracode is not particularly suitable for Dynamic Application Security Testing."
"Another thing I need is continued support for the new languages today that are popular. Most of them are scripting languages more so than real, fourth-generation, commercial grade stuff; we're evolving. Most applications are using so much open-source that, quite frankly, it would be great to see Veracode, or anybody else, extend their platform to where they are able to help secure open-source platforms or repositories."