We performed a comparison between Fortify Application Defender, SonarQube, and Trustwave App Scanner [EOL] based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools."Fortify Application Defender's most valuable features are machine learning algorithms, real-time remediation, and automatic vulnerability notifications."
"The product saves us cost and time."
"The most valuable feature is the ability to automatically feed it rules what it's coupled with the WebInspect dynamic application scanning technology."
"The most valuable features of Fortify Application Defender are the code packages that are default."
"I find the configuration of rules in Fortify Application Defender useful. Its integration is also easy."
"The most valuable feature is that it analyzes data in real-time."
"The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities."
"We are able to provide out customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment."
"I follow Quality Gate's graduation model within organization, and it is extremely helpful for me to benchmark products."
"The tool helps us to monitor and manage violations. It manages the bugs and security violations."
"It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
"SonarQube is scalable. My company has 50 users."
"It is very good at identifying technical debt."
"I like that it has a better dashboard compared to Clockwork. It's also stable."
"The product has a friendly UI that is easy to use and understand."
"I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
"The stability is great. We haven't had any issues at all with it."
"Fortify Application Defender could improve by supporting more code languages, such as GRAAS and Groovy."
"The false positive rate should be lower."
"The solution is quite expensive."
"The workbench is a little bit complex when you first start using it."
"The licensing can be a little complex."
"Fortify Application Defender gives a lot of false positives."
"The product should integrate industry-standard code review tools internally with its system. This would streamline the coding process, as developers wouldn't need multiple tools for code review and security checks. Many independent and open-source tools are available, from Apache to various libraries. Using multiple DevOps pipeline tools can slow the turnaround time."
"The solution could improve the time it takes to scan. When comparing it to SonarQube it does it in minutes while in Fortify Application Defender it can take hours."
"The interface could be a little better and should be enhanced."
"We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."
"There could be better integration with other products."
"Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."
"There is need for support for the additional languages and ease of use in adding new rules for detecting issues."
"The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."
"An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case."
"This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced."
"I would like to see a little more flexibility with regards to setting up profiles for vulnerabilities."
Earn 20 points
