Fortify WebInspect vs Fortify on Demand vs Veracode comparison

Read 201 Veracode reviews

14,613 Views
9,530 Comparison Views

90% willing to recommend

Fortify on Demand

Fortify WebInspect

Comparison Buyer's Guide

Download the report

Executive Summary

We performed a comparison between Fortify on Demand, Fortify WebInspect, and Veracode based on real PeerSpot user reviews.

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.

To learn more, read our detailed Application Security Tools Report (Updated: June 2025).

Application Security Tools

Download the complete report

Helped 857,162 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Mindshare comparison

Application Security Tools

Dynamic Application Security Testing (DAST)

Application Security Tools

Featured Reviews

Jonathan Steyn

Principal Technical Consultant at EOH

Source code analyzer, FPR file generation, reduction of false positives and generates compliance reports, for in-depth analysis

Not challenges with the product itself. The product is very reliable. It does have a steep learning curve. But, again, one thing that Fortify or OpenText does very well is training. There are a lot of free resources and training in the community forums, free training as well as commercial training where users can train on how to use the back-end systems and the scanning engines and how to use command-line arguments because some of the procedures or some of the tools do require a bit of a learning curve. That's the only challenge I've really seen for customers because you have to learn how to use the tool effectively. But Fortify has, in fact, improved its user interface and the way users engage the dashboards and the interfaces. It is intuitive. It's easy to understand. But in some regards, the cybersecurity specialist or AppSec would need a bit of training to engage the user interface and to understand how it functions. But from the point of the reliability index and how powerful the tool is, there's no challenge there. But it's just from a learning perspective; users might need a bit more skill to use the tool. The user interface isn't that tedious. It's not that difficult to understand. When I initially learned how to use the interfaces, I was able to master it within a week and was able to use it quite effectively. So training is required. All skills are needed to learn how to use the tool. I would like to see more enhancements in the dashboards. Dashboards are available. They do need some configuration and settings. But I would like to see more business intelligence capabilities within the tool. It's not particularly a cybersecurity function, but, for instance, business impact analysis or other features where you can actually use business intelligence capabilities within your security tool. That would be remarkable because not only do you have a cybersecurity tool, but you also have a tool that can give you business impact analysis and some other measurements. A bit more intelligence in terms of that from a cybersecurity perspective would be remarkable.

Read full review

Navin N

Global ISO 27001 Program Lead at DXC Technology

Effective scanning of diverse file extensions with fast reporting and issue resolution

We develop software packages for clients, and these clients are mostly in the BFSI sector. The packages need to be scanned, and we engage Fortify WebInspect for this. Customers typically perform their own application pen tests, but in some cases, we have engagements where customers want us to scan…

Read full review

David-Robertson

Director Enterprise Architecture at Exeter Finance Corp.

Static scanning and software composition analysis are very helpful, but the usability needs improvement

Static scanning and software composition analysis are very helpful. My colleagues and I don't need to be experts on all of those ancillary things, so we can focus more on the business deliverables. They have a pretty good tool that allows me to run scans of my local integrated development environment. I can find a lot of those flaws a lot sooner than I would if I had to wait for these cloud-based scans. They've come out with some sort of automated fix feature. I haven't used it, but they gave us a demo of it, and that one looks promising. I don't know if it's ready for prime time yet.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"It is an extremely robust, scalable, and stable solution."

"The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira."

"Fortify on Demand is easy to use and the reporting is good."

"t's a cloud-based solution, so there was no installation involved."

"It helps deploy and track changes easily as per time-to-time market upgrades."

"I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification"

"What stands out to me is the user-friendliness of each feature."

"We have the option to test applications with or without credentials."

More Fortify on Demand pros

"I've found the centralized dashboard the most valuable. For the management, it helps a lot to have abilities at the central level."

"Good at scanning and finding vulnerabilities."

"The most valuable feature is the static analysis."

"Reporting, centralized dashboard, and bird's eye view of all vulnerabilities are the most valuable features."

"Fortify WebInspect is a scalable solution, it is good for a lot of applications."

"The most valuable feature of this solution is the ability to make our customers more secure."

"The user interface is ok and it is very simple to use."

"The feature that has been most influential in identifying vulnerabilities is its ability to crawl the website, understand the structure, and analyze the network packets sent and received."

More Fortify WebInspect pros

"With the tools that Veracode provides, our developers are actually able to comprehend what the vulnerability was and then resolve it. So a lot of knowledge has been grown as a result, around security, with our developers."

"Static scanning and software composition analysis are very helpful. I and my colleagues don't need to be an expert on all of those ancillary things, so we can focus more on the business deliverables."

"Veracode allows us to easily summarize issues and provide quick, actionable insights."

"With the pipeline scanner, it's easier for developers to scan their products, as they don't have to export anything from their computers. They can do everything with the command line on their computer."

"We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle."

"I like the sandbox, the ability to upload compiled code, and how easy it is."

"The Veracode support team is excellent."

"I contacted the solution's technical support during the automation part, and it went well, after which I never faced any issues."

More Veracode pros

Cons

"They have very good support, but there is always room for improvement."

"Micro Focus Fortify on Demand could improve the user interface by making it more user-friendly."

"There were some regulated compliances, which were not there."

"It would be highly beneficial if Fortify on Demand incorporated runtime analysis, similar to how Contrast Security utilizes agents for proactive application security."

"Micro Focus Fortify on Demand could improve the reports. They could benefit from being more user-friendly and intuitive."

"The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to."

"It lacks of some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt."

"The cybersecurity specialist or AppSec would need a bit of training to engage the user interface and to understand how it functions."

More Fortify on Demand cons

"The scanner could be better."

"A localized version, for example, in Korean would be a big improvement to this solution."

"There are some file extensions, like .SER, that Fortify WebInspect doesn't scan."

"Not sufficiently compatible with some of our systems."

"Lately, we've seen more false negatives."

"We have often encountered scanning errors."

"Fortify WebInspect could improve user-friendliness. Additionally, it is very bulky to use."

"The initial setup was complex."

More Fortify WebInspect cons

"The usability isn't good in Veracode. Sometimes, it will show a problem, but it's difficult to go into their tool and figure out where it is. You primarily use a web browser to access their system. It requires a lot of clicks. The static analysis is a separate part of their system from the SCA, so that's a bit difficult. They haven't fully integrated that. It's difficult for the consumer."

"The documentation is poor and the technical support isn't helpful."

"The user interface could be more sleek. Some scanning requirements aren't flexible. Some features take some time for new users to understand (like what exactly "modules" are)."

"They should improve on the static scanning time."

"Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in."

"Straightforward to set up, but the configuration of the rules engine is difficult and complicated."

"Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses."

"One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."

More Veracode cons

Pricing and Cost Advice

"Despite being on the higher end in terms of cost, the biggest value lies in its abilities, including robust features, seamless integration, and high-quality findings."

"Fortify on Demand is more expensive than Burpsuite. I rate its pricing a nine out of ten."

"The price is fair compared to that of other solutions."

"It's a yearly contract, but I don't remember the dollar amount."

"Fortify on Demand is moderately priced, but its pricing could be more flexible."

"The licensing was good because the licenses have the heavy centralized server."

"There are different costs for Micro Focus Fortify on Demand depending on the assessments you want to use. There is only a standard license needed to use the solution."

"The pricing model it's based on how many applications you wish to scan."

More Fortify on Demand pricing and cost advice

"The price is okay."

"Its price is almost similar to the price of AppScan. Both of them are very costly. Its price could be reduced because it can be very costly for unlimited IT scans, etc. I'm not sure, but it can go up to $40,000 to $50,000 or more than that."

"It’s a fair price for the solution."

"Our licensing is such that you can only run one scan at a time, which is inconvenient."

"This solution is very expensive."

"Fortify WebInspect is a very expensive product."

"The pricing is not clear and while it is not high, it is difficult to understand."

"From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."

"Negotiate some, but their prices are reasonable."

"The pricing is fair. You get a lot out of the product."

"I wouldn't really recommend Veracode for a small firm, because it might be a little pricey for them. But for a large organization, with more than 1,000 applications in the enterprise, there are tiered levels of pricing."

"It is an expensive solution, but it's the best solution available on the market. If you want something at the top, you have to pay a bit more than the average."

"We are still considering it at the enterprise level. It has a subscription-based model. We find its price a little high based on the features it provides."

"Veracode's price is high. I would like them to better optimize their pricing."

"Regarding licensing, pay very close attention to what applications you're going to need to do dynamic scanning for, versus static. Right now, the way the licensing is set up, if you don't have any static elements for a website, you can certainly avoid some costs by doing more dynamic licenses. You need to pay very close attention to that, because if you find out later that you have static code elements - like Java scripts, etc. - that you want to have scanned statically, having the two licenses bundled together will actually save you money."

More Veracode pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.

See recommendations

857,162 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

20%

Manufacturing Company

15%

Computer Software Company

11%

Government

Financial Services Firm

17%

Government

14%

Manufacturing Company

12%

Computer Software Company

12%

Computer Software Company

17%

Financial Services Firm

16%

Manufacturing Company

Insurance Company

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

Questions from the Community

What do you like most about Micro Focus Fortify on Demand?

It helps deploy and track changes easily as per time-to-time market upgrades.

What is your experience regarding pricing and costs for Micro Focus Fortify on Demand?

In comparison with other tools, they're competitive. It is not more expensive than other solutions, but their pricing...

What needs improvement with Micro Focus Fortify on Demand?

There are frequent complaints about false positives from Fortify. One day it may pass a scan with no issues, and the ...

What do you like most about Fortify WebInspect?

The solution's technical support was very helpful.

What is your experience regarding pricing and costs for Fortify WebInspect?

The price of Fortify WebInspect is high, with the cost depending on the number of virtual users. It is approximately ...

What needs improvement with Fortify WebInspect?

The main area for improvement in Fortify WebInspect is the price, as it is too high compared to the market rate. The ...

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...

What do you like most about Veracode?

The SAST and DAST modules are great.

What is your experience regarding pricing and costs for Veracode?

The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and da...

SonarQube Server (formerly SonarQube) vs Fortify on Demand

Comparisons

Compared 18% of the time

Checkmarx One vs Fortify on Demand

Compared 13% of the time

Coverity vs Fortify on Demand

Compared 11% of the time

GitHub Advanced Security vs Fortify on Demand

Compared 8% of the time

Snyk vs Fortify on Demand

Compared 3% of the time

More Fortify on Demand Competitors

PortSwigger Burp Suite Professional vs Fortify WebInspect

Compared 21% of the time

OWASP Zap vs Fortify WebInspect

Compared 13% of the time

Acunetix vs Fortify WebInspect

Compared 10% of the time

Qualys Web Application Scanning vs Fortify WebInspect

Compared 9% of the time

HCL AppScan vs Fortify WebInspect

Compared 6% of the time

More Fortify WebInspect Competitors

SonarQube Server (formerly SonarQube) vs Veracode

Compared 19% of the time

Checkmarx One vs Veracode

Compared 10% of the time

GitHub Advanced Security vs Veracode

Compared 7% of the time

Snyk vs Veracode

Compared 4% of the time

Fortify Static Code Analyzer vs Veracode

Compared 4% of the time

More Veracode Competitors

Product Reports

Fortify on Demand

Download Fortify on Demand product report

Fortify WebInspect

Download Fortify WebInspect product report

Download Veracode product report

May 2025

Also Known As

Micro Focus Fortify on Demand

Micro Focus WebInspect, WebInspect

Crashtest Security , Veracode Detect

Overview

Fortify on Demand is a web application security testing tool that enables continuous monitoring. The solution is designed to help you with security testing, vulnerability management and tailored expertise, and is able to provide the support needed to easily create, supplement, and expand a software security assurance program without the need for additional infrastructure or resources.

Fortify on Demand Features

Fortify on Demand has many valuable key features. Some of the most useful ones include:

Deployment flexibility
Scalability
Built for DevSecOps
Ease of use
Supports 27+ languages
Real-time vulnerability identification with
Security Assistant
Actionable results in less than 1 hour for most applications with DevOps automation
Expanded coverage, accuracy and remediation details with IAST runtime agent
Continuous application monitoring of production applications
Virtual patches
Supports iOS and Android mobile applications
Security vulnerability identification
Behavioral and reputation analysis

Fortify on Demand Benefits

There are several benefits to implementing Fortify on Demand. Some of the biggest advantages the solution offers include:

Fast remediation: With Fortify on Demand you can achieve fast remediation throughout the software lifecycle with robust assessments by a team of security experts.

Easy integration: The solution’s integration ecosystem is easy to use, creating a more secure software supply chain.

Security testing: Fortify on Demand covers in-depth mobile app security testing, open-source analysis, and vendor application security management, in addition to static and dynamic testing.

Reviews from Real Users

Below are some reviews and helpful feedback written by PeerSpot users currently using the Fortify on Demand solution.

Dionisio V., Senior System Analyst at Azurian, says, "One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that." He goes on to add, “Another reason I like Fortify on Demand is because our code often includes open source libraries, and it's important to know when the library is outdated or if it has any known vulnerabilities in it. This information is important to us when we're developing our solutions and Fortify on Demand informs us when it detects any vulnerable open source libraries.”

A Security Systems Analyst at a retailer mentions, “Being able to reduce risk overall is a very valuable feature for us.”

Jayashree A., Executive Manager at PepsiCo, comments, “Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning. When we are exploring some of the endpoints this solution identifies many loopholes that hackers could utilize for an attack. This has been very helpful and surprising how many vulnerabilities there can be.”

A Principal Solutions Architect at a security firm explains, “Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out.”

PeerSpot user Mamta J., Co-Founder at TechScalable, states, "Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices. Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much."

OpenText

Fortify WebInspect is an automated DAST solution that helps security professionals and QA testers uncover security vulnerabilities and configuration concerns by providing complete vulnerability detection. This is accomplished by mimicking real-world external security attacks on a live application in order to discover and prioritize concerns for root-cause study. Fortify WebInspect provides a number of REST APIs for easier integration, as well as the ability to be maintained via an intuitive UI or totally automated.

Fortify WebInspect may be used as a completely automated solution to suit DevOps and scaling requirements, and it integrates seamlessly with the SDLC. REST APIs aid in closer integration by automating scans and ensuring that compliance standards are satisfied. Users can make use of pre-built integrations for Micro Focus Lifecycle Management (ALM) and Quality Center, as well as other security testing and management platforms.

Teams may reuse current scripts and tools thanks to powerful connectors. Any Selenium script can be simply integrated with Fortify WebInspect. Fortify WebInspect supports Swagger and OData formats via the WISwag command line tool, allowing it to work with any DevOps workflow. A scan template can be pre-configured by ScanCentral Admin and sent to users to scan their apps, with zero security knowledge required.

Fortify WebInspect Features

Fortify WebInspect has many valuable key features. Some of the most useful ones include:

Security testing of functional applications (FAST): FAST can use all of the functional tests in the same way as IAST does, but it will continue crawling. FAST will not miss anything that a functional test misses.

Insights from a hacker's perspective: View discoveries such as client-side frameworks and version number. These are findings that, if not addressed, could lead to vulnerabilities.

Workflow macros HAR files: Fortify WebInspect can scan workflows with HAR files, ensuring that crucial content is not missed.

Management of compliance: Preconfigured policies and reports for all key online application security compliance regulations, such as PCI DSS, DISA STIG, NIST 800-53, ISO 27K, OWASP, and HIPAA.

Horizontal scaling can help you speed up your work: Using Kubernetes, horizontal scaling creates little versions of WebInspect that only process JavaScript. This allows the scans to run in parallel, resulting in significantly faster scans.

Scan any API for better accuracy: Get the complete picture on APIs, including SOAP, Rest, Swagger, OpenAPI, and Postman.
Managing the security of enterprise applications: To meet DevOps requirements, monitor trends within an application and take action on the most critical issues first.

Deployment options: With the flexibility of on-premise, SaaS, or AppSec-as-a-service, you can get started immediately and scale as needed.

Fortify WebInspect Benefits

There are many benefits to implementing Fortify WebInspect. Some of the biggest advantages the solution offers include:

Vulnerabilities are discovered faster and earlier.
Automation and agent technology can help you save time.
Users can utilize crawl web technologies and modern frameworks.
ScanCentral DAST helps you manage enterprise app security risk.

Reviews from Real Users

Fortify WebInspect stands out among its competitors for a number of reasons. One major one is its robust centralized dashboard, which gives insight into all vulnerabilities.

Milin S., an Information Security Architect at a real estate/law firm, writes of the product, “Reporting, centralized dashboard, and bird's eye view of all vulnerabilities are the most valuable features. The vulnerability management part of it is very easy. We can suppress or comment on each vulnerability and assign a vulnerability to an individual risk owner, which makes the work easy.”

OpenText

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
Scalability - Supports organizations with large-scale application portfolios.
Compliance support - Ensures applications meet various security standards and regulations.
Developer training - Provides tools for educating developers on secure coding practices.
Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.

Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Sample Customers

SAP, Aaron's, British Gas, FICO, Cox Automative, Callcredit Information Group, Vital and more.

Aaron's

Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.

Application Security Tools