We performed a comparison between OWASP Zap and Micro Focus Fortify on Demand based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, OWASP Zap comes out ahead of Micro Focus Fortify on Demand. Although both products have valuable features and ROI, our reviewers found that Micro Focus Fortify on Demand has a more complex installation process and slower support response times.
"The vulnerability detection and scanning are awesome features."
"Provides good depth of scanning and we get good results."
"The user interface is good."
"What stands out to me is the user-friendliness of each feature."
"Fortify on Demand's best feature is that there's no need to install and configure it locally since it's on the cloud."
"The most valuable features are the detailed reporting and the ability to set up deep scanning of the software, both of which are in the same place."
"The most valuable feature of Micro Focus Fortify on Demand is the information it can provide. There is quite a lot of information. It can pinpoint right down to where the problem is, allowing you to know where to fix it. Overall the features are easy to use, you don't have to be a coder. You can be a manager, or in IT operations, et cetera, anyone can use it. It is quite a well-rounded functional solution."
"The solution is very fast."
"The product helps users to scan and fix vulnerabilities in the pipeline."
"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
"It updates repositories and libraries quickly."
"You can run it against multiple targets."
"The product discovers more vulnerabilities compared to other tools."
"The most valuable feature is scanning the URL to drill down all the different sites."
"Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."
"We have some stability issues, but they are minimal."
"They have very good support, but there is always room for improvement."
"An improvement would be the ability to get vulnerabilities flowing automatically into another system."
"I would like to see improvement in CI integration and integration with GitLab or Jenkins. It needs to be more simple."
"The UI could be better. Fortify should also suggest new packages in the product that can be upgraded. Currently, it shows that, but it's not visible enough. In future versions, I would like more insights about the types of vulnerabilities and the pages associated with the exact CVE."
"It would be highly beneficial if Fortify on Demand incorporated runtime analysis, similar to how Contrast Security utilizes agents for proactive application security."
"Takes up a lot of resources which can slow things down."
"There are many false positives identified by the solution."
"The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."
"The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."
"ZAP's integration with cloud-based CI/CD pipelines could be better. The scan should run through the entire pipeline."
"There are too many false positives."
"The product reporting could be improved."
"Lacks resources where users can internally access a learning module from the tool."
"The solution is unable to customize reports."
"There isn't too much information about it online."
Fortify on Demand is ranked 9th in Application Security Testing (AST) with 19 reviews while OWASP Zap is ranked 8th in Application Security Testing (AST) with 11 reviews. Fortify on Demand is rated 8.0, while OWASP Zap is rated 7.2. The top reviewer of Fortify on Demand writes "Seamless integration with various platforms and products, providing a centralized and comprehensive security analysis solutionand". On the other hand, the top reviewer of OWASP Zap writes "Stable dynamic testing solution with unreliable manual processes". Fortify on Demand is most compared with SonarQube, Checkmarx, Veracode, Coverity and Snyk, whereas OWASP Zap is most compared with PortSwigger Burp Suite Professional, SonarQube, Acunetix, Qualys Web Application Scanning and Invicti.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.