We performed a comparison between OWASP Zap and Micro Focus Fortify on Demand based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, OWASP Zap comes out ahead of Micro Focus Fortify on Demand. Although both products have valuable features and ROI, our reviewers found that Micro Focus Fortify on Demand has a more complex installation process and slower support response times.
"Fortify on Demand can be scaled very easily."
"I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification"
"One of the valuable features is the ability to submit your code and have it run in the background. Then, if something comes up that is more specific, you have the security analyst who can jump in and help, if needed."
"The licensing was good."
"The scanning capabilities, particularly for our repositories, have been invaluable."
"The installation was easy."
"The most valuable feature of Micro Focus Fortify on Demand is the information it can provide. There is quite a lot of information. It can pinpoint right down to where the problem is, allowing you to know where to fix it. Overall the features are easy to use, you don't have to be a coder. You can be a manager, or in IT operations, et cetera, anyone can use it. It is quite a well-rounded functional solution."
"Micro Focus WebInspect and Fortify code analysis tools are fully integrated with SSC portals and can instantly register to error tracking systems, like TFS and JIRA."
"Automatic updates and pull request analysis."
"The solution has tightened our security."
"Automatic scanning is a valuable feature and very easy to use."
"The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
"The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"The solution is scalable."
"Simple and easy to learn and master."
"Micro Focus Fortify on Demand can improve by having more graphs. For example, to show the improvement of the level of security."
"It would be highly beneficial if Fortify on Demand incorporated runtime analysis, similar to how Contrast Security utilizes agents for proactive application security."
"Micro Focus Fortify on Demand could improve the reports. They could benefit from being more user-friendly and intuitive."
"The UI could be better. Fortify should also suggest new packages in the product that can be upgraded. Currently, it shows that, but it's not visible enough. In future versions, I would like more insights about the types of vulnerabilities and the pages associated with the exact CVE."
"With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities."
"I would like to see improvement in CI integration and integration with GitLab or Jenkins. It needs to be more simple."
"There are lots of limitations with code technology. It cannot scan .net properly either."
"If you have a continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time."
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"I prefer Burp Suite to SWASP Zap because of the extensive coverage it offers."
"It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results."
"The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."
"It would be nice to have a solid SQL injection engine built into Zap."
"There isn't too much information about it online."
Fortify on Demand is ranked 9th in Application Security Testing (AST) with 56 reviews while OWASP Zap is ranked 8th in Application Security Testing (AST) with 37 reviews. Fortify on Demand is rated 8.0, while OWASP Zap is rated 7.6. The top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes ". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". Fortify on Demand is most compared with SonarQube, Checkmarx One, Veracode, Coverity and HCL AppScan, whereas OWASP Zap is most compared with SonarQube, Acunetix, PortSwigger Burp Suite Professional, Qualys Web Application Scanning and HCL AppScan. See our Fortify on Demand vs. OWASP Zap report.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.