FOSSA vs Fortify Static Code Analyzer comparison

Fortify Static Code Analyzer
Read 15 Fortify Static Code Analyzer reviews
  • 2,074 Views
  • 1,359 Comparison Views
93% willing to recommend
FOSSA
Read 12 FOSSA reviews
  • 2,750 Views
  • 1,714 Comparison Views
100% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive Summary
We performed a comparison between Fortify Static Code Analyzer and FOSSA based on real PeerSpot user reviews.

Find out what your peers are saying about Veracode, Checkmarx, OpenText and others in Static Code Analysis.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed Static Code Analysis Report (Updated: July 2024).
Buyer's Guide
Static Code Analysis
July 2024
Download the complete report
Helped 793,295 peers since 2012
 

Categories and Ranking

Fortify Static Code Analyzer
Average Rating
8.4
Number of Reviews
15
Ranking in other categories
Static Code Analysis (3rd)
FOSSA
Average Rating
8.6
Number of Reviews
12
Ranking in other categories
Software Composition Analysis (SCA) (9th)
 

Mindshare comparison

As of July 2024, in the Static Code Analysis category, the mindshare of Fortify Static Code Analyzer is 20.8%, up from 9.6% compared to the previous year. The mindshare of FOSSA is 4.2%, down from 5.8% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Code Analysis
Unique Categories:
No other categories found
Software Composition Analysis (SCA)
5.5%
 

Featured Reviews

VF
Dec 6, 2023
Helps to identify and remediate potential vulnerabilities and saves us costs
Finding vulnerabilities using Fortify SAST is not difficult. Fortify SAST helps our remediation of potential vulnerabilities with accurate and reliable results. While this practice does not allow our developers to build secure code from the outset, as they are currently notified of issues only after the initial build, it does facilitate the creation of secure code before deployment to the customer environment and production. Fortify SAST has been instrumental in our growth. As a result, I now have a team that consistently writes more secure code without relying on scans. By addressing the same issues repeatedly, we learn to write code correctly the first time, fostering a culture of knowledge sharing. This is facilitated by our weekly meetings where the team discusses key issues and collaborates on solutions. I can use the dashboard and portal to see our compliance in real-time and address any compliance issues before they become a problem. The Fortify SAST portal helps me identify vulnerabilities and weaknesses to reduce our risk exposure. Real-time feedback isn't necessary for us because we receive scan results once a week or on demand. However, the feedback has been incredibly valuable. I can perform a scan and immediately see our current situation. This allows me to quickly assess if our coding practices are effective or if we need to stop and address any issues before they become bigger problems. Fortify SAST has helped free up around 20 percent of our employees' time to work on other projects. Fortify SAST's ability to identify vulnerabilities early in the development lifecycle has helped us save significant costs equalling around 40 percent as well as time, as it allows us to catch issues before they reach production. Before using Fortify SAST, we could only identify problems manually, which often resulted in code being deployed with vulnerabilities. Integrating Fortify SAST is simple and takes around two hours.
Read full review
BF
Oct 5, 2020
Compatibility with a wide range of dev tools, web and "C-type", enables us to scan across our ecosystem, including legacy software
The solution provides contextualized, actionable, intelligence that alerts us to compliance issues, but there is still a little bit of work to be done on it. One of the issues that I have raised with FOSSA is that when it identifies an issue that is an error, why is it in error? What detail can they give to me? They've improved, but that still needs some work. They could provide more information that helps me to identify the dependencies and then figure out where they originated from. That would give me a better idea of where to look, rather than just generically searching the web. They do provide more information than they used to, which is good, but I still think that they have a ways to go with it. Another topic is the components tab of FOSSA. It has a couple of reports that tell me the packages that are being tracked and that allow me to look up packages. That could be expanded in several ways and fixed up in several ways. It could be expanded in that, right now, you can only search for and find packages that are in use in the organization. There is no way to search for all packages, even packages that we're not using. That would be really useful to my developers, for them to be able to come into FOSSA and get more information about components before they use them. The other thing on that tab, regarding the reports, is something that I've been working on with them for a while. The reports don't really work that well for us. They do provide good information but they perform poorly with either the number of projects, or components, in the system. Reports that worked when the load was low, are now timing out before finishing. Unfortunately, that makes it a feature that I can't really roll out to the rest of the organization. For example, the due diligence report and the audit report FOSSA has would be very beneficial to my teams, but until they work for all the teams, I can't roll it out. So there is work that needs to be done on this page for reporting. If they're going to provide reports they should function and they should provide actionable information. They do provide actionable information but because they don't function, they're not really useful to me, and I need them to be. So the components tab needs work, or it needs to be removed, but I prefer that it gets the work. There are other little things that could be improved as well. On the issues tab, there is a problem with resolving issues that have been identified and that occur in a larger number of projects. It doesn't even have to be that many. We've got one component that is tied to 61 projects and we have tried to resolve it for all but it never actually works. It spins for a while, but it doesn't do anything. These aren't things that happen on a regular basis. They're not so much of an issue that the system doesn't work. There are a few other usability issues in the system, UI concerns that I have, and I bring those up on the Slack channel with them as I run into them. Quite often they address them very quickly.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"You can really see what's happening after you've developed something."
"It's helped us free up staff time."
"The integration Subset core integration, using Jenkins is one of the good features."
"The Software Security Center, which is often overlooked, stands out as the most effective feature."
"I like the Fortify taxonomy as it provides us with a list of all of the vulnerabilities found. Fortify release updated rule packs quarterly, with accompanying documentation, that lets us know what new features are being released."
"Its flexibility is most valuable. It is such a flexible tool. It can be implemented in a number of ways. It can do anything you want it to do. It can be fully automated within a DevOps pipeline. It can also be used in an ad hoc, special test case scenario and anywhere in between."
"We've found the documentation to be very good."
"Fortify integrates with various development environments and tools, such as IDEs (Integrated Development Environments) and CI/CD pipelines."
More Fortify Static Code Analyzer pros
"I found FOSSA's out-of-the-box policy engine to be accurate and that it was tuned appropriately to the settings that we were looking for. The policy engine is pretty straightforward... I find it to be very straightforward to make small modifications to, but it's very rare that we have to make modifications to it. It's easy to use. It's a four-category system that handles most cases pretty well."
"The most valuable feature is definitely the ease and speed of integrating into build pipelines, like a Jenkins pipeline or something along those lines. The ease of a new development team coming on board and integrating FOSSA with a new project, or even an existing project, can be done so quickly that it's invaluable and it's easy to ask the developers to use a tool like this. Those developers greatly value the very quick feedback they get on any licensing or security vulnerability issues."
"The scalability is excellent."
"Being able to know the licenses of the libraries is most valuable because we sell products, and we need to provide to the customers the licenses that we are using."
"FOSSA provided us with contextualized, easily actionable intelligence that alerted us to compliance issues. I could tell FOSSA exactly what I cared about and they would tell me when something was out of policy. I don't want to hear from the compliance tool unless I have an issue that I need to deal with. That was what was great about FOSSA is that it was basically "Here's my policy and only send me an alert if there's something without a policy." I thought that it was really good at doing that."
"The support team has just been amazing, and it helps us to have a great support team from FOSSA. They are there to triage and answer all our questions which come up by using their product."
"Policies and identification of open-source licensing issues are the most valuable features. It reduces the time needed to identify open-source software licensing issues."
"I am impressed with the tool’s seamless integration and quick results."
More FOSSA pros
 

Cons

"It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier."
"Streamlining the upgrade process and enhancing compatibility would make it easier for us to keep our security tools up-to-date."
"Fortify's software security center needs a design refresh."
"Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize."
"It comes with a hefty licensing fee."
"The price can be improved."
"The generation of false positives should be reduced."
"The product shows false positives for Python applications."
More Fortify Static Code Analyzer cons
"Security scanning is an area for improvement. At this point, our experience is that we're only scanning for license information in components, and we're not scanning for security vulnerability information. We don't have access to that data. We use other tools for that. It would be an improvement for us to use one tool instead of two, so that we just have to go through one process instead of two."
"I want the product to include binary scanning which is missing at the moment. Binary scanning includes code and component matching through dependency management. It also includes the actual scanning and reverse engineering of the boundaries and finding out what is inside."
"On the dashboard, there should be an option to increase the column width so that we can see the complete name of the GitHub repository. Currently, on the dashboard, we see the list of projects, but to see the complete name, you have to hover your mouse over an item, which is annoying."
"One thing that can sometimes be difficult with FOSSA is understanding all that it can do. One of the ways that I've been able to unlock some of those more advanced features is through conversations with the absolutely awesome customer success team at FOSSA, but it has been a little bit difficult to find some of that information separately on my own through FAQs and other information channels that FOSSA has. The improvement is less about the product itself and more about empowering FOSSA customers to know and understand how to unlock its full potential."
"We have seen some inaccuracies or incompleteness with the distribution acknowledgments for an application, so there's certainly some room for improvement there. Another big feature that's missing that should be introduced is snippet matching, meaning, not just matching an entire component, but matching a snippet of code that had been for another project and put in different files that one of our developers may have created."
"The technical support has room for improvement."
"The solution provides contextualized, actionable, intelligence that alerts us to compliance issues, but there is still a little bit of work to be done on it. One of the issues that I have raised with FOSSA is that when it identifies an issue that is an error, why is it in error? What detail can they give to me? They've improved, but that still needs some work. They could provide more information that helps me to identify the dependencies and then figure out where they originated from."
"For open-source management, FOSSA's out-of-the-box policy engine is easy to use, but the list of licenses is not as complete as we would like it to be. They should add more open-source licenses to the selection."
More FOSSA cons
 

Pricing and Cost Advice

"The price of Fortify Static Code Analyzer could be reduced."
"It has a couple of license models. The one that we use most frequently is called their flexible deployment. We use this one because it is flexible and based on the number of code-contributing developers in the organization. It includes almost everything in the Fortify suite for one developer price. It gives access to not just the secure code analyzer (SCA) but also to FSC, the secure code. It gives us accessibility to scan central, which is the decentralized scanning farm. It also gives us access to the software security center, which is the vulnerability management platform."
"The setup costs and pricing for Fortify may vary depending on the organization's needs and requirements."
"There is a licensing fee, and if you bring them to the company and you want them to do the installation and the implementation in the beginning, there is a separate cost. Similarly, if you want consultation or training, there is a separate cost. I see it as suitable only for enterprises. I do not see it suitable for a small business or individual use."
"Although I am not responsible for the budget, Fortify SAST is expensive."
"From our standpoint, we are significantly better off with Fortify due to the favorable pricing we secured five years ago."
"The licensing is expensive and is in the 50K range."
"FOSSA is a fairly priced product. It is not either cheaper or expensive. The pricing lies somewhere in the middle. The solution is worth the money that we are spending to use it."
"Its price is reasonable as compared to the market. It is competitively priced in comparison to other similar solutions on the market. It is also quite affordable in terms of the value that it delivers as compared to its alternative of hiring a team."
"FOSSA is not cheap, but their offering is top-notch. It is very much a "you get what you pay for" scenario. Regardless of the price, I highly recommend FOSSA."
"The solution's cost is a five out of ten."
report
See which vendors are best for you
Use our free recommendation engine to learn which Static Code Analysis solutions are best for your needs.
See recommendations
793,295 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
29%
Computer Software Company
14%
Manufacturing Company
11%
Government
7%
Manufacturing Company
26%
Computer Software Company
17%
Financial Services Firm
11%
Healthcare Company
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about Fortify Static Code Analyzer?
Integrating the Fortify Static Code Analyzer into our software development lifecycle was straightforward. It highlights important information beyond just syntax errors. It identifies issues like pa...
See all answers
What is your experience regarding pricing and costs for Fortify Static Code Analyzer?
The setup costs and pricing for Fortify may vary depending on the organization's needs and requirements.
See all answers
What needs improvement with Fortify Static Code Analyzer?
The product could be improved by upgrading and compatibility with databases such as MySQL. Streamlining the upgrade process and enhancing compatibility would make it easier for us to keep our secur...
See all answers
What do you like most about FOSSA?
I am impressed with the tool’s seamless integration and quick results.
See all answers
What is your experience regarding pricing and costs for FOSSA?
FOSSA is a fairly priced product. It is not either cheaper or expensive. The pricing lies somewhere in the middle. The solution is worth the money that we are spending to use it.
See all answers
What needs improvement with FOSSA?
I want the product to include binary scanning which is missing at the moment. Binary scanning includes code and component matching through dependency management. It also includes the actual scannin...
See all answers
 

Comparisons

Black Duck vs Fortify Static Code Analyzer Logo
Black Duck vs Fortify Static Code Analyzer
Compared 33% of the time
Snyk vs Fortify Static Code Analyzer Logo
Snyk vs Fortify Static Code Analyzer
Compared 21% of the time
Veracode vs Fortify Static Code Analyzer Logo
Veracode vs Fortify Static Code Analyzer
Compared 11% of the time
Sonatype Lifecycle vs Fortify Static Code Analyzer Logo
Sonatype Lifecycle vs Fortify Static Code Analyzer
Compared 10% of the time
CodeSonar vs Fortify Static Code Analyzer Logo
CodeSonar vs Fortify Static Code Analyzer
Compared 1% of the time
More Fortify Static Code Analyzer Competitors
Black Duck vs FOSSA Logo
Black Duck vs FOSSA
Compared 51% of the time
Snyk vs FOSSA Logo
Snyk vs FOSSA
Compared 16% of the time
Mend.io vs FOSSA Logo
Mend.io vs FOSSA
Compared 10% of the time
JFrog Xray vs FOSSA Logo
JFrog Xray vs FOSSA
Compared 7% of the time
Sonatype Lifecycle vs FOSSA Logo
Sonatype Lifecycle vs FOSSA
Compared 4% of the time
More FOSSA Competitors
 

Product Reports

Buyer's Guide
Fortify Static Code Analyzer
July 2024
Fortify Static Code Analyzer reportDownload Fortify Static Code Analyzer product report
Buyer's Guide
FOSSA
July 2024
FOSSA reportDownload FOSSA product report
 

Also Known As

Fortify Static Code Analysis SAST
No data available
 

Learn More

OpenText
Video not available
FOSSA
 

Overview

Fortify Static Code Analyzer (SCA) utilizes numerous algorithms in addition to a dynamic intelligence base of secure coding protocols to investigate an application’s source code for any potential risk of malicious or dangerous threats. Additionally, the solution will prioritize the most critical concerns and give direction on how users can repair those concerns. This solution researches each and every potential route that workflow and data can travel to discover and repair all possible vulnerabilities. Fortify SCA allows users to create safe and secure software quickly. Users are able to discover potential security gaps more quickly with precise outcomes and repair them immediately.

Fortify Static Code Analyzer Benefits

  • CI/CD pipeline security: Fortify SCA integrates well with third-party tools such as ALM Octane, Atlassian Bamboo, Azure DevOps, Eclipse, Jenkins, and Jira. It offers real-time scan results, immediate recommendations, and collaborative auditing, and finds threats faster. It also discovers and prioritizes weaknesses to reduce risk.

  • Cost-effective: Improves coding actions by training users as they work to better understand the relationship of static application security testing (SAST). Fortify SCA is able to find more vulnerabilities than other solutions and delivers significantly fewer false positives.

  • Quick and reliable scanning: Fortify SCA will discover and eradicate weaknesses in byte, binary, or source code. SAST is able to stop the bulk of code issues at the start of development. The solution is able to discover 815 specific categories of risk, works through 27 programming languages and more than one million different APIs. Fortify SCA has a positive rate of 100% in the OWASP 1.2 benchmark.

Fortify Static Code Analyzer Features

  • Flexible deployment: Using Fortify On Demand, users can work in a complete SaaS environment. Fortify Hosted allows users to use on-premises and SaaS to work in a secure virtual space with complete control. Fortify-On-Prem gives users absolute control of the Fortify SCA solution.

  • Security assistant: Users have an interactive guide as they create code that provides risk analysis and anticipated outcomes. Security Assistant is an outstanding immediate feedback tool that gives instant results with significantly fewer false positives.

  • Audit assistant: This feature uses machine learning to reduce manual audit time while prioritizing the most important risks to users' networks. It provides automated audits in minutes. Any manual examinations are reduced, all issues are prioritized in accordance with organizational needs, and Fortify SCA consistently provides audit results to all projects.

Results from Real Users

Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it's notifying us and does not allow us to pass the DevOps pipeline. If it finds everything's perfect, as per our given guidelines, then it is allowing us to go ahead and start it, and we are able to deploy it.” - Arun D., Senior Architect at a healthcare company.

“Its flexibility is most valuable. It is such a flexible tool. It can be implemented in a number of ways. It can do anything you want it to do. It can be fully automated within a DevOps pipeline. It can also be used in an ad hoc, special test case scenario and anywhere in between.” - Tom H., Director of Security at Merito

Up to 90% of any piece of software is from open source, creating countless dependencies and areas of risk to manage. FOSSA is the most reliable automated policy engine for legal teams to maintain license compliance, security to fix vulnerabilities, and engineering to improve code quality across the entire software supply chain. As the only developer-native open source management platform, FOSSA fully integrates with your existing CI/CD pipeline to provide complete visibility and context earlier in the software development lifecycle. For the first time, teams can collaboratively shift left and audit, analyze, control, and remediate license issues and vulnerabilities right in their existing workflows.
 

Sample Customers

Information Not Available
AppDyanmic, Uber, Twitter, Zendesk, Confluent
Buyer's Guide
Static Code Analysis
July 2024
Download Free Report
Find out what your peers are saying about Veracode, Checkmarx, OpenText and others in Static Code Analysis. Updated: July 2024.
DOWNLOAD NOW
793,295 professionals have used our research since 2012.

We monitor all Static Code Analysis reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.