We performed a comparison between Fortify Static Code Analyzer and Mend.io based on real PeerSpot user reviews.
Find out what your peers are saying about Veracode, OpenText, JetBrains and others in Static Code Analysis."We've found the documentation to be very good."
"It's helped us free up staff time."
"I like the Fortify taxonomy as it provides us with a list of all of the vulnerabilities found. Fortify release updated rule packs quarterly, with accompanying documentation, that lets us know what new features are being released."
"The reference provided for each issue is extremely helpful."
"Its flexibility is most valuable. It is such a flexible tool. It can be implemented in a number of ways. It can do anything you want it to do. It can be fully automated within a DevOps pipeline. It can also be used in an ad hoc, special test case scenario and anywhere in between."
"We write software, and therefore, the most valuable aspect for us is basically the code analysis part."
"I like Fortify Software Security Center or Fortify SSC. This tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions."
"You can really see what's happening after you've developed something."
"The solution boasts a broad range of features and covers much of what an ideal SCA tool should."
"I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow."
"The inventory management as well as the ability to identify security vulnerabilities has been the most valuable for our business."
"With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions."
"Our dev team uses the fix suggestions feature to quickly find the best path for remediation."
"The results and the dashboard they provide are good."
"WhiteSource is unique in the scanning of open-source licenses. Additionally, the vulnerabilities aspect of the solution is a benefit. We don't use WhiteSource in the whole organization, but we use it for some projects. There we receive a sense of the vulnerabilities of the open-source components, which improves our security work. The reports are automated which is useful."
"WhiteSource helped reduce our mean time to resolution since the adoption of the product."
"I know the areas that they are trying to improve on. They've been getting feedback for several years. There are two main points. The first thing is keeping current with static code languages. I know it is difficult because code languages pop up all the time or there are new variants, but it is something that Fortify needs to put a better focus on. They need to keep current with their language support. The second thing is a philosophical issue, and I don't know if they'll ever change it. They've done a decent job of putting tools in place to mitigate things, but static code analysis is inherently noisy. If you just take a tool out of the box and run a scan, you're going to get a lot of results back, and not all of those results are interesting or important, which is different for every organization. Currently, we get four to five errors on the side of tagging, and it notifies you of every tiny inconsistency. If the tool sees something that it doesn't know, it flags, which becomes work that has to be done afterward. Clients don't typically like it. There has got to be a way of prioritizing. There are a ton of filter options within Fortify, but the problem is that you've got to go through the crazy noisy scan once before you know which filters you need to put in place to get to the interesting stuff. I keep hearing from their product team that they're working on a way to do container or docker scanning. That's a huge market mover. A lot of people are interested in that right now, and it is relevant. That is definitely something that I'd love to see in the next version or two."
"The product shows false positives for Python applications."
"Not all languages are supported in Fortify."
"Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize."
"The generation of false positives should be reduced."
"The price can be improved."
"The pricing is a bit high."
"The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit."
"Mend supports most of the common package managers, but it doesn't support some that we use. I would appreciate it if they can quickly make these changes to add new package managers when necessary."
"I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant."
"The turnaround time for upgrading databases for this tool as well as the accuracy could be improved."
"WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers."
"We have been looking at how we could improve the automation to human involvement ratio from 60:40 to 70:30, or even potentially 80:20, as there is room for improvement here. We are discussing this internally and with Mend; they are very accommodating to us. We think they openly receive our feedback and do their best to implement our thoughts into the roadmap."
"The UI is not that friendly and you need to learn how to navigate easily."
"They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application."
"The dashboard UI and UX are problematic."
Fortify Static Code Analyzer is ranked 2nd in Static Code Analysis with 13 reviews while Mend.io is ranked 4th in Software Composition Analysis (SCA) with 29 reviews. Fortify Static Code Analyzer is rated 8.4, while Mend.io is rated 8.4. The top reviewer of Fortify Static Code Analyzer writes "Seamless to integrate and identify vulnerabilities and frees up staff time". On the other hand, the top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". Fortify Static Code Analyzer is most compared with Black Duck, Snyk, Veracode, Sonatype Lifecycle and JFrog Xray, whereas Mend.io is most compared with SonarQube, Black Duck, Snyk, Checkmarx One and FOSSA.
We monitor all Static Code Analysis reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.