
Fortify Static Code Analyzer vs WhiteSource comparison

Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
Fortify Static Code Analyzer:
  • "We write software, and therefore, the most valuable aspect for us is basically the code analysis part."
  • "We've found the documentation to be very good."
  • "Its flexibility is most valuable. It is such a flexible tool. It can be implemented in a number of ways. It can do anything you want it to do. It can be fully automated within a DevOps pipeline. It can also be used in an ad hoc, special test case scenario and anywhere in between."

WhiteSource:
  • "Its ease of use and good results are the most valuable."
  • "The solution is scalable."
  • "The most valuable feature is the unified JAR to scan for all langs (wss-scanner jar)."
  • "The results and the dashboard they provide are good."
  • "The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine."
  • "Our dev team uses the fix suggestions feature to quickly find the best path for remediation."
  • "The solution boasts a broad range of features and covers much of what an ideal SCA tool should."

Cons
Fortify Static Code Analyzer:
  • "It comes with a hefty licensing fee."
  • "The pricing is a bit high."
  • "I know the areas that they are trying to improve on. They've been getting feedback for several years. There are two main points. The first thing is keeping current with static code languages. I know it is difficult because code languages pop up all the time or there are new variants, but it is something that Fortify needs to put a better focus on. They need to keep current with their language support. The second thing is a philosophical issue, and I don't know if they'll ever change it. They've done a decent job of putting tools in place to mitigate things, but static code analysis is inherently noisy. If you just take a tool out of the box and run a scan, you're going to get a lot of results back, and not all of those results are interesting or important, which is different for every organization. Currently, we get four to five errors on the side of tagging, and it notifies you of every tiny inconsistency. If the tool sees something that it doesn't know, it flags, which becomes work that has to be done afterward. Clients don't typically like it. There has got to be a way of prioritizing. There are a ton of filter options within Fortify, but the problem is that you've got to go through the crazy noisy scan once before you know which filters you need to put in place to get to the interesting stuff. I keep hearing from their product team that they're working on a way to do container or docker scanning. That's a huge market mover. A lot of people are interested in that right now, and it is relevant. That is definitely something that I'd love to see in the next version or two."

WhiteSource:
  • "The initial setup could be simplified."
  • "The dashboard UI and UX are problematic."
  • "The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved."
  • "We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. We should be able to integrate it with ID and Shift Left so that the developers are able to see the scan results without waiting for the build to fail."
  • "The solution lacks the code snippet part."
  • "I would like to see the static analysis included with the open-source version."
  • "It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools. Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process."

Pricing and Cost Advice
Fortify Static Code Analyzer:
  • "It has a couple of license models. The one that we use most frequently is called their flexible deployment. We use this one because it is flexible and based on the number of code-contributing developers in the organization. It includes almost everything in the Fortify suite for one developer price. It gives access to not just the secure code analyzer (SCA) but also to FSC, the secure code. It gives us accessibility to scan central, which is the decentralized scanning farm. It also gives us access to the software security center, which is the vulnerability management platform."

WhiteSource:
  • "The solution involves a yearly licensing fee."
  • "As we were using an SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."
  • "WhiteSource is much more affordable than Veracode."

    Questions from the Community
    Top Answer: 
    We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license… more »
    Ranking and Review Statistics

                                 Fortify Static Code Analyzer    WhiteSource
    Ranking                      1st
    Views                        2,408                           19,539
    Comparisons                  1,486                           15,497
    Reviews                      3                               10
    Average Words per Review     660                             413
    Rating                       7.7                             8.3
    Also Known As
    Fortify Static Code Analysis SAST
    Overview

    Fortify Static Code Analyzer: Static Application Security Testing (SAST) is a frequently used Application Security (AppSec) tool, which scans an application's source, binary, or byte code. A white-box testing tool, it identifies the root cause of vulnerabilities and helps remediate the underlying security flaws. SAST solutions analyze an application from the "inside out" and do not need a running system to perform a scan.

    WhiteSource: The leading solution for agile open source security and license compliance management, WhiteSource integrates with the DevOps pipeline to detect vulnerable open source libraries in real-time.

    It provides remediation paths and policy automation to speed up time-to-fix. It also prioritizes vulnerability alerts based on usage analysis.

    We support over 200 programming languages and offer the widest vulnerability database aggregating information from dozens of peer-reviewed, respected sources.

    Sample Customers
    Fortify Static Code Analyzer: Information Not Available
    WhiteSource: Microsoft, Autodesk, NCR, Comcast, Nokia, Forgerock, indeed.com, GE digital, KPMG, LivePerson, Jack Henry and Associates
    Top Industries
    Fortify Static Code Analyzer, visitors reading reviews: Computer Software Company 29%, Financial Services Firm 19%, Comms Service Provider 12%, Manufacturing Company 8%
    WhiteSource, reviewers: Computer Software Company 33%, Media Company 11%, Energy/Utilities Company 11%, Consumer Goods Company 11%
    WhiteSource, visitors reading reviews: Computer Software Company 34%, Comms Service Provider 20%, Financial Services Firm 7%, Manufacturing Company 5%

    Company Size
    Fortify Static Code Analyzer: No Data Available
    WhiteSource, reviewers: Small Business 33%, Midsize Enterprise 7%, Large Enterprise 60%
    WhiteSource, visitors reading reviews: Small Business 16%, Midsize Enterprise 13%, Large Enterprise 71%

    Fortify Static Code Analyzer is ranked 1st in Static Code Analysis with 3 reviews while WhiteSource is ranked 3rd in Software Composition Analysis (SCA) with 7 reviews. Fortify Static Code Analyzer is rated 7.6, while WhiteSource is rated 7.6. The top reviewer of Fortify Static Code Analyzer writes "Super scalable, fairly stable, very flexible, and can do anything you want it to do". On the other hand, the top reviewer of WhiteSource writes "Good reporting and trace analysis allows us to find and solve open-source concerns quickly". Fortify Static Code Analyzer is most compared with Black Duck, Snyk, JFrog Xray, Veracode Static Analysis and Veracode Software Composition Analysis, whereas WhiteSource is most compared with SonarQube, Black Duck, Snyk, Sonatype Nexus Lifecycle and Veracode.

    We monitor all Static Code Analysis reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.