We performed a comparison between OWASP Zap and Micro Focus Fortify on Demand based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, OWASP Zap comes out ahead of Micro Focus Fortify on Demand. Although both products have valuable features and ROI, our reviewers found that Micro Focus Fortify on Demand has a more complex installation process and slower support response times.
"Micro Focus WebInspect and Fortify code analysis tools are fully integrated with SSC portals and can instantly register to error tracking systems, like TFS and JIRA."
"The licensing was good."
"This product is top-notch solution and the technology is the best on the market."
"Fortify on Demand's best feature is that there's no need to install and configure it locally since it's on the cloud."
"Each bank may have its own core banking applications with proprietary support for different programming languages. This makes Fortify particularly relevant and advantageous in those cases."
"Fortify helps us to stay updated with the newest languages and versions coming out."
"It improves future security scans."
"The most valuable features are the server, scanning, and it has helped identify issues with the security analysis."
"Automatic updates and pull request analysis."
"The interface is easy to use."
"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"It's great that we can use it with Portswigger Burp."
"The application scanning feature is the most valuable feature."
"Automatic scanning is a valuable feature and very easy to use."
"They offer free access to some other tools."
"It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers."
"Integration to CI/CD pipelines could be improved. The reporting format could be more user friendly so that it is easy to read."
"It would be highly beneficial if Fortify on Demand incorporated runtime analysis, similar to how Contrast Security utilizes agents for proactive application security."
"Micro Focus Fortify on Demand can improve by having more graphs. For example, to show the improvement of the level of security."
"Fortify on Demand could be improved with support in Russia."
"We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days."
"Micro Focus Fortify on Demand could improve the user interface by making it more user-friendly."
"There are lots of limitations with code technology. It cannot scan .net properly either."
"There isn't too much information about it online."
"It doesn't run on absolutely every operating system."
"OWASP Zap needs to extend to mobile application testing."
"Too many false positives; test reports could be improved."
"The port scanner is a little too slow."
"The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."
"The technical support team must be proactive."
"The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."
Fortify on Demand is ranked 9th in Application Security Testing (AST) with 56 reviews while OWASP Zap is ranked 7th in Application Security Testing (AST) with 37 reviews. Fortify on Demand is rated 8.0, while OWASP Zap is rated 7.6. The top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security". Fortify on Demand is most compared with SonarQube, Veracode, Checkmarx One, Coverity and HCL AppScan, whereas OWASP Zap is most compared with SonarQube, Acunetix, Qualys Web Application Scanning, PortSwigger Burp Suite Professional and SonarCloud. See our Fortify on Demand vs. OWASP Zap report.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.