We compared Fortify on Demand and SonarQube based on our user's reviews in several parameters.
In summary, Fortify on Demand is praised for its robust security, comprehensive scanning capabilities, and prompt vulnerability reporting, with positive feedback on customer service and pricing. SonarQube stands out for its support for multiple languages, seamless integration, and comprehensive features, with exceptional customer service and positive feedback on pricing and ROI. Areas for improvement include enhancing performance and usability for Fortify on Demand, while SonarQube could focus on analysis speed, UI navigation, setup instructions, documentation, performance, and integration options.
Features: Fortify on Demand is highly appreciated for its robust security, comprehensive scanning capabilities, user-friendly interface, and timely vulnerability reporting. SonarQube stands out with its support for multiple languages, simplified design, integration with DevOps pipelines, and ability to detect vulnerabilities and code smells. Additionally, SonarQube offers configurability, flexibility, and a user-friendly interface.
Pricing and ROI: Fortify on Demand's users have found the setup costs to be manageable and appreciate the flexible licensing options. On the other hand, SonarQube's pricing is considered reasonable and competitive, and its setup cost is straightforward and easy. SonarQube also offers flexible licensing options to cater to different needs., Fortify on Demand users expressed satisfaction with the platform's effectiveness and value for their investment. SonarQube helped improve code quality, detect vulnerabilities, and ensure code compliance, resulting in cost savings and increased productivity.
Room for Improvement: Fortify on Demand could benefit from enhancements in performance, scanning capabilities, customization options, reporting features, and user interface. SonarQube should focus on improving analysis speed, user interface, setup instructions, documentation, performance, and integration options.
Deployment and customer support: The user reviews for Fortify on Demand and SonarQube show that the duration required to establish a new tech solution can vary between users. While both products have similar timeframes mentioned by users, Fortify on Demand has a wider range of deployment and setup durations compared to SonarQube., Fortify on Demand's customer service is praised for its prompt and helpful assistance. Users appreciate the attentiveness and expertise of the support team. SonarQube also receives praise for its exceptional customer service and support, with users acknowledging the prompt and knowledgeable assistance provided. The support team is commended for their responsiveness and willingness to go above and beyond.
The summary above is based on 51 interviews we conducted recently with Fortify on Demand and SonarQube users. To access the review's full transcripts, download our report.
"Speed and efficiency are great features."
"Fortify helps us to stay updated with the newest languages and versions coming out."
"The scanning capabilities, particularly for our repositories, have been invaluable."
"The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it."
"One of the valuable features is the ability to submit your code and have it run in the background. Then, if something comes up that is more specific, you have the security analyst who can jump in and help, if needed."
"The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation."
"I do not remember any issues with stability."
"The static code analyzers are the most valuable features of this solution."
"When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis."
"I like that it covers most programming languages for source code review."
"The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programing language."
"We've configured it to run on each commit, providing feedback on our software quality. ]"
"The overall quality of the indicator is good."
"The most valuable features are code scanning and Quality Gates."
"With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas."
"The features of SonarQube that I find most valuable for identifying code smells are its comprehensive code analysis capabilities, which cover various aspects of code sustainability."
"We have some stability issues, but they are minimal."
"It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team."
"An improvement would be the ability to get vulnerabilities flowing automatically into another system."
"Not fully integrated with CIT processes."
"It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers."
"There were some regulated compliances, which were not there."
"There are lots of limitations with code technology. It cannot scan .net properly either."
"The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to."
"The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."
"Technical support and the price could be better."
"SonarQube could be improved by implementing inter-procedural code analysis capabilities, allowing for a more comprehensive detection of defects and vulnerabilities across the entire codebase."
"We had some issues where the Quality Gate check sometimes gets stuck and it is unclear."
"We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience."
"There are limitations to the free version that limit development options as far as languages."
"This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated."
"Dynamic scanning is missing and there are some issues with security scanning."
Fortify on Demand is ranked 11th in Application Security Tools with 56 reviews while SonarQube is ranked 1st in Application Security Tools with 108 reviews. Fortify on Demand is rated 8.0, while SonarQube is rated 8.0. The top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes ". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Fortify on Demand is most compared with Checkmarx One, Veracode, Coverity, Fortify WebInspect and Snyk, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and OWASP Zap. See our Fortify on Demand vs. SonarQube report.
See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.