We changed our name from IT Central Station: Here's why
Get our free report covering SonarSource, Checkmarx, Synopsys, and other competitors of Fortify Application Defender. Updated: January 2022.
563,148 professionals have used our research since 2012.

Read reviews of Fortify Application Defender alternatives and competitors

Security Consultant at a tech services company with 11-50 employees
Consultant
Top 20
Straightforward to install and reports few false positives, but it should be easier to specify your own validation and sanitation routines
Pros and Cons
  • "The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at."
  • "It should be easier to specify your own validation routines and sanitation routines."

What is our primary use case?

I am a consultant and I work to bring solutions to different companies. Static code analysis is one of the things that I assist people with, and Coverity is one of the tools that I use for doing that.

I worked with Coverity when doing a couple of different PoCs. For these, I get a few different teams of developers together and we want to decide what makes the most sense for each team as far as scanning technologies. So, part of that is what languages are supported, part of that is how extensible it is, and part of that extensibility is do the developers have time to actually create custom roles?

We also want to know things like what the professional are services like, and do people typically need many hours of professional services to get the system spun up. Other factors include whether it deployed on-premises or in the cloud, and also, which of those environments it can operate with.

One of the things is there's not really a shining star out of all of these tools. SaaS tools have been getting more mature in the past decade, particularly in how fast they run, but also in the results they get. Of course, framework and language additions that increase the capability with results are considered.

What is most valuable?

The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at.

What needs improvement?

It should be easier to specify your own validation routines and sanitation routines.

For example, if you have data coming into the application, perhaps something really simple like it's getting a parameter from a web page that is your username when you go to a website to login, and then ultimately that's being consumed by something, the data goes through some business logic and then, let's say, it enters that username into a database. 

Well, what if I say my username is JavaScript calling alert hello. Now I've just entered JavaScript code as my username and you should be able to sanitize that pretty easily with a number of different techniques to remove the actual executable code from what they entered on the login page. However, once you do that, you want the program to understand that you are doing it and then remove what looks like a true positive at first glance because, in fact, the data being consumed in the SQL exec statement is not unsanitized. It's not just coming from the web.

Likewise, let's say you log in, and then it says, "Hello" Such and such. You can inject JavaScript code there and have it be executed when it says hello. So basically the ability to say that this validates and then also above and beyond that, this validates data coming from any GET parameter on the web. You should be able to specify a particular routine validates all of that, or this particular routine validates anytime we read data from a database, maybe an untrusted database.

So, if I reach for that data eight times and I say, "Hey," this validates it once, I also get the option to say it validates it the other seven times, or I could just say it's a universal validator. Obviously, a God validator so to speak is not a good practice because you're sure to miss some edge cases, but to have one routine validate three or four different occurrences is not rare and is often not a bad practice.

Another thing that Coverity needs to implement or improve is a graphical way to display the data. If you can see an actual graphical view of the data coming in, then it would be very useful. Let's say, the first node would be GET parameter from a webpage, and then it would be an arrow to another method like validate user ID, and then another method of GET data about the user. Next, that goes into the database, and so forth. When that's graphically displayed, then it is helpful for developers because they can better grab onto it.

The speed of Coverity can be improved, although that is true for any similar product.

What do I think about the stability of the solution?

It never crashed so stability has not been an issue.

What do I think about the scalability of the solution?

I have never used it for more than four relatively small to medium-sized projects at a time, so I've never needed to scale it.

How are customer service and technical support?

I have dealt with sales engineering, rather than technical support. They would sometimes provide a liaison to tech support if they didn't know the answer, but really, they guided us through the proof of concept and they knew that they were under a competitive evaluation against the other tools. They were able to resolve any issues that we came across and got us up and running fairly quickly, as far as I recall.

How was the initial setup?

Coverity is on the good side when it comes to setting it up. I think that it is pretty straightforward to get up and running.

What about the implementation team?

We implement Coverity on our own, with guidance from Coverity.

What's my experience with pricing, setup cost, and licensing?

The price is competitive with other solutions.

Which other solutions did I evaluate?

In addition to Coverity, I have experience with Checkmarx, Fortify, Veracode, and HCL AppScan, which was previously known as IBM AppScan.

Checkmarx is probably the most extensible and customizable of these products, and you're able to use the C# language to do so, which a lot of developers are familiar with.

HCL AppScan is another tool that has customization capabilities. They are not as powerful but they are easier to implement because you don't need to write any code.

I cannot give an endorsement for any particular one. They all have their merits and it just depends on the requirements. Generally, however, all of these tools are getting better.

What other advice do I have?

My advice for anybody who is considering this product is to first look around your organization to see if it has already been implemented in another group. If you're a big organization then Coverity or a similar tool may already be in use. In cases like this, I would say that it is best to adopt the same tool because your organization has already gone down that path and there are no huge differences in the capabilities of these tools. Some of them do it in different ways and some do things that others don't, but you won't have the initial bump of the learning curve and you can leverage their experience.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Devops Engineer at a financial services firm with 10,001+ employees
Real User
Top 20
Security hotspot feature identifies where your code is prone to have security issues
Pros and Cons
  • "The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues."
  • "In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface."

What is our primary use case?

We use it to check the code quality, and the code review to find out the vulnerabilities about the central codes like simplifications and codes. We also use it for security management.

What is most valuable?

The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues.

It also gives you a very good highlight of what's changed, and what has to be changed in the future.

Apart from that, there are many other good features as it's a code analytics platform. It also has a dashboard reporting feature, which is very good. I also like the ease of its integration with Jenkins.

Another valuable feature is the time snapshot that it provides for the code. It provides the code quality, the lagging, and the training features like what already has gone wrong and what is likely to go wrong. It's a very good feature for a project to have a dashboard where the users can find everything about their project at a single glance.

What needs improvement?

There are various standards that are followed. Awareness is a must.

Product awareness is something that I would recommend. If the users are not aware of how to use the product, they won't understand the features.

For how long have I used the solution?

I have been using SonarQube for three years. 

What do I think about the stability of the solution?

It is quite stable. There are no kind of issues that we face on SonarQube. It's just about the awareness where the users are not aware of a feature and that's where we need to jump in and explain some of the features about how it works.

What do I think about the scalability of the solution?

It's definitely easy to scale. 

How are customer service and technical support?

We do contact them based on the project team requirement. We contact them if they have to set up any specific kind of portfolio application and such application et cetera, internal.

Their support is good. They respond quickly. The response time is very good. They answer the queries within 24 to 48 hours. That's a plus for them. It's a very costly product, so we use the enterprise-level product. It does consume a lot of license cost for that.

Which solution did I use previously and why did I switch?

We used Fortify, it is also another tool for static code analysis. The security team used to use that, but not in our team because ours was a newly assembled team for the work. 

How was the initial setup?

The initial setup is simple. It's basically an orchestration platform on which I manage around 400 SonarQube incentives.

It's a mass production environment. I'm currently managing around 400 plus teams who are using the product. We are trying to migrate it onto Kubernetes.

The setup takes around five to ten minutes as I have created automation. 

It requires maintenance on the platform side, but not on the SonarQube side. Because there is a DB cleanup automatically inbuilt in Sonar, it does not require much to maintain within SonarQube itself.

It eats up a lot of memory. For a stack it's around 2.5GB. We use it on a daily basis. 

What's my experience with pricing, setup cost, and licensing?

Everything is included in the standard licensing. 

What other advice do I have?

Awareness about how to use the product is important. It's a very good product for developers because it gives you timely notifications about where the tool has gone wrong or what could go wrong in the future. That's popular for developers. It's very good for the stats about the product for architects

The metrics are how the budgeting should be done et cetera. These are the things that they can find out from the dashboard based on the lines of codes. 

In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface.

I would rate it an eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Owner/ Consultant at a tech services company with 1-10 employees
Consultant
Top 20
Offers many support languages, scans in a decent amount of time and is easy to set up
Pros and Cons
  • "There's extensive functionality with custom rules and a custom knowledge base."
  • "The solution often has a high number of false positives. It's an aspect they really need to improve upon."

What is our primary use case?

We primarily use the solution for static analysis.

What is most valuable?

AppScan is within the top three or four static analyzers. Its features include support for many languages. 

The product has a relatively reasonable scan time.

There's extensive functionality with custom rules and a custom knowledge base.

What needs improvement?

The solution often has a high number of false positives. It's an aspect they really need to improve upon. 

The product has vulnerabilities, or findings, that are almost identical in nature. 

For how long have I used the solution?

I've used the solution for the last 12 months or so. It's been about a year at this point.

What do I think about the stability of the solution?

The stability is okay. it's good. It's not very good or excellent, it's just good. I would describe the stability as a bit better than acceptable.

What do I think about the scalability of the solution?

When I worked on it, it wasn't in the cloud. It didn't offer Federation. Now, it is my understanding that it has those, which would make it very scalable. That said, when I used it, I would not give it a very scalable grade - maybe a two out of ten for scalability if you are using it off of the cloud. That said, that's not the latest version. The latest is likely more scalable, I just don't have experience with it.

How are customer service and technical support?

The technical support is pretty good. They are knowledgeable and responsive. We were satisfied with the level of support we received.

Which solution did I use previously and why did I switch?

I also know a bit about Checkmarx, Fortify, Veracode, and AppScan.

How was the initial setup?

I didn't really do the actual setup once it got moved into the cloud. I don't know how easy the cloud set up was. However, it's my understanding that it is now potentially easier than it was before, which wasn't too bad. 

What's my experience with pricing, setup cost, and licensing?

I don't know the prices currently. I knew the prices when it was still in-house with IBM, however, I don't know what the cost is now.

What other advice do I have?

I worked with the solution at a previous company. Now I am a consultant and I no longer work with the product. I don't have a business relationship with HCL.

I wanted to do a POC with the current state of what was IBM AppScan and now is HCL. I contacted my contacts at IBM and then they started off the conversation and it went smoothly because a number of people from IBM had gone over to HCL when that product was acquired.

Various tools have their strengths, I would advise anyone who is interested in using a similar solution do a proof of concept first with a few options. Try Checkmarx, Fortify, Veracode, and AppScan, and see which one makes the most sense for your company's purposes. Those would be the top four in my opinion right now.

Overall, I would rate the solution eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Get our free report covering SonarSource, Checkmarx, Synopsys, and other competitors of Fortify Application Defender. Updated: January 2022.
563,148 professionals have used our research since 2012.