The product should integrate industry-standard code review tools internally with its system. This would streamline the coding process, as developers wouldn't need multiple tools for code review and security checks. Many independent and open-source tools are available, from Apache to various libraries. Using multiple DevOps pipeline tools can slow the turnaround time.

I encountered many false positives for Python applications. 

Fortify Application Defender gives a lot of false positives and would be improved by using rule-based scanning to reduce this.

The product does not work well with Java coding. The false positive rate should be lower. The product should introduce more licensing models and reduce the licensing cost.

The solution could improve the time it takes to scan. When comparing it to SonarQube it does it in minutes while in Fortify Application Defender it can take hours.

In an upcoming release, they could improve how they apply the automation.

The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java. They need better support for applications written in Python or more advanced web service-type implementations. Better support for other architectures is critical.

Technical support needs to be improved.

It would be helpful to include agent deployment as part of the Azure DevOps marketplace. This would make it really easy for customers to get this plugin and install it within their application centers.

There are a couple of vulnerabilities not covered by the solution and we are working on how we can improve on these things. An example of this is when we have a static value that is stored in a database. We need to use a workaround when a value is not exposed directly to the code base, where we check that code dynamically.

The workbench is a little bit complex when you first start using it.

The licensing can be a little complex.

The solution is quite expensive.

There could be little improvements made in the solution's performance, reporting, management, interface, dashboard, etc. 

Their level of support could also be better.  They should be more qualified and quicker to respond, for example. 

It would be beneficial if the dashboard integrated with JIRA.

Support for older compilers/IDEs is lacking. Many developers are still using environments that are known for having security issues. For example, Visual Studio 2005, 2008, and older, gcc 1.x, etc. are still being used. However, we cannot analyze a project using these older compilers because they are no longer supported by Fortify. If I can't find security issues injected by the development environment because I'm forced to use a newer compiler, then I cannot make recommendations to use an updated compiler. This is a particularly thorny issue wherein development environments of mission critical systems do not change and yet we need to recommend usage of newer development environments.

Fortify Application Defender could improve by supporting more code languages, such as GRAAS and Groovy.