Fortify Application Defender Overview

Fortify Application Defender is the #22 ranked solution in application security solutions. PeerSpot users give Fortify Application Defender an average rating of 8.0 out of 10. Fortify Application Defender is most commonly compared to SonarQube. Fortify Application Defender is popular among the large enterprise segment, accounting for 74% of users researching this solution on PeerSpot. The top industry researching this solution is computer software, with professionals from computer software companies accounting for 19% of all views.
Buyer's Guide

Download the Application Security Tools Buyer's Guide including reviews and more. Updated: October 2022

What is Fortify Application Defender?

Micro Focus Security Fortify Application Defender is a runtime application self-protection (RASP) solution that helps you manage and mitigate risk from homegrown or third-party applications. It provides centralized visibility into application use and abuse while protecting from software vulnerability exploits and other violations in real time.

Fortify Application Defender was previously known as HPE Fortify Application Defender and Micro Focus Fortify Application Defender.

Fortify Application Defender Customers

ServiceMaster, Saltworks, SAP

Archived Fortify Application Defender Reviews (more than two years old)

Tom Haakma - PeerSpot reviewer
Director of Security at Merito
Real User
Top 10 Leaderboard
Straightforward to deploy and integrates well with WebInspect to secure against application-specific threats
Pros and Cons
  • "The most valuable feature is the ability to automatically feed it rules when it's coupled with the WebInspect dynamic application scanning technology."
  • "The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java."

What is our primary use case?

I do not use this product personally. Rather, I implement it for other people.

The general use case is application-specific threat blocking. Most of our customers use it as an augment to their WAF.

How has it helped my organization?

When our customers turn on the app defender, they can see the things that it's blocking that are getting by their WAF. This is the reason that most people implement it.

What is most valuable?

The most valuable feature is the ability to automatically feed it rules when it's coupled with the WebInspect dynamic application scanning technology. The rules that are created are very specific to the application that it's defending. In a typical WAF, out of the box, it comes with a set of standard rules that work reasonably well. However, if you want rules that are specific to vulnerabilities that you know are in the application, the application defender is superior at defending against these.

What needs improvement?

The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java. They need better support for applications written in Python or more advanced web service-type implementations. Better support for other architectures is critical.

Technical support needs to be improved.

It would be helpful to include agent deployment as part of the Azure DevOps marketplace. This would make it really easy for customers to get this plugin and install it within their application centers.

For how long have I used the solution?

I have been dealing with Fortify Application Defender for about seven years.

What do I think about the stability of the solution?

I have not seen too many issues that would impact stability. It is very much a "deploy it and forget it" type solution.

How are customer service and support?

Technical support is an area that can be improved and I think that it's been a known issue since the Fortify team was acquired by HP, many years ago. It's still a problem now, even though they are now part of the Micro Focus team. I recently communicated with one of the senior managers and they are aware of the issues, and they are working on them, but I'd say that it's still an area that needs improvement.

How was the initial setup?

The initial setup is fairly straightforward. It does require the deployment of an agent, but this is not unlike every other platform that is application-specific.

The deployment requires collaboration between the security team, who's typically running the application security program, and the operations team, who's responsible for the deployment and management of the hardware that the applications run on. These two teams really have to be engaged from an implementation standpoint to make sure that the plan fits and has input from both perspectives.

What about the implementation team?

We deploy this product for our clients.

In the SaaS platform, the Fortify teams are responsible for maintenance. The agents that are deployed within the customer's environment simply ping back to the console for updates, which is an automated task. The number of people and the time it takes to perform updates is minimal.

What's my experience with pricing, setup cost, and licensing?

The base licensing cost for the SaaS platform is about $900 USD per application, per year. Some larger companies have different pricing based on scale and the size of their implementation.

I believe they have a trial period, where they allow you to use it for free.

What other advice do I have?

My advice for anybody who is considering Fortify Application Defender is to try it before you buy it. It is one of those things that once you see it in action, it is pretty impressive. Considering there is a free trial available, I think that more people should try it.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
DevOps Engineer at an energy/utilities company with 10,001+ employees
Real User
Static code analysis helps identify security issues and maintain compliance
Pros and Cons
  • "The most valuable feature is that it analyzes data in real-time."
  • "The workbench is a little bit complex when you first start using it."

What is our primary use case?

We use this solution for inspecting our security, such as checking to see if our developers are securing their code properly. For example, we have to ensure that they are not inadvertently exposing any IP addresses or passwords. We have to be cautious because most of our applications are related to banking and the financial domain.

Fortify Application Defender accomplishes this by performing source code analysis, and it scans using agents. The source code check involves static code analysis to see if things like passwords are exposed.

What is most valuable?

The most valuable feature is that it analyzes data in real-time.

The Audit Workbench allows us to analyze and see if things are okay on our end, giving us the option to manipulate the rules if needed.

The intelligence behind the static code analysis is really amazing. When we used to do code reviews we did not get that level of depth, in terms of identifying security concerns.

The user interface is really simple to use.

What needs improvement?

There are a couple of vulnerabilities not covered by the solution and we are working on how we can improve on these things. An example of this is when we have a static value that is stored in a database. We need to use a workaround when a value is not exposed directly to the code base, where we check that code dynamically.

The workbench is a little bit complex when you first start using it.

For how long have I used the solution?

I have been using Fortify Application Defender for around three months.

What do I think about the stability of the solution?

We are satisfied with the stability.

What do I think about the scalability of the solution?

This is a scalable solution. To this point, we have had no trouble with scalability.

How are customer service and technical support?

Technical support from Micro Focus is good.

Which solution did I use previously and why did I switch?

I have been using SonarQube for about a year and a half.

How was the initial setup?

The initial setup is straightforward but the length of time required for deployment depends on the environment. In our development environment, we can deploy this solution in five minutes. However, in our pre-production and production environments, it takes more time because the platform needs to be more mature.

What about the implementation team?

We had our in-house team implement this solution.

What other advice do I have?

This is a great tool and the kind of support it provides is very helpful. It is easy to adopt for any technology and integrates well with any kind of small platform.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Assistant Consultant at a logistics company with 10,001+ employees
Real User
Top 20
Helped us to improve the code quality of our organization
Pros and Cons
  • "The solution helped us to improve the code quality of our organization."
  • "The solution is quite expensive."

What is our primary use case?

We use the solution for static code analysis. We do static code analysis on our application project code and we use the solution to check the product quality.

How has it helped my organization?

The solution helped us to improve the code quality of our organization.

What needs improvement?

The solution is quite expensive.

There could be little improvements made in the solution's performance, reporting, management, interface, dashboard, etc.

Their level of support could also be better. They should be more qualified and quicker to respond, for example.

It would be beneficial if the dashboard integrated with JIRA.

For how long have I used the solution?

I've been using the solution for a few months.

What do I think about the stability of the solution?

The solution is very stable. We find it pretty robust.

What do I think about the scalability of the solution?

We used it for more than 70-80 products for doing standard code analysis and the scalability was pretty good. We didn't see any performance issues.

How are customer service and technical support?

Technical support is pretty helpful.

How was the initial setup?

The initial setup is pretty straightforward. You need less than three people to maintain the solution after implementation.

What other advice do I have?

We've been using the private cloud deployment model.

If you need a huge impact, a business impact, then I think I would recommend HP Fortify. However, if a user is looking for a small scale application with less business impact, I would go with a free solution.

I would rate the solution ten out of ten. Aside from the cost, the application is pretty good.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Principal Engineer at MTSI
Real User
Its ability to find security defects is valuable. However, support for older compilers/IDEs is lacking
Pros and Cons
  • "Its ability to find security defects is valuable."
  • "Support for older compilers/IDEs is lacking."

What is our primary use case?

Used for multiple environments, compilers, and operating systems, including Altera, Xilinx, Linux, Windows, and cross-compiler environments.

How has it helped my organization?

It is a good product when support for environments is included. It finds several items and is also good at not reporting false positives.

What is most valuable?

Its ability to find security defects is valuable. The elimination of security defects is my top priority. Of secondary importance is finding coding defects.

What needs improvement?

Support for older compilers/IDEs is lacking. Many developers are still using environments that are known for having security issues. For example, Visual Studio 2005, 2008, and older, gcc 1.x, etc. are still being used. However, we cannot analyze a project using these older compilers because they are no longer supported by Fortify. If I can't find security issues injected by the development environment because I'm forced to use a newer compiler, then I cannot make recommendations to use an updated compiler. This is a particularly thorny issue wherein development environments of mission critical systems do not change and yet we need to recommend usage of newer development environments.

For how long have I used the solution?

More than five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user