Security Tester at Ray Business Technologies Private Limited
Real User
Top 5 Leaderboard
A user-friendly solution for static code analysis
Pros and Cons
  • "The solution is user-friendly. One feature I find very effective is the tool's automatic scanning capability. It scans replicas of the code developers write and automatically detects any vulnerabilities. The integration with CI/CD tools is also useful for plugins."
  • "Fortify on Demand needs to improve its pricing."

What is our primary use case?

We use the tool for static code analysis. 

What is most valuable?

The solution is user-friendly. One feature I find very effective is the tool's automatic scanning capability. It scans replicas of the code developers write and automatically detects any vulnerabilities. The integration with CI/CD tools is also useful for plugins.

The tool's AI feature analyzes security threats and recommends updating the code accordingly. One major issue that AI detected for us was logging issues and hardware vulnerabilities. Fortify On Demand identified these, allowing our developers to address and fix the issues.

What needs improvement?

Fortify on Demand needs to improve its pricing. 

For how long have I used the solution?

I have been working with the product for two years. 

Buyer's Guide
Fortify on Demand
June 2025
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
856,873 professionals have used our research since 2012.

What do I think about the stability of the solution?

I rate Fortify on Demand's stability an eight out of ten. 

What do I think about the scalability of the solution?

I rate the tool's scalability an eight out of ten. My company has around 25 users. 

How was the initial setup?

The initial setup experience with Fortify On Demand was straightforward for us. We installed the plugin and integrated it with our existing tools and logins. There was no need for configuration or setup—it was quite simple. The deployment time varies based on the code complexity. Once vulnerabilities are identified, the support team provides the necessary fixes. 

What's my experience with pricing, setup cost, and licensing?

Fortify on Demand is more expensive than Burp Suite. I rate its pricing a nine out of ten.

What other advice do I have?

We use Burp Suite for dynamic code analysis. Fortify on Demand is a good tool for static code analysis. I rate it a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Thomas Boltze - PeerSpot reviewer
Cloud Architecture Head at PagoNxt Merchant Solutions S.L.
Real User
Provides good depth of scanning but is unfortunately not fully integrated with CIT processes
Pros and Cons
  • "Provides good depth of scanning and we get good results."
  • "Not fully integrated with CIT processes."

What is our primary use case?

We use Fortify on Demand to look at dependency vulnerabilities and vulnerabilities in the source code. We are customers of Micro Focus. 

What is most valuable?

We've found the depth of scanning that the product provides and the results we get are the most valuable features. 

What needs improvement?

We need something that's going to be fully integrated with CIT processes from setting up a new microservice to scanning and managing other vulnerabilities. As of now, we don't have that which makes it a painful process. 

For how long have I used the solution?

I've been using this solution for three years. 

What do I think about the stability of the solution?

The solution is stable. 

How was the initial setup?

The solution was implemented prior to my joining the company so I have no information regarding the initial setup. 

What's my experience with pricing, setup cost, and licensing?

We're changing our licensing model because we currently pay 1,000 euros per scan, which is ridiculous. We're working on changing it to a flat rate.

What other advice do I have?

Whether or not this solution will be useful depends on the maturity of your organization. If you understand what all the messages and the analysis mean, and you can usefully react to it then I think you should absolutely use it. If you're still working out these things, you should probably first go through some learning process and start with some simpler tooling that gives you some insights.

The challenge is always how to make things actionable and that is lacking to some extent. If, for example, there is something that depends on scans for vulnerability for all your dependencies and just pulls requests for you, Fortify doesn't action anything. It leaves all the actioning things to you so in a sense, it creates more work for the developers, but it doesn't help them to do the work.

We're not happy with the solution as a process because of the way it's internally implemented in the bank. On the other hand, the features are quite good so I would rate that aspect higher. On average, I rate this solution seven out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Robertino Catalin Ionescu - PeerSpot reviewer
Department Manager of Testing Automation Centre at an energy/utilities company with 10,001+ employees
Real User
Stable, scalable, and the solution includes a lot of information
Pros and Cons
  • "The most valuable features are the detailed reporting and the ability to set up deep scanning of the software, both of which are in the same place."
  • "There are many false positives identified by the solution."

What is our primary use case?

I use the solution to check the software, as the development is done internally, to detect any security breaches. If there is something in the code that could lead to SQL injections or other vulnerabilities, it will be detected.

What is most valuable?

The most valuable features are the detailed reporting and the ability to set up deep scanning of the software, both of which are in the same place.

What needs improvement?

There are many false positives identified by the solution. Perhaps this could be improved by refining the defects. There are numerous defects and I need to identify the underlying cause for many of them.

For how long have I used the solution?

I have been using the solution for a couple of years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is scalable.

We have ten people within our IT department that use the solution.

How are customer service and support?

I used technical support during the integration between Fortify and ALM, but the support staff was not adequately prepared to assist me. I identified that there is a need for development between Fortify on Demand and ALM.net. They initially said that it was working with ALM, but after reading the documentation, I discovered that it only works with Octane, not with ALM.net.

How was the initial setup?

The initial setup was not straightforward because I had the ALM.net, not the .com version, and Fortify on Demand was configured to be integrated with ALM.com, not with ALM.net. This caused me some issues with the integration. When I scanned and identified the defects, these were not automatically raised in ALM, which was a major problem for me. I understood that they needed to do some development in order to make it work with ALM.net. The deployment took no more than one business day.

What's my experience with pricing, setup cost, and licensing?

I believe the rental license is not too expensive, but it provides a lot of information about the vulnerabilities.

What other advice do I have?

I give the solution an eight out of ten.

I recommend the solution to others.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
ShubhamJoshi - PeerSpot reviewer
Senior Software Engineer at a consultancy with 10,001+ employees
Real User
Speedy and efficient but lacks ability to scan executable files
Pros and Cons
  • "Speed and efficiency are great features."
  • "Takes up a lot of resources which can slow things down."

What is our primary use case?

Our use case of Fortify is for the more than 200 applications that we need to certify as a security team. We certify them for all possible vulnerabilities using Micro Focus to check codes for vulnerabilities and then deploying to a reproduction environment. Once all the vulnerabilities are fixed, we can proceed to production. So we're using it as a kind of DevSecOps model. We are customers of Micro Focus. 

What is most valuable?

To my mind, the best features of this product are its speed and efficiency. It covers a wide variety of languages and even has an option for checking different Java versions.

What needs improvement?

Micro Focus is a bit heavy on resources and uses up a lot of my RAM. My machine tends to slow down when I use it. A beneficial additional feature would be scanning executable files. Currently, it scans the uncompiled code only. I'd also like to see support for additional languages and support for scanning libraries whether they're outdated or not. The solution scans for security vulnerabilities but not for outdated versions or policy violations.

For how long have I used the solution?

I've been using this solution for eight months. 

What do I think about the stability of the solution?

This is a stable product. 

What do I think about the scalability of the solution?

Scalability is lacking in the sense that I cannot run multiple scans at once. It only accepts one scan at a time. On the other hand, if I want to scan two 3GB programs, it will handle that.

How are customer service and support?

We've only contacted customer support once when we had a problem with an update. They were helpful and resolved the issue. 

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is moderately complex and takes a couple of hours. We have 20 users who are developers and ops staff. 

Which other solutions did I evaluate?

We carried out a POC on multiple products and Fortify came out on top.

What other advice do I have?

If you're a beginner, give Fortify a go. If you're a professional, it might be worth looking at other tools because Fortify does have limitations when it comes to scalability and executable codes.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Jayashree Acharyya - PeerSpot reviewer
Director at PepsiCo
Real User
Top 5
High performance, useful security scanning, but cannot operate from a Linux Agent
Pros and Cons
  • "Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning."
  • "Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we have to use Windows Agent. This is something they could improve."

What is our primary use case?

Whenever we have a new application we scan it using Micro Focus Fortify on Demand. We then receive a service connection from Azure DevOps to Micro Focus Fortify on Demand and the information from the application tested.

We are using Micro Focus Fortify on Demand in two ways in most of our processes. We are either using it from our DevOps pipeline using Azure DevOps or the teams which are not yet onboarded in Azure DevOps, are running it manually by putting in the code then sending it to the security team where they will scan it.

We use two solutions for our application testing. We use SonarQube for next-level unit testing and code quality and Micro Focus Fortify on Demand mostly for vulnerabilities and security concerns.

How has it helped my organization?

We previously only did the testing and scanning after deploying applications in production, but now we are doing it in development. We are making sure the code is safe to use in all the environments, not only in production. It has been valuable for us.

What is most valuable?

Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning.

When we are exploring some of the endpoints this solution identifies many loopholes that hackers could utilize for an attack. This has been very helpful and surprising how many vulnerabilities there can be.

What needs improvement?

Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we have to use Windows Agent. This is something they could improve.

Currently, when we are running a security scan or Azure DevOps pipeline Micro Focus Fortify on Demand will give an overall status. People have to click on the link to read the in-depth results. If there could be some output of the report that can be passed in the pipeline and based on that we can control the next step of the pipeline. For example, if Micro Focus Fortify on Demand is saying the report is critical, do not go any further. If we can have that critical variable as a pipeline output that can be used later it would be really helpful.

For how long have I used the solution?

I have been using Micro Focus Fortify on Demand for one year.

What do I think about the scalability of the solution?

We have approximately 50 applications that are using this solution and we are expanding our operation to increase usage.

We have developers, DevOps, and engineers using this solution in my organization.

Which solution did I use previously and why did I switch?

We use SonarQube alongside Micro Focus Fortify on Demand.

The difference between the two is Micro Focus Fortify on Demand handles the security testing and SonarQube does more in-depth level code testing.

How was the initial setup?

The initial setup was simple.

What about the implementation team?

We have an internal DevSecOps team of approximately 15 people that does the implementation of the solution.

What was our ROI?

Micro Focus Fortify on Demand has saved our company money from the use of automation features. We are able to run the scans automatically from the pipeline saving us a lot of time and communication. Previously it would have taken a few days whereas now it can be completed in 10 minutes.

What's my experience with pricing, setup cost, and licensing?

We make an annual purchase of the licenses we need.

What other advice do I have?

Micro Focus Fortify on Demand is a nice tool for security tests because security is important in today's world. DevOps is not the only solution we have to think of, there is DevSecOps. Fortify is helping us to scan our code at the very beginning of SDLC. I would recommend this solution to any other security tool because when we compared other tools Fortify worked well for us.

I rate Micro Focus Fortify on Demand a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Yash Brahmani - PeerSpot reviewer
Devops Engineer at BNP Paribas
Real User
The vulnerability detection and scanning features are solid
Pros and Cons
  • "The vulnerability detection and scanning are awesome features."
  • "The UI could be better. Fortify should also suggest new packages in the product that can be upgraded. Currently, it shows that, but it's not visible enough. In future versions, I would like more insights about the types of vulnerabilities and the pages associated with the exact CVE."

What is our primary use case?

We are the central team that manages Fortify end-to-end and provides it as a solution to internal users. We are using SonarQube for code review, but we use Fortify and Nexus IQ for DevOps.

What is most valuable?

The vulnerability detection and scanning are awesome features. 

What needs improvement?

The UI could be better. Fortify should also suggest new packages in the product that can be upgraded. Currently, it shows that, but it's not visible enough. In future versions, I would like more insights about the types of vulnerabilities and the pages associated with the exact CVE. 

That will help us understand what's affecting the CVE. Initially, it's about finding the safer package version. Fortify should automatically recommend the safest version, so we can go to the vendor and request that. Once we identify the vulnerability, we can implement a remediation plan.

For how long have I used the solution?

We just started using Fortify on Demand. 

What do I think about the stability of the solution?

Fortify is stable.

What do I think about the scalability of the solution?

Fortify is scalable enough. We have 10,000-plus users on it.

How are customer service and support?

Micro Focus support is slow, and they should improve that.

Which solution did I use previously and why did I switch?

We've been working with SonarQube for five years. SonarQube can show us the initial test and how your code is developed over time. It gives us insight into how a specific project is progressing. That's the great thing about SonarQube. Once the code goes into the Fortify or Nexus, it's mostly a safety check. SonarQube catches most of the vulnerabilities in Python at the development stage.

How was the initial setup?

The product itself is easy to set up, but establishing the necessary culture and structure is a bit complex. We need to develop a culture and create sub-teams within the teams. Each team needs a security coordinator who can relate what new things are coming in, such as CVEs or new scans that need to be done.

For maintenance, we have a team of two product owners who are heavily involved with the product itself. We have around three or four people with a good understanding of deploying and maintaining the solution.

What other advice do I have?

I rate Micro Focus Fortify on Demand eight out of 10. It's a great product, and I recommend it. You should deploy it as part of the TechOps implementation. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Vishal Karanjkar - PeerSpot reviewer
Site Head - IOT NW Products & Solutions at Itron, Inc.
Real User
Beneficial report results, reliable, and scalable
Pros and Cons
  • "While using Micro Focus Fortify on Demand we have been very happy with the results and findings."
  • "Micro Focus Fortify on Demand could improve the reports. They could benefit from being more user-friendly and intuitive."

What is our primary use case?

Micro Focus Fortify on Demand can be deployed on-premise or in the cloud.

We are mainly using Micro Focus Fortify on Demand for security.

What is most valuable?

While using Micro Focus Fortify on Demand we have been very happy with the results and findings.

What needs improvement?

Micro Focus Fortify on Demand could improve the reports. They could benefit from being more user-friendly and intuitive.

For how long have I used the solution?

I have been using Micro Focus Fortify on Demand for approximately five years.

What do I think about the stability of the solution?

The stability of Micro Focus Fortify on Demand is good. I did not face any problems. If we had 100 products then we would have many teams using it.

We have some expansion plans and once that falls in place may increase the number of users using Micro Focus Fortify on Demand.

What do I think about the scalability of the solution?

Micro Focus Fortify on Demand is scalable. Our product team was using the solution, but not all of them.

How are customer service and support?

We did not need to contact support because we did not have any problems.

Which solution did I use previously and why did I switch?

We used many different solutions five years ago.

What about the implementation team?

Micro Focus Fortify on Demand was implemented and managed by our IT team.

What's my experience with pricing, setup cost, and licensing?

Micro Focus Fortify on Demand licenses are managed by our IT team and the license model is user-based.

What other advice do I have?

I would recommend the solution to others.

I rate Micro Focus Fortify on Demand a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Harkamal-Singh - PeerSpot reviewer
Solution architect at NTT
Real User
Beneficial functionality, pinpoints issues for resolution, but interface could improve
Pros and Cons
  • "The most valuable feature of Micro Focus Fortify on Demand is the information it can provide. There is quite a lot of information. It can pinpoint right down to where the problem is, allowing you to know where to fix it. Overall the features are easy to use, you don't have to be a coder. You can be a manager, or in IT operations, et cetera, anyone can use it. It is quite a well-rounded functional solution."
  • "Micro Focus Fortify on Demand could improve the user interface by making it more user-friendly."

What is our primary use case?

Micro Focus Fortify on Demand is used for detecting vulnerabilities in code, looking at libraries, and finding where there are vulnerabilities within unpatched code.

What is most valuable?

The most valuable feature of Micro Focus Fortify on Demand is the information it can provide. There is quite a lot of information. It can pinpoint right down to where the problem is, allowing you to know where to fix it. Overall the features are easy to use, you don't have to be a coder. You can be a manager, or in IT operations, et cetera, anyone can use it. It is quite a well-rounded functional solution.

The allocations to different members of a team are good. If you find a problem, you can delegate the task to patch the particular code.

What needs improvement?

Micro Focus Fortify on Demand could improve the user interface by making it more user-friendly.

For how long have I used the solution?

I have been using Micro Focus Fortify on Demand for approximately two years.

What do I think about the stability of the solution?

I have found Micro Focus Fortify on Demand stable.

What do I think about the scalability of the solution?

Micro Focus Fortify on Demand is a scalable solution.

We have several customers using this solution. There are approximately 1,000 developers using the solution.

How are customer service and support?

The support from Micro Focus Fortify on Demand is great. They have been very good to answer our questions. They have their own Fortify on Demand team and they will help you resolve your problems.

How was the initial setup?

The initial setup is straightforward. 

The installation can take a couple of hours depending on what the deployment is, such as, on cloud or on-premise. Additionally, the size of the code that will be put on the system can impact the time, but it does not take long. 

What about the implementation team?

We did the implementation ourselves. I was able to use YouTube to help me with the process, there's quite a lot of information on there with Micro Focus going through tutorials on how to use the solution. 

What's my experience with pricing, setup cost, and licensing?

The pricing model is based on how many applications you wish to scan.

Which other solutions did I evaluate?

I have evaluated other solutions, such as Contrast Security.

What other advice do I have?

I would recommend Micro Focus Fortify on Demand to others.

I rate Micro Focus Fortify on Demand a seven out of ten.

The reason why I've rated the solution a seven is because there are other solutions, such as Contrast Security which are further developing in IS, and some better technology with current scalability or in the security software area.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user