Robertino Catalin Ionescu - PeerSpot reviewer
Department Manager of Testing Automation Centre at a energy/utilities company with 10,001+ employees
Real User
Top 5
Stable, scalable, and the solution includes a lot of information
Pros and Cons
  • "The most valuable features are the detailed reporting and the ability to set up deep scanning of the software, both of which are in the same place."
  • "There are many false positives identified by the solution."

What is our primary use case?

I use the solution to check the software, as the development is done internally, to detect any security breaches. If there is something in the code that could lead to SQL injections or other vulnerabilities, it will be detected.

What is most valuable?

The most valuable features are the detailed reporting and the ability to set up deep scanning of the software, both of which are in the same place.

What needs improvement?

There are many false positives identified by the solution. Perhaps this could be improved by refining the defects. There are numerous defects and I need to identify the underlying cause for many of them.

For how long have I used the solution?

I have been using the solution for a couple of years.

Buyer's Guide
Fortify on Demand
April 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,066 professionals have used our research since 2012.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is scalable.

We have ten people within our IT department that use the solution.

How are customer service and support?

I used technical support during the integration between Fortify and ALM, but the support staff was not adequately prepared to assist me. I identified that there is a need for development between Fortify on Demand and ALM.net. They initially said that it was working with ALM, but after reading the documentation, I discovered that it only works with Octane, not with ALM.net.

How was the initial setup?

The initial setup was not straightforward because I had the ALM.net, not the .com version, and Fortify on Demand was configured to be integrated with ALM.com, not with ALM.net. This caused me some issues with the integration. When I scanned and identified the defects, these were not automatically raised in ALM, which was a major problem for me. I understood that they needed to do some development in order to make it work with ALM.net. The deployment took no more than one business day.

What's my experience with pricing, setup cost, and licensing?

I believe the rental license is not too expensive, but it provides a lot of information about the vulnerabilities.

What other advice do I have?

I give the solution an eight out of ten.

I recommend the solution to others.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Prasenjit Roy - PeerSpot reviewer
Sr. Cloud Solution Architect - SAP on Azure at Accenture
Real User
Top 5
Has a good user interface but code technology needs improvement
Pros and Cons
  • "The user interface is good."
  • "There are lots of limitations with code technology. It cannot scan .net properly either."

What is our primary use case?

We use it as the source for code review for static code analysis.

What is most valuable?

The user interface is good.

What needs improvement?

There are lots of limitations with code technology. It cannot scan .net properly either.

For how long have I used the solution?

I've been using it for the last five to six years.

How was the initial setup?

The initial setup of this solution on-premises is easy; however, we have had difficulties installing it online in our clients' environments.

What about the implementation team?

We used both in-house and vendor teams for deployment.

What other advice do I have?

On a scale from one to ten, I would rate Micro Focus Fortify on Demand at five because we get better scan results from other tools.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Fortify on Demand
April 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,066 professionals have used our research since 2012.
Project Manager at Everis
Real User
Great cost benefit with good stability and reduces exposure and remediation issues
Pros and Cons
  • "The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation."
  • "There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes."

What is our primary use case?

We're implementing DevSecOps in Fortify only a part of the big picture. We are implementing the entire secure development lifecycle.

What is most valuable?

The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation.

What needs improvement?

There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes.

The initial setup is a bit complex.

We could have more detailed documentation. They could offer some quick start or some extra guidance regarding the implementation.

I'd like to see more interactive application security And more IDE integration and integration with VS Code and Eclipse. I would like to see more features of this kind.

For how long have I used the solution?

I've used this solution over the last 12 months at least.

What do I think about the stability of the solution?

The solution is stable. It's reliable. It doesn't crash or freeze. There aren't bugs or glitches.

What do I think about the scalability of the solution?

We haven't tried to scale the solution just yet. As we didn't take the SaaS solution, scalability may be limited for us. I'm unsure. I can't really comment on that.

Currently, we have about 20 people on the development team.

Right now, we don't plan to increase usage.

How are customer service and technical support?

The technical support is fine, however, it would be very helpful, especially during implementation, if there was more documentation and help surrounding setup.

Which solution did I use previously and why did I switch?

We did not use a different solution previously. Before we had this solution, we were just evaluating other solutions and looking at the costs, and trying to bring in something newer, like an integrated automated secure stack, or something like that.

How was the initial setup?

We found that the initial setup a bit complex. It's not exactly straightforward. For a newbie, there's a learning curve, and that can slow things down a bit.

Our deployment took about three to four months.

What about the implementation team?

We only deployed in our company and we didn't use a consultant or integrator. We handled it completely in-house.

What was our ROI?

At this time, I don't have an answer on the return of investment. As far as I can see, it's necessary. If we got exposed or had a data leak it would cost the company dearly. With that in mind, while I can see there's an ROI, I can't provide an exact number.

What's my experience with pricing, setup cost, and licensing?

We pay for licensing. We do pay an extra cost for implementing the infrastructure into the cloud. 

Which other solutions did I evaluate?

I've briefly looked at Kiuwan and compared it to this solution. We also looked at Veracode.

What other advice do I have?

We're just a customer and we offer consulting services.

We are bringing up all the infrastructure inside GCP. It's not ready yet, and we're still implementing it. We're going to bring it up next week, probably, in terms of the infrastructure. We'll perform the SSC installation, install the controller and sensors.

The most important thing a company needs to do is to pay attention to the license calculation. They need to know how many licenses are going to be used. They need to understand the Micro Focus offer. That way, you won't be charged if you have surpassed the application limit. This is very important. That's something we faced in the past that caused a lot of problems. We needed to estimate the sizing correctly of the infrastructure. Doing that will bring value to the builds and deployments. Otherwise, you're going to spend a lot of time doing the scanning, and the developers will be very mad.

I'd rate the solution ten out of ten. It's the best on the market for me.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Jason Lebrecht US - PeerSpot reviewer
Jason Lebrecht USSr. Manager 5G & MEC (Edge) Strategy at Verizon
Real User

Hello Fernando, great to see that the Fortify solution continues to provide value by reducing risk. Great honest review.



Jason Lebrecht

PeerSpot user
Sr. Manager 5G & MEC (Edge) Strategy at Verizon
Real User
We can load the details and within a few days, receive the results of intrusion attacks, although it needs to have better packaged reporting capabilities.
Pros and Cons
  • "I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification"
  • "With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities."

How has it helped my organization?

The HP FoD effort allowed my client to utilize this service anytime their internal IT team was overwhelmed with workloads. FoD gives them an option to utilize the additional HP Services when they are overwhelmed with other IT Security needs across the company.

What is most valuable?

  • The ability to utilize the Client Portal, which provided my clients with a view of the project status, vulnerabilities and needed remediation steps in real-time
  • I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification
  • The process was easy to follow and we were supported by 24/7 by TAM personnel to help with any fire drills. This was helpful many times when I needed a quick answer late at night or early in the morning

What needs improvement?

  • I believe that sales packages should be posted for single applications, and packages of multiple applications. For example, we have one-time a package for single applications, and 12 month unlimited use for static and a package for static & dynamic testing. It would be nice to see packages posted for a single application, and groups of three, five, or 10 applications. More than 10 applications would need to be custom pricing like you have today.
  • I would like it to be easier to understand, and have better packaged reporting capabilities. For most of the reporting I needed, I exported to Excel and then had to produce more visually accepted reports for Executive Clients. With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities.

What do I think about the stability of the solution?

Because the product is based on HP’s Fortify Platform, the product is great.

What do I think about the scalability of the solution?

I can’t answer this question appropriately yet as I only utilized the service for one application so far.

How are customer service and technical support?

Customer Service:

10/10 - Christine Bobba, Gerald and the whole TAM Team were very supportive. Stuart Ward does a great job running his TAM Team focused on customer service.

Technical Support:

Jason Powell was really support from a technical perspective. He was able to quickly gather the details we needed to resolve security issues with the code or set up.

Which solution did I use previously and why did I switch?

I’ve used Rapid7 and Qualys Security Solutions in Managed Service Environments for previous clients. Both are really good solutions, but I’ve not utilized any other On-Demand Solution.

I switched because my client uses HP as its core product set. I needed to use Fortify and the FoD Solution allowed me to be up and running within a few short days.

How was the initial setup?

Super easy deployment and usage of the scanning capabilities. The setup was straightforward, and the ability to enter data and start the correct scan was intuitive.

What was our ROI?

We did not charge for the product, we charged for our PMO Services to run the product.

What's my experience with pricing, setup cost, and licensing?

We used the one-time application, Security Scan Dynamic. I believe the original fee was $8,000.

I would suggest, and I have, that companies should utilize the 12 month unlimited test package.

Which other solutions did I evaluate?

I searched online and FoD allowed me the best opportunity for success due to my client’s timeline.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user897402 - PeerSpot reviewer
it_user897402Works at a comms service provider with 10,001+ employees
Real User

Thanks

ShubhamJoshi - PeerSpot reviewer
Senior Software Engineer at a consultancy with 10,001+ employees
Real User
Top 20
Speedy and efficient but lacks ability to scan executable files
Pros and Cons
  • "Speed and efficiency are great features."
  • "Takes up a lot of resources which can slow things down."

What is our primary use case?

Our use case of Fortify is for the more than 200 applications that we need to certify as a security team. We certify them for all possible vulnerabilities using Micro Focus to check codes for vulnerabilities and then deploying to a reproduction environment. Once all the vulnerabilities are fixed, we can proceed to production. So we're using it as a kind of DevSecOps model. We are customers of Micro Focus. 

What is most valuable?

To my mind, the best features of this product are its speed and efficiency. It covers a wide variety of languages and even has an option for checking different Java versions.

What needs improvement?

Micro Focus is a bit heavy on resources and uses up a lot of my RAM. My machine tends to slow down when I use it. A beneficial additional feature would be scanning executable files. Currently, it scans the uncompiled code only. I'd also like to see support for additional languages and support for scanning libraries whether they're outdated or not. The solution scans for security vulnerabilities but not for outdated versions or policy violations.

For how long have I used the solution?

I've been using this solution for eight months. 

What do I think about the stability of the solution?

This is a stable product. 

What do I think about the scalability of the solution?

Scalability is lacking in the sense that I cannot run multiple scans at once. It only accepts one scan at a time. On the other hand, if I want to scan two 3GB programs, it will handle that.

How are customer service and support?

We've only contacted customer support once when we had a problem with an update. They were helpful and resolved the issue. 

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is moderately complex and takes a couple of hours. We have 20 users who are developers and ops staff. 

Which other solutions did I evaluate?

We carried out a POC on multiple products and Fortify came out on top.

What other advice do I have?

If you're a beginner, give Fortify a go. If you're a professional, it might be worth looking at other tools because Fortify does have limitations when it comes to scalability and executable codes.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Acquisitions Leader at a healthcare company with 10,001+ employees
Real User
Outstanding support, efficient API, and one of the best tools for the Shift Left approach
Pros and Cons
  • "It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support."
  • "It is an extremely robust, scalable, and stable solution."
  • "It does scanning for all virtual machines and other things, but it doesn't do the scanning for containers. It currently lacks the ability to do the scanning on containers. We're asking their product management team to expand this capability to containers."
  • "We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access."

What is our primary use case?

We are using it for application security testing. We have microservices and applications within the organization, and the testing is being done on a continuous basis right through the development cycle or the development chain.

We are using its latest version. It is deployed on the cloud and on-premises.

What is most valuable?

It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support.

It is an extremely robust, scalable, and stable solution.

It enhance the quality of code all along the CI/CD pipeline from a security standpoint and enables developers to deliver secure code right from the initial stages.

What needs improvement?

It does scanning for all virtual machines and other things, but it doesn't do the scanning for containers. It currently lacks the ability to do the scanning on containers. We're asking their product management team to expand this capability to containers.

It doesn't do software composition analysis. We've asked their product management team to look into that as well.

We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access.

For how long have I used the solution?

I have been using this solution for four years.

What do I think about the stability of the solution?

It is very stable. 

What do I think about the scalability of the solution?

It is very scalable.

How are customer service and technical support?

Their tech support is absolutely outstanding. Their tech support is the most responsive tech support I've ever seen.

How was the initial setup?

It is very straightforward to set up. You can set it up in minutes.

What other advice do I have?

If somebody wants to shift left or integrate security early on in the CI/CD pipeline from a DevOps standpoint, this is probably one of the best tools available.

I would rate Micro Focus Fortify on Demand a nine out of 10. There are three areas for improvement. Once they improve it in those areas, then it would be 10 out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Vishal Karanjkar - PeerSpot reviewer
Site Head - IOT NW Products & Solutions at Itron, Inc.
Real User
Top 5Leaderboard
Beneficial report results, reliable, and scalable
Pros and Cons
  • "While using Micro Focus Fortify on Demand we have been very happy with the results and findings."
  • "Micro Focus Fortify on Demand could improve the reports. They could benefit from being more user-friendly and intuitive."

What is our primary use case?

Micro Focus Fortify on Demand can be deployed on-premise or in the cloud.

We are mainly using Micro Focus Fortify on Demand for security.

What is most valuable?

While using Micro Focus Fortify on Demand we have been very happy with the results and findings.

What needs improvement?

Micro Focus Fortify on Demand could improve the reports. They could benefit from being more user-friendly and intuitive.

For how long have I used the solution?

I have been using Micro Focus Fortify on Demand for approximately five years.

What do I think about the stability of the solution?

The stability of Micro Focus Fortify on Demand is good. I did not face any problems. If we had 100 products then we would have many teams using it.

We have some expansion plans and once that falls in place may increase the number of users using Micro Focus Fortify on Demand.

What do I think about the scalability of the solution?

Micro Focus Fortify on Demand is scalable. Our product team was using the solution but not all of them

How are customer service and support?

We did not need to contact support because we did not have any problems.

Which solution did I use previously and why did I switch?

We have used many different solutions five years ago.

What about the implementation team?

Micro Focus Fortify on Demand was implemented and managed by our IT team.

What's my experience with pricing, setup cost, and licensing?

Micro Focus Fortify on Demand licenses are managed by our IT team and the license model is user-based.

What other advice do I have?

I would recommend the solution to others.

I rate Micro Focus Fortify on Demand a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Vice President - Solution Architecture at a financial services firm with 10,001+ employees
Real User
Easy to use and the reporting is good, but does not support dynamic application security testing
Pros and Cons
  • "Fortify on Demand is easy to use and the reporting is good."
  • "The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood."

What is our primary use case?

We are using Fortify on Demand as a static code analyzer. As it scans each application, it checks each line of code. When we are developing mobile applications there might be some kind of security vulnerability. One example is a check to see if information that is being transferred is not encrypted because this would be vulnerable to hackers who are trying to break into the system. We also look at whether were are using the network transport layer security.

Our overall goal at this time is to protect our mobile app because it is one of the ways that hackers can break into the system. 

What is most valuable?

Fortify on Demand is easy to use and the reporting is good.

As for the static code analysis functionality, it is doing the job that it is supposed to do. 

What needs improvement?

This solution cannot do dynamic application security testing. It needs to be able to simulate a situation where a hacker is trying to break into the system.

The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood. Adding more information to provide a better analysis would be an improvement.

This solution would benefit from having more customization available for the reports. 

For how long have I used the solution?

We have been evaluating Fortify on Demand for close to a year.

What do I think about the stability of the solution?

Fortify on Demand has been stable from what I have seen. We have not had any problem with the reports, and we have not seen any instability or glitches.

What do I think about the scalability of the solution?

In our trial, there are seven or eight applications that are relying on this solution. Different departments in our company have their own technology centers in different locations, and I am not aware of what the other departments are doing.

How are customer service and technical support?

I have not interacted with the Fortify on Demand technical support team directly. Our own infrastructure support is the group that would deal with them. My team only communicates with our internal support.

Which solution did I use previously and why did I switch?

We did not use another solution prior to starting our evaluation that includes Fortify on Demand. People were relying on some open-source static code analyzers. However, I don't think that it was very reliable.

How was the initial setup?

My understanding is the this is not a difficult solution to manage and maintain.

What about the implementation team?

Our server infrastructure team handles the deployment and maintenance of this solution. They update it regularly as patches or new versions are released. They look into all of the tools that we use and perform the installation, as well as manage them.

Which other solutions did I evaluate?

We are currently using WebInspect but it does not satisfy all of our requirements. We are continuing to research other tools from other vendors, including open-source technologies. We have not fully decided yet. Before deciding on any product or vendor, we have to look at the whole cost of procuring the product license, as well as the recurring cost.

What other advice do I have?

Fortify on Demand is a product that I recommend but the suitability of this solution depends on exactly what the requirements are. Every product has a unique feature as well as limitations with respect to what it can and can not do. What it comes down to is how the application is built, as well as the technology stack. The licensing costs are also something that needs to be considered.

Overall, it is a very good tool and it works well for what it is designed for. 

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2024
Buyer's Guide
Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.