Fortify on Demand Reviews

All in-house developed code or a third-party developed code on our behalf is scanned via Fortify on Demand. Any results for unsecure code, vulnerabilities, or issues are passed back to the development teams for remediation.

Secure code is an important part of our day-to-day development activities. So, having code out there gives us some reasonable assurance that it is not vulnerable or open to attack. It certainly makes our overall risk posture better.

Being able to reduce risk overall is a very valuable feature for us.

They have a release coming out, which is full of new features. Based on their roadmap, there's nothing that I would suggest for them to put in it that they haven't already suggested. However, I am a customer, so I always think the pricing is something that could be improved. I am working with them on that, and they're very flexible. They work with their customers and kind of tailor the product to the customer's needs. So far, I am very happy with what they're able to provide. Their subscriptions could use a little bit of a reworking, but that would be about it.

It is a very stable product. They are constantly updating and keeping it up to date. There are no issues.

It is extremely scalable and flexible. We scan very small applications from our in-house innovations team and all the way up to millions of lines of code from our e-commerce teams. We currently have about 50 users, but the number varies. Some development teams are fairly small, and some are fairly large.

Technical support is very good. I've never had an issue that we couldn't resolve. If we have a scan running and we need it to finish sooner, they will allocate extra resources to it if we identify. We've had very good results with their tech support.

This is the first solution that was implemented. I inherited this from somebody else. We are a government organization, so we have to do an RFP next year to renew. We'll see how it goes.

The basic scanning is not very complex. When you get into more detailed scanning such as APIs, the level of complexity is moderate. However, when you are scanning that type of application, you usually have teams available that know what to do and what the configuration needs to be. We did our first scan within two days.

It was implemented in-house. We have in-house expertise. Our strategy was basically just to stand it up and use the default settings initially with a pilot. We planned to do some pilot scans and get a good feel for the product, and then adjust accordingly on an ongoing basis.

I managed it for two years single-handedly. As we expand and add more and more applications, we are adding extra hands. If we're looking at an FTE, equivalency is probably 0.5 to 0.75 people to manage it.

Looking for a return on investment on security is a little challenging. Some CIOs might argue one way or another. Some look at it as a cost, and some look at it as cost avoidance. I'm a security professional, and I look at it as cost avoidance. So, we're avoiding breaches, people being able to manipulate the code or cause any issues, and downtime. I always look at the positives of the product. If we eliminate any of the security risks or attack factors on these products before they go live, we're doing due diligence in making sure that the product stays up and running, especially for something like e-commerce.

Their subscriptions could use a little bit of a reworking, but I am very happy with what they're able to provide.

We plan to keep using this solution. Every year, we seem to have more and more code, and they add more and more features such as third-party library assessments, etc. Open source has become a big thing as companies try and save money, but with open source comes additional risk. This solution helps us mitigate the risk of those open-source components. So, we're using this more and more as we move forward.

The important part of this is automation. There are lots of automation options for this tool. Initially, trying to do it manually was a great start, but we kind of got lost a little bit along the way of implementing it. We should have done more automation right from the beginning, made it our standard, and created the policies. Sometimes, you put the cart before the horse. The tool does a great job, and you get lost in the results. It does provide good results and good information, but I think it's very important to have those policies and procedures in place right up front with this product. It will save you a lot of time in the end.

The biggest lesson that I have learned from using this product is that even if you have the best people, there are always vulnerabilities and things that will surprise you.

I would rate Micro Focus Fortify on Demand a nine out of ten.

We use Micro Focus Fortify on Demand to check the vulnerabilities of developments that we perform.

The feature that I find the most useful is being able to just see the vulnerabilities online while checking the code and then checking suggestions for fixing them.

The thing that could be improved is reducing the cost of usage and including some of the most pricey features, such as dynamic analysis and that sort of functionality, which makes the difference between different types of tools.

I have been using this product for four years. 

It is stable.

It is scalable. However, it poses a challenge in terms of pricing and licensing.

I haven't contacted their support, but I know that a team was in touch with Fortify technical support because they do get to have a lot of questions about migrating the software, licensing, and other stuff. They contact the support quite often. I know that they get responses, not always the ones they would like, but they do get a response from them.

I have used SonarQube but not at the same level. It has some functionalities that are related to security. It does not go as deep as Micro Focus Fortify on Demand. 

We have evaluated other tools that are competitors of Micro Focus Fortify on Demand, but we still decided to keep Micro Focus Fortify on Demand.

I wasn't responsible for setting it up. 

We have a team that works with the product. All development teams work with this team to accomplish the goals. Everything was set up by this team, and afterward, the development team just has to look at the reports and vulnerabilities so that they can run scans.

It is quite expensive. Pricing and the licensing model could be improved. 

Before using it, evaluate other possibilities because it's quite expensive if you don't have the need to use it. For example, replace it with SonarQube or another competitor's tool that may not do quite the same thing, but it is enough for what you want for your objectives. It could be a cheaper way to get to those goals.

I would rate Micro Focus Fortify on Demand a seven out of ten. Improvement in pricing would be the biggest thing that would improve the scoring.

We are using Fortify on Demand as a static code analyzer. As it scans each application, it checks each line of code. When we are developing mobile applications there might be some kind of security vulnerability. One example is a check to see if information that is being transferred is not encrypted because this would be vulnerable to hackers who are trying to break into the system. We also look at whether were are using the network transport layer security.

Our overall goal at this time is to protect our mobile app because it is one of the ways that hackers can break into the system. 

Fortify on Demand is easy to use and the reporting is good.

As for the static code analysis functionality, it is doing the job that it is supposed to do. 

This solution cannot do dynamic application security testing. It needs to be able to simulate a situation where a hacker is trying to break into the system.

The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood. Adding more information to provide a better analysis would be an improvement.

This solution would benefit from having more customization available for the reports. 

We have been evaluating Fortify on Demand for close to a year.

Fortify on Demand has been stable from what I have seen. We have not had any problem with the reports, and we have not seen any instability or glitches.

In our trial, there are seven or eight applications that are relying on this solution. Different departments in our company have their own technology centers in different locations, and I am not aware of what the other departments are doing.

I have not interacted with the Fortify on Demand technical support team directly. Our own infrastructure support is the group that would deal with them. My team only communicates with our internal support.

We did not use another solution prior to starting our evaluation that includes Fortify on Demand. People were relying on some open-source static code analyzers. However, I don't think that it was very reliable.

My understanding is the this is not a difficult solution to manage and maintain.

Our server infrastructure team handles the deployment and maintenance of this solution. They update it regularly as patches or new versions are released. They look into all of the tools that we use and perform the installation, as well as manage them.

We are currently using WebInspect but it does not satisfy all of our requirements. We are continuing to research other tools from other vendors, including open-source technologies. We have not fully decided yet. Before deciding on any product or vendor, we have to look at the whole cost of procuring the product license, as well as the recurring cost.

Fortify on Demand is a product that I recommend but the suitability of this solution depends on exactly what the requirements are. Every product has a unique feature as well as limitations with respect to what it can and can not do. What it comes down to is how the application is built, as well as the technology stack. The licensing costs are also something that needs to be considered.

Overall, it is a very good tool and it works well for what it is designed for. 

I would rate this solution a seven out of ten.

We use this solution for our web applications. 

We have the option to scan web applications on demand. We have the option to do dynamic analysis. We also have an on-premise solution for static code analysis.

We have the option to test applications with or without credentials.

Overall, it's very good. They have very good support, but there is always room for improvement.

I've been using this solution for two to three years.

They are helpful, and we have a good relationship with them. I'd rate them an eight out of ten.

Positive

It was straightforward. It took us two or three months because we had to integrate with our DevOps and pipeline solutions. It took a bit of extra time.

In terms of maintenance, we need to update the version. Micro Focus releases new versions every two months or so.

We had our DevOps manager, and then we had two people from IT. We also had the support of the provider. We also worked with a partner to help us to implement faster.

I'd rate it an eight out of ten in terms of pricing.

Overall, I'd rate it a nine out of ten. We are very satisfied with it.

I mainly use Fortify on Demand for static scanning.

Fortify on Demand's best feature is that there's no need to install and configure it locally since it's on the cloud.

An improvement would be the ability to get vulnerabilities flowing automatically into another system.

I've been using Fortify on Demand for over a year.

Fortify on Demand's stability is fantastic - I've never seen slowness, and it performs consistently.

I previously used ShiftLeft, but Fortify on Demand gives me a portal, and it's much easier to get details about the issues affecting us.

The initial setup is very simple because no installation is necessary - you just need to access the application and configure it. 

We used a vendor team.

Fortify on Demand is moderately priced, but its pricing could be more flexible.

I would rate Fortify on Demand nine out of ten.

Fortify is used for static scans — cold-scanning.

Fortify supports most languages. Other tools are limited to Java and other typical languages. IBM's solutions aren't flexible enough to support any language. Fortify also integrates with lots of tools because it has API support.

We have some stability issues, but they are minimal.

We've been using Fortify for two or three years

Fortify is stable. 

Fortify is scalable. 

Whenever we have any issues, Micro Focus support has been helpful. They have lots of products, and they're established in the market. When you open a ticket, you get an immediate response by phone.

The initial setup is straightforward and the second or third-tier support is available whenever we face an issue or something. Most of the components are plug-and-play, so it doesn't take much time. 

I rate Micro Focus Fortify on Demand. This is a good solution for doing static analysis. There is also a dynamic component, but we haven't used it because we are unsure how flexible it is. We are using it only for static scanning.

I use it for SAST, security analysis static code.

The features that I have found most valuable include its security scan, the vulnerability finds, and the web interface to search and review the issues.

In terms of what could be improved, we need more strategic analysis reports, not just for one specific application, but for the whole enterprise.

In the next release, we need more reports and more analytic views for all the  applications. There is no enterprise view in Fortify. I would like enterprise views and reports.

I am using Micro Focus Fortify on Demand for one year.

It is very stable.

It is scalable. Micro Focus Fortify on Demand requires a big hardware with a big processing capacity, but it is scalable.

Their customer support is very good. I sometimes need it, and I get the answer quickly. They are very helpful.

The initial setup is not so easy, but not so difficult. I would say it is medium difficulty.

On a scale of one to ten, I would give Micro Focus Fortify on Demand an eight.

We use it for normal, daily source code reviews and code analysis.

The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives.

It is easy to install, and the cost is fair.

I would like to see easier integration to CI/CD pipelines. The reporting format could be more user friendly so that it is easy to read.

I've been working with Micro Focus Fortify on Demand for three years.

There were some issues with it before, but I think they have been fixed now.

There were several limitations when I was using it before, but I am sure that they have been fixed by now.

My experience with technical support has been very good.

The initial setup is straightforward and not that complex. We had some support from IT.

The price is fair compared to that of other solutions.

If you are looking for commercial tools, Micro Focus Fortify on Demand is one of the best tools. It has all the features compared to those of its competitors. It is also within budget, if you're really focusing on security.

I would rate it at eight on a scale from one to ten.