Cyber Security Specialist at a computer software company with 51-200 employees
Real User
Top 20
User-friendly, stable, and scalable
Pros and Cons
  • "The solution is user-friendly."
  • "I would like the solution to add AI support."

What is our primary use case?

The solution is used for web application listing, like, SaaS.

What is most valuable?

The solution is user-friendly.

What needs improvement?

I would like the solution to add AI support.

For how long have I used the solution?

I have been using the solution for one month.

Buyer's Guide
Fortify on Demand
April 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,066 professionals have used our research since 2012.

What do I think about the stability of the solution?

I give the stability a nine out of ten.

What do I think about the scalability of the solution?

I give the scalability a nine out of ten.

We have three people using the solution in our organization.

How are customer service and support?

I am satisfied with the technical support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used SonarQube which is an open-source solution. We switched because we needed an easy-to-understand and configure UI.

How was the initial setup?

I give the initial setup a nine out of ten. The deployment took a few hours and required one person to implement.

What other advice do I have?

I give the solution a nine out of ten.

I recommend the solution to others and I am totally satisfied with it.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Principal Solutions Architect at a security firm with 11-50 employees
Real User
A good scanner that performs different types of scans and keeps everything in one place, but it needs more streamlined installation procedure and a bit more automation
Pros and Cons
  • "Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out."
  • "It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available."

What is our primary use case?

Our clients use it for scanning their applications and evaluating their application security. It is mostly for getting the application security results in, and then they push the vulnerabilities to their development team on an issue tracker such as Jira.

I usually have the latest version unless I need to support something on an older version for a client. We're not really deploying any of these solutions except for kind of testing and replicating the situations that our clients get into.

What is most valuable?

Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out.

What needs improvement?

It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available.

For how long have I used the solution?

I have been using this solution for seven or eight months.

What do I think about the stability of the solution?

I've never seen any issues with stability or crashing, and it looks fine to me, but I don't run it long enough to see. If I was using it as a customer, it is always possible that I would see more issues.

What do I think about the scalability of the solution?

Usually, I just run it against a single application. I don't know how it is if you are running it across a large enterprise.

Our clients are medium to large businesses. We have a lot of Fortune 500 companies, and scalability is very important to us. Our product is made to scale to hundreds of millions of findings from various tools. 

How are customer service and technical support?

Most of what I've been doing with them is just getting help with being able to set up an environment and the license keys, and they've been pretty helpful. I haven't had many issues that required me to report a bug or a problem. I did deal with them maybe once for a tech problem, and they were very responsive. They seemed pretty good.

How was the initial setup?

As compared to the other tools that I've worked with, it is probably in the middle range. It is definitely not the simplest one where you just run the installation, and it will be all done, but you also don't tend to run into too many problems that aren't easy to figure out during the install process. If you go from lowest to highest complexity, it would be right in the middle.

What other advice do I have?

It seems like a good scanner than the other ones that we support, but there are some other products such as Prisma that seem more polished and have tighter integration with different types of scanners. Whether they've acquired different scanners or build them themselves, they do seem like a cohesive product, whereas Fortify seems a little bit more like a collection of several different products.

I would rate Micro Focus Fortify on Demand a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Fortify on Demand
April 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,066 professionals have used our research since 2012.
Sr. Enterprise Architect at a financial services firm with 5,001-10,000 employees
Real User
Good development platform integration promotes a culture of Security by design
Pros and Cons
  • "The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira."
  • "This solution would be improved if the code-quality perspective were added to it, on top of the security aspect."

What is our primary use case?

I have been using this solution to gain some perspective from different architectures for the security team. I do not use it every day. I do have an overview and it is integrated with our development platform.

I do work for our governance team, so whenever a project is coming I will review products. I need to connect with the project managers for testing them, and these tests include the vulnerability assessment along with other security efforts. One of the things that I suggest is using Micro Focus Fortify on Demand.

The primary use case is core scanning for different vulnerabilities, based on standards. It beings with an architect who designs a model on a security-risk advisor platform. Then you have an idea of what the obstacles are. Once the code is scanned according to standards, you figure out where the gaps are. The team then suggests what needs to be done to the code to fix the vulnerabilities. The process repeats after the code is fixed until all of the vulnerabilities have been eliminated.

When you take all of these things together, it is Security by design.

What is most valuable?

The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira. When a vulnerability is found then it is classified as a bug and sent to IT.

What needs improvement?

This solution would be improved if the code-quality perspective were added to it, on top of the security aspect. It would rate performance and other things. This is one of the reasons that people are interested in SonarQube. This would make it a more complete and unique platform that would be a great player in the industry.

For how long have I used the solution?

We have been using Micro Focus Fortify on Demand over the past four years.

What do I think about the stability of the solution?

This is a very stable solution. Once it is deployed there are not a lot of challenges.

What do I think about the scalability of the solution?

This platform is very much scalable in terms of integrating with other solutions.

We have about 600 developers, but I think that we have between 300 and 400 who using Fortify on Demand.

How are customer service and technical support?

I have not been in touch with technical support from the vendor.

Our technical support team is comprised of three people. Two of them help to demonstrate the product and instruct people on how it works. The other one is connected to the development team and can help with troubleshooting issues.

Which solution did I use previously and why did I switch?

We also use WebInspect, SonarQube, and other security tools in addition to this solution. The use of particular tools depends on the project and the project manager that I speak with.

Prior to working with Fortify on Demand, we worked using the code analysis capability in Microsoft Visual Studio. That is where you have things like the recommended best practices for .NET. It flags what lools like bugs.

How was the initial setup?

The initial setup was quite simple.

I performed the deployment a couple of times on different platforms and it did not take much effort to set up. I also did the integration with other platforms like Microsoft Information Server and it was quite easy. You just need to know the platform that you are integrating into.

When it came time to deploy, I just had to run through the documentation on the vendor's web site. I spent one day reading it and one the second day, I did my integration. It took about eight hours that day, and I had challenges but they came from the platform that I was integrating into, like Microsoft Information Server. There were things to be done, such as converting XML files. The next day I was able to fix the problems, so in total it took me between nine and twelve hours to integrate it.

The second time that I deployed this solution it took me not more than two or three hours to repeat all of these same steps.

What about the implementation team?

I had one person from Fortify to assist me with the deployment and integration with Microsoft Information Server. We also had some peers working with us. For example, I had the global head of security assurance working with me. Between us, we got everything working.

Which other solutions did I evaluate?

We did not evaluate other vendors beyond the solutions that we are using.

What other advice do I have?

My advice to anybody who is considering this solution is to first get buy-in from the entire organization about adopting a culture of Security by design. Fortify on Demand can scan your code, but you need to have plans in place for what needs to be done when problems are identified. It may mean that things will have to change with regards to how code is being written. It may also require integration with other platforms. You can't just start scanning without first understanding what the security architecture is. You need to understand the vulnerabilities and all of the standards, as well. Essentially, I would recommend a security design overhaul.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Kangkan Goswami - PeerSpot reviewer
Advisor Solution Architect at a tech services company with 10,001+ employees
Real User
Top 5
Moderately priced solution with fantastic stability
Pros and Cons
  • "Fortify on Demand's best feature is that there's no need to install and configure it locally since it's on the cloud."
  • "An improvement would be the ability to get vulnerabilities flowing automatically into another system."

What is our primary use case?

I mainly use Fortify on Demand for static scanning.

What is most valuable?

Fortify on Demand's best feature is that there's no need to install and configure it locally since it's on the cloud.

What needs improvement?

An improvement would be the ability to get vulnerabilities flowing automatically into another system.

For how long have I used the solution?

I've been using Fortify on Demand for over a year.

What do I think about the stability of the solution?

Fortify on Demand's stability is fantastic - I've never seen slowness, and it performs consistently.

Which solution did I use previously and why did I switch?

I previously used ShiftLeft, but Fortify on Demand gives me a portal, and it's much easier to get details about the issues affecting us.

How was the initial setup?

The initial setup is very simple because no installation is necessary - you just need to access the application and configure it. 

What about the implementation team?

We used a vendor team.

What's my experience with pricing, setup cost, and licensing?

Fortify on Demand is moderately priced, but its pricing could be more flexible.

What other advice do I have?

I would rate Fortify on Demand nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Security Systems Analyst at a retailer with 5,001-10,000 employees
Real User
An extremely scalable, flexible, and stable solution that reduces the overall risk and gives us assurance
Pros and Cons
  • "Being able to reduce risk overall is a very valuable feature for us."
  • "They have a release coming out, which is full of new features. Based on their roadmap, there's nothing that I would suggest for them to put in it that they haven't already suggested. However, I am a customer, so I always think the pricing is something that could be improved. I am working with them on that, and they're very flexible. They work with their customers and kind of tailor the product to the customer's needs. So far, I am very happy with what they're able to provide. Their subscriptions could use a little bit of a reworking, but that would be about it."

What is our primary use case?

All in-house developed code or a third-party developed code on our behalf is scanned via Fortify on Demand. Any results for unsecure code, vulnerabilities, or issues are passed back to the development teams for remediation.

How has it helped my organization?

Secure code is an important part of our day-to-day development activities. So, having code out there gives us some reasonable assurance that it is not vulnerable or open to attack. It certainly makes our overall risk posture better.

What is most valuable?

Being able to reduce risk overall is a very valuable feature for us.

What needs improvement?

They have a release coming out, which is full of new features. Based on their roadmap, there's nothing that I would suggest for them to put in it that they haven't already suggested. However, I am a customer, so I always think the pricing is something that could be improved. I am working with them on that, and they're very flexible. They work with their customers and kind of tailor the product to the customer's needs. So far, I am very happy with what they're able to provide. Their subscriptions could use a little bit of a reworking, but that would be about it.

What do I think about the stability of the solution?

It is a very stable product. They are constantly updating and keeping it up to date. There are no issues.

What do I think about the scalability of the solution?

It is extremely scalable and flexible. We scan very small applications from our in-house innovations team and all the way up to millions of lines of code from our e-commerce teams. We currently have about 50 users, but the number varies. Some development teams are fairly small, and some are fairly large.

How are customer service and technical support?

Technical support is very good. I've never had an issue that we couldn't resolve. If we have a scan running and we need it to finish sooner, they will allocate extra resources to it if we identify. We've had very good results with their tech support.

Which solution did I use previously and why did I switch?

This is the first solution that was implemented. I inherited this from somebody else. We are a government organization, so we have to do an RFP next year to renew. We'll see how it goes.

How was the initial setup?

The basic scanning is not very complex. When you get into more detailed scanning such as APIs, the level of complexity is moderate. However, when you are scanning that type of application, you usually have teams available that know what to do and what the configuration needs to be. We did our first scan within two days.

What about the implementation team?

It was implemented in-house. We have in-house expertise. Our strategy was basically just to stand it up and use the default settings initially with a pilot. We planned to do some pilot scans and get a good feel for the product, and then adjust accordingly on an ongoing basis.

I managed it for two years single-handedly. As we expand and add more and more applications, we are adding extra hands. If we're looking at an FTE, equivalency is probably 0.5 to 0.75 people to manage it.

What was our ROI?

Looking for a return on investment on security is a little challenging. Some CIOs might argue one way or another. Some look at it as a cost, and some look at it as cost avoidance. I'm a security professional, and I look at it as cost avoidance. So, we're avoiding breaches, people being able to manipulate the code or cause any issues, and downtime. I always look at the positives of the product. If we eliminate any of the security risks or attack factors on these products before they go live, we're doing due diligence in making sure that the product stays up and running, especially for something like e-commerce.

What's my experience with pricing, setup cost, and licensing?

Their subscriptions could use a little bit of a reworking, but I am very happy with what they're able to provide.

What other advice do I have?

We plan to keep using this solution. Every year, we seem to have more and more code, and they add more and more features such as third-party library assessments, etc. Open source has become a big thing as companies try and save money, but with open source comes additional risk. This solution helps us mitigate the risk of those open-source components. So, we're using this more and more as we move forward.

The important part of this is automation. There are lots of automation options for this tool. Initially, trying to do it manually was a great start, but we kind of got lost a little bit along the way of implementing it. We should have done more automation right from the beginning, made it our standard, and created the policies. Sometimes, you put the cart before the horse. The tool does a great job, and you get lost in the results. It does provide good results and good information, but I think it's very important to have those policies and procedures in place right up front with this product. It will save you a lot of time in the end.

The biggest lesson that I have learned from using this product is that even if you have the best people, there are always vulnerabilities and things that will surprise you.

I would rate Micro Focus Fortify on Demand a nine out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user326421 - PeerSpot reviewer
Solution Security Architect with 1,001-5,000 employees
Real User
It has added a very quick turnaround for security code reviews, allowing us to integrate this function into the overall development and testing lifecycle.

What is most valuable?

  • It's On-Demand, and cloud-based which is well suited to occasional and price-conscious use.
  • Fast turn-around allows for easy integration into the development process without any major impact on development efforts.

How has it helped my organization?

It has added a very quick turnaround for security code reviews which allowed us to integrate this (formerly missing) function into the overall development and testing lifecycle.

What needs improvement?

It needs to support more languages.

For how long have I used the solution?

I've used it for three months.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Excellent – from the PoC through setup and implementation; we received timely and knowledgeable support whenever we need it.

Which solution did I use previously and why did I switch?

We tried to do it by hand (which was very time consuming and error-prone) and some tools built-in to Visual Studio (which was not widely accepted by individuals).

How was the initial setup?

We had some issue with logins and account setups, but received excellent support.

What about the implementation team?

We implemented it ourselves with the help of HP.

What was our ROI?

Don’t know since the project got cancelled.

What other advice do I have?

Take advantage of the free trial and conduct a meaningful PoC. Get a buy-in from upper management early and co-ordinate with all stakeholders (e.g. developers, testing and/or QA groups).

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Consultant
It provides an independent review of third-party applications, allowing organizations to test software before purchasing. But try the free version first as there's no "right" way to measure ROI.

What is most valuable?

I was able to quickly pass compliance with HIPAA.
Correlated static and dynamic results with detailed priority guidance.
Accurate results, tailored to each application.
All results manually reviewed by application security experts .
Central testing program management for all applications.

How has it helped my organization?

HP Fortify on Demand provides an independent review of third-party applications, allowing organizations to test software before purchasing, and also allowing software vendors to demonstrate the security of their software. Third-party vendors can upload the source code and/or provide a URL, review the results, and then publish a report back to their customer.

This service compels commercial vendors to take action to proactively fix vulnerabilities, while allowing them to remain in control of their applications. Security professionals can demand that high-priority problems be addressed and verified during the procurement or upgrade process, prior to acceptance. HP Fortify on Demand serves as an independent third-party solution to conduct unbiased analysis of applications and provide a detailed tamper-proof report back to the security team.

What needs improvement?

You are going to like the new detailed reporting. It can correlate the results from different forms of testing and prioritize them by severity to present the truest representation of application risk.

For how long have I used the solution?

1 year

What was my experience with deployment of the solution?

It was very easy to install and deploy.

What do I think about the stability of the solution?

No.

What do I think about the scalability of the solution?

No. Scalable infrastructure allows for fast turnaround times and it has no limitations based on lines of code, megabytes, or anything else.

How are customer service and technical support?

Customer Service:

Good

Technical Support:

Good

Which solution did I use previously and why did I switch?

I currently use other solutions. We gave HP Fortify on Demand a try and we are very happy with the results.

How was the initial setup?

Yes. Very easy.

What about the implementation team?

We tried the free version first and then we acquired the software the product website.

What was our ROI?

Keep in mind that the calculation for return on investment and, therefore the definition, can be modified to suit the situation. It all depends on what you include as returns and costs. The definition of the term in the broadest sense just attempts to measure the profitability of an investment and, as such, there is no one "right" calculation. But, I have to say the client is very satisfied.

What's my experience with pricing, setup cost, and licensing?

Try the free version first.

Which other solutions did I evaluate?

I am already using other software. We wanted to try it and it works like a charm.

What other advice do I have?

Trust me, you want to be able to do automated and manual testing on a web application that is live.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partners
PeerSpot user
S S RAMA KRISHNA MURTHY  SURI - PeerSpot reviewer
Senior Manager at valuelabs LLP
MSP
Top 5
It supports most languages and integrates well with other solutions
Pros and Cons
  • "Fortify supports most languages. Other tools are limited to Java and other typical languages. IBM's solutions aren't flexible enough to support any language. Fortify also integrates with lots of tools because it has API support."
  • "We have some stability issues, but they are minimal."

What is our primary use case?

Fortify is used for static scans — cold-scanning.

What is most valuable?

Fortify supports most languages. Other tools are limited to Java and other typical languages. IBM's solutions aren't flexible enough to support any language. Fortify also integrates with lots of tools because it has API support.

What needs improvement?

We have some stability issues, but they are minimal.

For how long have I used the solution?

We've been using Fortify for two or three years

What do I think about the stability of the solution?

Fortify is stable. 

What do I think about the scalability of the solution?

Fortify is scalable. 

How are customer service and support?

Whenever we have any issues, Micro Focus support has been helpful. They have lots of products, and they're established in the market. When you open a ticket, you get an immediate response by phone.

How was the initial setup?

The initial setup is straightforward and the second or third-tier support is available whenever we face an issue or something. Most of the components are plug-and-play, so it doesn't take much time. 

What other advice do I have?

I rate Micro Focus Fortify on Demand. This is a good solution for doing static analysis. There is also a dynamic component, but we haven't used it because we are unsure how flexible it is. We are using it only for static scanning.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2024
Buyer's Guide
Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.