CISO at a retailer with 1,001-5,000 employees
Real User
Detects vulnerabilities and provides useful suggestions, but doesn't understand complex websites
Pros and Cons
  • "The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it."
  • "Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. In addition, the technical support is just not there. We have open tickets. They don't respond. Even if they respond, we're not seeing eye to eye. As the company got sold and bought, the support got worse."

What is our primary use case?

We use Fortify on Demand to test our e-commerce website. We do static codes testing before it goes live.

How has it helped my organization?

Before we migrate a new code to our production website, it is scanned with Fortify and all security vulnerabilities are identified. Then we try to remediate them so we don't expose ourselves.

I've been involved in deciding what's right or wrong. I've been involved in deciding on the product early on, and then if we should go on-premise or in the cloud, if we should build it into part of the software development life cycle or if we should do it on demand before we go to production. I've been involved in a lot of that. I've been involved in working with the development team to decide what is a vulnerability and what is not, and which vulnerabilities we need to take to heart, regardless if we understand what it is that we should ignore, and regardless of the fact that we think it's highly critical.

What is most valuable?

The product, in general, is meant to scan the website and identify any vulnerabilities: a known vulnerability across that script and SQL injection or other vulnerabilities from OWASP top 10, etc. That is what we're using this for.

The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it. 

What needs improvement?

Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. And they try to look at it saying, "Okay. From a pure standards perspective, this is a critical vulnerability for you." Which in reality, if you would really try to exploit it, you'd see that we actually did cross a little something around it, and the vulnerability is not there. So they would expect to have a certain type of a formatting requirement around a specific field to avoid being able to put in special characters. They would assume that because we don't have that, it's a vulnerability. But in reality, you actually do have a custom function that has been defined somewhere else in the code and these fields are subject to that function. I don't carry along with that in the same way as the application really does. That's something that we found that needs improvement.

We're actually going to transfer from them, and the main reason is that there is nobody home. We could have tickets open with them for months trying to escalate and have them remediate certain false positives as I described. We have had no success bringing this product to a level that we feel there's not too much noise. It gives you specifically what you need. You could take it at face value and run with it.

We're going to switch to Checkmarx. We're in the middle of the deployment.

Buyer's Guide
Fortify on Demand
April 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
767,095 professionals have used our research since 2012.

For how long have I used the solution?

We've been using Fortify on Demand for eight years or so.

What do I think about the stability of the solution?

Stability is good. The product works.

What do I think about the scalability of the solution?

Scalability is irrelevant to us because it's in the cloud. For the past few years, we've been using it in the cloud, so it's a common scanner. It's not handling transactions. It's not a firewall or an antivirus that you have doing real-time transactions. It looks at the code and the volume of code we migrate. We write a lot of code every week, but it's still within reason. We're not talking about thousands of developers sending code at the same time. So I don't think that scalability was much in our conversation.

The product is being used by the e-commerce application development team, and we have senior developers who are responsible to scan and evaluate security concerns that come out of the product. We also have a lead security person and a development team who are responsible to oversee this and ensure that the issues are being addressed.

Deployment and maintenance, are not really applicable because it was somebody at DNH working with the company, setting it up. We did not put it into part of the platform of real-time migration, such that the code automatically goes there, marks it, and allows it to go to production or not. We didn't go that route, so it really didn't need too many people to be involved in the deployment.

How are customer service and support?

The technical support is just not there. We have open tickets. They don't respond. Even if they respond, we don't see eye to eye. As the company got sold and bought, the support got worse.

How was the initial setup?

Our website is complex, so the setup is also complex. By definition, we expected it to be complex, and Checkmarx should also be complex because of the culture, habits, and complexity of our custom-developed website. Our website is not an off-the-shelf product, so there's a lot of complexity that comes with it by nature. But that's okay.

The initial deployment goal was to scan every bit and byte of code on the production e-commerce site. That was the plan. We started rolling this out and then we started sending tests. We went back and forth on whether we should make it in-line automatic that we scan sales, in a way that it would not allow the code to move further, or if we should do it off to the side, such that the application development life cycle continues to run separately, while somebody is scanning it making sure we dissolve all the issues. So we tried both routes. There are benefits to each, and it's definitely safer to do it in-line. Again, the culture, habits, and technology's use mean that it is not always best to do it in-line because it could become too complicated and break too many things. So we actually switched that. There is a person that does that. It's not built into the migration system by default. Somebody is scanning it and then moves to the next one.

What about the implementation team?

We worked with them and they helped us deploy. We tried a few different versions. We tried on-premise, and then we went to the cloud. Fortify on Demand is the cloud-based version, which we're using now.

Our experience with their developer team was good. But now, over time, the company went from a partner to a disconnected environment. Overall, the experience started out with a back and forth and an active relationship but over time, they became very disconnected.

What's my experience with pricing, setup cost, and licensing?

It's a yearly contract, but I don't remember the dollar amount.

Which other solutions did I evaluate?

I don't remember if we evaluated anybody else. I think Fortify was recommended through a consultant. Some years ago, there were not so many vendors at a time playing in this arena. There's not so many today for static analysis, but I don't think that we really evaluated any others.

What other advice do I have?

I would advise others not to use Fortify, but rather get something like Veracode or Checkmarx. The most important thing is not the functionality of the product. The most important thing is the knowledge, support, and availability of the team of security specialists as a vendor, that you have somebody to work with and talk to. Everybody's website is different, and if you try to use the product out of the box the way they built it and you have nobody to talk to to figure out how to tweak your application or the product to reduce the noise and the false positives, it becomes literally useless. So I would not advise anybody to go to Fortify based on the fact that they really don't have a very forthcoming support team and availability.

Could be the other options would provide professional services, but that's not the point. The point is that if you want to pick up the phone and send them an email, open a ticket saying that, "This is a false positive," somebody should get back to you. So I don't think that Fortify's a viable option still these days based on the fact of where they sit and how they operate.

I would rate the product a four out of ten. It works. The reason why I give it a four is because of the limitations of the product to understand the dynamics of our website and the number of things that are not working smoothly due to the fact that our website is complex.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user692322 - PeerSpot reviewer
Digital Security Integration Lead at a non-tech company with 10,001+ employees
Real User
The quality of application security testing reduces risk and gives very few false positives.
Pros and Cons
  • "The quality of application security testing reduces risk and gives very few false positives."
  • "New technologies and DevOps could be improved. Fortify on Demand can be slow (slower than other vendors) to support new technologies or new software versions."

How has it helped my organization?

The security of our consumer-facing web sites is better.

What is most valuable?

The quality of application security testing reduces risk and gives very few false positives.

What needs improvement?

New technologies and DevOps could be improved. Fortify on Demand can be slow (slower than other vendors) to support new technologies or new software versions. DevOps requires very fast turnaround and I’m not sure HPE Fortify on Demand can do that, although they have a new product in beta for that.

What do I think about the stability of the solution?

We did not have stability issues.

What do I think about the scalability of the solution?

We did not have scalability issues.

How are customer service and technical support?

Technical support is very good.

Which solution did I use previously and why did I switch?

We didn’t have a previous solution.

How was the initial setup?

Setup was not complex, although given our size it was a challenge.

What's my experience with pricing, setup cost, and licensing?

Drive a hard bargain.

Which other solutions did I evaluate?

We evaluated IBM and Veracode.

What other advice do I have?

Go with the SaaS product.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user712167 - PeerSpot reviewer
it_user712167General Manager - Application Security at a tech consulting company with 51-200 employees
Consultant

Yes, It does have less positives. After being a premium customer and having taken the annual / 3 yr subscription option, we can opt for + (plus) services by which we can have a manual AUDIT to manually review our code for the 1st time. This helps reduce most of the false positives and developers and team in-charges can concentrate on actual issues / vulnerabilities or the weaknesses in existing application which is assessed. - Manoj Purandare, India

Buyer's Guide
Fortify on Demand
April 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
767,095 professionals have used our research since 2012.
Senior Application Security Analyst at a financial services firm with 10,001+ employees
Real User
Has the ability to have related features upgraded on the tools but the tool suffers from latency
Pros and Cons
  • "t's a cloud-based solution, so there was no installation involved."
  • "The solution has some issues with latency. Sometimes it takes a while to respond. This issue should be addressed."

What is most valuable?

What is most useful is how you can have related features upgraded on the tools. The tools themselves have details for the code as well, where the issues have been flagged, and all the vulnerabilities are there, in one place.

What needs improvement?

The solution has some problems with latency. Sometimes it takes a while to respond. This issue should be addressed.

They should improve the data path where the issue has been flagged. They can improve the flow module details. If you can understand from the data flow or data path what is happening, you can better understand what the issue is.

For how long have I used the solution?

I've been using the solution for two years.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

The solution is okay in terms of scalability. I'm still not really familiar with the tool, and I'm still learning from it. So far, I think it has a good ability to scale.

How are customer service and technical support?

Technical support is okay. They have a platform that you can create tickets on. Once you raise a ticket, support is quick to help you. 

If they wanted to improve technical support they could offer meetings with the developer or security team.

How was the initial setup?

It's a cloud-based solution, so there was no installation involved.

What other advice do I have?

We use the cloud deployment model of the solution.

Whether or not you decide to implement the solution depends on the use case. It depends on if the user has a big application or multiple lines of code which need to be scanned. New users need to do POC so they can investigate if this tool fits in their company or their enterprise before they begin implementation. Everyone should do a comparison before implementing or doing the rollout of any security tool.

I would rate the solution seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Cyber Security Analyst at a financial services firm with 1,001-5,000 employees
Vendor
Helps us to stay updated with the newest languages and versions coming out
Pros and Cons
  • "It improves future security scans."
  • "Fortify helps us to stay updated with the newest languages and versions coming out."
  • "Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues."
  • "We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days."

What is our primary use case?

We previously used it for static and dynamic scans, but now we use it only for dynamic scans.

We have close to 85 products in-house, so we run a lot of scans.

How has it helped my organization?

We are using lost programming languages, because we have a lot of product development going on because we have a product-based company. Fortify helps us to stay updated with the newest languages and versions coming out. We can run our scans on a timely basis.

What is most valuable?

We can run our scans properly on it. It improves future security scans.

What needs improvement?

Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues.

We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

There are no stability issues. Though, we would like the scans to run faster.

What do I think about the scalability of the solution?

We have no scaling issues.

How are customer service and technical support?

Tech support has been a great help. They always respond to us in a timely manner.

Whenever we contact support, they assist us in running our scans.

Which solution did I use previously and why did I switch?

We did not have another solution before. We tried other solutions, but they were not as good as Fortify.

How was the initial setup?

I was not involved in the initial implementation.

What's my experience with pricing, setup cost, and licensing?

The pricing is expensive.

Which other solutions did I evaluate?

Currently, Checkmarx offers us a graphically, revised run.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user506661 - PeerSpot reviewer
Senior Lead at a computer software company with 1,001-5,000 employees
Real User
Helps us identify security vulnerability earlier in the development.
Pros and Cons
  • "We identified a lot of security vulnerability much earlier in the development and could fix this well before the product was rolled out to a huge number of clients."
  • "The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there."

How has it helped my organization?

Security of our applications is a huge concern for everyone now. Using quality products like HPE’s Fortify helped us minimize issues raised by the clients. Therefore, customer satisfaction in terms of the security was high.

What is most valuable?

We identified a lot of security vulnerability much earlier in the development and could fix this well before the product was rolled out to a huge number of clients.

What needs improvement?

The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there. Also, the comments added on each issue were getting lost on multiple iterations of scans, which could be fixed.

How are customer service and technical support?

Technical support is very good. We had a few issues in the initial setup and the HPE team’s support was commendable.

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

How was the initial setup?

Initial setup was complex; we ran into lot of memory issues. The Visual Studio plugin was not responsive, either.

What about the implementation team?

An in-house team implemented it. Don’t use the Visual Studio plugin, unless your solution is really small. Otherwise, use the command line setup.

Which other solutions did I evaluate?

It’s a tool used at the enterprise level; hence, I did not have a chance to explore other options.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user399378 - PeerSpot reviewer
Director of Information Technology at a tech consulting company with 501-1,000 employees
Consultant
It enforces source-code scanning and finding vulnerabilities in source code. It would be nice if it could manage the false positives better.

Valuable Features

It enforces source-code scanning, finding vulnerabilities in source code.

Improvements to My Organization

We're able to find vulnerabilities and weaknesses actually posting to site. We can get to these issues in our staging areas for active data and for verifying user vulnerabilities. It helps the development cycle in that we don't need other people involved in the scans. We're doing pre-scans and then getting other teams involved.

Room for Improvement

There are a lot of false positives and there's not a good way to manage them. They appear after every scan, and it would be nice to have them marked out so that we don't see them.

Deployment Issues

We've had no issues with deployment.

Stability Issues

Stability could use a little improvement as we've had some issues. It runs out of memory sometimes and uses a lot of resources. Sometimes the scans don't work.

Scalability Issues

For code scans, company size doesn't really matter so much as the size of the code. It works well with the code scans we're running. Our lines of code aren't as huge as other applications we build, and it doesn't support every type of our applications, which are primarily .NET and HPE apps.

Customer Service and Technical Support

Technical support isn't top-notch, but it's not bad. It's just average. They take a while to resolve issues.

Initial Setup

The initial setup was pretty easy and straightforward.

Other Advice

Find the solution that works best for your environment, using the group concept to try them all. Then determine which is best for you.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Professor at BitBrainery University
Real User
Saved us a lot of time as we focus primarily on programming rather than tool operational work
Pros and Cons
  • "It has saved us a lot of time as we focus primarily on programming rather than tool operational work."
  • "It lacks of some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt."

What is our primary use case?

I analyzed more than 20 applications implemented in BIT Brainery University. The static analysis has to be done every release before putting it in production.

How has it helped my organization?

Even though it was our final choice, it has saved us a lot of time as we focus primarily on programming rather than tool operational work. We did not need third-party consultants.

What is most valuable?

We shared the easy to use dashboard with our programmers and involved outsourcers for a quick issues fix. 

What needs improvement?

It lacks of some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Chief Executive & Certified Security Administrator at Boch Systems Company Limited
Reseller
Good for banking and financial institutions to manage and test product lifecycles
Pros and Cons
  • "This product is top-notch solution and the technology is the best on the market."
  • "The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to."

What is our primary use case?

We recommend this product to our customers. We act as vendors and resellers. This is actually one of the solutions we often recommend to our customers most often. Usually, this is the best choice for banking and financial institutions. It is deployed by their development team in-house. They use it to manage and test product lifecycles.  

What is most valuable?

We actually find all of the product's features valuable. But at this point, we are trying to upsell by adding additional components like RAFT (Re-usable Automation Framework for Testing) to the test cycle.  

What needs improvement?

Strictly in terms of this product, I think it is a top-notch solution and I think the technology is still the best on the market. What might be improved is maybe just look at the pricing. It is a bit confusing compared to other products that we also sell.  

Whatever innovation they can come up with would be an excellent addition if it adds useful functionality. The only thing I can think of that they might add is something like features you can find in Codebashing that they have not yet implemented. I don't know if it has all of those features. If not, it would be useful for something like that to be added.  

For how long have I used the solution?

We have been suggesting the product since before the merger with Hewlett Packard.  

What do I think about the stability of the solution?

This is a very stable product.  

What do I think about the scalability of the solution?

This product is scalable. Most of our customers are enterprise customers. I can point out three off the top of my head. If the product can scale to the enterprise level, it makes sense that it is quite scalable.  

How are customer service and technical support?

The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to. Micro Focus has a whole lot of solutions that are of value in our region, but it seems that they are not doing a proper job of coordination of knowledge. There is a huge knowledge gap from the Micro Focus team in the way they support businesses. We were hoping that the transition was the thing that affected the lack of better support. But by now we should be able to point to who the person is that is in charge and the person to talk to when it comes to the various products. I really don't know anybody in charge of the technical team to help us properly with issues.  

How was the initial setup?

I think the initial setup for the on-demand product is straightforward. The product installed on-premises is somewhat complex. For this reason, it is better that the on-premises version is installed with the help of integrators or consultants. 

What other advice do I have?

I would definitely recommend Micro Focus Fortify any day for clients who are looking for a good security solution.  

On a scale from one to ten where one is the worst and ten is the best, I would rate Micro Focus Fortify on Demand as a nine out of ten.  

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Buyer's Guide
Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2024
Buyer's Guide
Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.