Senior Application Security Analyst at a financial services firm with 10,001+ employees
Real User
Has the ability to have related features upgraded on the tools but the tool suffers from latency
Pros and Cons
  • "t's a cloud-based solution, so there was no installation involved."
  • "The solution has some issues with latency. Sometimes it takes a while to respond. This issue should be addressed."

What is most valuable?

What is most useful is how you can have related features upgraded on the tools. The tools themselves have details for the code as well, where the issues have been flagged, and all the vulnerabilities are there, in one place.

What needs improvement?

The solution has some problems with latency. Sometimes it takes a while to respond. This issue should be addressed.

They should improve the data path where the issue has been flagged. They can improve the flow module details. If you can understand from the data flow or data path what is happening, you can better understand what the issue is.

For how long have I used the solution?

I've been using the solution for two years.

What do I think about the stability of the solution?

The solution is very stable.

Buyer's Guide
Application Security Tools
January 2024
Find out what your peers are saying about OpenText, Sonar, Checkmarx and others in Application Security Tools. Updated: January 2024.
756,650 professionals have used our research since 2012.

What do I think about the scalability of the solution?

The solution is okay in terms of scalability. I'm still not really familiar with the tool, and I'm still learning from it. So far, I think it has a good ability to scale.

How are customer service and support?

Technical support is okay. They have a platform that you can create tickets on. Once you raise a ticket, support is quick to help you. 

If they wanted to improve technical support they could offer meetings with the developer or security team.

How was the initial setup?

It's a cloud-based solution, so there was no installation involved.

What other advice do I have?

We use the cloud deployment model of the solution.

Whether or not you decide to implement the solution depends on the use case. It depends on if the user has a big application or multiple lines of code which need to be scanned. New users need to do POC so they can investigate if this tool fits in their company or their enterprise before they begin implementation. Everyone should do a comparison before implementing or doing the rollout of any security tool.

I would rate the solution seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Cyber Security Analyst at a financial services firm with 1,001-5,000 employees
Vendor
Helps us to stay updated with the newest languages and versions coming out
Pros and Cons
  • "It improves future security scans."
  • "Fortify helps us to stay updated with the newest languages and versions coming out."
  • "Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues."
  • "We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days."

What is our primary use case?

We previously used it for static and dynamic scans, but now we use it only for dynamic scans.

We have close to 85 products in-house, so we run a lot of scans.

How has it helped my organization?

We are using lost programming languages, because we have a lot of product development going on because we have a product-based company. Fortify helps us to stay updated with the newest languages and versions coming out. We can run our scans on a timely basis.

What is most valuable?

We can run our scans properly on it. It improves future security scans.

What needs improvement?

Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues.

We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

There are no stability issues. Though, we would like the scans to run faster.

What do I think about the scalability of the solution?

We have no scaling issues.

How are customer service and technical support?

Tech support has been a great help. They always respond to us in a timely manner.

Whenever we contact support, they assist us in running our scans.

Which solution did I use previously and why did I switch?

We did not have another solution before. We tried other solutions, but they were not as good as Fortify.

How was the initial setup?

I was not involved in the initial implementation.

What's my experience with pricing, setup cost, and licensing?

The pricing is expensive.

Which other solutions did I evaluate?

Currently, Checkmarx offers us a graphically, revised run.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Application Security Tools
January 2024
Find out what your peers are saying about OpenText, Sonar, Checkmarx and others in Application Security Tools. Updated: January 2024.
756,650 professionals have used our research since 2012.
it_user399378 - PeerSpot reviewer
Director of Information Technology at a tech consulting company with 501-1,000 employees
Consultant
It enforces source-code scanning and finding vulnerabilities in source code. It would be nice if it could manage the false positives better.

Valuable Features

It enforces source-code scanning, finding vulnerabilities in source code.

Improvements to My Organization

We're able to find vulnerabilities and weaknesses actually posting to site. We can get to these issues in our staging areas for active data and for verifying user vulnerabilities. It helps the development cycle in that we don't need other people involved in the scans. We're doing pre-scans and then getting other teams involved.

Room for Improvement

There are a lot of false positives and there's not a good way to manage them. They appear after every scan, and it would be nice to have them marked out so that we don't see them.

Deployment Issues

We've had no issues with deployment.

Stability Issues

Stability could use a little improvement as we've had some issues. It runs out of memory sometimes and uses a lot of resources. Sometimes the scans don't work.

Scalability Issues

For code scans, company size doesn't really matter so much as the size of the code. It works well with the code scans we're running. Our lines of code aren't as huge as other applications we build, and it doesn't support every type of our applications, which are primarily .NET and HPE apps.

Customer Service and Technical Support

Technical support isn't top-notch, but it's not bad. It's just average. They take a while to resolve issues.

Initial Setup

The initial setup was pretty easy and straightforward.

Other Advice

Find the solution that works best for your environment, using the group concept to try them all. Then determine which is best for you.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user506661 - PeerSpot reviewer
Senior Lead at a computer software company with 1,001-5,000 employees
Real User
Helps us identify security vulnerability earlier in the development.
Pros and Cons
  • "We identified a lot of security vulnerability much earlier in the development and could fix this well before the product was rolled out to a huge number of clients."
  • "The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there."

How has it helped my organization?

Security of our applications is a huge concern for everyone now. Using quality products like HPE’s Fortify helped us minimize issues raised by the clients. Therefore, customer satisfaction in terms of the security was high.

What is most valuable?

We identified a lot of security vulnerability much earlier in the development and could fix this well before the product was rolled out to a huge number of clients.

What needs improvement?

The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there. Also, the comments added on each issue were getting lost on multiple iterations of scans, which could be fixed.

How are customer service and technical support?

Technical support is very good. We had a few issues in the initial setup and the HPE team’s support was commendable.

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

How was the initial setup?

Initial setup was complex; we ran into lot of memory issues. The Visual Studio plugin was not responsive, either.

What about the implementation team?

An in-house team implemented it. Don’t use the Visual Studio plugin, unless your solution is really small. Otherwise, use the command line setup.

Which other solutions did I evaluate?

It’s a tool used at the enterprise level; hence, I did not have a chance to explore other options.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Professor at BitBrainery University
Real User
Saved us a lot of time as we focus primarily on programming rather than tool operational work
Pros and Cons
  • "It has saved us a lot of time as we focus primarily on programming rather than tool operational work."
  • "It lacks of some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt."

What is our primary use case?

I analyzed more than 20 applications implemented in BIT Brainery University. The static analysis has to be done every release before putting it in production.

How has it helped my organization?

Even though it was our final choice, it has saved us a lot of time as we focus primarily on programming rather than tool operational work. We did not need third-party consultants.

What is most valuable?

We shared the easy to use dashboard with our programmers and involved outsourcers for a quick issues fix. 

What needs improvement?

It lacks of some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Chief Executive & Certified Security Administrator at Boch Systems Company Limited
Reseller
Good for banking and financial institutions to manage and test product lifecycles
Pros and Cons
  • "This product is top-notch solution and the technology is the best on the market."
  • "The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to."

What is our primary use case?

We recommend this product to our customers. We act as vendors and resellers. This is actually one of the solutions we often recommend to our customers most often. Usually, this is the best choice for banking and financial institutions. It is deployed by their development team in-house. They use it to manage and test product lifecycles.  

What is most valuable?

We actually find all of the product's features valuable. But at this point, we are trying to upsell by adding additional components like RAFT (Re-usable Automation Framework for Testing) to the test cycle.  

What needs improvement?

Strictly in terms of this product, I think it is a top-notch solution and I think the technology is still the best on the market. What might be improved is maybe just look at the pricing. It is a bit confusing compared to other products that we also sell.  

Whatever innovation they can come up with would be an excellent addition if it adds useful functionality. The only thing I can think of that they might add is something like features you can find in Codebashing that they have not yet implemented. I don't know if it has all of those features. If not, it would be useful for something like that to be added.  

For how long have I used the solution?

We have been suggesting the product since before the merger with Hewlett Packard.  

What do I think about the stability of the solution?

This is a very stable product.  

What do I think about the scalability of the solution?

This product is scalable. Most of our customers are enterprise customers. I can point out three off the top of my head. If the product can scale to the enterprise level, it makes sense that it is quite scalable.  

How are customer service and technical support?

The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to. Micro Focus has a whole lot of solutions that are of value in our region, but it seems that they are not doing a proper job of coordination of knowledge. There is a huge knowledge gap from the Micro Focus team in the way they support businesses. We were hoping that the transition was the thing that affected the lack of better support. But by now we should be able to point to who the person is that is in charge and the person to talk to when it comes to the various products. I really don't know anybody in charge of the technical team to help us properly with issues.  

How was the initial setup?

I think the initial setup for the on-demand product is straightforward. The product installed on-premises is somewhat complex. For this reason, it is better that the on-premises version is installed with the help of integrators or consultants. 

What other advice do I have?

I would definitely recommend Micro Focus Fortify any day for clients who are looking for a good security solution.  

On a scale from one to ten where one is the worst and ten is the best, I would rate Micro Focus Fortify on Demand as a nine out of ten.  

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
it_user625875 - PeerSpot reviewer
Director Consulting at a tech services company with 10,001+ employees
Real User
It is very configurable. The installation was also very easy.
Pros and Cons
  • "I do not remember any issues with stability."
  • "The licensing was good."
  • "The installation was easy."
  • "There were some regulated compliances, which were not there."

What is our primary use case?

My primary use case is to help the teams in development. It helps us scan.

How has it helped my organization?

First, you don't have very high requirement and we could do it quickly and efficiently. Second, it was easy for us to install the reading bot facing challenges and such, while doing that installation. Third, when we were doing the scan, it was self intuitive and we were able to scan faster while we had two challenges in the other two solutions that we were using. In terms of finding out where to configure, what are the next steps to configure what we are missing and those kind of areas.

Usually what happens, because we were part of the COE, we had to find those faster and go through old ECs and deliver the results to the short duration income. So, that's where it helped us, it helped us setting up that environment quickly on a laptop, do the scan and come back.

What is most valuable?

The features I found most valuable is that it is very configurable. The installation was also very easy. 

What needs improvement?

Yeah, some of the technologies and framework for libraries were not available at that point of time. For example, if it was in the back end, at that point in time we had to look at other tools. There were some analytical compliances so when we had more tools, it took all the technologies frameworks that Fortify was having. We required this because we were widely working with different clients for the different varieties of technology and domains. There were some regulated compliances, which were not there, but these were the factors because of which we had to use some instances of other tools as well.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

I do not remember any issues with stability. Of course, it is common that if there is some misconfiguration, it can lead to crashes and the site of the code can crash. But, this is something we have learned to tweak and estimate the length of code before the site of the application. Then, we can consider which technology could be configured, what technology should be excluded, and then scan to optimize some of the related issues.

What do I think about the scalability of the solution?

In terms of the scalability of the solution, we did not have a centralized server connecting to multiple clients. We did not have scalablility issues due to our small-scale use.

How is customer service and technical support?

We had a good tech support experience.

How was the initial setup?

It was very straightforward in comparison to other solutions that we had used in the past.

What's my experience with pricing, setup cost, and licensing?

The licensing was good because the licenses have the heavy centralized server. It connects to the other PTs, or even if it connects to the old EC servers. We had to put it within an old EC, in order for the licensing to be available at all scales.Then, you had to open multiple ports in that scenario that was not possible. But, you can do it at the application level, which is faster. You can buy a license, do a scan at that level, as well as scale up. So we also had multiple requests in terms of helping a client before they start in terms of doing something easy so that you do not require a complete license to be purchased.

Which other solutions did I evaluate?

We were using many other tools like TechAbility, IBM AppScan and I think these were the predominant ones.

What other advice do I have?

Today's security has become so complex that you cannot lean completely dependent on one tool. What I have learned is that you should have multiple tools. Now, with different areas coming into space, all of these tools have to co-exist. To make the right choice of a tool is really important. A solution must have ease-of-use. If it becomes too difficult for installing, configuring, learning the scan, then the add option becomes a challenge.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Co-Founder at TechScalable
Real User
A feature-rich solution for simplified designing and architecting
Pros and Cons
  • "Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices. Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much."
  • "In terms of communication, they can integrate a few more third-party tools. It would be great if we can have more options for microservice communication. They can also improve the securability a bit more because security is one of the biggest aspects these days when you are using the cloud. Some more security features would be really helpful."

What is our primary use case?

We are architecting applications for e-commerce websites similar to Amazon. Everything is running on the cloud, and Micro Focus Fortify on Demand is totally integrated with our solution at this point in time.

What is most valuable?

Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices.

Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much.

What needs improvement?

In terms of communication, they can integrate a few more third-party tools. It would be great if we can have more options for microservice communication.

They can also improve the securability a bit more because security is one of the biggest aspects these days when you are using the cloud. Some more security features would be really helpful.

For how long have I used the solution?

I have been using this solution for three years.

What do I think about the stability of the solution?

We have not come across anything major. We have been using it for quite a while, and we are happy with it. 

What do I think about the scalability of the solution?

Scalability is good. Our customer bases are not that huge. Bigger enterprises may have trouble in scaling it, but for our load of work, it is working fine.

We have more than ten users. We are a very small startup, and we don't have too many people. 

How are customer service and technical support?

Till now, we have not raised any tickets. If we are stuck with something, we just google and find out. We use their documentation, which is good enough. That's why we didn't raise any technical queries or things like that.

How was the initial setup?

It was good. I don't think we struggled that much.

What about the implementation team?

We implemented it ourselves. We have two people to maintain this solution.

Which other solutions did I evaluate?

We didn't evaluate any other solution. I was trying to find out which solution should I use, and I just saw good reviews of this solution. This was the first solution that we tried out, and we liked it. We started with a trial, and it was doing good. Our necessities were met, so we didn't try to figure out any other competitive tool in the market. 

What other advice do I have?

You can choose this product for sure with a lot of confidence. It entirely depends on how you are exploring the stuff and trying to integrate it. Designing has to be good. It has all the features, but exploring the features and using it as per your need is important. It is not that features are not there. You just need to explore them and know how to use them. 

I would rate Micro Focus Fortify on Demand an eight out of ten. It is a good product. However, it needs improvements from the security aspect and from the aspect of integrations with other popular tools in the market.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Application Security Tools Report and find out what your peers are saying about OpenText, Sonar, Checkmarx, and more!
Updated: January 2024
Buyer's Guide
Download our free Application Security Tools Report and find out what your peers are saying about OpenText, Sonar, Checkmarx, and more!