Fortify on Demand Reviews

Security defects are captured early in the lifecycle and fixed quicker. Usage of Fortify has made developers more aware about security vulnerabilities and their consequences, as well as various secure programming practices.

• Scan wizard: for configuring large scans
• Audit workbench: for on-the-fly defect auditing
• CLI: to integrate the tool into CI/CD

.NET code scanning is still dependent on building the code base before running any scan. Also, it's dependent on an IDE such as Visual Studio.

More conventional reporting formats need to be provided.

Also, a provision should be available to generate customized reports.

For code bases heavy on JavaScript, the static scan takes a long time (as long as two days). Even then, the scan crashes at times. Increasing system memory doesn't seem to improve the situation (tried with 16/32 GB system memory).

It requires a high-end system with 8/16/32 GB RAM for stable performance.

I haven't reached out to HP Support so far.

I did not previously use any product for static application security.

Initial setup is quite easy.

Buying a license would be feasible for regular use. For intermittent use, the cloud-based option can be used (Fortify on Demand).

Before choosing this product, we evaluated Veracode and Checkmarx (among licensed), and FindBugs and Yasca (among free).

If you are already using HPE tools and services such as ALM, then Fortify is a good option, as it provides out-of-the-box support for these. Scanning capability-wise, the tool is decent enough, and is also easy to use. However, it generates a large number of false positives after a scan, which can be tedious to verify manually.

Both editions of the product have their advantages, and they complement each other.

Since we adopted HP Fortify, our organization has added more divisions that focus on penetration testing.

HP Fortify already covers the need for security testing and is easy to use for new users. The only thing that comes to mind regarding room for improvement are the security vulnerability updates.

My company has been using this solution for about one year.

I have not encountered any deployment, stability or scalability issues. I haven't had any complaints about technical issues from our client, either.

I have not yet contacted customer service or technical support.

I do know of some software that have similarities, but I’ve never used any of them before.

Most of our clients use straightforward implementation; we recommend straightforward implementation because of the simplicity of the architecture and usage. For example, installing using the best practices for each product.

We implemented it for our customer.

HP Fortify is perfect for any company that creates their own applications or uses vendor-developed ones; it’s great for QA and development phases.

HP Fortify is easy to use and offers lots of integration options; those options allow us to have more diverse implementations that fit the requirements.

The static code analyzer provides views from a security perspective and it is easy to use compared to others.

We use it to evaluate security from the code and provide results from a security perspective as opposed to a developer’s perspective.

Reports can be better visually with graphics such as charts included. Charts (pie, bar, some graph) could show the percentage of the vulnerability categories identified, as opposed to listing them all in a table. At a higher level, it would be nice to aggregate the analysis.

I have used it for 3.5 years.

I did not encounter any deployment issues. It was fairly simple and easy to install/deploy.

Technical support is 6/10. I find the Internet to be more helpful at times than their own tech support in finding answers.

Initial setup was easy and intuitive: just specify the license path and install the product.

We implemented it in-house.

Quality vs quantity: You pay more for a higher-quality product and meets your needs, compared to others that might be cheaper, but you have to crawl to get what you are looking for.

While I did evaluate others, it depends on the budget.

It is a good product to choose for SCA and cloud deployment. If you choose SSC, don’t always look at the price, as the other products might not conduct the same analysis as HP Fortify does. Not all products are created equal.

The solution simply identifies any security flaws that any of our applications might have.

This identification provides us an advantage in that the service itself works to stay abreast and knowledgeable about emerging threats. Rather than have a security team dedicated to that effort, we don’t have to deal with that in a time consuming, direct manner. We don't need to have these skills in-house.

I find that while it does find a lot of legitimate threats, it tends to have a lot of false positives, and there are more false positives than I would like to see. It flags threats that sometimes are not, and when we have to investigate that it takes time. If they could improve the intelligence then I think it could really help the system function more efficiently. The dynamic time scan takes about seven days, and this could be a bit quicker. We like to incorporate the scan into every build cycle and if we have to wait for a seven day business cycle it has to go into our scheduling. If that could be improved there would be a lot of happy people.

It predates my employment; I’m certain we signed up in 2013 – roughly three years ago.

We have had no issues with the deployment.

I would say it’s fairly stable. It’s a web application so of course there are browser hiccups but I would give it a high score for stability. Once in a while there is a page refresh, but nothing major.

We have four applications and we’ve been able to get them all in there, I don’t see it having a limit.

Customer service has been good once we get attention, which comes back to the false positive issue.

Sometimes the results need clarifications. They could be a bit more responsive as once we get someone the interactions have been good and helpful.

This was our first foray into a hosted service.

The deployment was super easy as the interface is straightforward. It was almost too easy.

If you haven’t run any formal scan be prepared for it to come back and be a bit scary.

It's saved us a lot of time as we focus primarily on security consultancy work rather than tool operational work.

Also, the features SAST, DAST, Dashboard/Reports, Fortify on Demand Portal and Vulnerability Tracking, have all helped with our work.

Finally, it's reduced operational costs as we minimized security incidents and ensured all vulnerabilities are remediated during the development lifecycle.

The results it provides are more than 95% accurate, helping us to focus on the right things first.

Our new software procurement process benefited as well as we use this as a central control to provide security assurance and evaluate the quality of our deliverables.

Its ease-of-use has influenced developer behavior and enabled them to follow security principles.

It would be useful if they could integrate secure design reviews, security user stories in Fortify on Demand Portal, and also look for possible options to get just one view of risks for given services (Covering Application, Infrastructure, Pen. Test, etc.).

I’ve used it since 2010.

We've had no issues with deployment.

It’s a very stable product. We've had no issues with instability.

It’s scaled for our needs. We've had no issues with un-scalability.

Customer service is excellent.

The technical support is very good.

We've used various other tools, including the Fortify on-premise solution. We chose Fortify on Demand as it is cost effective, scalable, easy to deploy, and helps us to manage our vulnerabilities centrally.

The initial setup was very easy and straightforward. We were able to roll out this service to all our business units.

We performed the installation in-house.

There is no setup cost as it is an on-demand solution. However, if there is any firewall change required for an internal application, we would need to raise that from our end.

We considered SonarQube, MSFox, and CodeInspect.

Fully utilize this product and its feature as it covers almost everything required for software security assurance.

It enforces source-code scanning, finding vulnerabilities in source code.

We're able to find vulnerabilities and weaknesses actually posting to site. We can get to these issues in our staging areas for active data and for verifying user vulnerabilities. It helps the development cycle in that we don't need other people involved in the scans. We're doing pre-scans and then getting other teams involved.

There are a lot of false positives and there's not a good way to manage them. They appear after every scan, and it would be nice to have them marked out so that we don't see them.

We've had no issues with deployment.

Stability could use a little improvement as we've had some issues. It runs out of memory sometimes and uses a lot of resources. Sometimes the scans don't work.

For code scans, company size doesn't really matter so much as the size of the code. It works well with the code scans we're running. Our lines of code aren't as huge as other applications we build, and it doesn't support every type of our applications, which are primarily .NET and HPE apps.

Technical support isn't top-notch, but it's not bad. It's just average. They take a while to resolve issues.

The initial setup was pretty easy and straightforward.

Find the solution that works best for your environment, using the group concept to try them all. Then determine which is best for you.

It's one of the leaders in the application security space. I've used Fortify since 2007, and I think the most valuable feature is its ability to address the source code scanning and dynamic scanning in a known, correlated way. I think the best way to address application security is to have multiple types of scanning and a unified view for the customer.

It's forced the incorporation of security in the development process. That's really the biggest benefit for us.

It could use better integration with the incident management processor. This would allow us to understand the vulnerabilities that arise in the software and how they're linked to the incident management center.

The deployment has not had issues.

It is a quite stable solution.

It's quite scalable and addresses a huge volume.

It's good, but could be better to align with other main vendors, such as IBM.

It's not straightforward, but it's not complex either. It could also be improved.

I'm very familiar with IBM and Barracuda and others. I always know HP's competition, but I feel most comfortable with HP.

My advice would be to look not only at the software, but also at the processor and the people who will be using the software. You should buy not just the software, but also the services to train people to use it.

• It's On-Demand, and cloud-based which is well suited to occasional and price-conscious use.
• Fast turn-around allows for easy integration into the development process without any major impact on development efforts.

It has added a very quick turnaround for security code reviews which allowed us to integrate this (formerly missing) function into the overall development and testing lifecycle.

It needs to support more languages.

I've used it for three months.

No issues encountered.

No issues encountered.

No issues encountered.

Excellent – from the PoC through setup and implementation; we received timely and knowledgeable support whenever we need it.

We tried to do it by hand (which was very time consuming and error-prone) and some tools built-in to Visual Studio (which was not widely accepted by individuals).

We had some issue with logins and account setups, but received excellent support.

We implemented it ourselves with the help of HP.

Don’t know since the project got cancelled.

Take advantage of the free trial and conduct a meaningful PoC. Get a buy-in from upper management early and co-ordinate with all stakeholders (e.g. developers, testing and/or QA groups).