it_user625875 - PeerSpot reviewer
Director Consulting at a tech services company with 10,001+ employees
Real User
It is very configurable. The installation was also very easy.
Pros and Cons
  • "I do not remember any issues with stability."
  • "The licensing was good."
  • "The installation was easy."
  • "There were some regulated compliances, which were not there."

What is our primary use case?

My primary use case is to help the teams in development. It helps us scan.

How has it helped my organization?

First, you don't have very high requirement and we could do it quickly and efficiently. Second, it was easy for us to install the reading bot facing challenges and such, while doing that installation. Third, when we were doing the scan, it was self intuitive and we were able to scan faster while we had two challenges in the other two solutions that we were using. In terms of finding out where to configure, what are the next steps to configure what we are missing and those kind of areas.

Usually what happens, because we were part of the COE, we had to find those faster and go through old ECs and deliver the results to the short duration income. So, that's where it helped us, it helped us setting up that environment quickly on a laptop, do the scan and come back.

What is most valuable?

The features I found most valuable is that it is very configurable. The installation was also very easy. 

What needs improvement?

Yeah, some of the technologies and framework for libraries were not available at that point of time. For example, if it was in the back end, at that point in time we had to look at other tools. There were some analytical compliances so when we had more tools, it took all the technologies frameworks that Fortify was having. We required this because we were widely working with different clients for the different varieties of technology and domains. There were some regulated compliances, which were not there, but these were the factors because of which we had to use some instances of other tools as well.

Buyer's Guide
Fortify on Demand
April 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
767,095 professionals have used our research since 2012.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

I do not remember any issues with stability. Of course, it is common that if there is some misconfiguration, it can lead to crashes and the site of the code can crash. But, this is something we have learned to tweak and estimate the length of code before the site of the application. Then, we can consider which technology could be configured, what technology should be excluded, and then scan to optimize some of the related issues.

What do I think about the scalability of the solution?

In terms of the scalability of the solution, we did not have a centralized server connecting to multiple clients. We did not have scalablility issues due to our small-scale use.

How are customer service and support?

We had a good tech support experience.

How was the initial setup?

It was very straightforward in comparison to other solutions that we had used in the past.

What's my experience with pricing, setup cost, and licensing?

The licensing was good because the licenses have the heavy centralized server. It connects to the other PTs, or even if it connects to the old EC servers. We had to put it within an old EC, in order for the licensing to be available at all scales.Then, you had to open multiple ports in that scenario that was not possible. But, you can do it at the application level, which is faster. You can buy a license, do a scan at that level, as well as scale up. So we also had multiple requests in terms of helping a client before they start in terms of doing something easy so that you do not require a complete license to be purchased.

Which other solutions did I evaluate?

We were using many other tools like TechAbility, IBM AppScan and I think these were the predominant ones.

What other advice do I have?

Today's security has become so complex that you cannot lean completely dependent on one tool. What I have learned is that you should have multiple tools. Now, with different areas coming into space, all of these tools have to co-exist. To make the right choice of a tool is really important. A solution must have ease-of-use. If it becomes too difficult for installing, configuring, learning the scan, then the add option becomes a challenge.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Co-Founder at TechScalable
Real User
A feature-rich solution for simplified designing and architecting
Pros and Cons
  • "Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices. Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much."
  • "In terms of communication, they can integrate a few more third-party tools. It would be great if we can have more options for microservice communication. They can also improve the securability a bit more because security is one of the biggest aspects these days when you are using the cloud. Some more security features would be really helpful."

What is our primary use case?

We are architecting applications for e-commerce websites similar to Amazon. Everything is running on the cloud, and Micro Focus Fortify on Demand is totally integrated with our solution at this point in time.

What is most valuable?

Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices.

Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much.

What needs improvement?

In terms of communication, they can integrate a few more third-party tools. It would be great if we can have more options for microservice communication.

They can also improve the securability a bit more because security is one of the biggest aspects these days when you are using the cloud. Some more security features would be really helpful.

For how long have I used the solution?

I have been using this solution for three years.

What do I think about the stability of the solution?

We have not come across anything major. We have been using it for quite a while, and we are happy with it. 

What do I think about the scalability of the solution?

Scalability is good. Our customer bases are not that huge. Bigger enterprises may have trouble in scaling it, but for our load of work, it is working fine.

We have more than ten users. We are a very small startup, and we don't have too many people. 

How are customer service and technical support?

Till now, we have not raised any tickets. If we are stuck with something, we just google and find out. We use their documentation, which is good enough. That's why we didn't raise any technical queries or things like that.

How was the initial setup?

It was good. I don't think we struggled that much.

What about the implementation team?

We implemented it ourselves. We have two people to maintain this solution.

Which other solutions did I evaluate?

We didn't evaluate any other solution. I was trying to find out which solution should I use, and I just saw good reviews of this solution. This was the first solution that we tried out, and we liked it. We started with a trial, and it was doing good. Our necessities were met, so we didn't try to figure out any other competitive tool in the market. 

What other advice do I have?

You can choose this product for sure with a lot of confidence. It entirely depends on how you are exploring the stuff and trying to integrate it. Designing has to be good. It has all the features, but exploring the features and using it as per your need is important. It is not that features are not there. You just need to explore them and know how to use them. 

I would rate Micro Focus Fortify on Demand an eight out of ten. It is a good product. However, it needs improvements from the security aspect and from the aspect of integrations with other popular tools in the market.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Fortify on Demand
April 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
767,095 professionals have used our research since 2012.
R&D at a tech services company with 51-200 employees
Real User
Effective on-demand feature, easy to use cloud, and great support
Pros and Cons
  • "There is not only one specific feature that we find valuable. The idea is to integrate the solution in DevSecOps which we were able to do."

    What is our primary use case?

    We are using Micro Focus Fortify on Demand because in the beginning we were using the on-premise version and it was very limited. We thought we could do everything wanted with the on-premise solution. However, it was not easy to use. 

    We are testing the Micro Focus Fortify on Demand solution to improve security.

    We are using the on-premise version of this solution for the static code for developers. For the dynamic code, we're using Micro Focus Fortify on Demand.

    What is most valuable?

    There is not only one specific feature that we find valuable. The idea is to integrate the solution in DevSecOps which we were able to do. We were working with a different solution called SolarCloud previously and it was limited. We are trying to find the right level of security for our needs.

    For how long have I used the solution?

    I have been using Micro Focus Fortify on Demand for approximately eight months.

    How are customer service and support?

    The support is good. Their support is in the Netherlands, sometimes it takes some time for the time zone difference between Latin America and the Netherlands but overall the support is good.

    How was the initial setup?

    The implementation of Micro Focus Fortify on Demand was simple, since it is on the cloud everything is automatic. They give you an account and that is all, you use the product.

    The premise solution is more rentable. However, it is asking for a lot of effort in the implementation, administration, and integration in the pipeline. It takes time until the company comes to the right level to be able to manage this product. Even with the right partners in Latin America that work with us, it took some time.

    What about the implementation team?

    We had partners in Latin America that help us integrate the implementation of the Micro Focus Fortify on Demand.

    What's my experience with pricing, setup cost, and licensing?

    The solution is expensive and the price could be reduced.

    What other advice do I have?

    My advice to others is if you choose Micro Focus Fortify on Demand, it's very simple to use. If they choose the on-premise version for the static code, they will need a person to manage it to be sure that it's integrated with all the pipelines that they developed. 

    I rate Micro Focus Fortify on Demand a seven out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Security Information Manager at a tech services company with 10,001+ employees
    Real User
    Solid usability for security and vulnerability issues
    Pros and Cons
    • "The features that I have found most valuable include its security scan, the vulnerability finds, and the web interface to search and review the issues."
    • "In terms of what could be improved, we need more strategic analysis reports, not just for one specific application, but for the whole enterprise. In the next release, we need more reports and more analytic views for all the applications. There is no enterprise view in Fortify. I would like enterprise views and reports."

    What is our primary use case?

    I use it for SAST, security analysis static code.

    What is most valuable?

    The features that I have found most valuable include its security scan, the vulnerability finds, and the web interface to search and review the issues.

    What needs improvement?

    In terms of what could be improved, we need more strategic analysis reports, not just for one specific application, but for the whole enterprise.

    In the next release, we need more reports and more analytic views for all the  applications. There is no enterprise view in Fortify. I would like enterprise views and reports.

    For how long have I used the solution?

    I am using Micro Focus Fortify on Demand for one year.

    What do I think about the stability of the solution?

    It is very stable.

    What do I think about the scalability of the solution?

    It is scalable. Micro Focus Fortify on Demand requires a big hardware with a big processing capacity, but it is scalable.

    How are customer service and support?

    Their customer support is very good. I sometimes need it, and I get the answer quickly. They are very helpful.

    How was the initial setup?

    The initial setup is not so easy, but not so difficult. I would say it is medium difficulty.

    What other advice do I have?

    On a scale of one to ten, I would give Micro Focus Fortify on Demand an eight.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    it_user488193 - PeerSpot reviewer
    System Engineer at a tech services company with 501-1,000 employees
    Consultant
    Both editions of the product have their advantages, and they complement each other.

    What is most valuable?

    Both editions of the product have their advantages, and they complement each other.

    How has it helped my organization?

    Since we adopted HP Fortify, our organization has added more divisions that focus on penetration testing.

    What needs improvement?

    HP Fortify already covers the need for security testing and is easy to use for new users. The only thing that comes to mind regarding room for improvement are the security vulnerability updates.

    For how long have I used the solution?

    My company has been using this solution for about one year.

    What was my experience with deployment of the solution?

    I have not encountered any deployment, stability or scalability issues. I haven't had any complaints about technical issues from our client, either.

    How are customer service and technical support?

    I have not yet contacted customer service or technical support.

    Which solution did I use previously and why did I switch?

    I do know of some software that have similarities, but I’ve never used any of them before.

    How was the initial setup?

    Most of our clients use straightforward implementation; we recommend straightforward implementation because of the simplicity of the architecture and usage. For example, installing using the best practices for each product.

    What about the implementation team?

    We implemented it for our customer.

    What other advice do I have?

    HP Fortify is perfect for any company that creates their own applications or uses vendor-developed ones; it’s great for QA and development phases.

    HP Fortify is easy to use and offers lots of integration options; those options allow us to have more diverse implementations that fit the requirements.

    Disclosure: My company has a business relationship with this vendor other than being a customer: My company distributes HP Fortify.
    PeerSpot user
    Head of Compliance & Quality / CISO at a tech services company with 51-200 employees
    Real User
    Has improved our security through static code analysis
    Pros and Cons
    • "The static code analyzers are the most valuable features of this solution."
    • "The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment."

    What is our primary use case?

    Our primary use case for this solution is static code analysis.

    How has it helped my organization?

    This solution has helped us to improve our security processes.

    What is most valuable?

    The static code analyzers are the most valuable features of this solution.

    What needs improvement?

    The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment. It needs a better configuration and more options for reports.

    For how long have I used the solution?

    Four months.

    What do I think about the stability of the solution?

    The solution is working, so I would say that its stability is fine.

    What do I think about the scalability of the solution?

    We have approximately twenty users who perform code scanning. They are developers and security experts. We do plan to increase our usage of this solution in the future.

    How are customer service and technical support?

    Technical support for this solution is fine.

    How was the initial setup?

    The initial setup of this solution is straightforward.

    It took approximately two hours to deploy, and because it is a cloud-based solution it does not require anybody for maintenance.

    What about the implementation team?

    We handled the implementation in-house.

    What was our ROI?

    All I can say is that it is reducing security issues.

    Which other solutions did I evaluate?

    We evaluated Veracode before choosing this solution.

    What other advice do I have?

    This solution works, so I suggest using it.

    I would rate this solution an eight out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    it_user362055 - PeerSpot reviewer
    Senior Manager at a tech services company with 10,001+ employees
    Real User
    It addresses the source code scanning and dynamic scanning in a known, correlated way.

    Valuable Features

    It's one of the leaders in the application security space. I've used Fortify since 2007, and I think the most valuable feature is its ability to address the source code scanning and dynamic scanning in a known, correlated way. I think the best way to address application security is to have multiple types of scanning and a unified view for the customer.

    Improvements to My Organization

    It's forced the incorporation of security in the development process. That's really the biggest benefit for us.

    Room for Improvement

    It could use better integration with the incident management processor. This would allow us to understand the vulnerabilities that arise in the software and how they're linked to the incident management center.

    Deployment Issues

    The deployment has not had issues.

    Stability Issues

    It is a quite stable solution.

    Scalability Issues

    It's quite scalable and addresses a huge volume.

    Customer Service and Technical Support

    It's good, but could be better to align with other main vendors, such as IBM.

    Initial Setup

    It's not straightforward, but it's not complex either. It could also be improved.

    Other Solutions Considered

    I'm very familiar with IBM and Barracuda and others. I always know HP's competition, but I feel most comfortable with HP.

    Other Advice

    My advice would be to look not only at the software, but also at the processor and the people who will be using the software. You should buy not just the software, but also the services to train people to use it.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    it_user310152 - PeerSpot reviewer
    it_user310152Fortify Business Development at a tech vendor with 10,001+ employees
    Vendor

    In terms of integration with SIM/SIEM solution, what do you use?

    Information Security Manager at a tech services company with 501-1,000 employees
    Real User
    Easy to set up, stable and scalable
    Pros and Cons
    • "It's a stable and scalable solution."
    • "Reporting could be improved."

    What is our primary use case?

    We use Micro Focus Fortify on Demand to access web applications and more.

    What needs improvement?

    Reporting could be improved. It would nice to export to an Excel sheet or another spreadsheet. At the moment, my only option is a PDF.

    Micro Focus Fortify on Demand is tailored towards more web application APIs, and I would like to see mobile applications added to the next release.

    For how long have I used the solution?

    We've been using Micro Focus Fortify on Demand for almost two years.

    What do I think about the stability of the solution?

    Focus Fortify on Demand is a stable solution.

    What do I think about the scalability of the solution?

    Focus Fortify on Demand is a scalable solution. 

    How was the initial setup?

    The setup and installation were straightforward. 

    What other advice do I have?

    On a scale from one to ten, I'll give it an eight.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Buyer's Guide
    Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.
    Updated: April 2024
    Buyer's Guide
    Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.