What is our primary use case?
Fortify On Demand is a cloud-based service/software-as-a-service model. Fortify On-Prem, which I have implemented, is an on-prem service where the customer provides the server infrastructure, and then Fortify On Demand comes fully implemented out of the box.
But you're still able to connect all of your Git repositories and your build environments like Maven and Gradle and all these different build environments, even Jenkins, which customers are using. It's fully connected whether it's on-prem or cloud, and then you can do a full scan analysis of your security posture.
SAST and DAST scanning: dynamic application scanning as well as static application scanning. So that would be websites, and you can do an audit and crawl scan of your web-based or web-facing applications, and then also scan the source code of your applications statically.
How has it helped my organization?
The source code analyzer is the actual tool. It's the engine that sits behind Fortify. And this engine or this intelligence is within your tools. So, the great thing about Fortify is that you have plugins for your build environment. So when you're building and executing that code, you can scan that code at that interval. You can shift left. The commonality is that you want to shift left. You want to find threats early in production, as early as before it actually goes into production. It saves money that way, so you don't have to recode or reinvent your entire architecture.
We also have plugins for your actual interface. We call them IDEs. It's the interface where the developer will actually code and write programs. So from there, the source analyzer will give an analysis, and the developer can fix the code.
Then the second gateway that we have is our plugins work in both environments. So when the developer has written and remediated and fixed some of the issues, in the build environment, when he's testing his code, when it's actually running the application, the Source Code Analyzer will then analyze it again, and then there can be remediation. The code can be fixed.
We even have a tool called RASP, which is a tool that works in production. So even when your code is now being published, it's now an actual application, it's a live application, we have a RASP tool also in Fortify that also further on, in real-time, will scan and do an analysis of your code to find any zero-day attacks or threats or emerging threats. And then, again, from the dashboard interface, you'll be able to remediate.
And you can also do it on demand; we built AI Audit Assistance 2.0. It's the GEM 2.0 tool that we now have in Fortify that uses artificial intelligence where you can set thresholds. You can set a score to say that if I am sure, or if the system is sure with absolute certainty, with 90% accuracy, that there is, in fact, a threat or a high risk, it will find those vulnerabilities and give you a score.
So, what it does is actually reduce the time spent on false positives. When you have false positives, you have to scrutinize all of them. We've got a lot of new technologies and methods within Fortify that allow us to reduce the false-positive rate that you generally find with scanning tools because we're using artificial intelligence as well as the source code analyzer tool. All of this has been built over years and years of development and research, and it actually gives you a better rate of reducing false positives, and you can then remediate actual threats. So, the tool has a lot of value.
The reduction of false positives is in the region of 98% or more. We now have even a new tool or AI product line called Aviator. So Fortify, OpenText Fortify now harnesses the power of artificial intelligence within the architecture, which will reduce your false-positive rate and actually give you scores on actual threats that it finds. Then, the threats and the threshold scores, the threats that are not seen as a low risk or a medium risk, can still be tended to.
So, it doesn't exclude the thresholds. It will still give you a full analysis, but it will, with surety and with the correct analysis, give you the threats that do matter, the threats that you do need to tend to immediately.
By doing this, you also reduce the time to threat response because in cybersecurity, your time to threat response is very important. You need to ensure that you detect the threats early and that your response time is also very quick to reduce any business impact or downtime to a business. So, this is where Fortify really excels with all the new technology and artificial intelligence metrics that we have within our architecture.
What is most valuable?
The source code analyzer is the most effective for identifying security vulnerabilities. It is the engine or the artificial intelligence behind the scanning engine that does the actual analysis of the data, and it then creates an FPR file. This FPR file can then be further analyzed and tested in ScanCentral, which is your centralized dashboard for security auditing and remediation.
So from there, once you've got the artifact or this file, which is created from scanning all of your applications, it gives you a comprehensive overview of the vulnerability scores or the bug densities of your code, and then you can further analyze and test that code and draw reports from ScanCentral.
So, these reports are against the OWASP Top Ten. So you've got different reports that will give you a detailed analysis of your scan data, and it also does it in a dashboard format. So you then get a comprehensive report, and you can also draw a developer's workbook report, which you can send to developers, where they actually have a bird's-eye view or code-level view of the vulnerabilities and the recommendations made by Fortify on how you can remediate those threats or vulnerabilities.
And you can then improve your bug density and scores, and you can also do that from the dashboard interface. You can also remediate and within the dashboard, change your score. So you have the dashboard, which gives you a comprehensive overview across all the applications. Also, as you remediate and fix your code, the dashboards update your scores, and then you have a view, and you can control your bug densities across all of the applications once you've onboarded each and every application. And that's across all your DAST and SAST applications. And this is on a centralized dashboard.
Fortify is constantly improving. Their tools and their interfaces are modernized with every new feature or every new version. I constantly see improvements by OpenText. OpenText is very intuitive. They're also implementing a lot of new AI capabilities with the NerdTools, which I think is remarkable.
What needs improvement?
There are no challenges with the product itself. The product is very reliable. It does have a steep learning curve. But, again, one thing that Fortify or OpenText does very well is training. There are a lot of free resources and training in the community forums, free training as well as commercial training, where users can train on how to use the back-end systems and the scanning engines and how to use command-line arguments, because some of the procedures or some of the tools do require a bit of a learning curve.
That's the only challenge I've really seen for customers because you have to learn how to use the tool effectively.
But Fortify has, in fact, improved its user interface and the way users engage the dashboards and the interfaces. It is intuitive. It's easy to understand.
But in some regards, the cybersecurity specialist or AppSec would need a bit of training to engage the user interface and to understand how it functions. But from the point of the reliability index and how powerful the tool is, there's no challenge there. But it's just from a learning perspective; users might need a bit more skill to use the tool. The user interface isn't that tedious. It's not that difficult to understand. When I initially learned how to use the interfaces, I was able to master it within a week and was able to use it quite effectively.
So training is required. All skills are needed to learn how to use the tool.
I would like to see more enhancements in the dashboards. Dashboards are available. They do need some configuration and settings. But I would like to see more business intelligence capabilities within the tool.
It's not particularly a cybersecurity function, but, for instance, business impact analysis or other features where you can actually use business intelligence capabilities within your security tool. That would be remarkable because not only do you have a cybersecurity tool, but you also have a tool that can give you business impact analysis and some other measurements. A bit more intelligence in terms of that from a cybersecurity perspective would be remarkable.
For how long have I used the solution?
I've been working with Fortify On Demand for two years.
What do I think about the stability of the solution?
I would rate the stability a ten out of ten. It is very stable.
What do I think about the scalability of the solution?
It is a very scalable solution. Our customers are in banking and insurance. It's currently used by some of the major US banks. So, a lot of our clients are in the banking, insurance, and services industries.
I would rate the scalability a ten out of ten. It is suitable for medium to large businesses.
How are customer service and support?
Customer support is amazing. They've got community forums, customer resources, a lot of free resources, and their premium support is very effective. So they have proper support internationally. They've been very good.
How was the initial setup?
Fortify On Demand is fully functional and fully integrated with an open-source analysis tool that's fully integrated with Fortify On Demand. So, Fortify On Demand is easy to use. It's intuitive. No implementation or training is required.
Fortify on-prem requires a bit of work, but I was able to set up, in a lab environment, the controllers, the scanners, the architecture, and all of the different servers in a virtualized environment. You could set it up relatively easily without requiring major training because the user guides are very easy to follow. I've set up lab environments within an hour.
So you could literally set up your entire on-prem Fortify solution within an hour because it is a very simple process to follow. The setup, installation, and configuration of the files are not that difficult to do. So you could effectively do it within an hour. You could set up the entire environment.
I would rate my experience with the initial setup an eight out of ten, where ten is easy and one is difficult.
Cloud and on-prem, so that it's hybrid. There are three tiers for the deployment model. You can do Fortify On Demand, which is a fully functional system on the cloud; Fortify On Prem, which is a system where your Fortify system is installed on client servers or on-premises; and then hybrid, which would be a combination of both services where you have some implementation with the client and some in the cloud.
What was our ROI?
Fortify On Demand improved the overall security posture of our customers. Fortify On Demand has reduced not only bug densities but also their attack surface quite drastically. And it's in real time because it's got real-time dashboards, and their security teams are more proactive. It's a lot easier for them to implement their security mechanisms and gateways because Fortify allows that. I have seen a dramatic reduction in bug densities and incidents. So, a major reduction in security incidents as a result of using Fortify.
What's my experience with pricing, setup cost, and licensing?
In comparison with other tools, they're competitive. It is not more expensive than other solutions, but their pricing is competitive.
The licenses for Fortify On Demand are generally bought in units. So it's scalable in terms of pricing. It's tailored for the customer in terms of the number of units the customer requires or the number of applications or users that the customer will onboard onto the system. So it is scalable in that regard.
What other advice do I have?
As an expert, a lot of what I've seen in the tool is to use the principle of defense in-depth. Because that is the objective of Application Security, Fortify. Customers often need to look at their current security architecture, security gateways, rules, and policies.
To best utilize Fortify is to shift left, to use all of the tools and plugins that Fortify has throughout the SDLC process, to use the IDE tools, including the board tools, to use all of these respective tools together. And to shift left, to start from the IDE perspective, before source code even goes into production, before it even reaches a build environment. It is to reduce bug densities by shifting left. Use Fortify to get your bug densities and your security or your attack surfaces to reduce it by shifting left from inception, before the code is even written. They can scrutinize, go into Fortify tools, analyze them, and progressively test your code using all the tools that Fortify provides.
A lot of customers already use their own tools and their own third-party tools. It's best to use one security architecture. So for instance, rather use Fortify with Brakeman and RASP, use the Fortify suite of tools as your one architecture instead of using several third-party tools. It's always good to centralize your security architecture and use one architecture for your entire security posture instead of using different tools. Fortify has all the capabilities to centralize your security attack methodology.
So, your attack surface comes from different perspectives. It comes from an open-source code perspective. So you've got open-source code. You have proprietary code. You have repositories. You have different places where your code is, even in Azure. We even have a plugin for Azure. The point is to use all of the capabilities of Fortify as your central tool instead of using disparate tools that do not integrate with Fortify, that do not work with Fortify. It's always good to have one solid architecture as opposed to multiple disjointed tools.
Overall, I would rate it a ten out of ten. I've used several technologies and tools, even open-source or free tools, over the last fifteen years. In my opinion, from the perspective of the many tools used and other competitors, I have found Fortify to be the most reliable. They kind of align with my principles and the principles of cybersecurity specialists with defense-in-depth and shifting left. Because those are very important principles to me. And also confidentiality, integrity, and availability. They align with all of those pillars and building blocks of cybersecurity.
Which deployment model are you using for this solution?
Hybrid Cloud
*Disclosure: My company has a business relationship with this vendor other than being a customer: