Fortify Static Code Analyzer Overview

Fortify Static Code Analyzer is the #1 ranked solution in top Static Code Analysis tools. PeerSpot users give Fortify Static Code Analyzer an average rating of 8.0 out of 10. Fortify Static Code Analyzer is most commonly compared to Black Duck: Fortify Static Code Analyzer vs Black Duck. Fortify Static Code Analyzer is popular among the large enterprise segment, accounting for 75% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from financial services firms, accounting for 25% of all views.
Buyer's Guide

Download the Static Code Analysis Buyer's Guide including reviews and more. Updated: November 2022

What is Fortify Static Code Analyzer?

Fortify Static Code Analyzer (SCA) utilizes numerous algorithms in addition to a dynamic intelligence base of secure coding protocols to investigate an application’s source code for any potential risk of malicious or dangerous threats. Additionally, the solution will prioritize the most critical concerns and give direction on how users can repair those concerns. This solution researches each and every potential route that workflow and data can travel to discover and repair all possible vulnerabilities. Fortify SCA allows users to create safe and secure software quickly. Users are able to discover potential security gaps more quickly with precise outcomes and repair them immediately.

Fortify Static Code Analyzer Benefits

  • CI/CD pipeline security: Fortify SCA integrates well with third-party tools such as ALM Octane, Atlassian Bamboo, Azure DevOps, Eclipse, Jenkins, and Jira. It offers real-time scan results, immediate recommendations, and collaborative auditing, and finds threats faster. It also discovers and prioritizes weaknesses to reduce risk.

  • Cost-effective: Improves coding actions by training users as they work to better understand the relationship of static application security testing (SAST). Fortify SCA is able to find more vulnerabilities than other solutions and delivers significantly fewer false positives.

  • Quick and reliable scanning: Fortify SCA will discover and eradicate weaknesses in byte, binary, or source code. SAST is able to stop the bulk of code issues at the start of development. The solution is able to discover 815 specific categories of risk, works through 27 programming languages and more than one million different APIs. Fortify SCA has a positive rate of 100% in the OWASP 1.2 benchmark.

Fortify Static Code Analyzer Features

  • Flexible deployment: Using Fortify On Demand, users can work in a complete SaaS environment. Fortify Hosted allows users to use on-premises and SaaS to work in a secure virtual space with complete control. Fortify-On-Prem gives users absolute control of the Fortify SCA solution.

  • Security assistant: Users have an interactive guide as they create code that provides risk analysis and anticipated outcomes. Security Assistant is an outstanding immediate feedback tool that gives instant results with significantly fewer false positives.

  • Audit assistant: This feature uses machine learning to reduce manual audit time while prioritizing the most important risks to users' networks. It provides automated audits in minutes. Any manual examinations are reduced, all issues are prioritized in accordance with organizational needs, and Fortify SCA consistently provides audit results to all projects.

Results from Real Users

“Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it's notifying us and does not allow us to pass the DevOps pipeline. If it finds everything's perfect, as per our given guidelines, then it is allowing us to go ahead and start it, and we are able to deploy it.” - Arun D., Senior Architect at a healthcare company.

“Its flexibility is most valuable. It is such a flexible tool. It can be implemented in a number of ways. It can do anything you want it to do. It can be fully automated within a DevOps pipeline. It can also be used in an ad hoc, special test case scenario and anywhere in between.” - Tom H., Director of Security at Merito

Fortify Static Code Analyzer was previously known as Fortify Static Code Analysis SAST.

Fortify Static Code Analyzer Pricing Advice

What users are saying about Fortify Static Code Analyzer pricing:
  • "It has a couple of license models. The one that we use most frequently is called their flexible deployment. We use this one because it is flexible and based on the number of code-contributing developers in the organization. It includes almost everything in the Fortify suite for one developer price. It gives access to not just the secure code analyzer (SCA) but also to FSC, the secure code. It gives us accessibility to scan central, which is the decentralized scanning farm. It also gives us access to the software security center, which is the vulnerability management platform."
  • "The licensing is expensive and is in the 50K range."
  • "The price of Fortify Static Code Analyzer could be reduced."
Fortify Static Code Analyzer Reviews

    Tom Haakma - PeerSpot reviewer
    Director of Security at Merito
    Real User
    Top 5 Leaderboard
    Super scalable, fairly stable, very flexible, and can do anything you want it to do
    Pros and Cons
    • "Its flexibility is most valuable. It is such a flexible tool. It can be implemented in a number of ways. It can do anything you want it to do. It can be fully automated within a DevOps pipeline. It can also be used in an ad hoc, special test case scenario and anywhere in between."
    • "I know the areas that they are trying to improve on. They've been getting feedback for several years. There are two main points. The first thing is keeping current with static code languages. I know it is difficult because code languages pop up all the time or there are new variants, but it is something that Fortify needs to put a better focus on. They need to keep current with their language support. The second thing is a philosophical issue, and I don't know if they'll ever change it. They've done a decent job of putting tools in place to mitigate things, but static code analysis is inherently noisy. If you just take a tool out of the box and run a scan, you're going to get a lot of results back, and not all of those results are interesting or important, which is different for every organization. Currently, we get four to five errors on the side of tagging, and it notifies you of every tiny inconsistency. If the tool sees something that it doesn't know, it flags, which becomes work that has to be done afterward. Clients don't typically like it. There has got to be a way of prioritizing. There are a ton of filter options within Fortify, but the problem is that you've got to go through the crazy noisy scan once before you know which filters you need to put in place to get to the interesting stuff. I keep hearing from their product team that they're working on a way to do container or docker scanning. That's a huge market mover. A lot of people are interested in that right now, and it is relevant. That is definitely something that I'd love to see in the next version or two."

    What is our primary use case?

    I work for a company that implements these solutions for customers. So, we've got it everywhere. I've done implementations that are very simple and are developer workstation-based or security analyst desktop-based. We also have implementations all the way up through their big kahuna, which is decentralized and automated scanning.

    What is most valuable?

    Its flexibility is most valuable. It is such a flexible tool. It can be implemented in a number of ways. It can do anything you want it to do. It can be fully automated within a DevOps pipeline. It can also be used in an ad hoc, special test case scenario and anywhere in between.

    What needs improvement?

    I know the areas that they are trying to improve on. They've been getting feedback for several years. There are two main points. The first thing is keeping current with static code languages. I know it is difficult because code languages pop up all the time or there are new variants, but it is something that Fortify needs to put a better focus on. They need to keep current with their language support.

    The second thing is a philosophical issue, and I don't know if they'll ever change it. They've done a decent job of putting tools in place to mitigate things, but static code analysis is inherently noisy. If you just take a tool out of the box and run a scan, you're going to get a lot of results back, and not all of those results are interesting or important, which is different for every organization. Currently, we get four to five errors on the side of tagging, and it notifies you of every tiny inconsistency. If the tool sees something that it doesn't know, it flags, which becomes work that has to be done afterward. Clients don't typically like it. There has got to be a way of prioritizing. There are a ton of filter options within Fortify, but the problem is that you've got to go through the crazy noisy scan once before you know which filters you need to put in place to get to the interesting stuff.

    I keep hearing from their product team that they're working on a way to do container or docker scanning. That's a huge market mover. A lot of people are interested in that right now, and it is relevant. That is definitely something that I'd love to see in the next version or two.

    For how long have I used the solution?

    I have been using this solution for ten years.


    What do I think about the stability of the solution?

    It is fairly stable. I haven't experienced any real catastrophic or fundamental flaws with it since version 19.10. This was the last one that had a real major flaw that needed hotfixes quickly.

    What do I think about the scalability of the solution?

    It is super scalable. That's definitely a bright spot.

    With a solution like this, the number of users varies so much. We typically try to build a program with a client where there is a small team operating the tool. They typically just automate it and plug it into their DevOps pipeline, but the entire development organization consumes the results and does the work. There is the infrastructure management side to keep the solution updated and make sure the infrastructure is running, and then there are security analysts who are tweaking the filters, writing custom rules, and doing this kind of stuff to further advance the program using the tool.

    Which solution did I use previously and why did I switch?

    I started working with Fortify in 2011. In the last couple of years, we've branched out and started exploring other solutions, mostly because of our customers' requests. However, we're still not seeing the same level of advancement and ability with some of the other solutions.

    We've gone down the route of evaluating Checkmarx and implementing Checkmarx with a few of our clients. It went okay, but it is not stellar. We're right in the midst of evaluating and onboarding the Synopsys toolset. I will have more input on that in about a month or so.

    How was the initial setup?

    It can be very simple. It could be as simple as a desktop installation or just a VM install. It could also be complicated if you're going for their full distributed scanning model, which is their scan central.

    What's my experience with pricing, setup cost, and licensing?

    It has a couple of license models. The one that we use most frequently is called their flexible deployment. We use this one because it is flexible and based on the number of code-contributing developers in the organization. 

    It includes almost everything in the Fortify suite for one developer price. It gives access to not just the secure code analyzer (SCA) but also to FSC, the secure code. It gives us accessibility to scan central, which is the decentralized scanning farm. It also gives us access to the software security center, which is the vulnerability management platform.

    What other advice do I have?

    I would advise others to definitely do their homework in planning. It is not something where you just open the box and go. There needs to be some foresight, some planning, and a lot of input from various stakeholders. You got to talk to your infrastructure team and make sure that you have suitable hardware for this in order for it to perform at its peak.

    I would rate Fortify Static Code Analyzer an eight out of ten.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    David Alaga - PeerSpot reviewer
    Sr DevOps Engineer at incatech
    Real User
    Top 5 Leaderboard
    Stable and easy to set up with great code analysis capabilities
    Pros and Cons
    • "We write software, and therefore, the most valuable aspect for us is basically the code analysis part."
    • "It comes with a hefty licensing fee."

    What is our primary use case?

    We usually run the product through the pipelines through GitLab, CICD, or Jenkins pipelines. I'm currently experimenting with AWS CodePipeline right now with integrating those types of tools into the pipeline.

    What is most valuable?

    We write software, and therefore, the most valuable aspect for us is basically the code analysis part. It's mostly used for the software that we actually write and we use it to identify whatever it is that we're looking for, whether it's the bugs or the technical data and so forth.

    The setup is pretty easy.

    The solution is pretty stable.

    What needs improvement?

    We use several other tools. We also use SonarQube. If one tool does not meet our requirements, I kind of implement another. We actually use SonarQube and Fortify together as the tools that we use to do the static code and dynamic testing, and also for security. You combine various tools in a pipeline to verify the code. Basically, it's not necessarily a standalone solution. You need to work with others to get what you need. 

    It comes with a hefty licensing fee. We get around it by leveraging SonarQube, which is free. We're trying to get plugins now for SonarQube to match what Fortify could do. It would be ideal if it also had some sort of open-source version we could use.

    For how long have I used the solution?

    I've been dealing with the solution for maybe almost two years or so.

    What do I think about the stability of the solution?

    The stability is good. I'm not running into anything that gives me a problem as far as my pipelines are concerned. I'm okay with it. I haven't really dug into a deep dive with it; however, for what I use it for, it is sufficient, and I get the results that I'm looking for.

    How are customer service and technical support?

    I haven't really dealt with technical support. Anything that I can't solve, I can Google. Then there's also the exchange code area. Usually, you find your answers if somebody has run into something, or if I run into something. If I can't find any answers, I would of course reach out to support, however, so far, that hasn't been necessary.

    Which solution did I use previously and why did I switch?

    We also use SonarQube in tandem with this product. SonarQube is primarily a static code analyzer, and then Fortify was made more for the security side. With the new plugins that go into SonarQube, it's trying to catch up with Fortify. I have the same from the opposite side, as Fortify has a different use case that we use it for.

    SonarQube is trying to be just as efficient as Fortify with what Fortify can do, via the extensions that you can put in. However, when you get that extension that matches Fortify, it's kind of like SonarQube becomes more of a paid product at that point, however, even then, it's not near the price point that Fortify is.

    How was the initial setup?

    Everything is basically straightforward with the setups. Most of the static code is actually done by SonarQube, however, we run it through Fortify afterward. However, due to the large license fee, we need to find workarounds like this.

    What's my experience with pricing, setup cost, and licensing?

    The licensing is extremely expensive.

    What other advice do I have?

    I'm not sure which version of the solution we're using. I can't recall the exact version number off-hand. 

    I deal with the dev-ops engineers. We usually go for items that are cost-effective. If you've got the money for the license, then it's definitely a good solution to have. We have it at a higher level platform, however, I only use it at a certain level for our development environment. 

    I'd rate the solution at a nine out of ten. It's a great product, however, it's a bit expensive. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Code Reviewer with 11-50 employees
    Real User
    Top 20
    Code management solution that is straightforward to set up and effective at identifying vulnerabilities
    Pros and Cons
    • "I like the Fortify taxonomy as it provides us with a list of all of the vulnerabilities found. Fortify release updated rule packs quarterly, with accompanying documentation, that lets us know what new features are being released."
    • "The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit."

    What is our primary use case?

    I make use of this solution every day in my current position. I have experience in its installation and troubleshooting and always ensure I am up to date with their latest releases. 

    We use this solution to run and scan SQL code. 

    What is most valuable?

    I like the Fortify taxonomy as it provides us with a list of all of the vulnerabilities found. Fortify release updated rule packs quarterly, with accompanying documentation, that lets us know what new features are being released. The GUI is really easy to navigate through and is very user-friendly.

    What needs improvement?

    The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit. CyberRes is a partner I rely on as a first resource if I can't find the answer I need in documentation on Google. The information directly from Fortify is limited.

    For how long have I used the solution?

    I have been using this solution for seven years. 

    What do I think about the stability of the solution?

    This is a stable solution. When I first started using Fortify, my desktop at work did not have enough RAM. It would take me 10 to 12 hours to do a scan.

    How was the initial setup?

    There is an installation guide that I've used many times. First, you need to make sure that your server has the right operating system, version, amount of space, and the correct version of Java installed. You also need to ensure you have the right version of specific databases. This will ensure that the backend is compatible with Oracle, MySQL, SQL Server and Postgres. 

    The installation is very easy because it is self-explanatory. Updates are also easy to manage once rule packs are released.

    What's my experience with pricing, setup cost, and licensing?

    The licensing is expensive and is in the 50K range.

    What other advice do I have?

    This is an excellent product, but it is not for the faint of heart. You will need to be willing to learn and take the time to get to grips with how it works. I like it compared to some of the other static code tools that I've used in the past.

    I would rate this solution a nine out of ten. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Arun Dhwaj - PeerSpot reviewer
    Senior Architect at a healthcare company with 10,001+ employees
    Real User
    Top 10
    Useful deployment, secure, and scalable
    Pros and Cons
    • "Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it's notifying us and does not allow us to pass the DevOps pipeline. If it finds everything's perfect, as per our given guidelines, then it is allowing us to go ahead and start it, and we are able to deploy it."
    • "Fortify Static Code Analyzer is a good solution, but sometimes we receive false positives. If they could reduce the number of false positives it would be good."

    What is our primary use case?

    Fortify Static Code Analyzer is used for scanning the container image, such as Kubernetes or Docker, and its main role is to do the static security analysis.

    What is most valuable?

    Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it's notifying us and does not allow us to pass the DevOps pipeline. If it finds everything's perfect, as per our given guidelines, then it is allowing us to go ahead and start it, and we are able to deploy it.

    What needs improvement?

    Fortify Static Code Analyzer is a good solution, but sometimes we receive false positives. If they could reduce the number of false positives it would be good.

    The solution could be more user-friendly. You have the CLI for business people sometimes, we are not able to give a good overview. Generally, the business people you choose would want to see the dashboard.

    For how long have I used the solution?

    I have used Fortify Static Code Analyzer within the last 12 months.

    What do I think about the stability of the solution?

    The stability of Fortify Static Code Analyzer.

    What do I think about the scalability of the solution?

    Fortify Static Code Analyzer is scalable. However, they could improve. The time it takes to scale could improve. 

    We have 30,000 employees in my company and 20 percent of the company is using the solution.

    How are customer service and support?

    I rate the support for Fortify Static Code Analyzer a four out of five.

    What about the implementation team?

    We have a team that did the implementation of the solution.

    What's my experience with pricing, setup cost, and licensing?

    The price of Fortify Static Code Analyzer could be reduced.

    What other advice do I have?

    We are looking for a different solution.

    My advice for others is to look for other solutions before you choose Fortify Static Code Analyzer.

    I rate Fortify Static Code Analyzer an eight out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Conformity Controller at STET
    Real User
    Stable, with good documentation but the pricing is a bit high
    Pros and Cons
    • "We've found the documentation to be very good."
    • "The pricing is a bit high."

    What is most valuable?

    The solution has been quite stable over the years.

    We've found the documentation to be very good.

    When there are issues, there is a lot of explanation about what they are and how to solve problems. Communication is very clear. 

    What needs improvement?

    The pricing is a bit high. 

    We have not enough for really sharing between with editor. Therefore, we have to use an older version of a product.

    For how long have I used the solution?

    We've used the solution for 12 or so years at this point. It's been well over a decade. We've used it for quite a while.

    What do I think about the stability of the solution?

    The stability of the solution is pretty good. There are no bugs or glitches. It doesn't crash or freeze. It's pretty reliable. 

    How are customer service and technical support?

    Technical support is good. When we put in requests, we get feedback and results. Older requests get treated with priority, and newer requests go into a queue. 

    What's my experience with pricing, setup cost, and licensing?

    The pricing of the solution is a bit high. It would be nice if it was more competitive.

    Which other solutions did I evaluate?

    While we do want to continue to use the product, we want to negotiate with Microsoft about the licensing. In the meantime, we will likely evaluate a few other options.

    What other advice do I have?

    We're just an end-user and a customer. We don't have a business relationship with Fortify.

    We are not using the latest version of the solution right now. We're waiting for the Fortify version with PCI DSS 4.0.

    I'd rate the solution at a six out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.