Vishal Dhamke - PeerSpot reviewer
Vice President Application Security North America at BNP Paribas
Real User
Top 5
An expansive platform that comes with a comprehensive set of security rules and patterns to identify vulnerabilities
Pros and Cons
  • "The integration Subset core integration, using Jenkins is one of the good features."
  • "The generation of false positives should be reduced."

What is our primary use case?

Fortify SAST performs static code analysis, which means it reviews the source code or compiled binary code without executing the application. This helps in identifying vulnerabilities, coding errors, and security issues within the codebase.
Fortify SAST supports a wide range of programming languages, including popular ones like Java, C/C++, C#, Python, and more. This broad language support makes it suitable for various development environments.

It comes with a comprehensive set of security rules and patterns to identify vulnerabilities, including issues related to OWASP Top Ten, CWE (Common Weakness Enumeration), and other industry standards.

What is most valuable?

Fortify integrates with various development environments and tools, such as IDEs (Integrated Development Environments) and CI/CD pipelines. This allows developers to scan code seamlessly.

What needs improvement?

The generation of false positives should be reduced. Although it provides mechanisms to help reduce false positives, ensuring that the reported vulnerabilities are genuine security concerns.

For how long have I used the solution?

I have been using Fortify Static Code Analyzer for a few years. 

Buyer's Guide
Fortify Static Code Analyzer
June 2025
Learn what your peers think about Fortify Static Code Analyzer. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
856,873 professionals have used our research since 2012.

What do I think about the stability of the solution?

It is a stable solution but the stability of Fortify SAST can depend on the hardware and network infrastructure it's running on. Make sure your infrastructure meets the system requirements recommended by Micro Focus.

Properly train your development and security teams on how to use Fortify SAST effectively. Knowledgeable users are more likely to obtain stable and accurate results.

What do I think about the scalability of the solution?

It is scalable, can handle large codebases, and is suitable for projects of varying sizes, from small applications to complex enterprise-level software.

How are customer service and support?

The technical support team is decent. 

How would you rate customer service and support?

Neutral

How was the initial setup?

Setting up Fortify Static Application Security Testing (SAST) involves several steps to ensure that the tool is correctly configured and integrated into your development workflow, for instance: Installation, License Activation, User Access and Permissions, Integration with Development Environment, Project Configuration, Custom Rules and Policies, etc.

The initial setup is very easy. I have used the enterprise version and a standalone version. The enterprise version definitely takes an ample amount of time to deploy because it needs to have a server along with other logistics in place along with a proper RBAC. The enterprise version would take an ample amount of time, but the standard version is just a few clicks.

A team of four to five people is required for the maintenance and frequent updates are required to keep all the signatures up to date. 

I would rate the setup a nine out of ten. 

What other advice do I have?

Fortify SAST is a valuable tool for organizations committed to ensuring the security of their software applications. It helps prevent security vulnerabilities from making their way into production code, reducing the risk of data breaches and other security incidents. However, the effectiveness of Fortify SAST depends on proper configuration, rule selection, and integration into the development process.

I would rate the overall solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2322627 - PeerSpot reviewer
Security DevOps Engineer at a legal firm with 1-10 employees
Real User
Top 5
Helps remediate vulnerabilities and build secure code, but flags a high number of false positives
Pros and Cons
  • "Automating the Jenkins plugins and the build title is a big plus."
  • "Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize."

What is our primary use case?

We maintain several applications that utilize a mix of custom PHP packages and native functionality. When a package becomes outdated or a security vulnerability emerges within one, our lifecycle management system flags the issue and assigns a threat level of critical, high, or moderate. We prioritize mitigation based on severity, addressing critical issues first. Additionally, we've integrated Fortify on Demand into our build pipeline. This tool scans our codebase for static vulnerabilities as new code is built and performs dynamic scans for potential runtime issues once builds are deployed.

We implemented Fortify Static Code Analyzer to ensure our platform meets security standards, stays up-to-date with threats, and streamlines security remediation.

How has it helped my organization?

We use the Fortify Software Security Center to provide a wide view for our AppSec team.

The Fortify Static Code Analyzer aids in remediating potential vulnerabilities through its accurate and reliable results. It serves as a critical gatekeeper for production applications. If an application fails the Fortify on Demand scan, it does not enter the deployment phase and is effectively halted from release.

Fortify Static Code Analyzer helps our developers build secure code.

While we were able to manage our security issues before tools like Fortify Static Code Analyzer, we relied on manual identification and documentation of vulnerabilities. However, this lacked the efficiency and scalability of an automated solution.

Fortify and Sonatype solutions help us ensure compliance with applicable regulations. We gain valuable insights into relevant regulations directly from vulnerability assessments, which helps maintain compliance with specific regulations.

Fortify Static Code Analyzer offers feedback on security vulnerabilities. Its static and dynamic scan, particularly for Fortify on Demand, provides automated feedback. For example, the dynamic scan might take around 20 minutes to settle, depending on the specifics. However, this turnaround time is significantly faster than relying on the entire security team to conduct manual testing. It can sometimes provide excessive detail that is not directly pertinent, leading to inefficiencies in extracting the relevant information.

I believe Fortify Static Code Analyzer is a valuable tool for implementing shift-left security in cloud-native applications. I intend to leverage it for personal projects, starting with my current app development. I plan to make it my go-to standard for application security.

The ability to identify vulnerabilities using Fortify Static Code Analyzer early in the development life cycle has saved us costs.

Integrating Fortify Static Code Analyzer is not complicated after the first integration.

What is most valuable?

Automating the Jenkins plugins and the build title is a big plus.

What needs improvement?

Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize. It throws everything at us at once, which can be overwhelming. While it's not a major issue, I'd like to see it focus on critical vulnerabilities and highlight them upfront. Furthermore, categorizing critical vulnerabilities by platform-specific vulnerabilities and relevance to supported features would be incredibly beneficial.

While Fortify Static Code Analyzer has some merit, I believe it still has significant room for improvement. We have encountered a high number of false positives, which has been a major obstacle and resource drain.

For how long have I used the solution?

I have been using Fortify Static Code Analyzer for two years.

We use it in combination with Sonatype Lifecycle. We use Sonatype for all of our packages. It's for any outdated packages that we have. Before we build a package out to production, we can see if we need to update it. Having that alongside Fortify makes it our own one-stop shop for security. It makes our builds a lot smoother.

What do I think about the stability of the solution?

I would rate the stability a seven out of ten. Fortify Static Code Analyzer suffers from limitations in handling versioning issues. It necessitates specific guidelines or calls to operate efficiently; otherwise, it doesn't provide feedback.

What do I think about the scalability of the solution?

We are still trying to get an impression of the scalability. We have scaled it on all of our products and it seems to be good. I would rate the scalability an eight out of ten.

How are customer service and support?

The technical support is adequate, but I did experience a frustrating issue once. They could benefit from a dedicated team to handle support requests more efficiently. Messaging them and relying solely on the support ticket system feels outdated, especially considering the premium price we pay. At least a live chat option would be a significant improvement, as the current system was quite cumbersome and unresponsive.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial deployment was a bit more challenging than anticipated. There was a learning curve involved, and supporting the plugin for our Jenkins environment presented a significant obstacle.

To overcome these hurdles, we decided to evaluate the Fortify Static Code Analyzer. We began by integrating it into smaller projects first, which allowed us to gain familiarity with its capabilities. We then gradually branched out to our larger projects, building upon our understanding. This involved uploading code bases, analyzing the scans, and interpreting the results. By taking this incremental approach, we were able to effectively expand.

Four people were involved in the deployment.

What was our ROI?

We have seen a return on investment using Fortify Static Code Analyzer.

Which other solutions did I evaluate?

We evaluated other solutions but ultimately selected Fortify Static Code Analyzer for its simplicity and its ability to tailor to our build cycle.

What other advice do I have?

I would rate Fortify Static Code Analyzer a seven out of ten.

Since we started the integration of Fortify Static Code Analyzer from the beginning, it has not yet significantly freed up the time of our security team. However, it has helped make the process more efficient, and the integration is still in progress.

Organizations that are still using manual methods to find vulnerabilities should try Fortify Static Code Analyzer. If it is within their budget, Fortify Static Code Analyzer will work well for them.

We utilize the Fortify Static Code Analyzer across various locations and projects, making it the go-to tool for security analysis in most of our development initiatives. We are a large corporation with high traffic.

For larger platforms with strong automation needs, I recommend Fortify Static Code Analyzer.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Developer at Protonmail
Real User
Top 20
Provides best practices for fixing code but has a lot of bugs
Pros and Cons
  • "Fortify Static Code Analyzer's most valuable features are its ability to provide best practices for fixing code and its examples and capabilities to address security problems in the code. It effectively identifies security vulnerabilities by analyzing the code and offering insights on improving it."
  • "False positives need improvement in the future. Fortify's vulnerability remediation guidance helps improve code security, but I think they need to improve the focus of the solution, as it still contains many bugs and needs a thorough review."

What is our primary use case?

We use Fortify Static Code Analyzer to analyze our code for security vulnerabilities. It helps us identify and address potential issues, ensuring our software is secure.

What is most valuable?

Fortify Static Code Analyzer's most valuable features are its ability to provide best practices for fixing code and its examples and capabilities to address security problems in the code. It effectively identifies security vulnerabilities by analyzing the code and offering insights on improving it.

What needs improvement?

False positives need improvement in the future. Fortify's vulnerability remediation guidance helps improve code security, but I think they need to improve the focus of the solution, as it still contains many bugs and needs a thorough review.

For how long have I used the solution?

I have been using Fortify Static Code Analyzer for the past three months.

What do I think about the stability of the solution?

For stability, I would rate it as an eight out of ten. The stability has been reliable since using this solution, and I haven't encountered any issues.

What do I think about the scalability of the solution?

I would rate the scalability of Fortify Static Code Analyzer as seven out of ten. It is easy to scale, but on-premises cases require scaling the server to deploy it.

About ten to twenty users in my company are using Fortify Static Code Analyzer once a month. We do not plan to increase its usage in the future.

How are customer service and support?

I don't work with the support directly, and I have only seen the results of their intervention, which are satisfactory.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Before using the Fortify Static Code Analyzer, I used Sonar. We switched because Fortify was better at fixing issues. We didn't evaluate other vendors and went straight with Fortify.

How was the initial setup?

It took about fifteen minutes to deploy Fortify. I would rate the initial setup of Fortify Static Code Analyzer as eight out of ten, as it was relatively easy to set up. 

What's my experience with pricing, setup cost, and licensing?

I rate the pricing of Fortify Static Code Analyzer as a seven out of ten since it is a bit expensive.

Which other solutions did I evaluate?


What other advice do I have?

For someone considering Fortify Static Code Analyzer, I'd recommend checking other options like Checkmarx, as it might be a better fit depending on their use case. 

Overall, I would rate the product a five out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Maurizio Garofalo - PeerSpot reviewer
Senior manager at a consultancy with 11-50 employees
Real User
Top 5
Makes code review much easier pre-deployment
Pros and Cons
  • "It's helped us free up staff time."
  • "Not all languages are supported in Fortify."

What is our primary use case?

We're consultants and it supports our primary banking group in Italy in terms of cybersecurity strategies.

Due to the mandatory use of Sonatype within the Italian banking industry, we rely on both Fortify and Sonatype to conduct a comprehensive analysis of the implemented code. 

How has it helped my organization?

We use both SaaS and on-premise versions. The on-premises software helps the developer team continuously analyze tools. The SaaS version is used for centralized analysis in a testing environment for the IT security team.

Sonatype acts as a mandatory gatekeeper for accessing open-source libraries. Combining Sonatype and Fortify provides an invaluable holistic view of the application code developed by the factory. This includes both the library used by the factory to simplify development and the library itself, enabling comprehensive vulnerability detection. While Sonatype doesn't directly control the coding within the library, it effectively identifies vulnerabilities lurking within the open-source components. This offers significant value to developers who rely on these libraries, as it helps ensure their work is not compromised by unforeseen vulnerabilities. This information acts as a boost for developers, enabling them to leverage the library's functionality with greater confidence. The combination works like a black box for the developer. Sonatype and Fortify complete each other.

What is most valuable?

They are one of the market leaders, according to Gartner's Magic Quadrant. 

We use Fortify to reduce application vulnerabilities significantly. In the test environment, we don't just use software code review. Before the use of Fortify, we would test the applications; however, using Fortify allows us to test internationally and to align with various compliance requirements, for example, European banking requirements. 

It offers efficiency in the deployment of the application. It makes code review much easier pre-deployment. The Fortify FOD Portal is quite useful. It helps centrally manage everything and provides us with a 360-degree view of our AppSec team.

The solution truly supports the development team by giving a clear indication of vulnerabilities and providing suggestions on how to deal with vulnerabilities in a clear manner. There is a lot of useful analysis. It can help us map application libraries.

The software security center, in terms of managing and tracking risks, is good. It's very consistent. In Italy, the culture of risk analysis is very low. However, it provides very clear reporting. It offers great mapping. It maps both the tests and the severity of the vulnerability. It can help support the goals of risk analysis and help prioritize tasks to deal properly with risk. It can support risk analysis effectively.

The testing of the application portfolio is useful. It's also great for regulatory requests, including in the European community. The mapping of the application vulnerabilities provides us a way to respond according to risk. 

It's very simple to use Fortify.

We can fully integrate with GitHub. However, we can also migrate in certain scenarios. We can prepare packages subject to analysis and send them to Fortify. It's not difficult. It's very simple. 

When Fortify is on-premises with GitHub, remediation is easy. They can suggest and resolve issues directly. Fortify can offer guidance to the development team. So it's not only an identification tool, it's also a tool that can provide remediation for potential vulnerabilities. 

Now, in the European Union, it's mandatory to analyze software. Fortify has become a necessary product. We might have started using it before there was a regulatory need. However, we now must have something like Fortify in place. 

It helps us reduce risk exposure on applications through the discoverability of vulnerabilities and weaknesses. It's fully satisfactory. It ensures we are being fully compliant. We chose the solution as it is one of the market leaders, according to Gartner. We can only use the best in the market since it's so integral to our compliance requirements. It ensures we are always compliant with internal and external audits. 

Fortify does provide real-time feedback on security problems. However, we don't use, at the moment, the functionality of real-time vulnerability analysis during the developer's typing of the code. We check the code afterward.

It's helped us free up staff time. We spend less time fixing software deployments. We've reduced the time to market of the implementation phase by 50%. We can test the applications faster, and we can support a number of projects with the same number of people. 

What needs improvement?

Not all languages are supported in Fortify. They should expand their language offering.

For how long have I used the solution?

We started to use Fortify in 2019.

How are customer service and support?

We've contacted support in the past during the integration of Fortify. Support is quite proactive. We have periodical monthly calls with support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not previously use a different solution. 

How was the initial setup?

I was not involved in the implementation.  There was some integration involved in the setup. However, I can't speak to the level of difficulty involved. 

What about the implementation team?

We had the help of a systems integrator during the setup. 

What's my experience with pricing, setup cost, and licensing?

In terms of capabilities, the solution has all the capabilities necessary for the activity required. It's more economical than the other Big Three in the market as well. The price, overall, is quite good. 

What other advice do I have?

I'm a customer. 

For those still using manual methods, I'd recommend something like Fortify that could accelerate the process of analysis. Manual methods require more effort for an organization, and those handling them must have high competence. I'm a modernist. I prefer to have continuous awareness in regard to vulnerabilities. Manual analysis, as well, can be very costly. It takes too much effort. Plus, if you have so many applications, it becomes impossible to manage manually. A business would not be able to support this. 

We're fully satisfied with the solution. I'd rate the product ten out of ten. The results they provide are clear. There's continuous development of the product, and with new languages and functionality, it will continue to get better and better. 

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Code Reviewer at United States Department of Defense
Real User
Code management solution that is straightforward to set up and effective at identifying vulnerabilities
Pros and Cons
  • "I like the Fortify taxonomy as it provides us with a list of all of the vulnerabilities found. Fortify release updated rule packs quarterly, with accompanying documentation, that lets us know what new features are being released."
  • "The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit."

What is our primary use case?

I make use of this solution every day in my current position. I have experience in its installation and troubleshooting and always ensure I am up to date with their latest releases. 

We use this solution to run and scan SQL code. 

What is most valuable?

I like the Fortify taxonomy as it provides us with a list of all of the vulnerabilities found. Fortify release updated rule packs quarterly, with accompanying documentation, that lets us know what new features are being released. The GUI is really easy to navigate through and is very user-friendly.

What needs improvement?

The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit. CyberRes is a partner I rely on as a first resource if I can't find the answer I need in documentation on Google. The information directly from Fortify is limited.

For how long have I used the solution?

I have been using this solution for seven years. 

What do I think about the stability of the solution?

This is a stable solution. When I first started using Fortify, my desktop at work did not have enough RAM. It would take me 10 to 12 hours to do a scan.

How was the initial setup?

There is an installation guide that I've used many times. First, you need to make sure that your server has the right operating system, version, amount of space, and the correct version of Java installed. You also need to ensure you have the right version of specific databases. This will ensure that the backend is compatible with Oracle, MySQL, SQL Server and Postgres. 

The installation is very easy because it is self-explanatory. Updates are also easy to manage once rule packs are released.

What's my experience with pricing, setup cost, and licensing?

The licensing is expensive and is in the 50K range.

What other advice do I have?

This is an excellent product but is not for the faint of heart. You will need to be willing to learn and take the time to get to grips with how it works. I like it compared to some of the other static codes that I've used in the past.

I would rate this solution a nine out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Conformity Controller at STET
Real User
Top 5
Helps us identify vulnerabilities, but the upgrading process needs improvement
Pros and Cons
  • "The most valuable features include its ability to detect vulnerabilities accurately and its integration with our CI/CD pipeline."
  • "Streamlining the upgrade process and enhancing compatibility would make it easier for us to keep our security tools up-to-date."

What is our primary use case?

Our primary use case for this solution is to analyze the security of our software applications during the development cycle. We use it to identify vulnerabilities and potential security issues before deploying the applications into production. Our environment comprises various software development projects, ranging from web applications to internal tools.

How has it helped my organization?

The solution has significantly improved our organization's security posture by helping us identify and address vulnerabilities early in development. It has reduced the risk of security breaches and helped us build more secure software products. However, upgrading the solution has been challenging due to database compatibility issues.

What is most valuable?

The most valuable features include its ability to detect vulnerabilities accurately and its integration with our CI/CD pipeline. These features enable us to automate security testing and quickly identify issues, allowing us to fix them before deployment.

What needs improvement?

The product could be improved by upgrading and compatibility with databases such as MySQL. Streamlining the upgrade process and enhancing compatibility would make it easier for us to keep our security tools up-to-date.

Enhancing integration with ticket management systems like Jira in the next release would facilitate issue tracking and resolution.

For how long have I used the solution?

We have been using Fortify Static Code Analyzer for approximately eight years.

What do I think about the stability of the solution?

The solution has been stable overall, with minimal disruptions to our development process.

What do I think about the scalability of the solution?

The product has good scalability, allowing us to analyze code across various projects and scale as our development needs grow.

How are customer service and support?

There is room for improvement in the technical support services in terms of responsiveness and proactive assistance.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup was straightforward for basic installation and configuration. However, we encountered complexities during the upgrade process, particularly database compatibility issues.

What was our ROI?

While it's challenging to quantify the exact ROI, the solution has helped us prevent potential security breaches and mitigate risks, which ultimately contributes to our organization's overall ROI.

What's my experience with pricing, setup cost, and licensing?

The setup costs and pricing for Fortify may vary depending on the organization's needs and requirements.

Which other solutions did I evaluate?

We did evaluate other options before choosing this solution. However, Fortify stood out due to its comprehensive feature set and reputation in the industry.

What other advice do I have?

Fortify Static Code Analyzer has been a valuable tool for our organization's security efforts. However, organizations should be prepared to invest time and resources in managing and upgrading the solution to maximize its effectiveness.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Senior Security Analyst (AppSec) at ELETROBRAS
Real User
Top 5 Leaderboard
Identifies issues like password credentials and access keys embedded in the code
Pros and Cons
  • "Integrating the Fortify Static Code Analyzer into our software development lifecycle was straightforward. It highlights important information beyond just syntax errors. It identifies issues like password credentials and access keys embedded in the code."
  • "The product shows false positives for Python applications."

What is our primary use case?

We use the tool for web-based applications. 

What is most valuable?

Integrating the Fortify Static Code Analyzer into our software development lifecycle was straightforward. It highlights important information beyond just syntax errors. It identifies issues like password credentials and access keys embedded in the code.

I have integrated the solution with GitLab, Jira, and ITSM. 

What needs improvement?

The product shows false positives for Python applications. 

What other advice do I have?

I haven't customized many rules, but some customizations that have been applied have been particularly useful in our pipeline. For instance, if our application is found to be very vulnerable, we don't proceed with deployment. We utilize static analysis, and the pipeline is halted until the vulnerabilities are addressed. Similarly, I've applied this approach in Fortify Static Code Analyzer and Checkmarx SCA to stop the execution pipeline for highly vulnerable applications.

I utilize validation in the code to manage false positives in the results. In this case, the application helps identify false positives, and I spend extra time validating them. 

I would recommend Fortify Static Code Analyzer for .NET applications and not for Python ones. I rate it an eight out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Arun Dhwaj - PeerSpot reviewer
Senior Architect at a healthcare company with 10,001+ employees
Real User
Useful deployment, secure, and scalable
Pros and Cons
  • "Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it's notifying us and does not allow us to pass the DevOps pipeline. If it finds everything's perfect, as per our given guidelines, then it is allowing us to go ahead and start it, and we are able to deploy it."
  • "Fortify Static Code Analyzer is a good solution, but sometimes we receive false positives. If they could reduce the number of false positives it would be good."

What is our primary use case?

Fortify Static Code Analyzer is used for scanning the container image, such as Kubernetes or Docker, and its main role is to do the static security analysis.

What is most valuable?

Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it's notifying us and does not allow us to pass the DevOps pipeline. If it finds everything's perfect, as per our given guidelines, then it is allowing us to go ahead and start it, and we are able to deploy it.

What needs improvement?

Fortify Static Code Analyzer is a good solution, but sometimes we receive false positives. If they could reduce the number of false positives it would be good.

The solution could be more user-friendly. You have the CLI for business people sometimes, we are not able to give a good overview. Generally, the business people you choose would want to see the dashboard.

For how long have I used the solution?

I have used Fortify Static Code Analyzer within the last 12 months.

What do I think about the stability of the solution?

The stability of Fortify Static Code Analyzer.

What do I think about the scalability of the solution?

Fortify Static Code Analyzer is scalable. However, they could improve. The time it takes to scale could improve. 

We have 30,000 employees in my company and 20 percent of the company is using the solution.

How are customer service and support?

I rate the support for Fortify Static Code Analyzer a four out of five.

What about the implementation team?

We have a team that did the implementation of the solution.

What's my experience with pricing, setup cost, and licensing?

The price of Fortify Static Code Analyzer could be reduced.

What other advice do I have?

We are looking for a different solution.

My advice for others is to look for other solutions before you choose Fortify Static Code Analyzer.

I rate Fortify Static Code Analyzer an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user