Abner Silva - PeerSpot reviewer
Cloud Security Analyst at an agriculture company with 1-10 employees
Real User
Identifies issues like password credentials and access keys embedded in the code
Pros and Cons
  • "Integrating the Fortify Static Code Analyzer into our software development lifecycle was straightforward. It highlights important information beyond just syntax errors. It identifies issues like password credentials and access keys embedded in the code."
  • "The product shows false positives for Python applications."

What is our primary use case?

We use the tool for web-based applications. 

What is most valuable?

Integrating the Fortify Static Code Analyzer into our software development lifecycle was straightforward. It highlights important information beyond just syntax errors. It identifies issues like password credentials and access keys embedded in the code.

I have integrated the solution with GitLab, Jira, and ITSM. 

What needs improvement?

The product shows false positives for Python applications. 

What other advice do I have?

I haven't customized many rules, but some customizations that have been applied have been particularly useful in our pipeline. For instance, if our application is found to be very vulnerable, we don't proceed with deployment. We utilize static analysis, and the pipeline is halted until the vulnerabilities are addressed. Similarly, I've applied this approach in Fortify Static Code Analyzer and Checkmarx SCA to stop the execution pipeline for highly vulnerable applications.

I utilize validation in the code to manage false positives in the results. In this case, the application helps identify false positives, and I spend extra time validating them. 

I would recommend Fortify Static Code Analyzer for .NET applications and not for Python ones. I rate it an eight out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
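The two practices the reviewer describes, flagging embedded credentials and access keys during static analysis, and halting the pipeline until high-severity findings are addressed while validated false positives are suppressed, can be sketched in a small gate script. The block below is an added illustration, not Fortify's or Checkmarx's own rules, report format or CLI; the detection patterns, file contents, severity thresholds and suppression list are all constructed for the example.

```python
"""Constructed example of a SAST-style pipeline gate (not a Fortify feature):
scan source text for embedded credentials, drop findings a reviewer has
validated as false positives, and refuse deployment above a severity budget."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed detection rules: (rule name, severity, pattern). Real scanners
# ship far richer rule sets; these three only illustrate the categories.
RULES = [
    ("hardcoded_password", "High",
     re.compile(r'(?i)(password|passwd|pwd)\s*=\s*["\'][^"\']{4,}["\']')),
    ("aws_access_key_id", "High",
     re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
    ("generic_api_key", "Medium",
     re.compile(r'(?i)(api[_-]?key|secret)\s*=\s*["\'][^"\']{8,}["\']')),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    path: str
    line: int
    snippet: str


def scan(files: dict[str, str]) -> list[Finding]:
    """Run every rule over every line of every file; one Finding per hit."""
    findings: list[Finding] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, severity, pattern in RULES:
                if pattern.search(line):
                    findings.append(Finding(rule, severity, path, lineno, line.strip()))
    return findings


def apply_suppressions(findings: list[Finding],
                       suppressions: set[tuple[str, str, int]]) -> list[Finding]:
    """Drop findings a human has reviewed and recorded as false positives.
    Suppressions are keyed by (rule, path, line) so they stay narrow."""
    return [f for f in findings if (f.rule, f.path, f.line) not in suppressions]


def gate(findings: list[Finding], max_high: int = 0,
         max_medium: int = 5) -> tuple[bool, dict[str, int]]:
    """Decide whether deployment may proceed. Any High finding blocks by
    default; Medium findings are tolerated up to a small budget."""
    counts: dict[str, int] = {"High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    passed = counts["High"] <= max_high and counts["Medium"] <= max_medium
    return passed, counts


# Constructed repository snapshot: a config file with real-looking secrets
# (the AWS key is the documented placeholder value), and a test fixture that
# a reviewer has already validated as harmless.
SAMPLE_FILES = {
    "app/config.py": 'DB_PASSWORD = "hunter2-prod"\n'
                     'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    "app/settings.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    "tests/test_login.py": 'password = "dummy-for-tests"\n',
}

# Same snapshot after the developer moved both secrets into the environment.
FIXED_FILES = {
    **SAMPLE_FILES,
    "app/config.py": 'import os\n'
                     'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
                     'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n',
}

# Reviewer-validated false positive: a dummy password inside a unit test.
SUPPRESSIONS = {("hardcoded_password", "tests/test_login.py", 1)}


def run_gate(files: dict[str, str]) -> tuple[bool, dict[str, int]]:
    """Full pipeline step: scan, suppress validated false positives, gate."""
    return gate(apply_suppressions(scan(files), SUPPRESSIONS))


if __name__ == "__main__":
    for label, files in (("before fix", SAMPLE_FILES), ("after fix", FIXED_FILES)):
        passed, counts = run_gate(files)
        print(f"{label}: {'PASS' if passed else 'BLOCK'} {counts}")
```

The suppression set is deliberately keyed on rule, file and line rather than on the rule alone, so that validating one dummy password in a test does not silently waive the same rule across the code base; it would normally live in version control next to the pipeline definition so the waiver is reviewed like any other change.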