OpenText Dynamic Application Security Testing Reviews

I am currently working with several tools. For Fortify, I use SCA and WebInspect. Apart from that, I use Burp Suite from PortSwigger. For API testing, I use Postman with Burp Suite or WebInspect for some applications, while for others I use SoapUI with Burp Suite.

Most of our applications are related to Salesforce, Java-based, or .NET based systems. The applications typically involve forms where users provide their details. After submission, the information flows to two types of portals: a user portal where customers navigate and provide details, and a worker portal where company personnel verify and approve those details. These are the main types of applications I test.

From the DAST perspective, we have multiple features. We can directly provide the URL and it will crawl through all the pages of the web application to find vulnerabilities. If automatic crawling is not successful, we can create a macro of the whole application sitemap and input it into WebInspect for complete auditing.

For older applications with new enhancements, there is a manual crawl facility where we can specifically crawl the new enhancement, and WebInspect will verify it properly while performing minimal crawling or regression testing on the rest of the application.

The solution offers robust session management capabilities. For applications with MFA or username/password requirements, we can provide credentials manually or create a login macro. When the session expires, it will execute the macro to obtain a new session and continue crawling. These features are very practical. WebInspect also includes API testing capabilities, which is particularly useful when proper Burp licenses are unavailable.

Regarding reporting, it generates comprehensive PDF reports with various customization options. It details vulnerability information, affected URLs, and highlights manipulated requests and responses. The report includes an appendix section explaining each vulnerability type, identification methods, potential exploits, and remediation steps. It also groups similar vulnerabilities found across different pages for better organization.

WebInspect works efficiently with Java-based or .NET based applications. However, it struggles with Salesforce applications, where it requires approximately 20-24 hours to crawl and audit but produces minimal findings, necessitating manual verification.

The solution offers customization features for crawling and vulnerability detection. It includes various security frameworks and allows selection of specific vulnerability types to audit, such as OWASP Top 10 or JavaScript-based vulnerabilities. When working with APIs, we can select OWASP API Top 10. The tool also supports custom audit features by combining different security frameworks.

For on-premises deployment, the setup is complex, particularly regarding SQL server configuration. Unlike Burp Suite or OpenText Dynamic Application Security Testing, which have simpler setup processes, WebInspect requires SQL server setup to function.

I have been using WebInspect since I entered the security domain four or five years ago. During this period, I briefly switched to OpenText Dynamic Application Security Testing but returned to WebInspect.

There are deployment issues with the solution.

The on-premises version of WebInspect presents significant challenges. When running crawling and auditing operations, it consumes substantial system memory, making it difficult to use other applications simultaneously. The cloud version functions more smoothly without these resource constraints.

Another issue involves the crawling engine occasionally entering infinite loops. For instance, in an application with 15 URLs, the crawler might get stuck on the tenth URL, causing the scan to continue indefinitely. This problem is specific to the on-premises version due to storage limitations. The on-premises version connects to SQL server with a 9GB limit per scan, causing automatic termination if exceeded.

The solution offers different license tiers based on scalability needs. For 1-9 applications, the license allows crawling or auditing one application at a time. Higher-tier licenses support simultaneous processing of multiple applications, with options available for 10-50 applications and more than 100 applications. The cloud version allows unlimited simultaneous application scanning.

Our organization has been assigned a dedicated support person from Fortify. This vendor representative is highly accessible through various communication channels including calls, chat, and email. However, I cannot speak to the support experience for individual users or organizations with fewer licenses. Since our organization runs multiple projects using Fortify with numerous licenses, we receive prioritized attention from the vendor.

Positive

HCL AppScan offers multi-factor authentication handling, which WebInspect lacks. With WebInspect, we must request the development team to disable MFA, whereas HCL AppScan can automate this process. Regarding Burp Suite, it serves a different purpose as organizations primarily use it for manual testing rather than automated DAST, where they prefer WebInspect, OpenText Dynamic Application Security Testing, or AppScan.

We have implemented WebInspect into the Azure pipeline in one of our projects.

Other

The solution provides various licensing tiers for different scales of operation. For 1-9 applications, single application processing is available. Larger tiers support simultaneous processing of multiple applications. The cloud version enables unlimited concurrent application scanning.

While I am not directly involved with licensing, I can share that our project's license for 1-9 applications costs between $15,000 to $19,000. In comparison, Burp Suite costs approximately $500 to $540 for similar functionality.

The on-premises version of WebInspect presents significant challenges regarding system resource consumption and memory usage. The cloud version offers better performance and stability.

The setup process for on-premises deployment requires SQL server configuration knowledge and can be complex compared to simpler solutions.

The solution offers excellent scalability through different license tiers, supporting various deployment sizes from small to enterprise level.

Based on the overall experience, this solution receives a rating of 8 out of 10.

I used Fortify WebInspect for inspecting web pages in production testing, oriented towards financial services.

In the beginning, the functionality of Fortify WebInspect was clear and uncomplicated. The transaction recorder within WebInspect is easy to use, which is valuable for our team.

The main area for improvement in Fortify WebInspect is the price, as it is too high compared to the market rate. The cost of the license depends on the number of virtual users and, in comparison to other solutions, is approximately 25% higher.

I used Fortify WebInspect for approximately three to four years with my team on different projects, but not personally.

I did not have technical support from the manufacturer because my team currently uses another solution.

I used Fortify WebInspect with my team, but now we don't have any solution.

The price of Fortify WebInspect is high, with the cost depending on the number of virtual users. It is approximately 25% higher than other solutions.

I recommend Fortify WebInspect to medium-sized or large enterprise companies, but with a budget in mind. On a scale from zero to ten, I would score Fortify WebInspect between seven and eight because it is good in functionality, but the price is in the middle of the market.

Customers use Fortify WebInspect to scan web applications and get results with recommendations. After running scans, customers often have questions and need my support or recommendations to understand how to fix the issues identified. This includes understanding what vulnerabilities were found and what they mean.

The most valuable feature of Fortify WebInspect for me is the ability to scan with user authentication, like login credentials. This is crucial when scanning web applications because we need to input information like usernames and passwords to uncover vulnerabilities that appear after logging in. This feature helps identify more vulnerabilities on the website.

The feature that has been most influential in identifying vulnerabilities is its ability to crawl the website, understand the structure, and analyze the network packets sent and received.

I want to enhance automation. Currently, Fortify WebInspect can scan and find vulnerabilities, but users with specific skills need to interpret the results and understand how to address them. While Fortify WebInspect has automated scanning capabilities, it's not fully automated for 100% of the tasks. It can identify the website's structure and what the website uses. Still, for penetration testing, users like me or the customers must manually verify and test certain aspects to ensure the vulnerabilities are effectively addressed. They could develop a feature that automates sending packets back and forth, performing penetration tests, and verifying the impact of vulnerabilities, significantly enhancing the tool. It should be able to compromise vulnerabilities, report on them, and list the most critical issues that need fixing.

I have been working with Fortify WebInspect since 2013.

I would rate Fortify WebInspect a nine out of ten. I find it highly stable and haven't encountered any issues using the software.

For scalability, I would rate Fortify WebInspect an eight out of ten. 

The scalability is good, but there's sometimes a gap between security and development needs. About five of my customers are using Fortify WebInspect, but in the past, there were around ten, though some couldn't renew due to budget constraints. The customers range from small to large enterprises, including banks, SMEs, and telecom companies.

The support team is knowledgeable about the issues and resolutions. However, sometimes, when scanning, they need to investigate further and can't always provide immediate answers, especially with complex web application vulnerabilities. However, they are competent and supportive of software-related issues.

Positive

The initial setup of Fortify WebInspect is easy. It is usually on-premises and takes about one hour if everything is ready, like the physical or virtual machines. Our usual deployment process involves preparing a server or laptop, installing WebInspect, and configuring it with the included SQL Express or the customer's existing SQL Server if they have a centralized database. This setup
is straightforward and typically involves just one license on one machine.

I would rate it ten out of ten. 

 For anyone considering Fortify WebInspect, I highly recommend it. It is a valuable tool with many benefits for web applications, especially regardingsecurity. Since many businesses rely on web applications, focusing on their security is crucialto prevent potential threats. Fortify WebInspect helps achieve this by effectively reducing vulnerabilities.

Regarding artificial intelligence, integrating AI with Fortify WebInspect would be a significant improvement. It would enhance the tool's ability to detect and analyze vulnerabilities, making it more efficient. Automated learning could help make better decisions on identifying and addressing vulnerabilities, which would result in even better outcomes.

Overall, I would rate Fortify WebInspect nine out of ten.

Mostly, we use Fortify WebInspect to scan our applications. This includes whatever applications we are delivering to our customers. We aim to find out security vulnerabilities and other issues, so we can identify and fix them before releasing to the customer. This is the use case, as we strive to deliver applications free from vulnerabilities.

Fortify WebInspect contributes significantly to improving our Security Development Life Cycle (SDLC) security posture. The tool provides comprehensive vulnerability assessments which help ensure our deliverables are as free from vulnerabilities as possible. It has also streamlined our web application vulnerability assessments, assisting us in delivering secure applications to our clients.

There are many features that we find valuable in Fortify WebInspect. For example, Fortify's security scan reports, especially the initial fast scan, which assesses the functional application for security testing, have been critical. Given the priority of security vulnerabilities for all deliverables, the alignment with top ten vulnerabilities standards and its ability to detect even complex vulnerabilities is invaluable.

I would like WebInspect's scanning capability to be quicker. Specifically, being able to scan a particular flow or part of an application more rapidly would be beneficial. Additionally, the cost of the licensing, particularly for multiple user licenses, could be more relevant, which would improve affordability and distribution among users.

We have been working with Fortify WebInspect for more than two or three years.

Fortify WebInspect is quite stable. It provides reliable reports that help us manage vulnerabilities effectively. While there may be some vulnerabilities that require manual monitoring for complex projects, I generally feel confident relying on it for vulnerability management. I would rate stability between eight and nine out of ten.

While Fortify WebInspect is somewhat scalable, scanning multiple applications simultaneously poses challenges. Overall, I would rate scalability between seven and eight out of ten.

We receive proper and prompt responses from customer and technical support, so there are no complaints. I would rate customer support between nine and ten out of ten.

Positive

The setup of Fortify WebInspect is straightforward and has no significant complexity, especially for our technical team. I would rate the ease of setup as nine out of ten.

Fortify WebInspect can be a bit expensive. However, considering its stability and reliability in meeting current standards, the cost is justified. Still, making the cost more affordable for multiple user licenses would be beneficial.

For those who have not yet tried WebInspect, I would definitely recommend it due to its high reliability and stability. It is an excellent tool for ensuring the removal of vulnerabilities from any organization's systems.

I would rate it a nine out of ten.

We develop software packages for clients, and these clients are mostly in the BFSI sector. The packages need to be scanned, and we engage Fortify WebInspect for this. 

Customers typically perform their own application pen tests, but in some cases, we have engagements where customers want us to scan the dynamic codes, which is where we use WebInspect.

The automated scanning capabilities of Fortify WebInspect allow us to generate immediate reports for customers, providing faster detection and fixing of issues.

Fortify WebInspect allows us to scan most file extensions, even for packages or workloads created on the cloud. 

It is easy to use, and its reporting is fairly simple. Additionally, it effectively removes false positives quickly, leading to better reporting.

There are some file extensions, like .SER, that Fortify WebInspect doesn't scan. For these, we have to depend on other tools like GitHub scanners.

I have been working with Fortify WebInspect for almost eight years now.

Fortify WebInspect is very stable, with no significant issues observed.

The scalability is good. It depends on the licenses, but I have not seen any challenges around latency or other issues.

The support varies as the OEM has changed multiple times (HP, Microfocus, OpenText). Currently, the support is less responsive compared to earlier days.

Neutral

We have used Check Point and Checkmarx minimally, but the primary focus has been on Fortify.

The initial setup can be rated between seven and nine out of ten. For new users, it might be a seven out of ten. However, for experienced users, it's easier and can be rated as a nine out of ten.

The deployment process depends on the client's needs and can vary from client to client. It could be on-premises or on the cloud and sometimes just for scanning.

Pricing depends on the deal and can vary. Smaller clients might find it challenging to afford Fortify WebInspect, while it is more suitable for medium to large enterprises. The OEMs tend to price specifically per deal.

We evaluated Check Point and Checkmarx, although neither was used extensively.

For medium to large enterprises, Fortify WebInspect is a good, stable, and secure solution. I'd rate the solution eight out of ten.

My company sells Fortify WebInspect to our customers.

The most valuable feature of the solution is that it is a powerful tool that has many customers with multiple use cases.

Fortify WebInspect's shortcoming stems from the fact that it is a very expensive product in Korea, which makes it difficult for its potential customers to introduce the product in their IT environment. The pricing of the product is an area that can be considered for improvement. In the future, Fortify WebInspect should be made available at a cheaper rate since, in Korea, there are many other cheap alternatives available.

I have been using Fortify WebInspect for over ten years. I use Fortify WebInspect 23.1. My company is a reseller of the solution.

Stability-wise, I rate the solution a five out of ten. The product has some bug-related issues, especially when it releases new versions.

Scalability-wise, I rate the solution a seven out of ten.

My company caters to two or three customers.

The solution's technical support was very helpful. I rate the technical support an eight out of ten.

Positive

The installation phase of the product is slightly complex, making it not so easy.

The product does not come in packaging, so one needs to install a database, after which one can install the product by activating the license and updating it whenever required. Fortify WebInspect has many processes involved in its installation phase compared to the other products in the market. Certain Korean products can be installed with just one step. I need to support my customers with the product's installation phase.

The installation process takes a day or two to complete, but for some of my customers, it takes a month since they do not have any experience or knowledge about the product.

The solution is deployed on-premises.

Fortify WebInspect is a very expensive product.

During the evaluation phase, my company considered products like HCL AppScan and a product from Synopsys.

I recommend the solution to its potential users for trial. Fortify WebInspect is a very old product and helps with many use cases owing to its powerful functionalities.

I take care of the maintenance part of the product. Three of my colleagues who are engineers also help me with the maintenance phase.

Considering the licensing cost of the product, bug-related issues, and difficulty in installation compared to other products, I rate the overall product a seven to eight out of ten.

This is a scanning tool. We carried out a POC with the aim of taking a proactive approach to scanning the applications and remediating the vulnerabilities in the development environment. We have 15-18 applications currently using Fortify. We'll be testing additional applications in the coming months. 

WebInspect has the ability to scan an application and find vulnerabilities in the early stages of development. It also integrates with some of the applications as a part of the developing tool itself. It's a very good feature. 

We were not able to host or install Fortify in some of our systems due to incompatibility. For a core company like ours using products like AppRizzo and similar technologies, the integration or installation of Fortify within the use tools would offer an upper hand relative to other scanning tools. Most organizations want a very seamless integration or installation with the many different technologies they use for their respective units.

We've been using this solution for 18 months. 

From a stability perspective, this is a good solution. It doesn't change the meta code which is an issue we've had with other scanning tools where the metadata changes when they're run in production and it can destabilize. 

The solution is scalable, particularly when it integrates with other products. 

I haven't had any interaction with technical support as it's managed by a separate team but I believe that they provide a good service. 

We previously used Netsparker but we were unable to use it across our entire landscape which is why we moved to Fortify. That said, Fortify has its own challenges although not as many limitations as Netsparker. 

The complexity or otherwise of the initial setup depends on the technology you are using. It can be seamless but can also be complicated. If one particular scanning tool works across all the technologies or softwares then it is very easy but from the stakeholder standpoint, it can get very confusing when we share multiple reports. We have a development and operations team who take care of maintenance.

This is an expensive product. They have some constraints which is why we only purchased a few annual licenses. Enterprise organizations will have many users so it may be more cost-effective.

This is a good scanning tool. I recommend having your application scanned in the early stages of your development so that you don't get into back and forth development cycles and deployment in production can be done more efficiently. 

 I rate this solution eight out of 10. 

Most of the time, it is used to access the current state of a client's web application. Sometimes it's used to test in the test environment, and sometimes in the enterprise environment, for example, the published environment. It mainly scans and checks for critical vulnerabilities. 

It can also check the differences between the web application, between the crawled URLs. It's not the main functionality, however, it is possible to use it in that manner. 

We like that we can see the request and response and create our own requests and see those responses. 

There are lots of small settings and tools, like an HTTP editor, that are very useful.

It is mostly stable. 

Support is very helpful. 

The setup is easy.

Depending on the deployment type, it can scale. 

We have had a problem with authentification. Most applications need authentication to scan to show results correctly. It doesn't allow for various types of authentications.

We have had some bugs on the solution.

The on-premises deployment does not scale. 

I've been using the solution for two years. 

The solution is stable and reliable. I'd rate it eight or nine out of ten. We have had some bugs. However, it's mostly stable. 

The solution can scale, depending on the installation, from desktop to cloud. The cloud is easy to scale. The desktop is not scalable. In our case, since we are on-premises, I'd rate scalability two or three out of ten for the ability to scale. 

Most of our clients are small to medium-sized organizations. 

We had some cases open with the vendor concerning bugs and received very good help. They are responsive and solve our issues. 

Positive

The initial setup is mostly easy. You may need some skills if you start to use more of the tools and begin to customize. I'd rate the ease of setup eight out of ten. 

Our deployment takes one to two weeks. It shouldn't take more than two weeks.

We only had one person handling the deployment. 

Basically, we ask clients what they need, design the architecture, and then deploy it into the network on-premises. After testing, we start using it on a daily basis. We can help customers with training, so they know how to use the solution. 

The solution may occasionally need additional certificates installed. However, not much maintenance is needed. 

I haded the initial setup myself, in-house. 

I cannot speak to the exact pricing of the solution. I handle the technical side of things. I'm not involved in licensing or sales. 

We are integrators. 

We're always dealing with the latest version of the solution. The latest would be 22.1. I started with using 20.1.

I'd recommend the solution. It's a helpful tool. 

I would rate the solution overall at an eight out of ten. It will continue to evolve, I'm sure. 

Fortify WebInspect can be deployed on the cloud or on-premise.

Fortify WebInspect is used as a vulnerability scanner for applications.

Fortify WebInspect could improve user-friendliness. Additionally, it is very bulky to use.

I have been using Fortify WebInspect for approximately one year.

The stability of Fortify WebInspect could improve.

Fortify WebInspect is a scalable solution, it is good for a lot of applications.

The technical support of Fortify WebInspect is great.

The initial setup of Fortify WebInspect is complex.

My advice to others using Fortify WebInspect is not to use it, there are better solutions in the market.

I rate Fortify WebInspect a five out of ten.

We use this solution for security testing.

The most valuable feature of this solution is the ability to make our customers more secure.

A localized version, for example, in Korean would be a big improvement to this solution. 

We have been using this solution for 14 years. 

This is a stable solution. 

The initial setup is straightforward. 

This solution is very expensive. 

I would rate this solution an eight out of ten.