What is our primary use case?
We use it for code scanning, security scanning, and finding vulnerabilities.
I am using its latest version. I have Fortify code scan on the cloud and Fortify WebInspect on-premise for a dynamic scan. So, SAST is on the cloud, and DAST is on-premise.
What is most valuable?
Reporting, centralized dashboard, and bird's eye view of all vulnerabilities are the most valuable features.
The vulnerability management part of it is very easy. We can suppress or comment on each vulnerability and assign a vulnerability to an individual risk owner, which makes the work easy.
What needs improvement?
It requires improvement in terms of scanning. The application scan heavily utilizes the resources of an on-premise server. 32 GB RAM is very high for an enterprise web application.
Its installation and maintenance are not easy. Its updates and upgrades are hard.
Its performance needs to be stabilized. It should also be able to find more vulnerabilities than other tools.
It is expensive. Its price needs to be improved.
For how long have I used the solution?
I have been using this solution for five years.
What do I think about the stability of the solution?
Its performance is good, but it takes a lot of resources in terms of CPU utilization, so stability-wise, there are problems at times.
What do I think about the scalability of the solution?
We have 70 to 80 users who use this solution. Its scalability is easy. You just need to add another server, if required.
How are customer service and support?
We have contacted them for multiple issues. Sometimes, scanning didn't work, and the reports didn't come, so we had to escalate. My experience with them was fair. It wasn't great. We asked for remote control or remote setup, but they never provided that. There is no remote assistance. You need to upload the logs. They review and reply back on time. Their response time is very short, which is good, but if we need remote help, it is not easy. You don't get that immediately.
Which solution did I use previously and why did I switch?
I have also been using AppScan. The performance of AppScan is good, but WebInspect has more features, such as a centralized dashboard and the ability to assign a risk into priorities. It is an enterprise and feature-rich tool, but performance-wise, AppScan is good.
How was the initial setup?
The on-premise setup is complex. It requires the installation of a lot of tools, software, licenses, and so on. Its installation is very complex as compared to the other tools in the market. It took us a week.
It requires some maintenance in terms of logs. It collects a lot of logs, and you need to remove those logs and keep updating the software. The update is not that regular, and you need to install the update manually on each of the servers. The update requires a lot of effort. It's not a simple auto-update feature.
What about the implementation team?
We had to take help from the vendor. At one point, I was stuck, and the vendor had to install it. They were pretty supportive.
What's my experience with pricing, setup cost, and licensing?
Its price is almost similar to the price of AppScan. Both of them are very costly.
Its price could be reduced because it can be very costly for unlimited IT scans, etc. I'm not sure, but it can go up to $40,000 to $50,000 or more than that.
What other advice do I have?
While implementing WebInspect, it is always better to keep all the required software installed and ready. The installation of WebInspect has a lot of dependencies, such as .NET, Java, SQL database, etc. All of the data does not come in-built. So, the moment you start building it, if it creates a problem, you have to remove and reinstall everything from scratch and then come back, which takes a lot of time. So, it is better to have those prerequisites handy, pre-installed, and tested.
I would rate it a seven out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.