Fortify WebInspect Overview

Fortify WebInspect is the #1 ranked solution in top Dynamic Application Security Testing (DAST) tools. PeerSpot users give Fortify WebInspect an average rating of 6 out of 10. Fortify WebInspect is most commonly compared to Micro Focus Fortify on Demand: Fortify WebInspect vs Micro Focus Fortify on Demand. Fortify WebInspect is popular among the large enterprise segment, accounting for 73% of users researching this solution on PeerSpot. The top industry researching this solution is computer software, with professionals from computer software companies accounting for 30% of all views.
Fortify WebInspect Buyer's Guide

Download the Fortify WebInspect Buyer's Guide including reviews and more. Updated: May 2022

What is Fortify WebInspect?

Fortify WebInspect is an automated DAST solution that helps security professionals and QA testers uncover security vulnerabilities and configuration concerns by providing complete vulnerability detection. This is accomplished by mimicking real-world external security attacks on a live application in order to discover and prioritize concerns for root-cause study. Fortify WebInspect provides a number of REST APIs for easier integration, as well as the ability to be maintained via an intuitive UI or totally automated.

Fortify WebInspect may be used as a completely automated solution to suit DevOps and scaling requirements, and it integrates seamlessly with the SDLC. REST APIs aid in closer integration by automating scans and ensuring that compliance standards are satisfied. Users can make use of pre-built integrations for Micro Focus Lifecycle Management (ALM) and Quality Center, as well as other security testing and management platforms.

Teams may reuse current scripts and tools thanks to powerful connectors. Any Selenium script can be simply integrated with Fortify WebInspect. Fortify WebInspect supports Swagger and OData formats via the WISwag command line tool, allowing it to work with any DevOps workflow. A scan template can be pre-configured by ScanCentral Admin and sent to users to scan their apps, with zero security knowledge required.

Fortify WebInspect Features

Fortify WebInspect has many valuable key features. Some of the most useful ones include:

  • Security testing of functional applications (FAST): FAST can use all of the functional tests in the same way as IAST does, but it will continue crawling. FAST will not miss anything that a functional test misses.
  • Insights from a hacker's perspective: View discoveries such as client-side frameworks and version number. These are findings that, if not addressed, could lead to vulnerabilities.
  • Workflow macros HAR files: Fortify WebInspect can scan workflows with HAR files, ensuring that crucial content is not missed.
  • Management of compliance: Preconfigured policies and reports for all key online application security compliance regulations, such as PCI DSS, DISA STIG, NIST 800-53, ISO 27K, OWASP, and HIPAA.
  • Horizontal scaling can help you speed up your work: Using Kubernetes, horizontal scaling creates little versions of WebInspect that only process JavaScript. This allows the scans to run in parallel, resulting in significantly faster scans.
  • Scan any API for better accuracy: Get the complete picture on APIs, including SOAP, REST, Swagger, OpenAPI, and Postman.
  • Managing the security of enterprise applications: To meet DevOps requirements, monitor trends within an application and take action on the most critical issues first.
  • Deployment options: With the flexibility of on-premise, SaaS, or AppSec-as-a-service, you can get started immediately and scale as needed.

Fortify WebInspect Benefits

There are many benefits to implementing Fortify WebInspect. Some of the biggest advantages the solution offers include:

  • Vulnerabilities are discovered faster and earlier.
  • Automation and agent technology can help you save time.
  • Users can crawl modern frameworks and web technologies.
  • ScanCentral DAST helps you manage enterprise app security risk.

Reviews from Real Users

Fortify WebInspect stands out among its competitors for a number of reasons. One major one is its robust centralized dashboard, which gives insight into all vulnerabilities.

Milin S., an Information Security Architect at a real estate/law firm, writes of the product, “Reporting, centralized dashboard, and bird's eye view of all vulnerabilities are the most valuable features. The vulnerability management part of it is very easy. We can suppress or comment on each vulnerability and assign a vulnerability to an individual risk owner, which makes the work easy.”

Fortify WebInspect was previously known as Micro Focus WebInspect, WebInspect.

Fortify WebInspect Customers

Aaron's

Fortify WebInspect Pricing Advice

What users are saying about Fortify WebInspect pricing:
  • "Its price is almost similar to the price of AppScan. Both of them are very costly. Its price could be reduced because it can be very costly for unlimited IT scans, etc. I'm not sure, but it can go up to $40,000 to $50,000 or more than that."
  • "Our licensing is such that you can only run one scan at a time, which is inconvenient."
  • "The price is okay."
Fortify WebInspect Reviews

    Milin Shah - PeerSpot reviewer
    Information Security Architect at a real estate/law firm with 1,001-5,000 employees
    Real User
    Good reporting and vulnerability management, but needs better performance and resource utilization
    Pros and Cons
    • "Reporting, centralized dashboard, and bird's eye view of all vulnerabilities are the most valuable features."
    • "It requires improvement in terms of scanning. The application scan heavily utilizes the resources of an on-premise server. 32 GB RAM is very high for an enterprise web application."

    What is our primary use case?

    We use it for code scanning, security scanning, and finding vulnerabilities. I am using its latest version. I have Fortify code scan on the cloud and Fortify WebInspect on-premise for a dynamic scan. So, SAST is on the cloud, and DAST is on-premise.

    What is most valuable?

    Reporting, centralized dashboard, and bird's eye view of all vulnerabilities are the most valuable features. The vulnerability management part of it is very easy. We can suppress or comment on each vulnerability and assign a vulnerability to an individual risk owner, which makes the work easy.

    What needs improvement?

    It requires improvement in terms of scanning. The application scan heavily utilizes the resources of an on-premise server. 32 GB RAM is very high for an enterprise web application. Its installation and maintenance are not easy. Its updates and upgrades are hard. Its performance needs to be stabilized. It should also be able to find more vulnerabilities than other tools. It is expensive. Its price needs to be improved.

    For how long have I used the solution?

    I have been using this solution for five years.

    What do I think about the stability of the solution?

    Its performance is good, but it takes a lot of resources in terms of CPU utilization, so stability-wise, there are problems at times.

    What do I think about the scalability of the solution?

    We have 70 to 80 users who use this solution. Its scalability is easy. You just need to add another server, if required.

    How are customer service and support?

    We have contacted them for multiple issues. Sometimes, scanning didn't work, and the reports didn't come, so we had to escalate. My experience with them was fair. It wasn't great. We asked for remote control or remote setup, but they never provided that. There is no remote assistance. You need to upload the logs. They review and reply back on time. Their response time is very short, which is good, but if we need remote help, it is not easy. You don't get that immediately.

    Which solution did I use previously and why did I switch?

    I have also been using AppScan. The performance of AppScan is good, but WebInspect has more features, such as a centralized dashboard and the ability to assign a risk into priorities. It is an enterprise and feature-rich tool, but performance-wise, AppScan is good.

    How was the initial setup?

    The on-premise setup is complex. It requires the installation of a lot of tools, software, licenses, and so on. Its installation is very complex as compared to the other tools in the market. It took us a week. It requires some maintenance in terms of logs. It collects a lot of logs, and you need to remove those logs and keep updating the software. The update is not that regular, and you need to install the update manually on each of the servers. The update requires a lot of effort. It's not a simple auto-update feature.

    What about the implementation team?

    We had to take help from the vendor. At one point, I was stuck, and the vendor had to install it. They were pretty supportive.

    What's my experience with pricing, setup cost, and licensing?

    Its price is almost similar to the price of AppScan. Both of them are very costly. Its price could be reduced because it can be very costly for unlimited IT scans, etc. I'm not sure, but it can go up to $40,000 to $50,000 or more than that.

    What other advice do I have?

    While implementing WebInspect, it is always better to keep all the required software installed and ready. The installation of WebInspect has a lot of dependencies, such as .NET, Java, SQL database, etc. All of the data does not come in-built. So, the moment you start building it, if it creates a problem, you have to remove and reinstall everything from scratch and then come back, which takes a lot of time. So, it is better to have those prerequisites handy, pre-installed, and tested. I would rate it a seven out of 10.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Security Engineer at Secure Network
    Real User
    Easy to use with a simple deployment and good documentation
    Pros and Cons
    • "The solution is easy to use."
    • "The scanner could be better."

    What is our primary use case?

    We primarily use the solution for web applications and tests. 

    How has it helped my organization?

    It helped us a lot, as it's a really good automated scanner with a nice number of checks.

    What is most valuable?

    The solution is easy to use.

    The initial setup is pretty straightforward and the deployment is quick.

    The solution has good documentation.

    The product is a good option for enterprise-level organizations.

    What needs improvement?

    The scanner could be better. 

    The out of bounds channel is missing and it makes it hard to nail down the vulnerabilities.

    For how long have I used the solution?

    I hadn't been working with the solution for very long; I worked with it at my last company.

    What do I think about the stability of the solution?

    The first time we ran the module, it was okay, however, the next time we ran it, it almost crashed. For example, when I started the proxy, I tried to create some traffic from the application and nothing happened, but then, after that, everything began to hang. I'm not sure if this was an issue with a particular version or not. I'm not sure if it was some sort of bug.

    How are customer service and technical support?

    Typically, if I have an issue, I contact my internal support team. They may directly contact technical support. However, I have not done so myself. Therefore, I can't speak to their responsiveness or knowledge levels.

    Which solution did I use previously and why did I switch?

    I've used PortSwigger in the past, and it was a pretty good product as well.

    How was the initial setup?

    The initial setup is not complex. It's pretty straightforward. You just have to download it to the Microsoft server and you're done.

    The total deployment may take an hour, or, at maximum, two.

    What about the implementation team?

    I handled the implementation myself.

    Which other solutions did I evaluate?

    We used Acunetix and Netsparker with Burp Suite.

    What other advice do I have?

    We're just customers. We don't have a business relationship with the company.

    I would recommend WebInspect to enterprise-level organizations. For a smaller company, I'd recommend something more automated. WebInspect has far more manual work, however, it does have good documentation.

    Overall, I'd rate the solution eight out of ten.

    Which deployment model are you using for this solution?

    On-premises

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Sr. Manager Business Operations Protection at a consumer goods company with 10,001+ employees
    Real User
    Great accuracy when scanning, but it has an interface that is awkward and not friendly to work with
    Pros and Cons
    • "The accuracy of its scans is great."
    • "Our biggest complaint about this product is that it freezes up, and literally doesn't work for us."

    What is our primary use case?

    This is a security testing tool that is used by our security team and the QA team.

    What is most valuable?

    The accuracy of its scans is great. Provided it does not freeze, or somebody from another team is not trying to use the same resources, it works well.

    The integration with the Fortify code scanner is nice because you combine those two elements and get one output.

    What needs improvement?

    Our biggest complaint about this product is that it freezes up, and literally doesn't work for us. It may be in part the way we have it set up, or how we've licensed it.

    It is awkward and not very friendly to work with.

    The version that I am using is not capable of generating reports to HTML or PDF, so I can't share them. I have to get somebody else to log into the application and view the results themselves. Simply, I can't output a report that I can easily share.

    For how long have I used the solution?

    We have been using WebInspect for about one year.

    What do I think about the stability of the solution?

    The experience that I have had is that it is not stable.

    What do I think about the scalability of the solution?

    Scalability is probably fine if you buy more licenses.

    How are customer service and technical support?

    I have not worked with their technical support.

    What's my experience with pricing, setup cost, and licensing?

    Our licensing is such that you can only run one scan at a time, which is inconvenient. The licensing was bundled with Fortify so I'm sure that we paid for it in some context, although I don't know what the exact cost would be.

    What other advice do I have?

    We are using this WebInspect in conjunction with Fortify. We're not using the client-host based deployment, but rather, a web-based one. The agent is not installed on my machine.

    The suitability of this product depends on your use case. If you're trying to do what we're doing in QA and security then it's probably great. If, however, you want to do things on external sites then I would suggest an external cloud-based one.

    I would rate this solution a four out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Senior Security Consultant
    Reseller
    Great vulnerability detection and pretty stable, but an expensive option
    Pros and Cons
    • "The solution is able to detect a wide range of vulnerabilities. It's better at it than other products."
    • "Lately, we've seen more false negatives."

    What is our primary use case?

    We primarily use the solution to test web applications regularly.

    What is most valuable?

    The solution is able to detect a wide range of vulnerabilities. It's better at it than other products.

    What needs improvement?

    The solution is on the expensive side. It's something that clients comment on. If they could make it more reasonable, it would be better.

    Lately, we've seen more false negatives.

    For how long have I used the solution?

    I've been dealing with the solution for three years at this point.

    What do I think about the stability of the solution?

    The solution is largely stable. We've only noticed recently that there are more false negatives. I'm not sure if that means there's an issue or not.

    What do I think about the scalability of the solution?

    In terms of scalability, many of our customers only have 20-30 websites and therefore one scanner fulfills their requirement. In that sense, we've never really tried to scale the product.

    How are customer service and technical support?

    For the most part, WebInspect has pretty good technical support. Not all Micro Focus products have equally good support.

    Which solution did I use previously and why did I switch?

    We suggest different solutions to our clients. Some might use Acunetix. We've also used ForeSite in the past as well.

    What's my experience with pricing, setup cost, and licensing?

    The solution is rather expensive. It's not cheap. If you compare it to, for example, Acunetix, Acunetix is cheaper.

    What other advice do I have?

    While we generally like WebInspect, if a client has a smaller budget, we might suggest Acunetix simply because it is cheaper. However, if a customer's priority was better scanning for their application, we would suggest WebInspect. We like to give our clients options and choices. We prefer to provide them with options that meet their needs and address their pain points.

    Overall, I would rate the solution seven out of ten. If the price was a bit better, I would rate them higher.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
    Prajyoti Mandal - PeerSpot reviewer
    Senior Delivery Lead at Accenture
    Real User
    FPA and Audit Workbench are very helpful and integration with SSC allows us to see vulnerabilities

    What is most valuable?

    The FPA and Audit Workbench are very helpful for me. When we are integrating it with SSC, we're able to scan and trace and see all of the vulnerabilities. Comparison is easy in SSC.

    It's very detailed with examples for each vulnerability. It's very good for the users and beginners. It doesn't take a lot of time to understand the tool.

    For how long have I used the solution?

    I've been using this solution for three years.

    What do I think about the stability of the solution?

    It's stable and user friendly.

    What do I think about the scalability of the solution?

    It's scalable.

    How are customer service and support?

    I haven't needed to contact technical support.

    How was the initial setup?

    It's very straightforward.

    What's my experience with pricing, setup cost, and licensing?

    The price is okay.

    What other advice do I have?

    I would rate this solution 8 out of 10.

    Fortify WebInspect is always the first tool I recommend for users.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner