Fortify WebInspect Reviews

We use this solution for security testing.

The most valuable feature of this solution is the ability to make our customers more secure.

A localized version, for example, in Korean would be a big improvement to this solution. 

We have been using this solution for 14 years. 

This is a stable solution. 

The initial setup is straightforward. 

This solution is very expensive. 

I would rate this solution an eight out of ten. 

We use it for code scanning, security scanning, and finding vulnerabilities.

I am using its latest version. I have Fortify code scan on the cloud and Fortify WebInspect on-premise for a dynamic scan. So, SAST is on the cloud, and DAST is on-premise.

Reporting, centralized dashboard, and bird's eye view of all vulnerabilities are the most valuable features.

The vulnerability management part of it is very easy. We can suppress or comment on each vulnerability and assign a vulnerability to an individual risk owner, which makes the work easy.

It requires improvement in terms of scanning. The application scan heavily utilizes the resources of an on-premise server. 32 GB RAM is very high for an enterprise web application.

Its installation and maintenance are not easy. Its updates and upgrades are hard.

Its performance needs to be stabilized. It should also be able to find more vulnerabilities than other tools.

It is expensive. Its price needs to be improved.

I have been using this solution for five years.

Its performance is good, but it takes a lot of resources in terms of CPU utilization, so stability-wise, there are problems at times.

We have 70 to 80 users who use this solution. Its scalability is easy. You just need to add another server, if required.

We have contacted them for multiple issues. Sometimes, scanning didn't work, and the reports didn't come, so we had to escalate. My experience with them was fair. It wasn't great. We asked for remote control or remote setup, but they never provided that. There is no remote assistance. You need to upload the logs. They review and reply back on time. Their response time is very short, which is good, but if we need remote help, it is not easy. You don't get that immediately.

I have also been using AppScan. The performance of AppScan is good, but WebInspect has more features, such as a centralized dashboard and the ability to assign a risk into priorities. It is an enterprise and feature-rich tool, but performance-wise, AppScan is good.

The on-premise setup is complex. It requires the installation of a lot of tools, software, licenses, and on. Its installation is very complex as compared to the other tools in the market. It took us a week.

It requires some maintenance in terms of logs. It collects a lot of logs, and you need to remove those logs and keep updating the software. The update is not that regular, and you need to install the update manually on each of the servers. The update requires a lot of effort. It's not a simple auto-update feature.

We had to take help from the vendor. At one point, I was stuck, and the vendor had to install it. They were pretty supportive.

Its price is almost similar to the price of AppScan. Both of them are very costly. 

Its price could be reduced because it can be very costly for unlimited IT scans, etc. I'm not sure, but it can go up to $40,000 to $50,000 or more than that.

While implementing WebInspect, it is always better to keep all the required software installed and ready. The installation of WebInspect has a lot of dependencies, such as .NET, Java, SQL database, etc. All of the data does not come in-built. So, the moment you start building it, if it creates a problem, you have to remove and reinstall everything from scratch and then come back, which takes a lot of time. So, it is better to have those prerequisites handy, pre-installed, and tested.

I would rate it a seven out of 10.

The FPA and Audit Workbench are very helpful for me. When we are integrating it with SSC, we're able to scan and trace and see all of the vulnerabilities. Comparison is easy in SSC.

It's very detailed with examples for each vulnerability. It's very good for the users and beginners. It doesn't take a lot of time to understand the tool.

I've been using this solution for three years.

It's stable and user friendly.

It's scalable.

I haven't needed to contact technical support.

It's very straightforward.

The price is okay.

I would rate this solution 8 out of 10.

Fortify WebInspect is always the first tool I recommend for users.

We primarily use the solution to test web applications regularly.

The solution is able to detect a wide range of vulnerabilities. It's better at it than other products.

The solution is on the expensive side. It's something that clients comment on. If they could make it more reasonable, it would be better.

Lately, we've seen more false negatives.

I've been dealing with the solution for three years at this point.

The solution is largely stable. We've only noticed recently that there are more false negatives. I'm not sure if that means there's an issue or not.

In terms of scalability, many of our customers only have 20-30 websites and therefore one scanner fulfills their requirement. In that sense, we've never really tried to scale the product.

For the most part, WebInspect has pretty good technical support. Not all Micro Focus products have equally good support.

We suggest different solutions to our clients. Some might use Acunetix. We've also used ForeSite in the past as well.

The solution is rather expensive. It's not cheap. If you compare it to, for example, Acunetix, Acunetix is cheaper.

While we generally like WebINspect, if a client has a smaller budget, we might suggest Acunetix simply because it is cheaper. However, if a customer's priority was better scanning for their application, we would suggest WebInspect. We like to give our clients options and choices. We prefer to provide them with options that meet their needs and address their pain points.

Overall, I would rate the solution seven out of ten. If the price was a bit better, I would rate them higher.

This is a security testing tool that is used by our security team and the QA team.

The accuracy of its scans is great. Provided it does not freeze, or somebody from another team is not trying to use the same resources, it works well.

The integration with the Fortify code scanner is nice because you combine those two elements and get one output.

Our biggest complaint about this product is that it freezes up, and literally doesn't work for us. It may be in part the way we have it set up, or how we've licensed it.

It is awkward and not very friendly to work with.

The version that I am using is not capable of generating reports to HTML or PDF, so I can't share them. I have to get somebody else to log into the application and view the results themselves. Simply, I can't output a report that I can easily share.

We have been using WebInspect for about one year.

The experience that I have had is that it is not stable.

Scalability is probably fine if you buy more licenses.

I have not worked with their technical support.

Our licensing is such that you can only run one scan at a time, which is inconvenient. The licensing was bundled with Fortify so I'm sure that we paid for it in some context, although I don't know what the exact cost would be.

We are using this WebInspect in conjunction with Fortify. We're not using the client-host based deployment, but rather, a web-based one. The agent is not installed on my machine.

The suitability of this product depends on your use case. If you're trying to do what we're doing in QA and security then it's probably great. If, however, you want to do things on external sites then I would suggest an external cloud-based one.

I would rate this solution a four out of ten.

We primarily use the solution for web applications and tests. 

It helped us much as it's a really good automated scanner with nice number of checks.

The solution is easy to use.

The initial setup is pretty straightforward and the deployment is quick.

The solution has good documentation.

The product is a good option for enterprise-level organizations.

The scanner could be better. 

The out of bounds channel is missing and it makes it hard to nail down the vulnerabilities.

I hadn't been working with the solution for very long; I worked with it at my last company.

The first time we ran the module, it was okay, however, the next time we ran it, it almost crashed. For example, when I started the proxy, I tried to create some traffic from the application and nothing happened, but then, after that, everything began to hang. I'm not sure if this was an issue with a particular version or not. I'm not sure if it was some sort of bug.

Typically, if I have an issue, I contact my internal support team. They may directly contact technical support. However, I have not done so myself. Therefore, I can't speak to their responsiveness or knowledge levels.

I've used PortSwigger in the past, and it was a pretty good product as well.

The initial setup is not complex. It's pretty straightforward. You just have to download it to the Microsoft server and you're done.

The total deployment may take an hour, or, at maximum, two.

I handled the implementation myself.

We used Acunetix and Netsparker with Burp Suite.

We're just customers. We don't have a business relationship with the company.

I would recommend WebInspect to enterprise-level organizations. to use. For a smaller company, I'd recommend something more automated. WebInspect has far more manual work, however, it does have good documentation. 

Overall, I'd rate the solution eight out of ten.

We use WebInspect for performance network application testing to be sure that we aren't creating any security issues.

The most valuable feature is the performance.

The user interface is ok and it is very simple to use.

There were times when we had to run the login sequence several times in order to capture it properly.

It took us between eight and ten hours to scan an entire site, which is somewhat slow and something that I think can be improved.

I have been using WebInspect for about one year.

The stability is good.

Scalability has only been an issue in that larger sites take a lot longer to scan.

I have not been in contact with technical support.

I have used Qualys in the past but more for vulnerability management in the infrastructure, as opposed to web application security.

The initial setup is straightforward and very simple. I simply download the file on my home laptop and started testing with it.

I can deploy this solution on my own.

I have been told by friends and colleagues that Acunetix is better, so I will be evaluating that solution in the future.

I would rate this solution a seven out of ten.

I am using WebInspect for finding vulnerabilities.

The most valuable feature is the static analysis.

Creating reports is very slow and it is something that should be improved.

In the future, I would like to see better integration between static analysis and dynamic analysis.

I have been working with WebInspect for one year.

We have never had a problem with stability.

This is a scalable solution. I performed an analysis of more than five million rows and it took perhaps three hours.

Technical support is a bit slow, as sometimes it takes too long to get responses. However, the support is good because our problem was fixed after just one interaction with them.

Prior to using WebInspect, I was using SonarQube. The problem with SonarQube is that they are not very good at analyzing ASP.NET applications, so I gave up on it.

The pricing is not clear and while it is not high, it is difficult to understand.

I would rate this solution an eight out of ten.