Fortify WebInspect Overview

Fortify WebInspect is the #1 ranked solution in top Dynamic Application Security Testing (DAST) tools. PeerSpot users give Fortify WebInspect an average rating of 6.8 out of 10. Fortify WebInspect is most commonly compared to PortSwigger Burp Suite Professional. Fortify WebInspect is popular among the large enterprise segment, accounting for 70% of users researching this solution on PeerSpot. The top industry researching this solution is computer software, with professionals from computer software companies accounting for 22% of all views.
Fortify WebInspect Buyer's Guide

Download the Fortify WebInspect Buyer's Guide including reviews and more. Updated: November 2022

What is Fortify WebInspect?

Fortify WebInspect is an automated DAST solution that helps security professionals and QA testers uncover security vulnerabilities and configuration concerns by providing complete vulnerability detection. This is accomplished by mimicking real-world external security attacks on a live application in order to discover and prioritize concerns for root-cause study. Fortify WebInspect provides a number of REST APIs for easier integration, as well as the ability to be maintained via an intuitive UI or totally automated.

Fortify WebInspect may be used as a completely automated solution to suit DevOps and scaling requirements, and it integrates seamlessly with the SDLC. REST APIs aid in closer integration by automating scans and ensuring that compliance standards are satisfied. Users can make use of pre-built integrations for Micro Focus Lifecycle Management (ALM) and Quality Center, as well as other security testing and management platforms.

Teams may reuse current scripts and tools thanks to powerful connectors. Any Selenium script can be simply integrated with Fortify WebInspect. Fortify WebInspect supports Swagger and OData formats via the WISwag command line tool, allowing it to work with any DevOps workflow. A scan template can be pre-configured by ScanCentral Admin and sent to users to scan their apps, with zero security knowledge required.

Fortify WebInspect Features

Fortify WebInspect has many valuable key features. Some of the most useful ones include:

  • Security testing of functional applications (FAST): FAST can use all of the functional tests in the same way as IAST does, but it will continue crawling. FAST will not miss anything that a functional test misses.
  • Insights from a hacker's perspective: View discoveries such as client-side frameworks and version number. These are findings that, if not addressed, could lead to vulnerabilities.
  • Workflow macros HAR files: Fortify WebInspect can scan workflows with HAR files, ensuring that crucial content is not missed.
  • Management of compliance: Preconfigured policies and reports for all key online application security compliance regulations, such as PCI DSS, DISA STIG, NIST 800-53, ISO 27K, OWASP, and HIPAA.
  • Horizontal scaling can help you speed up your work: Using Kubernetes, horizontal scaling creates little versions of WebInspect that only process JavaScript. This allows the scans to run in parallel, resulting in significantly faster scans.
  • Scan any API for better accuracy: Get the complete picture on APIs, including SOAP, REST, Swagger, OpenAPI, and Postman.
  • Managing the security of enterprise applications: To meet DevOps requirements, monitor trends within an application and take action on the most critical issues first.
  • Deployment options: With the flexibility of on-premise, SaaS, or AppSec-as-a-service, you can get started immediately and scale as needed.

Fortify WebInspect Benefits

There are many benefits to implementing Fortify WebInspect. Some of the biggest advantages the solution offers include:

  • Vulnerabilities are discovered faster and earlier.
  • Automation and agent technology can help you save time.
  • Users can crawl modern web technologies and frameworks.
  • ScanCentral DAST helps you manage enterprise app security risk.

Reviews from Real Users

Fortify WebInspect stands out among its competitors for a number of reasons. One major one is its robust centralized dashboard, which gives insight into all vulnerabilities.

Milin S., an Information Security Architect at a real estate/law firm, writes of the product, “Reporting, centralized dashboard, and bird's eye view of all vulnerabilities are the most valuable features. The vulnerability management part of it is very easy. We can suppress or comment on each vulnerability and assign a vulnerability to an individual risk owner, which makes the work easy.”

Fortify WebInspect was previously known as Micro Focus WebInspect, WebInspect.

Fortify WebInspect Customers

Aaron's

Archived Fortify WebInspect Reviews (more than two years old)

Security Engineer at Secure Network
Real User
Leaderboard
Easy to use with a simple deployment and good documentation
Pros and Cons
  • "The solution is easy to use."
  • "The scanner could be better."

What is our primary use case?

We primarily use the solution for web applications and tests. 

How has it helped my organization?

It helped us a lot, as it's a really good automated scanner with a nice number of checks.

What is most valuable?

The solution is easy to use.

The initial setup is pretty straightforward and the deployment is quick.

The solution has good documentation.

The product is a good option for enterprise-level organizations.

What needs improvement?

The scanner could be better. 

The out of bounds channel is missing and it makes it hard to nail down the vulnerabilities.

For how long have I used the solution?

I hadn't been working with the solution for very long; I worked with it at my last company.

What do I think about the stability of the solution?

The first time we ran the module, it was okay, however, the next time we ran it, it almost crashed. For example, when I started the proxy, I tried to create some traffic from the application and nothing happened, but then, after that, everything began to hang. I'm not sure if this was an issue with a particular version or not. I'm not sure if it was some sort of bug.

How are customer service and support?

Typically, if I have an issue, I contact my internal support team. They may directly contact technical support. However, I have not done so myself. Therefore, I can't speak to their responsiveness or knowledge levels.

Which solution did I use previously and why did I switch?

I've used PortSwigger in the past, and it was a pretty good product as well.

How was the initial setup?

The initial setup is not complex. It's pretty straightforward. You just have to download it to the Microsoft server and you're done.

The total deployment may take an hour, or, at maximum, two.

What about the implementation team?

I handled the implementation myself.

Which other solutions did I evaluate?

We used Acunetix and Netsparker with Burp Suite.

What other advice do I have?

We're just customers. We don't have a business relationship with the company.

I would recommend WebInspect to enterprise-level organizations. For a smaller company, I'd recommend something more automated. WebInspect has far more manual work, however, it does have good documentation.

Overall, I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Security Consultant
Reseller
Great vulnerability detection and pretty stable, but an expensive option
Pros and Cons
  • "The solution is able to detect a wide range of vulnerabilities. It's better at it than other products."
  • "Lately, we've seen more false negatives."

What is our primary use case?

We primarily use the solution to test web applications regularly.

What is most valuable?

The solution is able to detect a wide range of vulnerabilities. It's better at it than other products.

What needs improvement?

The solution is on the expensive side. It's something that clients comment on. If they could make it more reasonable, it would be better.

Lately, we've seen more false negatives.

For how long have I used the solution?

I've been dealing with the solution for three years at this point.

What do I think about the stability of the solution?

The solution is largely stable. We've only noticed recently that there are more false negatives. I'm not sure if that means there's an issue or not.

What do I think about the scalability of the solution?

In terms of scalability, many of our customers only have 20-30 websites and therefore one scanner fulfills their requirement. In that sense, we've never really tried to scale the product.

How are customer service and technical support?

For the most part, WebInspect has pretty good technical support. Not all Micro Focus products have equally good support.

Which solution did I use previously and why did I switch?

We suggest different solutions to our clients. Some might use Acunetix. We've also used ForeSite in the past as well.

What's my experience with pricing, setup cost, and licensing?

The solution is rather expensive. It's not cheap. If you compare it to, for example, Acunetix, Acunetix is cheaper.

What other advice do I have?

While we generally like WebInspect, if a client has a smaller budget, we might suggest Acunetix simply because it is cheaper. However, if a customer's priority was better scanning for their application, we would suggest WebInspect. We like to give our clients options and choices. We prefer to provide them with options that meet their needs and address their pain points.

Overall, I would rate the solution seven out of ten. If the price was a bit better, I would rate them higher.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Sr. Manager Business Operations Protection at a consumer goods company with 10,001+ employees
Real User
Great accuracy when scanning, but it has an interface that is awkward and not friendly to work with
Pros and Cons
  • "The accuracy of its scans is great."
  • "Our biggest complaint about this product is that it freezes up, and literally doesn't work for us."

What is our primary use case?

This is a security testing tool that is used by our security team and the QA team.

What is most valuable?

The accuracy of its scans is great. Provided it does not freeze, or somebody from another team is not trying to use the same resources, it works well.

The integration with the Fortify code scanner is nice because you combine those two elements and get one output.

What needs improvement?

Our biggest complaint about this product is that it freezes up, and literally doesn't work for us. It may be in part the way we have it set up, or how we've licensed it.

It is awkward and not very friendly to work with.

The version that I am using is not capable of generating reports to HTML or PDF, so I can't share them. I have to get somebody else to log into the application and view the results themselves. Simply, I can't output a report that I can easily share.

For how long have I used the solution?

We have been using WebInspect for about one year.

What do I think about the stability of the solution?

The experience that I have had is that it is not stable.

What do I think about the scalability of the solution?

Scalability is probably fine if you buy more licenses.

How are customer service and technical support?

I have not worked with their technical support.

What's my experience with pricing, setup cost, and licensing?

Our licensing is such that you can only run one scan at a time, which is inconvenient. The licensing was bundled with Fortify so I'm sure that we paid for it in some context, although I don't know what the exact cost would be.

What other advice do I have?

We are using this WebInspect in conjunction with Fortify. We're not using the client-host based deployment, but rather, a web-based one. The agent is not installed on my machine.

The suitability of this product depends on your use case. If you're trying to do what we're doing in QA and security then it's probably great. If, however, you want to do things on external sites then I would suggest an external cloud-based one.

I would rate this solution a four out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Ashutosh Barot - PeerSpot reviewer
Security Researcher at a financial services firm with 5,001-10,000 employees
Real User
Easy to use with a simple interface, but we sometimes had trouble capturing login sequences
Pros and Cons
  • "The user interface is ok and it is very simple to use."
  • "It took us between eight and ten hours to scan an entire site, which is somewhat slow and something that I think can be improved."

What is our primary use case?

We use WebInspect for performance network application testing to be sure that we aren't creating any security issues.

What is most valuable?

The most valuable feature is the performance.

The user interface is ok and it is very simple to use.

What needs improvement?

There were times when we had to run the login sequence several times in order to capture it properly.

It took us between eight and ten hours to scan an entire site, which is somewhat slow and something that I think can be improved.

For how long have I used the solution?

I have been using WebInspect for about one year.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

Scalability has only been an issue in that larger sites take a lot longer to scan.

How are customer service and technical support?

I have not been in contact with technical support.

Which solution did I use previously and why did I switch?

I have used Qualys in the past but more for vulnerability management in the infrastructure, as opposed to web application security.

How was the initial setup?

The initial setup is straightforward and very simple. I simply downloaded the file on my home laptop and started testing with it.

What about the implementation team?

I can deploy this solution on my own.

Which other solutions did I evaluate?

I have been told by friends and colleagues that Acunetix is better, so I will be evaluating that solution in the future.

What other advice do I have?

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Fernando Vizer - PeerSpot reviewer
Senior Information Technology Architect at a tech vendor with 11-50 employees
Real User
Good static code analysis helps to discover vulnerabilities
Pros and Cons
  • "The most valuable feature is the static analysis."
  • "Creating reports is very slow and it is something that should be improved."

What is our primary use case?

I am using WebInspect for finding vulnerabilities.

What is most valuable?

The most valuable feature is the static analysis.

What needs improvement?

Creating reports is very slow and it is something that should be improved.

In the future, I would like to see better integration between static analysis and dynamic analysis.

For how long have I used the solution?

I have been working with WebInspect for one year.

What do I think about the stability of the solution?

We have never had a problem with stability.

What do I think about the scalability of the solution?

This is a scalable solution. I performed an analysis of more than five million rows and it took perhaps three hours.

How are customer service and technical support?

Technical support is a bit slow, as sometimes it takes too long to get responses. However, the support is good because our problem was fixed after just one interaction with them.

Which solution did I use previously and why did I switch?

Prior to using WebInspect, I was using SonarQube. The problem with SonarQube is that they are not very good at analyzing ASP.NET applications, so I gave up on it.

What's my experience with pricing, setup cost, and licensing?

The pricing is not clear and while it is not high, it is difficult to understand.

What other advice do I have?

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
HansEnders - PeerSpot reviewer
HansEnders, Senior Solution Architect at a computer software company with 10,001+ employees
Real User

I believe the reviewer or the forum organizer has posted this review in the wrong area, or confused Fortify's WebInspect product (DAST) with their Static Code Analyzer ("Fortify SCA") product (SCA).

+++++++++
Fortify general: https://www.microfocus.com/en-us/solutions/application-security

SCA: https://www.microfocus.com/en-us/products/static-code-analysis-sast/overview

WebInspect: https://www.microfocus.com/en-us/products/webinspect-dynamic-analysis-dast/overview

Assoc. Director at a tech services company with 10,001+ employees
Real User
Easy to use and has good cost/value
Pros and Cons
  • "It is scalable and very easy to use."
  • "The installation could be a bit easier. Usually it's simple to use, but the installation is painful and a bit laborious and complex."

What is our primary use case?

We use WebInspect for dynamic application security testing, and integrating that into all our needs.

What is most valuable?

In terms of its most valuable features, it is scalable and very easy to use.

What needs improvement?

Right now, it's kind of bulky. There are a lot of newer generation tools coming out that are easier.

Also, when it comes to the installation and deployment, they inspect the enterprise. It was ok with the scale, but still I think they can make it a little lighter in nature.

For how long have I used the solution?

I have been using WebInspect for around six, seven years.

What do I think about the stability of the solution?

It's quite a stable product.

What do I think about the scalability of the solution?

WebInspect is a scalable product. We have users in the double digits, around 10-15 users. At any time there are a couple of project users, so I would say around eight to ten.

We require one person maximum for deployment and maintenance.

How are customer service and technical support?

I have been satisfied with my experience with the customer support.

Which solution did I use previously and why did I switch?

I previously used AppScan. We switched due to an overall change in our organization in Azure. IBM sold this to HCL so there is no IBM grant attached to it.

How was the initial setup?

The installation could be a bit easier. Usually it's simple to use, but the installation is painful and a bit laborious and complex.

The first time we deployed it, it really took a while because of some issues on our side and on their side. Installation can last for more than three days.

What about the implementation team?

Our team implemented it along with some of the other professional departments.

Which other solutions did I evaluate?

We did evaluate AppScan for this task. Both solutions are good. We also evaluated Oracle of course, but it is purely a SaaS solution and that's the reason it was not considered.

What other advice do I have?

Yes, I would recommend WebInspect. It is a good product, comparable to AppScan. It is quite scalable, and good cost/value with the support and backing from Micro Focus. It's good and I definitely recommend it.

On a scale of one to ten, I would give it an eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Senior Software Developer at a financial services firm with 10,001+ employees
Real User
Stable and well-known for dynamic application scanning but needs better integration with the cloud
Pros and Cons
  • "It's a well-known platform for doing dynamic application scanning."
  • "The solution needs better integration with Microsoft's Azure Cloud or an extension of Azure DevOps. In fact, it should better integrate with any cloud provider. Right now, it's quite difficult to integrate with that solution, from the cloud perspective."

What is our primary use case?

We primarily use the solution for dynamic application scanning.

What is most valuable?

It's a well-known platform for doing dynamic application scanning.

What needs improvement?

The solution needs better integration with Microsoft's Azure Cloud or an extension of Azure DevOps. In fact, it should better integrate with any cloud provider. Right now, it's quite difficult to integrate with that solution, from the cloud perspective.

For how long have I used the solution?

I've been using the solution for two years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

We've yet to test the scalability of the solution, so I can't comment on how scalable it is just yet. Right now, we have our DevOps team working with it, about three to five people.

How are customer service and technical support?

We've never been in touch with technical support.

How was the initial setup?

Right now we are in the middle of integration, so I'm not sure how much time it's going to take. We haven't yet scanned any of our endpoints, and I'm not sure how much complexity will be involved during the process.

What other advice do I have?

We're using the public cloud deployment model. Our provider is Microsoft.

We just chose the solutions for dynamic scanning and static scanning, but we haven't performed any scanning yet.

I'd recommend it; I'd rate the solution seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Milin Shah - PeerSpot reviewer
Information Security Architect at a real estate/law firm with 1,001-5,000 employees
Real User
Top 10
Leaderboard
Great centralized dashboard but is a bit overpriced
Pros and Cons
  • "I've found the centralized dashboard the most valuable. For the management, it helps a lot to have abilities at the central level."
  • "I'm not sure about the licensing, but on the pricing, it's a bit costly. It's a bit overpriced. Though it is an enterprise tool, there are other tools also with similar functionalities."

What is our primary use case?

We primarily use the application for web application scanning.

What is most valuable?

I've found the centralized dashboard the most valuable. For management, it helps a lot to have abilities at the central level.

What needs improvement?

The solution needs improvements from the scanning and the technical perspective.

In the next release, we would love to see smooth scale mobile testing - if it has similar to testing with wider applications for different technologies as well because people are moving towards mobile. If the solution can integrate AI and also understand the application by itself, this will be great.

For how long have I used the solution?

I've been using the solution for three months.

What do I think about the stability of the solution?

Stability wise, the tool is stable, but the tool still requires some improvements in the latest technology websites.  For example, if there is a single website or e-commerce website, it is still trying to understand a lot of the applications while it scans. It is not that smooth with complex websites. We have about 80-100 users on the solution.

How are customer service and technical support?

So far technical support is good. It is fair enough. They haven't got a response or turn around time. From the support perspective, it is good.

Which solution did I use previously and why did I switch?

I haven't used any different solution here, but in another organization, I have used multiple application scanning products. I've used IBM scan. I have used SecuRex. Those were good as well.

How was the initial setup?

The initial setup is pretty good. They have a step by step guide and everything is given. It sets up with the environment but it requires a lot of memory and the system requires a lot of memory. That is the only negative, normally if you have a three-way scanner, it would run smoothly on even a small configuration laptop. This was a delicate setup.

What's my experience with pricing, setup cost, and licensing?

I'm not sure about the licensing, but on the pricing, it's a bit costly. It's a bit overpriced. Though it is an enterprise tool, there are other tools with similar functionalities. The pricing is a little more costly than other regular solutions. There are only two such products that are this costly. This and IBM. The rest of the application scanners are not as costly.

What other advice do I have?

I am currently evolving, going through the product. We have yet to go through all the features and functionalities of the product. The way it checks for vulnerabilities helps a lot. It makes the most of the check for vulnerabilities. The centralized dashboard for the management is good but I'm still looking into it. That and other features are yet to be discovered. I'm still trying to get to know all the features.

Looking at an enterprise level product is good. With it, you get a centralized board, you have a management view, enroll management and access management. Everything is there. But still, check your requirements, what you need. If you use it for a certain amount of applications, you might not need such a heavy tool.

Our requirement is 10 or 20 times more than a regular company and hence we went with an enterprise solution and had somebody who could implement this. If your requirement is a little less, it might just call for some other scanners based on your requirements. 

If you do need such an extensive requirement, ensure that you also have the data servers and systems for such tools. It will be easy to implement in any environment if you do.

I would rate this solution 7 out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user1021815 - PeerSpot reviewer
Senior Consultant at a tech services company with 1,001-5,000 employees
Consultant
Good technical support but needs a reduction in false positives

What needs improvement?

The service can be improved by creating a reduction of false positives.

For how long have I used the solution?

I've been using the solutions for the last three months.

What do I think about the scalability of the solution?

My organization is a big organization so I don't know exactly if my organization will increase usage.

How are customer service and technical support?

My experience with technical support has been good.

Which solution did I use previously and why did I switch?

We did use a different solution previously.

How was the initial setup?

The initial setup was complex.

What other advice do I have?

Currently, I'm satisfied with the solution. I would rate this product a 7 out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Ops Risk Lead at a tech services company with 10,001+ employees
Real User
Leaderboard
Needs a cloud-based version, although it's easy to scan and then to share scan reports

How has it helped my organization?

Easy to scan and then share scan reports, it has definitely streamlined many processes.

What is most valuable?

Guided Scan option allows us to easily scan and share reports.

What needs improvement?

One thing I would like to see them introduce is a cloud-based platform.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We have often encountered scanning errors.

What do I think about the scalability of the solution?

Not applicable.

How is customer service and technical support?

I would rate tech support at six out of 10.

How was the initial setup?

The setup was very straightforward.

What's my experience with pricing, setup cost, and licensing?

It’s a fair price for the solution.

Which other solutions did I evaluate?

No, we did not evaluate other options.

What other advice do I have?

I rate it five out of 10. I was not very impressed.

It's a good product, but get a license for cloud-based, if available.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
OpsRiskL10dc - PeerSpot reviewer
OpsRiskL10dc, Ops Risk Lead at a tech services company with 10,001+ employees
Leaderboard
Real User

Agreed, but as comparing with other cloud based web app scan tools, Web Inspect results are much more accurate, hence as a tool MicroFocus should start making this tool as a cloud version
