Get our free report covering SonarSource, Checkmarx, Veracode, and other competitors of Micro Focus Fortify on Demand. Updated: January 2022.
564,643 professionals have used our research since 2012.

Read reviews of Micro Focus Fortify on Demand alternatives and competitors

R&D Director at a computer software company with 201-500 employees
Real User
All-encompassing tool that scans for vulnerabilities and security breaches
Pros and Cons
  • "Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt their suggestions of the tool. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code. The tool points to problematic methods with the vulnerability and provides ways to code it more securely. By adopting their suggestions, we are fixing this vulnerability."
  • "We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on Git. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) for managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it."

What is our primary use case?

We focus on these two use cases: 

  1. Our first use case is for Static Analysis (SAST). The purpose of it is to scan our code for any vulnerabilities and security breaches. Then, we get some other reports from the tool, pointing us to the problematic line of code, showing us what is the vulnerability, and giving us suggestions on how to fix or mitigate them.
  2. The second use case is for the Software Composition Analysis (SCA) tool, which is scanning our open sources and third-party libraries that we consumed. They scan and check on the internal database (or whatever depository tool it is using), then they return back a report saying our open sources, the versions, and what are the exposures of using those versions. For any vulnerability, it suggests the minimum upgrades to do in order to move to another more secure version.

How has it helped my organization?

Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt their suggestions of the tool. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code. The tool points to problematic methods with the vulnerability and provides ways to code it more securely. By adopting their suggestions, we are fixing this vulnerability.

Once you run the tool and realize that it is not secure to use a certain method or function, then you fix it. Next time that you want to add new code, you don't want to repeat that mistake. So, you're already adopting the original suggestion, then writing more secure code.

If we continue to scan and fix issues, which is an ongoing battle because every day there are new vulnerabilities, we are on the safe side.

What is most valuable?

It is faster to adopt and use because it's a SaaS software. As a service tool, we didn't have to deal with any installation emails. We also didn't have to download packages, upgrade, or maintain their on-prem machine, which is usually the case for on-prem solutions. This is a critical point that we needed to consider when adopting the right tool. So, SaaS was a deal breaker for us. 

I don't have any complaints about the policy reporting for ensuring compliance with industry standards and regulations. It is good and a mandatory part of our process.

What needs improvement?

We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on Git. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) for managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it.

For how long have I used the solution?

About six months.

How are customer service and technical support?

The technical support was good. Even with the time zones changes, they took the examples that we provided about how our call works and investigated them. When they didn't get an answer initially, they contacted someone else to assist. Overall, our experience was good.

The turnaround time and response times are good. We always got a response, even if they said, "It will take a while, as we are still investigating." One day after, we always got a response, even if it was, "We need time to investigate."

I would differentiate between the initial response time for our needs and the resolution time for the issue. The representative themselves respond pretty quickly to our needs. We exchange phone calls with them or email, and they responded quickly. Some of the issues that we experienced were due to our specific code languages and packages that didn't work smoothly with the tool. For those, the representative had to approach the Veracode R&D team. It took more time to involve R&D, but we eventually got a resolution from them after a few days.

How was the initial setup?

To get into the solution, it took some tries to understand the structure of our repository and the code that we were using to write dependencies, etc. So, it took a bit of time, but then in the end, the solution was easy to connect.

It took about a month until we completed integration of Veracode tools into our own systems. Eventually, the tool needs to scan our code that resides on our machines in our on-prem environment. The integration of Veracode on the cloud with the on-prem repository and our processes took time. We worked with the Israeli representative of Veracode to help us. However, it was about a month overall until we stabilized it.

What about the implementation team?

An Israeli sales representative for Veracode came to our office and worked very closely with us. They escorted us through the process of doing the PoC, examining the results and tools, and how to use them. We found it straightforward. There were some hiccups and some problems in the beginning, but not something significant in the general overview. It was easy and fast to adopt.

What was our ROI?

Our customers demand that we provide secure software. Veracode is giving us the mandate of claiming that our code is more secure because we are using an external third-party, neutral tool to examine our code and expose vulnerabilities. By fixing them, Veracode takes some of the responsibility, which is kind of a diploma that we can wave when we are negotiating with our customers.

Which other solutions did I evaluate?

We compared it with other tools as part of our proof of concept to adopt the right tool. Eventually, we selected Veracode because the tool provided us the easiest, fastest solution for our two use cases.

When we did the PoC to compare it with other tools, before we decided to adopt Veracode, one of the benefits that we saw is its reports are more focused on real issues. Other scanning tools that we tried, they produced much bigger reports with hundreds of vulnerabilities. That is too many vulnerabilities, so you cannot manage them nor decide where to focus. Using Veracode helps us focus where we need to.

We have used a Checkmarx tool, which is a competitor of Veracode. We have also examined Micro Focus Fortify and some other monitoring tools, which gave us a partial solution, had only static code analysis, or had only the open sources for composition part. We wanted one tool which does everything; we found Veracode all-encompassing.

What other advice do I have?

The solution is efficient when creating secure software. Though, it depends on how you adopt the tool and how frequently you're running it. As long as you keep it as part of your routine and frequently run the tool, you will catch vulnerabilities closer to real-time. Eventually, you will improve the security of your software.

We haven't seen a lot of false positives. However, the tool points us to vulnerabilities to fix, which because of our behavior or software, we don't necessarily need to fix because we have other protections.

We are not using it for cloud software. Our solution is only on-prem.

I would rate this solution as an eight out of 10.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.

Engineer at a pharma/biotech company with 201-500 employees
Real User
Top 20
Good static code analysis and benchmarking but the library could support more languages
Pros and Cons
  • "The most valuable features are the segregation containment and the suspension of product services."
  • "I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production."

What is our primary use case?

The primary use case of this solution is for static code analysis, and benchmarking our code standards according to our preferences. 

Our builds process through SonarQube and if it passes the required set of requirements we have set, it will then go through to production.

What is most valuable?

The most valuable features are the segregation containment and the suspension of product services. Also, the library that SonarQube covers is good.

What needs improvement?

The library could have more languages that are supported. It would be helpful.

There are a few clauses that are specific to our organization, and it needs to improve. It's the reason that we are evaluating other solutions. It creates the ability for the person who releases the authorized release, which is not good. We would like to be able to expand on our work.

MicroFocus, as an example, would be helping us with that area or creating a dependency tree of the code from where it deployed and branching it into your entire code base. This would be something that is very helpful and has helped in identifying the gaps.

It would be great to have a dependency tree with each line of your code based on an OS top ten plugin that needs to be scanned. For example, a line or branch of code used in a particular site that needs to be branched into my entire codebase, and direct integration with Jira in order to assign that particular root to a developer would be really good.

Automated patching for my library, variable audience, and support for the client in the CICD pipeline is all done with a set of different tools, but it would be nice to have it like a one-stop-shop.

I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production. We would also need the ability to edit those rules.

For how long have I used the solution?

I have been using SonarQube for approximately two years.

What do I think about the stability of the solution?

The stability is good. 

The branch advanced analysis pull request declarations, they are good and highly valuable, but they are not part of the free edition. They are only available as part of the licensed one.

What do I think about the scalability of the solution?

Currently, we have 1.2 to 1.5 million lines of code. Certainly, if that increases, so would the costs expediently. 

We have 50 developers' licenses.

There is quite a bit of maintenance that is needed. We have a couple of people from our operations team to do the maintaining.

It is integrated with our CICD department and is being used extensively.

We do have plans to increase the usage of SonarQube.

Which solution did I use previously and why did I switch?

We have used open-source origins of the tools.

PCI is an open-source solution that we used before, and we used Snyk as well.

How was the initial setup?

The initial setup is straightforward.

What about the implementation team?

We did not use a vendor team, it was done by us.

What's my experience with pricing, setup cost, and licensing?

The developer edition is based on cost per lines of code.

Which other solutions did I evaluate?

Now we are looking for a more mature solution and evaluating other products. We want a complete code analysis platform that is more mature.

We will either go with the paid Developer active license or solutions such as Checkmarx or MicroFocus.

What other advice do I have?

The community edition is quite informative for engineers. The actual code analysis is not conducted on the GitLab flow, but the build pipeline would show the core quantity steps which is part of the criteria.

The trial gives you a way to implement the POC and check if it can be integrated with your own stack. Once the trial expires, you can continue with the same setup for getting the license.

I would rate this solution a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.

AVP at a computer software company with 1,001-5,000 employees
Real User
Top 10
Good reporting and dashboards, but technical support needs to respond more quickly
Pros and Cons
  • "The reporting is very useful because you can always view an entire list of the issues that you have."
  • "We are having issues with false positives that need to be resolved."

What is our primary use case?

We use this solution purely for critical analysis.

What is most valuable?

The reporting is very useful because you can always view an entire list of the issues that you have.

The importing of the reports into the dashboard is helpful.

What needs improvement?

The integrability of this solution can be improved. Integration with other tools such as Jira is needed.

We are having issues with false positives that need to be resolved.

Being able to save reports in different formats would be helpful because they could be imported into other tools or repositories.

Technical support should respond more quickly to requests and inquiries.

In the next release, I would like to see a more streamlined output that is easy to manage. They do have a dashboard now, but it can be improved by making it simpler.

For how long have I used the solution?

I have been working with Micro Focus Software Security Center for seven years.

What do I think about the stability of the solution?

The stability is good and I'm quite comfortable with it.

What do I think about the scalability of the solution?

Scaling this product is easy as long as you have enough licenses. Until now, I haven't faced any major issues. We are not using the product to its capacity and it's still serving its purpose.

We have only a very limited number of users because it is only our security team that is using it, and we are not extending it to the developers. It is an IT manager and the team leads who are using it.

How are customer service and technical support?

I have been in contact with technical support on a number of occasions, including a couple of meetings to discuss issues that we were having. We have been interacting with them.

My understanding from colleagues and friends in other companies is that nowadays, the service and support is not that great. I think that it used to be good, but now the responses are very slow.

Which solution did I use previously and why did I switch?

The solution that we used prior to this one was developed internally, and we have not used other commercial tools. I have seen Rapid7 solutions, but have not used them to a great extent.

How was the initial setup?

The initial setup is straightforward with no major problems.

Which other solutions did I evaluate?

We evaluated a couple of other options including Checkmarx and Veracode. We also looked at a solution to help collect and collate all of the logs and reports from different tools.

I do think that in terms of coverage, Micro Focus Fortify has an edge over this tool.

What other advice do I have?

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Consultant Cyber Security at a tech services company with 51-200 employees
Consultant
Top 5
A fast solution that is easy to deploy, configure, and use
Pros and Cons
  • "I am impressed by the whole technology that they are using in this solution. It is really fast. When using netscan, the confirmation that it gives on the vulnerabilities is pretty cool. It is really easy to configure a scan in Netsparker Web Application Security Scanner. It is also really easy to deploy."
  • "They don't really provide the proof of concept up to the level that we need in our organization. We are a consultancy firm, and we provide consultancy for the implementation and deployment solutions to our customers. When you run the scans and the scan is completed, it only shows the proof of exploit, which really doesn't work because the tool is running the scan and exploiting on the read-only form. You don't really know whether it is actually giving the proof of exploit. We cannot prove it manually to a customer that the exploit is genuine. It is really hard to perform it manually and prove it to the concerned development, remediation, and security teams. It is currently missing the static application security part of the application security, especially web application security. It would be really cool if they can integrate a SAS tool with their dynamic one."

What is most valuable?

I am impressed by the whole technology that they are using in this solution. It is really fast. When using netscan, the confirmation that it gives on the vulnerabilities is pretty cool.

It is really easy to configure a scan in Netsparker Web Application Security Scanner. It is also really easy to deploy.

What needs improvement?

They don't really provide the proof of concept up to the level that we need in our organization. We are a consultancy firm, and we provide consultancy for the implementation and deployment solutions to our customers. When you run the scans and the scan is completed, it only shows the proof of exploit, which really doesn't work because the tool is running the scan and exploiting on the read-only form. You don't really know whether it is actually giving the proof of exploit. We cannot prove it manually to a customer that the exploit is genuine. It is really hard to perform it manually and prove it to the concerned development, remediation, and security teams.

It is currently missing the static application security part of the application security, especially web application security. It would be really cool if they can integrate a SAS tool with their dynamic one.

For how long have I used the solution?

We started to use Netsparker Web Application Security Scanner in February of this year. We are using its latest version.

What do I think about the stability of the solution?

It is pretty stable. 

What do I think about the scalability of the solution?

It is scalable.

How are customer service and technical support?

We engage with the local partner and the distributor here for support. We are satisfied with the support here.

How was the initial setup?

The initial setup wasn't a problem for me. I have been using these security tools for a while now.

Which other solutions did I evaluate?

I also use Micro Focus Fortify. The difference is mainly in the UI. I haven't really got into the comparison between the output of the scans, but I was really impressed by the UI and the ease of use of Netsparker Web Application Security Scanner.

What other advice do I have?

I would recommend this solution. I haven't really researched other products, but for me, Netsparker Web Application Security Scanner is a benchmark right now.

I would rate Netsparker Web Application Security Scanner an eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Senior Security Consultant
Reseller
Top 20
Great vulnerability detection and pretty stable, but an expensive option
Pros and Cons
  • "The solution is able to detect a wide range of vulnerabilities. It's better at it than other products."
  • "Lately, we've seen more false negatives."

What is our primary use case?

We primarily use the solution to test web applications regularly.

What is most valuable?

The solution is able to detect a wide range of vulnerabilities. It's better at it than other products.

What needs improvement?

The solution is on the expensive side. It's something that clients comment on. If they could make it more reasonable, it would be better.

Lately, we've seen more false negatives.

For how long have I used the solution?

I've been dealing with the solution for three years at this point.

What do I think about the stability of the solution?

The solution is largely stable. We've only noticed recently that there are more false negatives. I'm not sure if that means there's an issue or not.

What do I think about the scalability of the solution?

In terms of scalability, many of our customers only have 20-30 websites and therefore one scanner fulfills their requirement. In that sense, we've never really tried to scale the product.

How are customer service and technical support?

For the most part, WebInspect has pretty good technical support. Not all Micro Focus products have equally good support.

Which solution did I use previously and why did I switch?

We suggest different solutions to our clients. Some might use Acunetix. We've also used ForeSite in the past as well.

What's my experience with pricing, setup cost, and licensing?

The solution is rather expensive. It's not cheap. If you compare it to, for example, Acunetix, Acunetix is cheaper.

What other advice do I have?

While we generally like WebInspect, if a client has a smaller budget, we might suggest Acunetix simply because it is cheaper. However, if a customer's priority was better scanning for their application, we would suggest WebInspect. We like to give our clients options and choices. We prefer to provide them with options that meet their needs and address their pain points.

Overall, I would rate the solution seven out of ten. If the price was a bit better, I would rate them higher.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller