Micro Focus Fortify on Demand OverviewUNIXBusinessApplication

Micro Focus Fortify on Demand is the #7 ranked solution in AST tools and #8 ranked solution in application security solutions. PeerSpot users give Micro Focus Fortify on Demand an average rating of 8.0 out of 10. Micro Focus Fortify on Demand is most commonly compared to SonarQube: Micro Focus Fortify on Demand vs SonarQube. Micro Focus Fortify on Demand is popular among the large enterprise segment, accounting for 74% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 20% of all views.
Micro Focus Fortify on Demand Buyer's Guide

Download the Micro Focus Fortify on Demand Buyer's Guide including reviews and more. Updated: November 2022

What is Micro Focus Fortify on Demand?

Micro Focus Fortify on Demand is a web application security testing tool that enables continuous monitoring. The solution is designed to help you with security testing, vulnerability management and tailored expertise, and is able to provide the support needed to easily create, supplement, and expand a software security assurance program without the need for additional infrastructure or resources.

Micro Focus Fortify on Demand Features

Micro Focus Fortify on Demand has many valuable key features. Some of the most useful ones include:

  • Deployment flexibility
  • Scalability
  • Built for DevSecOps
  • Ease of use
  • Supports 27+ languages
  • Real-time vulnerability identification with
  • Security Assistant
  • Actionable results in less than 1 hour for most applications with DevOps automation
  • Expanded coverage, accuracy and remediation details with IAST runtime agent
  • Continuous application monitoring of production applications
  • Virtual patches
  • Supports iOS and Android mobile applications
  • Security vulnerability identification
  • Behavioral and reputation analysis

Micro Focus Fortify on Demand Benefits

There are several benefits to implementing Micro Focus Fortify on Demand. Some of the biggest advantages the solution offers include:

  • Fast remediation: With Micro Focus Fortify on Demand you can achieve fast remediation throughout the software lifecycle with robust assessments by a team of security experts.
  • Easy integration: The solution’s integration ecosystem is easy to use, creating a more secure software supply chain.
  • Security testing: Micro Focus Fortify on Demand covers in-depth mobile app security testing, open-source analysis, and vendor application security management, in addition to static and dynamic testing.

Reviews from Real Users

Below are some reviews and helpful feedback written by PeerSpot users currently using the Micro Focus Fortify on Demand solution.

Dionisio V., Senior System Analyst at Azurian, says, "One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that." He goes on to add, “Another reason I like Fortify on Demand is because our code often includes open source libraries, and it's important to know when the library is outdated or if it has any known vulnerabilities in it. This information is important to us when we're developing our solutions and Fortify on Demand informs us when it detects any vulnerable open source libraries.”

A Security Systems Analyst at a retailer mentions, “Being able to reduce risk overall is a very valuable feature for us.”

Jayashree A., Executive Manager at PepsiCo, comments, “Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning. When we are exploring some of the endpoints this solution identifies many loopholes that hackers could utilize for an attack. This has been very helpful and surprising how many vulnerabilities there can be.”

A Principal Solutions Architect at a security firm explains, “Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out.”

PeerSpot user Mamta J., Co-Founder at TechScalable, states, "Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices. Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much."

Micro Focus Fortify on Demand was previously known as Fortify on Demand.

Micro Focus Fortify on Demand Customers

SAP, Aaron's, British Gas, FICO, Cox Automative, Callcredit Information Group, Vital and more.

Micro Focus Fortify on Demand Video

Micro Focus Fortify on Demand Pricing Advice

What users are saying about Micro Focus Fortify on Demand pricing:
  • "We are still using the trial version at this point but I can already see from the trial version alone that it is a good product. For others, I would say that Fortify on Demand might look expensive at the beginning, but it is very powerful and so you shouldn't be put off by the price."
  • "Their subscriptions could use a little bit of a reworking, but I am very happy with what they're able to provide."
  • "We make an annual purchase of the licenses we need."
  • "The pricing model it's based on how many applications you wish to scan."
  • Micro Focus Fortify on Demand Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    Senior System Analyst at Azurian
    Real User
    Top 20
    Makes it easy to discover hidden vulnerabilities in our open source libraries
    Pros and Cons
    • "One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that."
    • "During development, when our developer makes changes to their code, they typically use GitHub or GitLab to track those changes. However, proper integration between Fortify on Demand and GitHub and GitLab is not there yet. Improved integration would be very valuable to us."

    What is our primary use case?

    We create technology solutions for clients and on one project we were requested to use Fortify on Demand after the client had read a good report about it. They sent us the report and recommended its use.

    In this case, we were using Java to program the client's solution and so we used Fortify on Demand alongside our Java development operations, for the purpose of improving the application's security.

    The work we were doing for the client involved creating a billing system that they would use to manage payments and taxes for other companies in Chile. We've only used Fortify on Demand for this one client so far. 

    Because Fortify on Demand was so new to us, we decided to go with the trial version first and figure out the costing at a later stage.

    How has it helped my organization?

    Fortify on Demand has helped us more easily ensure the security of our client's application, which works with sensitive information such as payments and taxation. Without it, we would have to spend much more time finding hidden weaknesses in our code.

    What is most valuable?

    One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that.

    Another reason I like Fortify on Demand is because our code often includes open source libraries, and it's important to know when the library is outdated or if it has any known vulnerabilities in it. This information is important to us when we're developing our solutions and Fortify on Demand informs us when it detects any vulnerable open source libraries.

    What needs improvement?

    During development, when our developer makes changes to their code, they typically use GitHub or GitLab to track those changes. However, proper integration between Fortify on Demand and GitHub and GitLab is not there yet. Improved integration would be very valuable to us.

    Similarly, I would love to see some kind of tracing solution for use in stress testing. So when we stress the application on a certain page or on a certain platform, we would be able to see a complete stress test report which could quickly tell us about weak points or failures in the application. 

    Further potential for improvement is that, when we deploy our Java WAR files for review in the QA area, we want to be able to create a report in Fortify on Demand right from within this deployment stage. So it might inspect or check the solution's Java WAR package directly and come up with a report in this crucial phase of QA. 

    Buyer's Guide
    Micro Focus Fortify on Demand
    November 2022
    Learn what your peers think about Micro Focus Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
    653,522 professionals have used our research since 2012.

    For how long have I used the solution?

    I have been using Fortify on Demand for about a month or so. 

    What do I think about the stability of the solution?

    Overall, we have not had any issues with stability, although we have not used it for very long.

    What do I think about the scalability of the solution?

    We have had no problems with scalability in our current use case, which is only one client at the moment. As a cloud service, it has satisfied our requirements well and we haven't had any situations where scalability is an issue.

    How are customer service and support?

    When we sent a question about the product to their support team, we had to wait a while but they did send us a response eventually. I think that they could work on reacting faster to support questions.

    Which solution did I use previously and why did I switch?

    We have also tried SonarQube, but Fortify on Demand appealed to us more due to their source code review with emphasis on open source vulnerabilities. Fortify seems stronger in that aspect and we like to use many open source libraries in our work. 

    How was the initial setup?

    The setup is easy and it only takes about 30 minutes to perform a basic code review in Java when dealing with WAR files.

    It can get more complicated when you want to fine-tune the reporting interface to give only the details that you want to see. This is because the initial configuration depends on other variables like the scope of the review, the client's preferences, the technician's preferences, and other factors.

    When it comes to launching Fortify on Demand and connecting it to our codebase, it's quite easy. Getting quick reviews done on WAR files is a relatively simple procedure.

    What about the implementation team?

    Our company implements Fortify on Demand ourselves on behalf of our client. When the client requests any changes, we then implement it for them.

    What's my experience with pricing, setup cost, and licensing?

    We are still using the trial version at this point but I can already see from the trial version alone that it is a good product. For others, I would say that Fortify on Demand might look expensive at the beginning, but it is very powerful and so you shouldn't be put off by the price.

    In our case, we are constrained by the client's budget, but others might find that the price is not too bad. It all depends on the budget.

    What other advice do I have?

    For us, Fortify on Demand is a good quality product that I can recommend for a few reasons, including:

    • Very useful source code review and vulnerability detection.
    • Clear and easy-to-read test results and reports.
    • Good integration with other platforms during development.

    I would rate Fortify on Demand a nine out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Security Systems Analyst at a retailer with 5,001-10,000 employees
    Real User
    Top 10
    An extremely scalable, flexible, and stable solution that reduces the overall risk and gives us assurance
    Pros and Cons
    • "Being able to reduce risk overall is a very valuable feature for us."
    • "They have a release coming out, which is full of new features. Based on their roadmap, there's nothing that I would suggest for them to put in it that they haven't already suggested. However, I am a customer, so I always think the pricing is something that could be improved. I am working with them on that, and they're very flexible. They work with their customers and kind of tailor the product to the customer's needs. So far, I am very happy with what they're able to provide. Their subscriptions could use a little bit of a reworking, but that would be about it."

    What is our primary use case?

    All in-house developed code or a third-party developed code on our behalf is scanned via Fortify on Demand. Any results for unsecure code, vulnerabilities, or issues are passed back to the development teams for remediation.

    How has it helped my organization?

    Secure code is an important part of our day-to-day development activities. So, having code out there gives us some reasonable assurance that it is not vulnerable or open to attack. It certainly makes our overall risk posture better.

    What is most valuable?

    Being able to reduce risk overall is a very valuable feature for us.

    What needs improvement?

    They have a release coming out, which is full of new features. Based on their roadmap, there's nothing that I would suggest for them to put in it that they haven't already suggested. However, I am a customer, so I always think the pricing is something that could be improved. I am working with them on that, and they're very flexible. They work with their customers and kind of tailor the product to the customer's needs. So far, I am very happy with what they're able to provide. Their subscriptions could use a little bit of a reworking, but that would be about it.

    What do I think about the stability of the solution?

    It is a very stable product. They are constantly updating and keeping it up to date. There are no issues.

    What do I think about the scalability of the solution?

    It is extremely scalable and flexible. We scan very small applications from our in-house innovations team and all the way up to millions of lines of code from our e-commerce teams. We currently have about 50 users, but the number varies. Some development teams are fairly small, and some are fairly large.

    How are customer service and technical support?

    Technical support is very good. I've never had an issue that we couldn't resolve. If we have a scan running and we need it to finish sooner, they will allocate extra resources to it if we identify. We've had very good results with their tech support.

    Which solution did I use previously and why did I switch?

    This is the first solution that was implemented. I inherited this from somebody else. We are a government organization, so we have to do an RFP next year to renew. We'll see how it goes.

    How was the initial setup?

    The basic scanning is not very complex. When you get into more detailed scanning such as APIs, the level of complexity is moderate. However, when you are scanning that type of application, you usually have teams available that know what to do and what the configuration needs to be. We did our first scan within two days.

    What about the implementation team?

    It was implemented in-house. We have in-house expertise. Our strategy was basically just to stand it up and use the default settings initially with a pilot. We planned to do some pilot scans and get a good feel for the product, and then adjust accordingly on an ongoing basis.

    I managed it for two years single-handedly. As we expand and add more and more applications, we are adding extra hands. If we're looking at an FTE, equivalency is probably 0.5 to 0.75 people to manage it.

    What was our ROI?

    Looking for a return on investment on security is a little challenging. Some CIOs might argue one way or another. Some look at it as a cost, and some look at it as cost avoidance. I'm a security professional, and I look at it as cost avoidance. So, we're avoiding breaches, people being able to manipulate the code or cause any issues, and downtime. I always look at the positives of the product. If we eliminate any of the security risks or attack factors on these products before they go live, we're doing due diligence in making sure that the product stays up and running, especially for something like e-commerce.

    What's my experience with pricing, setup cost, and licensing?

    Their subscriptions could use a little bit of a reworking, but I am very happy with what they're able to provide.

    What other advice do I have?

    We plan to keep using this solution. Every year, we seem to have more and more code, and they add more and more features such as third-party library assessments, etc. Open source has become a big thing as companies try and save money, but with open source comes additional risk. This solution helps us mitigate the risk of those open-source components. So, we're using this more and more as we move forward.

    The important part of this is automation. There are lots of automation options for this tool. Initially, trying to do it manually was a great start, but we kind of got lost a little bit along the way of implementing it. We should have done more automation right from the beginning, made it our standard, and created the policies. Sometimes, you put the cart before the horse. The tool does a great job, and you get lost in the results. It does provide good results and good information, but I think it's very important to have those policies and procedures in place right up front with this product. It will save you a lot of time in the end.

    The biggest lesson that I have learned from using this product is that even if you have the best people, there are always vulnerabilities and things that will surprise you.

    I would rate Micro Focus Fortify on Demand a nine out of ten.

    Which deployment model are you using for this solution?

    Private Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Buyer's Guide
    Micro Focus Fortify on Demand
    November 2022
    Learn what your peers think about Micro Focus Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
    653,522 professionals have used our research since 2012.
    Jayashree Acharyya - PeerSpot reviewer
    Executive Manager at PepsiCo
    Real User
    Top 5Leaderboard
    High performance, useful security scanning, but cannot operate from a Linux Agent
    Pros and Cons
    • "Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning."
    • "Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we have to use Windows Agent. This is something they could improve."

    What is our primary use case?

    Whenever we have a new application we scan it using Micro Focus Fortify on Demand. We then receive a service connection from Azure DevOps to Micro Focus Fortify on Demand and the information from the application tested.

    We are using Micro Focus Fortify on Demand in two ways in most of our processes. We are either using it from our DevOps pipeline using Azure DevOps or the teams which are not yet onboarded in Azure DevOps, are running it manually by putting in the code then sending it to the security team where they will scan it.

    We use two solutions for our application testing. We use SonarQube for next-level unit testing and code quality and Micro Focus Fortify on Demand mostly for vulnerabilities and security concerns.

    How has it helped my organization?

    We previously only did the testing and scanning after deploying applications in production, but now we are doing it in development. We are making sure the code is safe to use in all the environments, not only in production. It has been valuable for us.

    What is most valuable?

    Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning.

    When we are exploring some of the endpoints this solution identifies many loopholes that hackers could utilize for an attack. This has been very helpful and surprising how many vulnerabilities there can be.

    What needs improvement?

    Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we have to use Windows Agent. This is something they could improve.

    Currently, when we are running a security scan or Azure DevOps pipeline Micro Focus Fortify on Demand will give an overall status. People have to click on the link to read the in-depth results. If there could be some output of the report that can be passed in the pipeline and based on that we can control the next step of the pipeline. For example, if Micro Focus Fortify on Demand is saying the report is critical, do not go any further. If we can have that critical variable as a pipeline output that can be used later it would be really helpful.

    For how long have I used the solution?

    I have been using Micro Focus Fortify on Demand for one year.

    What do I think about the scalability of the solution?

    We have approximately 50 applications that are using this solution and we are expanding our operation to increase usage.

    We have developers, DevOps, and engineers using this solution in my organization.

    Which solution did I use previously and why did I switch?

    We use SonarQube alongside Micro Focus Fortify on Demand.

    The difference between the two is Micro Focus Fortify on Demand handles the security testing and SonarQube does more in-depth level code testing.

    How was the initial setup?

    The initial setup was simple.

    What about the implementation team?

    We have an internal DevSecOps team of approximately 15 people that does the implementation of the solution.

    What was our ROI?

    Micro Focus Fortify on Demand has saved our company money from the use of automation features. We are able to run the scans automatically from the pipeline saving us a lot of time and communication. Previously it would have taken a few days whereas now it can be completed in 10 minutes.

    What's my experience with pricing, setup cost, and licensing?

    We make an annual purchase of the licenses we need.

    What other advice do I have?

    Micro Focus Fortify on Demand is a nice tool for security tests because security is important in today's world. DevOps is not the only solution we have to think of, there is DevSecOps. Fortify is helping us to scan our code at the very beginning of SDLC. I would recommend this solution to any other security tool because when we compared other tools Fortify worked well for us.

    I rate Micro Focus Fortify on Demand a seven out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Fernando Carlos - PeerSpot reviewer
    Project Manager at Everis
    Real User
    Top 10
    Great cost benefit with good stability and reduces exposure and remediation issues
    Pros and Cons
    • "The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation."
    • "There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes."

    What is our primary use case?

    We're implementing DevSecOps in Fortify only a part of the big picture. We are implementing the entire secure development lifecycle.

    What is most valuable?

    The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation.

    What needs improvement?

    There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes.

    The initial setup is a bit complex.

    We could have more detailed documentation. They could offer some quick start or some extra guidance regarding the implementation.

    I'd like to see more interactive application security And more IDE integration and integration with VS Code and Eclipse. I would like to see more features of this kind.

    For how long have I used the solution?

    I've used this solution over the last 12 months at least.

    What do I think about the stability of the solution?

    The solution is stable. It's reliable. It doesn't crash or freeze. There aren't bugs or glitches.

    What do I think about the scalability of the solution?

    We haven't tried to scale the solution just yet. As we didn't take the SaaS solution, scalability may be limited for us. I'm unsure. I can't really comment on that.

    Currently, we have about 20 people on the development team.

    Right now, we don't plan to increase usage.

    How are customer service and technical support?

    The technical support is fine, however, it would be very helpful, especially during implementation, if there was more documentation and help surrounding setup.

    Which solution did I use previously and why did I switch?

    We did not use a different solution previously. Before we had this solution, we were just evaluating other solutions and looking at the costs, and trying to bring in something newer, like an integrated automated secure stack, or something like that.

    How was the initial setup?

    We found that the initial setup a bit complex. It's not exactly straightforward. For a newbie, there's a learning curve, and that can slow things down a bit.

    Our deployment took about three to four months.

    What about the implementation team?

    We only deployed in our company and we didn't use a consultant or integrator. We handled it completely in-house.

    What was our ROI?

    At this time, I don't have an answer on the return of investment. As far as I can see, it's necessary. If we got exposed or had a data leak it would cost the company dearly. With that in mind, while I can see there's an ROI, I can't provide an exact number.

    What's my experience with pricing, setup cost, and licensing?

    We pay for licensing. We do pay an extra cost for implementing the infrastructure into the cloud. 

    Which other solutions did I evaluate?

    I've briefly looked at Kiuwan and compared it to this solution. We also looked at Veracode.

    What other advice do I have?

    We're just a customer and we offer consulting services.

    We are bringing up all the infrastructure inside GCP. It's not ready yet, and we're still implementing it. We're going to bring it up next week, probably, in terms of the infrastructure. We'll perform the SSC installation, install the controller and sensors.

    The most important thing a company needs to do is to pay attention to the license calculation. They need to know how many licenses are going to be used. They need to understand the Micro Focus offer. That way, you won't be charged if you have surpassed the application limit. This is very important. That's something we faced in the past that caused a lot of problems. We needed to estimate the sizing correctly of the infrastructure. Doing that will bring value to the builds and deployments. Otherwise, you're going to spend a lot of time doing the scanning, and the developers will be very mad.

    I'd rate the solution ten out of ten. It's the best on the market for me.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Jason Lebrecht US - PeerSpot reviewer
    Jason Lebrecht USSr. Manager 5G & MEC (Edge) Strategy at Verizon
    Top 20Real User

    Hello Fernando, great to see that the Fortify solution continues to provide value by reducing risk. Great honest review.



    Jason Lebrecht

    Principal Solutions Architect at a security firm with 11-50 employees
    Real User
    A good scanner that performs different types of scans and keeps everything in one place, but it needs more streamlined installation procedure and a bit more automation
    Pros and Cons
    • "Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out."
    • "It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available."

    What is our primary use case?

    Our clients use it for scanning their applications and evaluating their application security. It is mostly for getting the application security results in, and then they push the vulnerabilities to their development team on an issue tracker such as Jira.

    I usually have the latest version unless I need to support something on an older version for a client. We're not really deploying any of these solutions except for kind of testing and replicating the situations that our clients get into.

    What is most valuable?

    Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out.

    What needs improvement?

    It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available.

    For how long have I used the solution?

    I have been using this solution for seven or eight months.

    What do I think about the stability of the solution?

    I've never seen any issues with stability or crashing, and it looks fine to me, but I don't run it long enough to see. If I was using it as a customer, it is always possible that I would see more issues.

    What do I think about the scalability of the solution?

    Usually, I just run it against a single application. I don't know how it is if you are running it across a large enterprise.

    Our clients are medium to large businesses. We have a lot of Fortune 500 companies, and scalability is very important to us. Our product is made to scale to hundreds of millions of findings from various tools. 

    How are customer service and technical support?

    Most of what I've been doing with them is just getting help with being able to set up an environment and the license keys, and they've been pretty helpful. I haven't had many issues that required me to report a bug or a problem. I did deal with them maybe once for a tech problem, and they were very responsive. They seemed pretty good.

    How was the initial setup?

    As compared to the other tools that I've worked with, it is probably in the middle range. It is definitely not the simplest one where you just run the installation, and it will be all done, but you also don't tend to run into too many problems that aren't easy to figure out during the install process. If you go from lowest to highest complexity, it would be right in the middle.

    What other advice do I have?

    It seems like a good scanner than the other ones that we support, but there are some other products such as Prisma that seem more polished and have tighter integration with different types of scanners. Whether they've acquired different scanners or build them themselves, they do seem like a cohesive product, whereas Fortify seems a little bit more like a collection of several different products.

    I would rate Micro Focus Fortify on Demand a seven out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Harkamal-Singh - PeerSpot reviewer
    Solution architect at NTT
    Real User
    Top 5
    Beneficial functionality, pinpoints issues for resolution, but interface could improve
    Pros and Cons
    • "The most valuable feature of Micro Focus Fortify on Demand is the information it can provide. There is quite a lot of information. It can pinpoint right down to where the problem is, allowing you to know where to fix it. Overall the features are easy to use, you don't have to be a coder. You can be a manager, or in IT operations, et cetera, anyone can use it. It is quite a well-rounded functional solution."
    • "Micro Focus Fortify on Demand could improve the user interface by making it more user-friendly."

    What is our primary use case?

    Micro Focus Fortify on Demand is used for detecting vulnerabilities in code, looking at libraries, and finding where there are vulnerabilities within unpatched code.

    What is most valuable?

    The most valuable feature of Micro Focus Fortify on Demand is the information it can provide. There is quite a lot of information. It can pinpoint right down to where the problem is, allowing you to know where to fix it. Overall the features are easy to use, you don't have to be a coder. You can be a manager, or in IT operations, et cetera, anyone can use it. It is quite a well-rounded functional solution.

    The allocations to different members of a team are good. If you find a problem, you can delegate the task to patch the particular code.

    What needs improvement?

    Micro Focus Fortify on Demand could improve the user interface by making it more user-friendly.

    For how long have I used the solution?

    I have been using Micro Focus Fortify on Demand for approximately two years.

    What do I think about the stability of the solution?

    I have found Micro Focus Fortify on Demand stable.

    What do I think about the scalability of the solution?

    Micro Focus Fortify on Demand is a scalable solution.

    We have several customers using this solution. There are approximately 1,000 developers using the solution.

    How are customer service and support?

    The support from Micro Focus Fortify on Demand is great. They have been very good to answer our questions. They have their own Fortify on Demand team and they will help you resolve your problems.

    How was the initial setup?

    The initial setup is straightforward. 

    The installation can take a couple of hours depending on what the deployment is, such as, on cloud or on-premise. Additionally, the size of the code that will be put on the system can impact the time, but it does not take long. 

    What about the implementation team?

    We did the implementation ourselves. I was able to use YouTube to help me with the process, there's quite a lot of information on there with Micro Focus going through tutorials on how to use the solution. 

    What's my experience with pricing, setup cost, and licensing?

    The pricing model it's based on how many applications you wish to scan.

    Which other solutions did I evaluate?

    I have evaluated other solutions, such as Contrast Security.

    What other advice do I have?

    I would recommend Micro Focus Fortify on Demand to others.

    I rate Micro Focus Fortify on Demand a seven out of ten.

    The reason why I've rated the solution a seven is because there are other solutions, such as Contrast Security which are further developing in IS, and some better technology with current scalability or in the security software area.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Acquisitions Leader at a healthcare company with 10,001+ employees
    Real User
    Top 5Leaderboard
    Outstanding support, efficient API, and one of the best tools for the Shift Left approach
    Pros and Cons
    • "It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support."
    • "It is an extremely robust, scalable, and stable solution."
    • "It does scanning for all virtual machines and other things, but it doesn't do the scanning for containers. It currently lacks the ability to do the scanning on containers. We're asking their product management team to expand this capability to containers."
    • "We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access."

    What is our primary use case?

    We are using it for application security testing. We have microservices and applications within the organization, and the testing is being done on a continuous basis right through the development cycle or the development chain.

    We are using its latest version. It is deployed on the cloud and on-premises.

    What is most valuable?

    It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support.

    It is an extremely robust, scalable, and stable solution.

    It enhance the quality of code all along the CI/CD pipeline from a security standpoint and enables developers to deliver secure code right from the initial stages.

    What needs improvement?

    It does scanning for all virtual machines and other things, but it doesn't do the scanning for containers. It currently lacks the ability to do the scanning on containers. We're asking their product management team to expand this capability to containers.

    It doesn't do software composition analysis. We've asked their product management team to look into that as well.

    We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access.

    For how long have I used the solution?

    I have been using this solution for four years.

    What do I think about the stability of the solution?

    It is very stable. 

    What do I think about the scalability of the solution?

    It is very scalable.

    How are customer service and technical support?

    Their tech support is absolutely outstanding. Their tech support is the most responsive tech support I've ever seen.

    How was the initial setup?

    It is very straightforward to set up. You can set it up in minutes.

    What other advice do I have?

    If somebody wants to shift left or integrate security early on in the CI/CD pipeline from a DevOps standpoint, this is probably one of the best tools available.

    I would rate Micro Focus Fortify on Demand a nine out of 10. There are three areas for improvement. Once they improve it in those areas, then it would be 10 out of 10.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Yash Brahmani - PeerSpot reviewer
    Devops Engineer at BNP Paribas
    Real User
    Top 20
    The vulnerability detection and scanning features are solid
    Pros and Cons
    • "The vulnerability detection and scanning are awesome features."
    • "The UI could be better. Fortify should also suggest new packages in the product that can be upgraded. Currently, it shows that, but it's not visible enough. In future versions, I would like more insights about the types of vulnerabilities and the pages associated with the exact CVE."

    What is our primary use case?

    We are the central team that manages Fortify end-to-end and provides it as a solution to internal users. We are using SonarQube for code review, but we use Fortify and Nexus IQ  for DevOps.

    What is most valuable?

    The vulnerability detection and scanning are awesome features. 

    What needs improvement?

    The UI could be better. Fortify should also suggest new packages in the product that can be upgraded. Currently, it shows that, but it's not visible enough. In future versions, I would like more insights about the types of vulnerabilities and the pages associated with the exact CVE. 

    That will help us understand what's affecting the CVE. Initially, it's about finding the safer package version. Fortify should automatically recommend the safest version, so we can go to the vendor and request that. Once we identify the vulnerability, we can implement a remediation plan.

    For how long have I used the solution?

    We just started using Fortify on Demand. 

    What do I think about the stability of the solution?

    Fortify is stable.

    What do I think about the scalability of the solution?

    Fortify is scalable enough. We have 10,000-plus users on it.

    How are customer service and support?

    Micro Focus support is slow, and they should improve that.

    Which solution did I use previously and why did I switch?

    We've been working with SonarQube for five years. SonarQube can show us the initial test and how your code is developed over time. It gives us insight into how a specific project is progressing. That's the great thing about SonarQube. Once the code goes into the Fortify or Nexus, it's mostly a safety check. SonarQube catches most of the vulnerabilities in Python at the development stage.

    How was the initial setup?

    The product itself is easy to set up, but establishing the necessary culture and structure is a bit complex. We need to develop a culture and create sub-teams within the teams. Each team needs a security coordinator who can relate what new things are coming in, such as CVEs or new scans that need to be done.

    For maintenance, we have a team of two product owners who are heavily involved with the product itself. We have around three or four people with a good understanding of deploying and maintaining the solution.

    What other advice do I have?

    I rate Micro Focus Fortify on Demand eight out of 10. It's a great product, and I recommend it. You should deploy it as part of the TechOps implementation. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Download our free Micro Focus Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.
    Updated: November 2022
    Buyer's Guide
    Download our free Micro Focus Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.