Micro Focus Fortify on Demand Overview

Micro Focus Fortify on Demand is the #4 ranked solution in AST tools and the #7 ranked solution in application security tools. PeerSpot users give Micro Focus Fortify on Demand an average rating of 8 out of 10. Micro Focus Fortify on Demand is most commonly compared to SonarQube. It is popular among the large enterprise segment, which accounts for 65% of users researching this solution on PeerSpot. The top industry researching this solution is computer software, accounting for 28% of all views.

What is Micro Focus Fortify on Demand?

Micro Focus Fortify on Demand is a web application security testing tool that enables continuous monitoring. The solution is designed to help you with security testing, vulnerability management and tailored expertise, and is able to provide the support needed to easily create, supplement, and expand a software security assurance program without the need for additional infrastructure or resources.

Micro Focus Fortify on Demand Features

Micro Focus Fortify on Demand has many valuable key features. Some of the most useful ones include:

  • Deployment flexibility
  • Scalability
  • Built for DevSecOps
  • Ease of use
  • Supports 27+ languages
  • Real-time vulnerability identification with Security Assistant
  • Actionable results in less than 1 hour for most applications with DevOps automation
  • Expanded coverage, accuracy and remediation details with IAST runtime agent
  • Continuous application monitoring of production applications
  • Virtual patches
  • Supports iOS and Android mobile applications
  • Security vulnerability identification
  • Behavioral and reputation analysis

Micro Focus Fortify on Demand Benefits

There are several benefits to implementing Micro Focus Fortify on Demand. Some of the biggest advantages the solution offers include:

  • Fast remediation: With Micro Focus Fortify on Demand you can achieve fast remediation throughout the software lifecycle with robust assessments by a team of security experts.
  • Easy integration: The solution’s integration ecosystem is easy to use, creating a more secure software supply chain.
  • Security testing: Micro Focus Fortify on Demand covers in-depth mobile app security testing, open-source analysis, and vendor application security management, in addition to static and dynamic testing.

Reviews from Real Users

Below are some reviews and helpful feedback written by PeerSpot users currently using the Micro Focus Fortify on Demand solution.

Dionisio V., Senior System Analyst at Azurian, says, "One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that." He goes on to add, “Another reason I like Fortify on Demand is because our code often includes open source libraries, and it's important to know when the library is outdated or if it has any known vulnerabilities in it. This information is important to us when we're developing our solutions and Fortify on Demand informs us when it detects any vulnerable open source libraries.”

A Security Systems Analyst at a retailer mentions, “Being able to reduce risk overall is a very valuable feature for us.”

Jayashree A., Executive Manager at PepsiCo, comments, “Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning. When we are exploring some of the endpoints this solution identifies many loopholes that hackers could utilize for an attack. This has been very helpful and surprising how many vulnerabilities there can be.”

A Principal Solutions Architect at a security firm explains, “Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out.”

PeerSpot user Mamta J., Co-Founder at TechScalable, states, "Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices. Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much."

Micro Focus Fortify on Demand was previously known as Fortify on Demand.

Micro Focus Fortify on Demand Buyer's Guide

Download the Micro Focus Fortify on Demand Buyer's Guide including reviews and more. Updated: April 2022

Micro Focus Fortify on Demand Customers

SAP, Aaron's, British Gas, FICO, Cox Automotive, Callcredit Information Group, Vital and more.

Micro Focus Fortify on Demand Pricing Advice

What users are saying about Micro Focus Fortify on Demand pricing:
  • "We are still using the trial version at this point but I can already see from the trial version alone that it is a good product. For others, I would say that Fortify on Demand might look expensive at the beginning, but it is very powerful and so you shouldn't be put off by the price."
  • "Their subscriptions could use a little bit of a reworking, but I am very happy with what they're able to provide."
  • "We make an annual purchase of the licenses we need."
  • "It is cost-effective."
  • "It is quite expensive. Pricing and the licensing model could be improved."

Micro Focus Fortify on Demand Reviews

    Senior System Analyst at Azurian
    Real User
    Top 20
    Makes it easy to discover hidden vulnerabilities in our open source libraries
    Pros and Cons
    • "One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that."
    • "During development, when our developer makes changes to their code, they typically use GitHub or GitLab to track those changes. However, proper integration between Fortify on Demand and GitHub and GitLab is not there yet. Improved integration would be very valuable to us."

    What is our primary use case?

    We create technology solutions for clients and on one project we were requested to use Fortify on Demand after the client had read a good report about it. They sent us the report and recommended its use.

    In this case, we were using Java to program the client's solution and so we used Fortify on Demand alongside our Java development operations, for the purpose of improving the application's security.

    The work we were doing for the client involved creating a billing system that they would use to manage payments and taxes for other companies in Chile. We've only used Fortify on Demand for this one client so far. 

    Because Fortify on Demand was so new to us, we decided to go with the trial version first and figure out the costing at a later stage.

    How has it helped my organization?

    Fortify on Demand has helped us more easily ensure the security of our client's application, which works with sensitive information such as payments and taxation. Without it, we would have to spend much more time finding hidden weaknesses in our code.

    What is most valuable?

    One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that.

    Another reason I like Fortify on Demand is because our code often includes open source libraries, and it's important to know when the library is outdated or if it has any known vulnerabilities in it. This information is important to us when we're developing our solutions and Fortify on Demand informs us when it detects any vulnerable open source libraries.

    What needs improvement?

    During development, when our developer makes changes to their code, they typically use GitHub or GitLab to track those changes. However, proper integration between Fortify on Demand and GitHub and GitLab is not there yet. Improved integration would be very valuable to us.

    Similarly, I would love to see some kind of tracing solution for use in stress testing. So when we stress the application on a certain page or on a certain platform, we would be able to see a complete stress test report which could quickly tell us about weak points or failures in the application. 

    Further potential for improvement is that, when we deploy our Java WAR files for review in the QA area, we want to be able to create a report in Fortify on Demand right from within this deployment stage. So it might inspect or check the solution's Java WAR package directly and come up with a report in this crucial phase of QA. 

    For how long have I used the solution?

    I have been using Fortify on Demand for about a month or so. 

    What do I think about the stability of the solution?

    Overall, we have not had any issues with stability, although we have not used it for very long.

    What do I think about the scalability of the solution?

    We have had no problems with scalability in our current use case, which is only one client at the moment. As a cloud service, it has satisfied our requirements well and we haven't had any situations where scalability is an issue.

    How are customer service and technical support?

    When we sent a question about the product to their support team, we had to wait a while but they did send us a response eventually. I think that they could work on reacting faster to support questions.

    Which solution did I use previously and why did I switch?

    We have also tried SonarQube, but Fortify on Demand appealed to us more due to their source code review with emphasis on open source vulnerabilities. Fortify seems stronger in that aspect and we like to use many open source libraries in our work. 

    How was the initial setup?

    The setup is easy and it only takes about 30 minutes to perform a basic code review in Java when dealing with WAR files.

    It can get more complicated when you want to fine-tune the reporting interface to give only the details that you want to see. This is because the initial configuration depends on other variables like the scope of the review, the client's preferences, the technician's preferences, and other factors.

    When it comes to launching Fortify on Demand and connecting it to our codebase, it's quite easy. Getting quick reviews done on WAR files is a relatively simple procedure.

    What about the implementation team?

    Our company implements Fortify on Demand ourselves on behalf of our client. When the client requests any changes, we then implement it for them.

    What's my experience with pricing, setup cost, and licensing?

    We are still using the trial version at this point but I can already see from the trial version alone that it is a good product. For others, I would say that Fortify on Demand might look expensive at the beginning, but it is very powerful and so you shouldn't be put off by the price.

    In our case, we are constrained by the client's budget, but others might find that the price is not too bad. It all depends on the budget.

    What other advice do I have?

    For us, Fortify on Demand is a good quality product that I can recommend for a few reasons, including:

    • Very useful source code review and vulnerability detection.
    • Clear and easy-to-read test results and reports.
    • Good integration with other platforms during development.

    I would rate Fortify on Demand a nine out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Security Systems Analyst at a retailer with 5,001-10,000 employees
    Real User
    Top 10
    An extremely scalable, flexible, and stable solution that reduces the overall risk and gives us assurance
    Pros and Cons
    • "Being able to reduce risk overall is a very valuable feature for us."
    • "They have a release coming out, which is full of new features. Based on their roadmap, there's nothing that I would suggest for them to put in it that they haven't already suggested. However, I am a customer, so I always think the pricing is something that could be improved. I am working with them on that, and they're very flexible. They work with their customers and kind of tailor the product to the customer's needs. So far, I am very happy with what they're able to provide. Their subscriptions could use a little bit of a reworking, but that would be about it."

    What is our primary use case?

    All in-house developed code or third-party developed code on our behalf is scanned via Fortify on Demand. Any results for unsecure code, vulnerabilities, or issues are passed back to the development teams for remediation.

    How has it helped my organization?

    Secure code is an important part of our day-to-day development activities. So, having code out there gives us some reasonable assurance that it is not vulnerable or open to attack. It certainly makes our overall risk posture better.

    What is most valuable?

    Being able to reduce risk overall is a very valuable feature for us.

    What needs improvement?

    They have a release coming out, which is full of new features. Based on their roadmap, there's nothing that I would suggest for them to put in it that they haven't already suggested. However, I am a customer, so I always think the pricing is something that could be improved. I am working with them on that, and they're very flexible. They work with their customers and kind of tailor the product to the customer's needs. So far, I am very happy with what they're able to provide. Their subscriptions could use a little bit of a reworking, but that would be about it.

    What do I think about the stability of the solution?

    It is a very stable product. They are constantly updating and keeping it up to date. There are no issues.

    What do I think about the scalability of the solution?

    It is extremely scalable and flexible. We scan very small applications from our in-house innovations team and all the way up to millions of lines of code from our e-commerce teams. We currently have about 50 users, but the number varies. Some development teams are fairly small, and some are fairly large.

    How are customer service and technical support?

    Technical support is very good. I've never had an issue that we couldn't resolve. If we have a scan running and we need it to finish sooner, they will allocate extra resources to it if we identify. We've had very good results with their tech support.

    Which solution did I use previously and why did I switch?

    This is the first solution that was implemented. I inherited this from somebody else. We are a government organization, so we have to do an RFP next year to renew. We'll see how it goes.

    How was the initial setup?

    The basic scanning is not very complex. When you get into more detailed scanning such as APIs, the level of complexity is moderate. However, when you are scanning that type of application, you usually have teams available that know what to do and what the configuration needs to be. We did our first scan within two days.

    What about the implementation team?

    It was implemented in-house. We have in-house expertise. Our strategy was basically just to stand it up and use the default settings initially with a pilot. We planned to do some pilot scans and get a good feel for the product, and then adjust accordingly on an ongoing basis.

    I managed it for two years single-handedly. As we expand and add more and more applications, we are adding extra hands. If we're looking at an FTE, equivalency is probably 0.5 to 0.75 people to manage it.

    What was our ROI?

    Looking for a return on investment on security is a little challenging. Some CIOs might argue one way or another. Some look at it as a cost, and some look at it as cost avoidance. I'm a security professional, and I look at it as cost avoidance. So, we're avoiding breaches, people being able to manipulate the code or cause any issues, and downtime. I always look at the positives of the product. If we eliminate any of the security risks or attack factors on these products before they go live, we're doing due diligence in making sure that the product stays up and running, especially for something like e-commerce.

    What's my experience with pricing, setup cost, and licensing?

    Their subscriptions could use a little bit of a reworking, but I am very happy with what they're able to provide.

    What other advice do I have?

    We plan to keep using this solution. Every year, we seem to have more and more code, and they add more and more features such as third-party library assessments, etc. Open source has become a big thing as companies try and save money, but with open source comes additional risk. This solution helps us mitigate the risk of those open-source components. So, we're using this more and more as we move forward.

    The important part of this is automation. There are lots of automation options for this tool. Initially, trying to do it manually was a great start, but we kind of got lost a little bit along the way of implementing it. We should have done more automation right from the beginning, made it our standard, and created the policies. Sometimes, you put the cart before the horse. The tool does a great job, and you get lost in the results. It does provide good results and good information, but I think it's very important to have those policies and procedures in place right up front with this product. It will save you a lot of time in the end.

    The biggest lesson that I have learned from using this product is that even if you have the best people, there are always vulnerabilities and things that will surprise you.

    I would rate Micro Focus Fortify on Demand a nine out of ten.

    Which deployment model are you using for this solution?

    Private Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Jayashree Acharyya - PeerSpot reviewer
    Executive Manager at PepsiCo
    Real User
    Top 5 Leaderboard
    High performance, useful security scanning, but cannot operate from a Linux Agent
    Pros and Cons
    • "Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning."
    • "Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we have to use Windows Agent. This is something they could improve."

    What is our primary use case?

    Whenever we have a new application we scan it using Micro Focus Fortify on Demand. We then receive a service connection from Azure DevOps to Micro Focus Fortify on Demand and the information from the application tested.

    We are using Micro Focus Fortify on Demand in two ways in most of our processes. We are either using it from our DevOps pipeline using Azure DevOps or the teams which are not yet onboarded in Azure DevOps, are running it manually by putting in the code then sending it to the security team where they will scan it.

    We use two solutions for our application testing. We use SonarQube for next-level unit testing and code quality and Micro Focus Fortify on Demand mostly for vulnerabilities and security concerns.

    How has it helped my organization?

    We previously only did the testing and scanning after deploying applications in production, but now we are doing it in development. We are making sure the code is safe to use in all the environments, not only in production. It has been valuable for us.

    What is most valuable?

    Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning.

    When we are exploring some of the endpoints this solution identifies many loopholes that hackers could utilize for an attack. This has been very helpful and surprising how many vulnerabilities there can be.

    What needs improvement?

    Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we have to use Windows Agent. This is something they could improve.

    Currently, when we are running a security scan or Azure DevOps pipeline Micro Focus Fortify on Demand will give an overall status. People have to click on the link to read the in-depth results. If there could be some output of the report that can be passed in the pipeline and based on that we can control the next step of the pipeline. For example, if Micro Focus Fortify on Demand is saying the report is critical, do not go any further. If we can have that critical variable as a pipeline output that can be used later it would be really helpful.

    For how long have I used the solution?

    I have been using Micro Focus Fortify on Demand for one year.

    What do I think about the scalability of the solution?

    We have approximately 50 applications that are using this solution and we are expanding our operation to increase usage.

    We have developers, DevOps, and engineers using this solution in my organization.

    Which solution did I use previously and why did I switch?

    We use SonarQube alongside Micro Focus Fortify on Demand.

    The difference between the two is Micro Focus Fortify on Demand handles the security testing and SonarQube does more in-depth level code testing.

    How was the initial setup?

    The initial setup was simple.

    What about the implementation team?

    We have an internal DevSecOps team of approximately 15 people that does the implementation of the solution.

    What was our ROI?

    Micro Focus Fortify on Demand has saved our company money from the use of automation features. We are able to run the scans automatically from the pipeline saving us a lot of time and communication. Previously it would have taken a few days whereas now it can be completed in 10 minutes.

    What's my experience with pricing, setup cost, and licensing?

    We make an annual purchase of the licenses we need.

    What other advice do I have?

    Micro Focus Fortify on Demand is a nice tool for security tests because security is important in today's world. DevOps is not the only solution we have to think of, there is DevSecOps. Fortify is helping us to scan our code at the very beginning of SDLC. I would recommend this solution to any other security tool because when we compared other tools Fortify worked well for us.

    I rate Micro Focus Fortify on Demand a seven out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Fernando Carlos - PeerSpot reviewer
    Project Manager at Everis
    Real User
    Top 20
    Great cost benefit with good stability and reduces exposure and remediation issues
    Pros and Cons
    • "The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation."
    • "There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes."

    What is our primary use case?

    We're implementing DevSecOps, and Fortify is only a part of the big picture. We are implementing the entire secure development lifecycle.

    What is most valuable?

    The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation.

    What needs improvement?

    There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes.

    The initial setup is a bit complex.

    We could have more detailed documentation. They could offer some quick start or some extra guidance regarding the implementation.

    I'd like to see more interactive application security and more IDE integration and integration with VS Code and Eclipse. I would like to see more features of this kind.

    For how long have I used the solution?

    I've used this solution over the last 12 months at least.

    What do I think about the stability of the solution?

    The solution is stable. It's reliable. It doesn't crash or freeze. There aren't bugs or glitches.

    What do I think about the scalability of the solution?

    We haven't tried to scale the solution just yet. As we didn't take the SaaS solution, scalability may be limited for us. I'm unsure. I can't really comment on that.

    Currently, we have about 20 people on the development team.

    Right now, we don't plan to increase usage.

    How are customer service and technical support?

    The technical support is fine, however, it would be very helpful, especially during implementation, if there was more documentation and help surrounding setup.

    Which solution did I use previously and why did I switch?

    We did not use a different solution previously. Before we had this solution, we were just evaluating other solutions and looking at the costs, and trying to bring in something newer, like an integrated automated secure stack, or something like that.

    How was the initial setup?

    We found the initial setup a bit complex. It's not exactly straightforward. For a newbie, there's a learning curve, and that can slow things down a bit.

    Our deployment took about three to four months.

    What about the implementation team?

    We only deployed in our company and we didn't use a consultant or integrator. We handled it completely in-house.

    What was our ROI?

    At this time, I don't have an answer on the return of investment. As far as I can see, it's necessary. If we got exposed or had a data leak it would cost the company dearly. With that in mind, while I can see there's an ROI, I can't provide an exact number.

    What's my experience with pricing, setup cost, and licensing?

    We pay for licensing. We do pay an extra cost for implementing the infrastructure into the cloud. 

    Which other solutions did I evaluate?

    I've briefly looked at Kiuwan and compared it to this solution. We also looked at Veracode.

    What other advice do I have?

    We're just a customer and we offer consulting services.

    We are bringing up all the infrastructure inside GCP. It's not ready yet, and we're still implementing it. We're going to bring it up next week, probably, in terms of the infrastructure. We'll perform the SSC installation, install the controller and sensors.

    The most important thing a company needs to do is to pay attention to the license calculation. They need to know how many licenses are going to be used. They need to understand the Micro Focus offer. That way, you won't be charged if you have surpassed the application limit. This is very important. That's something we faced in the past that caused a lot of problems. We needed to estimate the sizing correctly of the infrastructure. Doing that will bring value to the builds and deployments. Otherwise, you're going to spend a lot of time doing the scanning, and the developers will be very mad.

    I'd rate the solution ten out of ten. It's the best on the market for me.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Principal Solutions Architect at a security firm with 11-50 employees
    Real User
    A good scanner that performs different types of scans and keeps everything in one place, but it needs more streamlined installation procedure and a bit more automation
    Pros and Cons
    • "Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out."
    • "It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available."

    What is our primary use case?

    Our clients use it for scanning their applications and evaluating their application security. It is mostly for getting the application security results in, and then they push the vulnerabilities to their development team on an issue tracker such as Jira.

    I usually have the latest version unless I need to support something on an older version for a client. We're not really deploying any of these solutions except for kind of testing and replicating the situations that our clients get into.

    What is most valuable?

    Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out.

    What needs improvement?

    It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available.

    For how long have I used the solution?

    I have been using this solution for seven or eight months.

    What do I think about the stability of the solution?

    I've never seen any issues with stability or crashing, and it looks fine to me, but I don't run it long enough to see. If I was using it as a customer, it is always possible that I would see more issues.

    What do I think about the scalability of the solution?

    Usually, I just run it against a single application. I don't know how it is if you are running it across a large enterprise.

    Our clients are medium to large businesses. We have a lot of Fortune 500 companies, and scalability is very important to us. Our product is made to scale to hundreds of millions of findings from various tools. 

    How are customer service and technical support?

    Most of what I've been doing with them is just getting help with being able to set up an environment and the license keys, and they've been pretty helpful. I haven't had many issues that required me to report a bug or a problem. I did deal with them maybe once for a tech problem, and they were very responsive. They seemed pretty good.

    How was the initial setup?

    As compared to the other tools that I've worked with, it is probably in the middle range. It is definitely not the simplest one where you just run the installation, and it will be all done, but you also don't tend to run into too many problems that aren't easy to figure out during the install process. If you go from lowest to highest complexity, it would be right in the middle.

    What other advice do I have?

    It seems like a better scanner than the other ones that we support, but there are some other products such as Prisma that seem more polished and have tighter integration with different types of scanners. Whether they've acquired different scanners or built them themselves, they do seem like a cohesive product, whereas Fortify seems a little bit more like a collection of several different products.

    I would rate Micro Focus Fortify on Demand a seven out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Mamta Jha - PeerSpot reviewer
    Co-Founder at TechScalable
    Real User
    Top 20
    A feature-rich solution for simplified designing and architecting
    Pros and Cons
    • "Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices. Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much."
    • "In terms of communication, they can integrate a few more third-party tools. It would be great if we can have more options for microservice communication. They can also improve the securability a bit more because security is one of the biggest aspects these days when you are using the cloud. Some more security features would be really helpful."

    What is our primary use case?

    We are architecting applications for e-commerce websites similar to Amazon. Everything is running on the cloud, and Micro Focus Fortify on Demand is totally integrated with our solution at this point in time.

    What is most valuable?

    Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices.

    Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much.

    What needs improvement?

    In terms of communication, they can integrate a few more third-party tools. It would be great if we can have more options for microservice communication.

    They can also improve the securability a bit more because security is one of the biggest aspects these days when you are using the cloud. Some more security features would be really helpful.

    For how long have I used the solution?

    I have been using this solution for three years.

    What do I think about the stability of the solution?

    We have not come across anything major. We have been using it for quite a while, and we are happy with it. 

    What do I think about the scalability of the solution?

    Scalability is good. Our customer bases are not that huge. Bigger enterprises may have trouble in scaling it, but for our load of work, it is working fine.

    We have more than ten users. We are a very small startup, and we don't have too many people. 

    How are customer service and technical support?

    Till now, we have not raised any tickets. If we are stuck with something, we just google and find out. We use their documentation, which is good enough. That's why we didn't raise any technical queries or things like that.

    How was the initial setup?

    It was good. I don't think we struggled that much.

    What about the implementation team?

    We implemented it ourselves. We have two people to maintain this solution.

    Which other solutions did I evaluate?

    We didn't evaluate any other solution. I was trying to find out which solution I should use, and I just saw good reviews of this solution. This was the first solution that we tried out, and we liked it. We started with a trial, and it was doing good. Our necessities were met, so we didn't try to figure out any other competitive tool in the market.

    What other advice do I have?

    You can choose this product for sure with a lot of confidence. It entirely depends on how you are exploring the stuff and trying to integrate it. Designing has to be good. It has all the features, but exploring the features and using it as per your need is important. It is not that features are not there. You just need to explore them and know how to use them. 

    I would rate Micro Focus Fortify on Demand an eight out of ten. It is a good product. However, it needs improvements from the security aspect and from the aspect of integrations with other popular tools in the market.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Project Analyst at a financial services firm with 1,001-5,000 employees
    Real User
    Top 20
    A cost-effective and intuitive solution for checking vulnerabilities during the development process
    Pros and Cons
    • "The most valuable feature is the capacity to be able to check vulnerabilities during the development process. The development team can check whether the code they are using is vulnerable to some type of attack or there is some type of vulnerability so that they can mitigate it. It helps us in achieving a more secure approach towards internal applications. It is an intuitive solution. It gives all the information that a developer needs to remediate a vulnerability in the coding process. It also gives you some examples of how to remediate a vulnerability in different programming languages. This solution is pretty much what we were searching for."
    • "It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team."

    What is our primary use case?

    We use it for statistical analysis for Java applications that are used in the collection process of a bank. It is also used for an internal web page. The tellers use this web page in the branches to make money transactions, such as withdrawals, deposits, etc.

    What is most valuable?

    The most valuable feature is the capacity to be able to check vulnerabilities during the development process. The development team can check whether the code they are using is vulnerable to some type of attack or there is some type of vulnerability so that they can mitigate it. It helps us in achieving a more secure approach towards internal applications.

    It is an intuitive solution. It gives all the information that a developer needs to remediate a vulnerability in the coding process. It also gives you some examples of how to remediate a vulnerability in different programming languages. This solution is pretty much what we were searching for.

    What needs improvement?

    It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. 

    They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team.

    For how long have I used the solution?

    I have been using this solution for two or three months.

    What do I think about the stability of the solution?

    It has been pretty stable.

    What do I think about the scalability of the solution?

    It is scalable, but we haven't scaled it much. Currently, we have ten users, but it is capable of taking many more users.

    How are customer service and technical support?

    Their support is good, but sometimes, they take a bit longer. For high severity incidents, they should properly identify the team that has to be engaged to solve an issue. I would rate them an eight out of ten.

    How was the initial setup?

    The initial setup was pretty much straightforward. It was quite easy to implement. 

    It is quite intuitive, and the training model that they have helps the development team in using it easily. The deployment process took only about two weeks.

    In terms of the implementation strategy, it started with a kickoff meeting with the provider who offered the solution. We involved the development team, security information team, and infrastructure team from the beginning. They all knew what can be done with the solution and what role they are going to play in the implementation process, which helped a lot to achieve a pretty short implementation time.

    What's my experience with pricing, setup cost, and licensing?

    It is cost-effective.

    What other advice do I have?

    It is a great solution. It is cost-effective for a secure development process. If an enterprise wants to adopt the DevOps process, Micro Focus Fortify on Demand is a great starting point. 

    I would rate Micro Focus Fortify on Demand a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Production Manager for Nearshore SWaT at a computer software company with 10,001+ employees
    Real User
    Top 20
    Stable and shows the vulnerabilities online while checking the code, but it is quite expensive
    Pros and Cons
    • "The feature that I find the most useful is being able to just see the vulnerabilities online while checking the code and then checking suggestions for fixing them."
    • "The thing that could be improved is reducing the cost of usage and including some of the most pricey features, such as dynamic analysis and that sort of functionality, which makes the difference between different types of tools."

    What is our primary use case?

    We use Micro Focus Fortify on Demand to check the vulnerabilities of developments that we perform.

    What is most valuable?

    The feature that I find the most useful is being able to just see the vulnerabilities online while checking the code and then checking suggestions for fixing them.

    What needs improvement?

    The thing that could be improved is reducing the cost of usage and including some of the most pricey features, such as dynamic analysis and that sort of functionality, which makes the difference between different types of tools.

    For how long have I used the solution?

    I have been using this product for four years. 

    What do I think about the stability of the solution?

    It is stable.

    What do I think about the scalability of the solution?

    It is scalable. However, it poses a challenge in terms of pricing and licensing.

    How are customer service and technical support?

    I haven't contacted their support, but I know that a team was in touch with Fortify technical support because they do get to have a lot of questions about migrating the software, licensing, and other stuff. They contact the support quite often. I know that they get responses, not always the ones they would like, but they do get a response from them.

    Which solution did I use previously and why did I switch?

    I have used SonarQube but not at the same level. It has some functionalities that are related to security. It does not go as deep as Micro Focus Fortify on Demand. 

    We have evaluated other tools that are competitors of Micro Focus Fortify on Demand, but we still decided to keep Micro Focus Fortify on Demand.

    How was the initial setup?

    I wasn't responsible for setting it up. 

    What about the implementation team?

    We have a team that works with the product. All development teams work with this team to accomplish the goals. Everything was set up by this team, and afterward, the development team just has to look at the reports and vulnerabilities so that they can run scans.

    What's my experience with pricing, setup cost, and licensing?

    It is quite expensive. Pricing and the licensing model could be improved. 

    What other advice do I have?

    Before using it, evaluate other possibilities because it's quite expensive if you don't have the need to use it. For example, replace it with SonarQube or another competitor's tool that may not do quite the same thing, but it is enough for what you want for your objectives. It could be a cheaper way to get to those goals.

    I would rate Micro Focus Fortify on Demand a seven out of ten. Improvement in pricing would be the biggest thing that would improve the scoring.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.