The source code analyzer is the most effective for identifying security vulnerabilities. It is the engine or the artificial intelligence behind the scanning engine that does the actual analysis of the data, and they then create an FPR file. This FPR file can then be further analyzed and tested at ScanCentral, which is your centralized dashboard for security auditing and remediation.

So from there, once you've got the artifact or this file, which is created from scanning all of your applications, it gives you a comprehensive overview of the vulnerability scores or the bug densities of your code, and then you can further analyze and test those codes and draw reports from ScanCentral.

So, these reports are against the OWASP Top ten. So you've got different reports that will give you a detailed analysis of your scan data, and it also does it in a dashboard format. So you then get a comprehensive report, and you can also draw a developer's workbook report, which you can send to developers where they actually have a bird's eye view or code-level view of the vulnerabilities and the recommendations are made by Fortify on how you can remediate those threats or vulnerabilities.

And you can then improve your bug density and scores, and you can also do that from the dashboard interface. You can also remediate and within the dashboard, change your score. So you have the dashboard, which gives you a comprehensive overview across all the applications. Also, as you remediate and fix your code, the dashboards update your scores, and then you have a view, and you can control your bug densities across all of the applications once you've onboarded each and every application. And that's across all your DAST and SAST applications. And this is on a centralized dashboard.

Fortify is constantly improving. Their tools and their interfaces are modernized with every new feature or every new version. I constantly see improvements by OpenText. OpenText is very intuitive. They're also implementing a lot of new AI capabilities with the NerdTools, which I think is remarkable.

Our CSD team used multiple tools for different scenarios. When dealing with sophisticated threats or vulnerabilities, manual analysis was necessary alongside Fortify's machine-based analysis. So, in handling complicated vulnerabilities, we couldn't rely on just one tool. Multiple tools were required. One such tool was OS Zap Proxy. We integrated Zap Proxy with Fortify, and this integration proved quite useful. Instead of relying solely on Fortify's dashboard, we integrated it with other tools, which made more sense. The security analysts, up to the level of the CSO, wouldn't rely only on a single dashboard. They used multiple tools to detect and work on vulnerabilities across various platforms and products. Fortify seamlessly integrates all these aspects.

Fortify helps me find serious issues, such as developers inadvertently leaving access tokens, including API access tokens, in the source code. Fortify is effective in identifying such oversights, making it a really helpful tool despite its problems. It is valuable in improving our overall security posture by catching significant errors.

The solution is very fast.

The scanning capabilities, particularly for our repositories, have been invaluable.

One of the most valuable features of Fortify On Demand is its ability to integrate seamlessly with the DevOps lifecycle, particularly in terms of security testing. Injecting security testing into the DevOps process ensures that security measures are incorporated from the development stage onwards. It aligns with the main objective of DevOps, which is to automate and streamline the software development lifecycle, from code commit to deployment. With automation tools orchestrating the pipeline, tasks such as code compilation, testing, and deployment can be carried out rapidly and efficiently. This results in faster time-to-market for features, reducing deployment times from hours to minutes. It enhances trust from customers and cybersecurity teams, as security measures are built into the software from the outset, increasing confidence in the security.

I appreciate all the features, with a particular emphasis on their vulnerability scanner. For instance, in our environment where two-factor authentication is prevalent across many of our sites, the scanner efficiently identifies vulnerabilities, including those related to second-factor methods or mobile codes. What stands out to me is the user-friendliness of each feature. Given that we're a bank with multiple applications, having the flexibility to customize solutions according to the unique needs of each application is crucial.

The solution is user-friendly. One feature I find very effective is the tool's automatic scanning capability. It scans replicas of the code developers write and automatically detects any vulnerabilities. The integration with CI/CD tools is also useful for plugins.

The tool's AI feature analyzes security threats and recommends updating the code accordingly. One major issue that AI detected for us was logging issues and hardware vulnerabilities. Fortify On Demand identified these, allowing our developers to address and fix the issues.

We've found the depth of scanning that the product provides and the results we get are the most valuable features. 

The most valuable features are the detailed reporting and the ability to set up deep scanning of the software, both of which are in the same place.

To my mind, the best features of this product are its speed and efficiency. It covers a wide variety of languages and even has an option for checking different Java versions.

Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning.

When we are exploring some of the endpoints this solution identifies many loopholes that hackers could utilize for an attack. This has been very helpful and surprising how many vulnerabilities there can be.

The vulnerability detection and scanning are awesome features. 

While using Micro Focus Fortify on Demand we have been very happy with the results and findings.

The most valuable feature of Micro Focus Fortify on Demand is the information it can provide. There is quite a lot of information. It can pinpoint right down to where the problem is, allowing you to know where to fix it. Overall the features are easy to use, you don't have to be a coder. You can be a manager, or in IT operations, et cetera, anyone can use it. It is quite a well-rounded functional solution.

The allocations to different members of a team are good. If you find a problem, you can delegate the task to patch the particular code.

It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support.

It is an extremely robust, scalable, and stable solution.

It enhance the quality of code all along the CI/CD pipeline from a security standpoint and enables developers to deliver secure code right from the initial stages.

The most valuable features are the server, scanning, and it has helped identify issues with the security analysis.

The most valuable features of Micro Focus Fortify on Demand have been SAT analysis and application security.

The user interface is good.

The SAST feature is the most valuable.

Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out.

The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation.

One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that.

Another reason I like Fortify on Demand is because our code often includes open source libraries, and it's important to know when the library is outdated or if it has any known vulnerabilities in it. This information is important to us when we're developing our solutions and Fortify on Demand informs us when it detects any vulnerable open source libraries.

Being able to reduce risk overall is a very valuable feature for us.

The feature that I find the most useful is being able to just see the vulnerabilities online while checking the code and then checking suggestions for fixing them.

Fortify on Demand is easy to use and the reporting is good.

As for the static code analysis functionality, it is doing the job that it is supposed to do. 

We have the option to scan web applications on demand. We have the option to do dynamic analysis. We also have an on-premise solution for static code analysis.

We have the option to test applications with or without credentials.

Fortify on Demand's best feature is that there's no need to install and configure it locally since it's on the cloud.

Fortify supports most languages. Other tools are limited to Java and other typical languages. IBM's solutions aren't flexible enough to support any language. Fortify also integrates with lots of tools because it has API support.

The features that I have found most valuable include its security scan, the vulnerability finds, and the web interface to search and review the issues.

The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives.

It is easy to install, and the cost is fair.

The most valuable feature is the capacity to be able to check vulnerabilities during the development process. The development team can check whether the code they are using is vulnerable to some type of attack or there is some type of vulnerability so that they can mitigate it. It helps us in achieving a more secure approach towards internal applications.

It is an intuitive solution. It gives all the information that a developer needs to remediate a vulnerability in the coding process. It also gives you some examples of how to remediate a vulnerability in different programming languages. This solution is pretty much what we were searching for.

Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices.

Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much.

The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira. When a vulnerability is found then it is classified as a bug and sent to IT.

We actually find all of the product's features valuable. But at this point, we are trying to upsell by adding additional components like RAFT (Re-usable Automation Framework for Testing) to the test cycle.  

What is most useful is how you can have related features upgraded on the tools. The tools themselves have details for the code as well, where the issues have been flagged, and all the vulnerabilities are there, in one place.

The static code analyzers are the most valuable features of this solution.

The product, in general, is meant to scan the website and identify any vulnerabilities: a known vulnerability across that script and SQL injection or other vulnerabilities from OWASP top 10, etc. That is what we're using this for.

The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it. 

The features I found most valuable is that it is very configurable. The installation was also very easy. 

We can run our scans properly on it. It improves future security scans.

One of the valuable features is the ability to submit your code and have it run in the background. Then, if something comes up that is more specific, you have the security analyst who can jump in and help, if needed. I think that's really useful.

We shared the easy to use dashboard with our programmers and involved outsourcers for a quick issues fix. 

The most important feature of the product is to follow today's technology fast, updated rules and algorithms (of the product). It also allows for more efficient and custom integration by allowing customized enhancements through the API support offered through the SSC portal.

• The ability to utilize the Client Portal, which provided my clients with a view of the project status, vulnerabilities and needed remediation steps in real-time
• I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification
• The process was easy to follow and we were supported by 24/7 by TAM personnel to help with any fire drills. This was helpful many times when I needed a quick answer late at night or early in the morning

The quality of application security testing reduces risk and gives very few false positives.

We identified a lot of security vulnerability much earlier in the development and could fix this well before the product was rolled out to a huge number of clients.

• Scan wizard: for configuring large scans
• Audit workbench: for on-the-fly defect auditing
• CLI: to integrate the tool into CI/CD

Both editions of the product have their advantages, and they complement each other.

The static code analyzer provides views from a security perspective and it is easy to use compared to others.

The solution simply identifies any security flaws that any of our applications might have.

It's saved us a lot of time as we focus primarily on security consultancy work rather than tool operational work.

Also, the features SAST, DAST, Dashboard/Reports, Fortify on Demand Portal and Vulnerability Tracking, have all helped with our work.

Finally, it's reduced operational costs as we minimized security incidents and ensured all vulnerabilities are remediated during the development lifecycle.

It enforces source-code scanning, finding vulnerabilities in source code.

It's one of the leaders in the application security space. I've used Fortify since 2007, and I think the most valuable feature is its ability to address the source code scanning and dynamic scanning in a known, correlated way. I think the best way to address application security is to have multiple types of scanning and a unified view for the customer.

• It's On-Demand, and cloud-based which is well suited to occasional and price-conscious use.
• Fast turn-around allows for easy integration into the development process without any major impact on development efforts.

I was able to quickly pass compliance with HIPAA.
Correlated static and dynamic results with detailed priority guidance.
Accurate results, tailored to each application.
All results manually reviewed by application security experts .
Central testing program management for all applications.

The solution is user-friendly.

There is not only one specific feature that we find valuable. The idea is to integrate the solution in DevSecOps which we were able to do. We were working with a different solution called SolarCloud previously and it was limited. We are trying to find the right level of security for our needs.