IT Central Station is now PeerSpot: Here's why

Micro Focus Fortify on Demand OverviewUNIXBusinessApplication

Micro Focus Fortify on Demand is #5 ranked solution in AST tools and #7 ranked solution in application security solutions. PeerSpot users give Micro Focus Fortify on Demand an average rating of 7.8 out of 10. Micro Focus Fortify on Demand is most commonly compared to SonarQube: Micro Focus Fortify on Demand vs SonarQube. Micro Focus Fortify on Demand is popular among the large enterprise segment, accounting for 74% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 26% of all views.
Micro Focus Fortify on Demand Buyer's Guide

Download the Micro Focus Fortify on Demand Buyer's Guide including reviews and more. Updated: July 2022

What is Micro Focus Fortify on Demand?

Micro Focus Fortify on Demand is a web application security testing tool that enables continuous monitoring. The solution is designed to help you with security testing, vulnerability management and tailored expertise, and is able to provide the support needed to easily create, supplement, and expand a software security assurance program without the need for additional infrastructure or resources.

Micro Focus Fortify on Demand Features

Micro Focus Fortify on Demand has many valuable key features. Some of the most useful ones include:

  • Deployment flexibility
  • Scalability
  • Built for DevSecOps
  • Ease of use
  • Supports 27+ languages
  • Real-time vulnerability identification with
  • Security Assistant
  • Actionable results in less than 1 hour for most applications with DevOps automation
  • Expanded coverage, accuracy and remediation details with IAST runtime agent
  • Continuous application monitoring of production applications
  • Virtual patches
  • Supports iOS and Android mobile applications
  • Security vulnerability identification
  • Behavioral and reputation analysis

Micro Focus Fortify on Demand Benefits

There are several benefits to implementing Micro Focus Fortify on Demand. Some of the biggest advantages the solution offers include:

  • Fast remediation: With Micro Focus Fortify on Demand you can achieve fast remediation throughout the software lifecycle with robust assessments by a team of security experts.
  • Easy integration: The solution’s integration ecosystem is easy to use, creating a more secure software supply chain.
  • Security testing: Micro Focus Fortify on Demand covers in-depth mobile app security testing, open-source analysis, and vendor application security management, in addition to static and dynamic testing.

Reviews from Real Users

Below are some reviews and helpful feedback written by PeerSpot users currently using the Micro Focus Fortify on Demand solution.

Dionisio V., Senior System Analyst at Azurian, says, "One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that." He goes on to add, “Another reason I like Fortify on Demand is because our code often includes open source libraries, and it's important to know when the library is outdated or if it has any known vulnerabilities in it. This information is important to us when we're developing our solutions and Fortify on Demand informs us when it detects any vulnerable open source libraries.”

A Security Systems Analyst at a retailer mentions, “Being able to reduce risk overall is a very valuable feature for us.”

Jayashree A., Executive Manager at PepsiCo, comments, “Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning. When we are exploring some of the endpoints this solution identifies many loopholes that hackers could utilize for an attack. This has been very helpful and surprising how many vulnerabilities there can be.”

A Principal Solutions Architect at a security firm explains, “Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out.”

PeerSpot user Mamta J., Co-Founder at TechScalable, states, "Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices. Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much."

Micro Focus Fortify on Demand was previously known as Fortify on Demand.

Micro Focus Fortify on Demand Customers

SAP, Aaron's, British Gas, FICO, Cox Automative, Callcredit Information Group, Vital and more.

Micro Focus Fortify on Demand Video

Archived Micro Focus Fortify on Demand Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Vice President - Solution Architecture at a financial services firm with 10,001+ employees
Real User
Easy to use and the reporting is good, but does not support dynamic application security testing
Pros and Cons
  • "Fortify on Demand is easy to use and the reporting is good."
  • "The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood."

What is our primary use case?

We are using Fortify on Demand as a static code analyzer. As it scans each application, it checks each line of code. When we are developing mobile applications there might be some kind of security vulnerability. One example is a check to see if information that is being transferred is not encrypted because this would be vulnerable to hackers who are trying to break into the system. We also look at whether were are using the network transport layer security.

Our overall goal at this time is to protect our mobile app because it is one of the ways that hackers can break into the system. 

What is most valuable?

Fortify on Demand is easy to use and the reporting is good.

As for the static code analysis functionality, it is doing the job that it is supposed to do. 

What needs improvement?

This solution cannot do dynamic application security testing. It needs to be able to simulate a situation where a hacker is trying to break into the system.

The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood. Adding more information to provide a better analysis would be an improvement.

This solution would benefit from having more customization available for the reports. 

For how long have I used the solution?

We have been evaluating Fortify on Demand for close to a year.

Buyer's Guide
Micro Focus Fortify on Demand
July 2022
Learn what your peers think about Micro Focus Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
622,949 professionals have used our research since 2012.

What do I think about the stability of the solution?

Fortify on Demand has been stable from what I have seen. We have not had any problem with the reports, and we have not seen any instability or glitches.

What do I think about the scalability of the solution?

In our trial, there are seven or eight applications that are relying on this solution. Different departments in our company have their own technology centers in different locations, and I am not aware of what the other departments are doing.

How are customer service and support?

I have not interacted with the Fortify on Demand technical support team directly. Our own infrastructure support is the group that would deal with them. My team only communicates with our internal support.

Which solution did I use previously and why did I switch?

We did not use another solution prior to starting our evaluation that includes Fortify on Demand. People were relying on some open-source static code analyzers. However, I don't think that it was very reliable.

How was the initial setup?

My understanding is the this is not a difficult solution to manage and maintain.

What about the implementation team?

Our server infrastructure team handles the deployment and maintenance of this solution. They update it regularly as patches or new versions are released. They look into all of the tools that we use and perform the installation, as well as manage them.

Which other solutions did I evaluate?

We are currently using WebInspect but it does not satisfy all of our requirements. We are continuing to research other tools from other vendors, including open-source technologies. We have not fully decided yet. Before deciding on any product or vendor, we have to look at the whole cost of procuring the product license, as well as the recurring cost.

What other advice do I have?

Fortify on Demand is a product that I recommend but the suitability of this solution depends on exactly what the requirements are. Every product has a unique feature as well as limitations with respect to what it can and can not do. What it comes down to is how the application is built, as well as the technology stack. The licensing costs are also something that needs to be considered.

Overall, it is a very good tool and it works well for what it is designed for. 

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Sr. Enterprise Architect at a financial services firm with 5,001-10,000 employees
Real User
Good development platform integration promotes a culture of Security by design
Pros and Cons
  • "The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira."
  • "This solution would be improved if the code-quality perspective were added to it, on top of the security aspect."

What is our primary use case?

I have been using this solution to gain some perspective from different architectures for the security team. I do not use it every day. I do have an overview and it is integrated with our development platform.

I do work for our governance team, so whenever a project is coming I will review products. I need to connect with the project managers for testing them, and these tests include the vulnerability assessment along with other security efforts. One of the things that I suggest is using Micro Focus Fortify on Demand.

The primary use case is core scanning for different vulnerabilities, based on standards. It beings with an architect who designs a model on a security-risk advisor platform. Then you have an idea of what the obstacles are. Once the code is scanned according to standards, you figure out where the gaps are. The team then suggests what needs to be done to the code to fix the vulnerabilities. The process repeats after the code is fixed until all of the vulnerabilities have been eliminated.

When you take all of these things together, it is Security by design.

What is most valuable?

The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira. When a vulnerability is found then it is classified as a bug and sent to IT.

What needs improvement?

This solution would be improved if the code-quality perspective were added to it, on top of the security aspect. It would rate performance and other things. This is one of the reasons that people are interested in SonarQube. This would make it a more complete and unique platform that would be a great player in the industry.

For how long have I used the solution?

We have been using Micro Focus Fortify on Demand over the past four years.

What do I think about the stability of the solution?

This is a very stable solution. Once it is deployed there are not a lot of challenges.

What do I think about the scalability of the solution?

This platform is very much scalable in terms of integrating with other solutions.

We have about 600 developers, but I think that we have between 300 and 400 who using Fortify on Demand.

How are customer service and technical support?

I have not been in touch with technical support from the vendor.

Our technical support team is comprised of three people. Two of them help to demonstrate the product and instruct people on how it works. The other one is connected to the development team and can help with troubleshooting issues.

Which solution did I use previously and why did I switch?

We also use WebInspect, SonarQube, and other security tools in addition to this solution. The use of particular tools depends on the project and the project manager that I speak with.

Prior to working with Fortify on Demand, we worked using the code analysis capability in Microsoft Visual Studio. That is where you have things like the recommended best practices for .NET. It flags what lools like bugs.

How was the initial setup?

The initial setup was quite simple.

I performed the deployment a couple of times on different platforms and it did not take much effort to set up. I also did the integration with other platforms like Microsoft Information Server and it was quite easy. You just need to know the platform that you are integrating into.

When it came time to deploy, I just had to run through the documentation on the vendor's web site. I spent one day reading it and one the second day, I did my integration. It took about eight hours that day, and I had challenges but they came from the platform that I was integrating into, like Microsoft Information Server. There were things to be done, such as converting XML files. The next day I was able to fix the problems, so in total it took me between nine and twelve hours to integrate it.

The second time that I deployed this solution it took me not more than two or three hours to repeat all of these same steps.

What about the implementation team?

I had one person from Fortify to assist me with the deployment and integration with Microsoft Information Server. We also had some peers working with us. For example, I had the global head of security assurance working with me. Between us, we got everything working.

Which other solutions did I evaluate?

We did not evaluate other vendors beyond the solutions that we are using.

What other advice do I have?

My advice to anybody who is considering this solution is to first get buy-in from the entire organization about adopting a culture of Security by design. Fortify on Demand can scan your code, but you need to have plans in place for what needs to be done when problems are identified. It may mean that things will have to change with regards to how code is being written. It may also require integration with other platforms. You can't just start scanning without first understanding what the security architecture is. You need to understand the vulnerabilities and all of the standards, as well. Essentially, I would recommend a security design overhaul.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Micro Focus Fortify on Demand
July 2022
Learn what your peers think about Micro Focus Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
622,949 professionals have used our research since 2012.
ChimaUzomba - PeerSpot reviewer
Chief Executive & Certified Security Administrator at Boch
Reseller
Good for banking and financial institutions to manage and test product lifecycles
Pros and Cons
  • "This product is top-notch solution and the technology is the best on the market."
  • "The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to."

What is our primary use case?

We recommend this product to our customers. We act as vendors and resellers. This is actually one of the solutions we often recommend to our customers most often. Usually, this is the best choice for banking and financial institutions. It is deployed by their development team in-house. They use it to manage and test product lifecycles.  

What is most valuable?

We actually find all of the product's features valuable. But at this point, we are trying to upsell by adding additional components like RAFT (Re-usable Automation Framework for Testing) to the test cycle.  

What needs improvement?

Strictly in terms of this product, I think it is a top-notch solution and I think the technology is still the best on the market. What might be improved is maybe just look at the pricing. It is a bit confusing compared to other products that we also sell.  

Whatever innovation they can come up with would be an excellent addition if it adds useful functionality. The only thing I can think of that they might add is something like features you can find in Codebashing that they have not yet implemented. I don't know if it has all of those features. If not, it would be useful for something like that to be added.  

For how long have I used the solution?

We have been suggesting the product since before the merger with Hewlett Packard.  

What do I think about the stability of the solution?

This is a very stable product.  

What do I think about the scalability of the solution?

This product is scalable. Most of our customers are enterprise customers. I can point out three off the top of my head. If the product can scale to the enterprise level, it makes sense that it is quite scalable.  

How are customer service and technical support?

The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to. Micro Focus has a whole lot of solutions that are of value in our region, but it seems that they are not doing a proper job of coordination of knowledge. There is a huge knowledge gap from the Micro Focus team in the way they support businesses. We were hoping that the transition was the thing that affected the lack of better support. But by now we should be able to point to who the person is that is in charge and the person to talk to when it comes to the various products. I really don't know anybody in charge of the technical team to help us properly with issues.  

How was the initial setup?

I think the initial setup for the on-demand product is straightforward. The product installed on-premises is somewhat complex. For this reason, it is better that the on-premises version is installed with the help of integrators or consultants. 

What other advice do I have?

I would definitely recommend Micro Focus Fortify any day for clients who are looking for a good security solution.  

On a scale from one to ten where one is the worst and ten is the best, I would rate Micro Focus Fortify on Demand as a nine out of ten.  

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Senior Application Security Analyst at a financial services firm with 10,001+ employees
Real User
Has the ability to have related features upgraded on the tools but the tool suffers from latency
Pros and Cons
  • "t's a cloud-based solution, so there was no installation involved."
  • "The solution has some issues with latency. Sometimes it takes a while to respond. This issue should be addressed."

What is most valuable?

What is most useful is how you can have related features upgraded on the tools. The tools themselves have details for the code as well, where the issues have been flagged, and all the vulnerabilities are there, in one place.

What needs improvement?

The solution has some problems with latency. Sometimes it takes a while to respond. This issue should be addressed.

They should improve the data path where the issue has been flagged. They can improve the flow module details. If you can understand from the data flow or data path what is happening, you can better understand what the issue is.

For how long have I used the solution?

I've been using the solution for two years.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

The solution is okay in terms of scalability. I'm still not really familiar with the tool, and I'm still learning from it. So far, I think it has a good ability to scale.

How are customer service and technical support?

Technical support is okay. They have a platform that you can create tickets on. Once you raise a ticket, support is quick to help you. 

If they wanted to improve technical support they could offer meetings with the developer or security team.

How was the initial setup?

It's a cloud-based solution, so there was no installation involved.

What other advice do I have?

We use the cloud deployment model of the solution.

Whether or not you decide to implement the solution depends on the use case. It depends on if the user has a big application or multiple lines of code which need to be scanned. New users need to do POC so they can investigate if this tool fits in their company or their enterprise before they begin implementation. Everyone should do a comparison before implementing or doing the rollout of any security tool.

I would rate the solution seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Ives Laaf - PeerSpot reviewer
Head of Compliance & Quality / CISO at a tech services company with 51-200 employees
Real User
Has improved our security through static code analysis

What is our primary use case?

Our primary use case for this solution is static code analysis.

How has it helped my organization?

This solution has helped us to improve our security processes.

What is most valuable?

The static code analyzers are the most valuable features of this solution.

What needs improvement?

The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment. It needs a better configuration and more options for reports.

For how long have I used the solution?

Four months.

What do I think about the stability of the solution?

The solution is working, so I would say that its stability is fine.

What do I think about the scalability of the solution?

We have approximately twenty users who perform code scanning. They are developers and security experts. We do plan to increase our usage of this solution in the future.

How are customer service and technical support?

Technical support for this solution is fine.

How was the initial setup?

The initial setup of this solution is straightforward.

It took approximately two hours to deploy, and because it is a cloud-based solution it does not require anybody for maintenance.

What about the implementation team?

We handled the implementation in-house.

What was our ROI?

All I can say is that it is reducing security issues.

Which other solutions did I evaluate?

We evaluated Veracode before choosing this solution.

What other advice do I have?

This solution works, so I suggest using it.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
CISO at a retailer with 1,001-5,000 employees
Real User
Detects vulnerabilities and provides useful suggestions, but doesn't understand complex websites
Pros and Cons
  • "The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it."
  • "Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. In addition, the technical support is just not there. We have open tickets. They don't respond. Even if they respond, we're not seeing eye to eye. As the company got sold and bought, the support got worse."

What is our primary use case?

We use Fortify on Demand to test our e-commerce website. We do static codes testing before it goes live.

How has it helped my organization?

Before we migrate a new code to our production website, it is scanned with Fortify and all security vulnerabilities are identified. Then we try to remediate them so we don't expose ourselves.

I've been involved in deciding what's right or wrong. I've been involved in deciding on the product early on, and then if we should go on-premise or in the cloud, if we should build it into part of the software development life cycle or if we should do it on demand before we go to production. I've been involved in a lot of that. I've been involved in working with the development team to decide what is a vulnerability and what is not, and which vulnerabilities we need to take to heart, regardless if we understand what it is that we should ignore, and regardless of the fact that we think it's highly critical.

What is most valuable?

The product, in general, is meant to scan the website and identify any vulnerabilities: a known vulnerability across that script and SQL injection or other vulnerabilities from OWASP top 10, etc. That is what we're using this for.

The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it. 

What needs improvement?

Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. And they try to look at it saying, "Okay. From a pure standards perspective, this is a critical vulnerability for you." Which in reality, if you would really try to exploit it, you'd see that we actually did cross a little something around it, and the vulnerability is not there. So they would expect to have a certain type of a formatting requirement around a specific field to avoid being able to put in special characters. They would assume that because we don't have that, it's a vulnerability. But in reality, you actually do have a custom function that has been defined somewhere else in the code and these fields are subject to that function. I don't carry along with that in the same way as the application really does. That's something that we found that needs improvement.

We're actually going to transfer from them, and the main reason is that there is nobody home. We could have tickets open with them for months trying to escalate and have them remediate certain false positives as I described. We have had no success bringing this product to a level that we feel there's not too much noise. It gives you specifically what you need. You could take it at face value and run with it.

We're going to switch to Checkmarx. We're in the middle of the deployment.

For how long have I used the solution?

We've been using Fortify on Demand for eight years or so.

What do I think about the stability of the solution?

Stability is good. The product works.

What do I think about the scalability of the solution?

Scalability is irrelevant to us because it's in the cloud. For the past few years, we've been using it in the cloud, so it's a common scanner. It's not handling transactions. It's not a firewall or an antivirus that you have doing real-time transactions. It looks at the code and the volume of code we migrate. We write a lot of code every week, but it's still within reason. We're not talking about thousands of developers sending code at the same time. So I don't think that scalability was much in our conversation.

The product is being used by the e-commerce application development team, and we have senior developers who are responsible to scan and evaluate security concerns that come out of the product. We also have a lead security person and a development team who are responsible to oversee this and ensure that the issues are being addressed.

Deployment and maintenance, are not really applicable because it was somebody at DNH working with the company, setting it up. We did not put it into part of the platform of real-time migration, such that the code automatically goes there, marks it, and allows it to go to production or not. We didn't go that route, so it really didn't need too many people to be involved in the deployment.

How are customer service and technical support?

The technical support is just not there. We have open tickets. They don't respond. Even if they respond, we don't see eye to eye. As the company got sold and bought, the support got worse.

How was the initial setup?

Our website is complex, so the setup is also complex. By definition, we expected it to be complex, and Checkmarx should also be complex because of the culture, habits, and complexity of our custom-developed website. Our website is not an off-the-shelf product, so there's a lot of complexity that comes with it by nature. But that's okay.

The initial deployment goal was to scan every bit and byte of code on the production e-commerce site. That was the plan. We started rolling this out and then we started sending tests. We went back and forth on whether we should make it in-line automatic that we scan sales, in a way that it would not allow the code to move further, or if we should do it off to the side, such that the application development life cycle continues to run separately, while somebody is scanning it making sure we dissolve all the issues. So we tried both routes. There are benefits to each, and it's definitely safer to do it in-line. Again, the culture, habits, and technology's use mean that it is not always best to do it in-line because it could become too complicated and break too many things. So we actually switched that. There is a person that does that. It's not built into the migration system by default. Somebody is scanning it and then moves to the next one.

What about the implementation team?

We worked with them and they helped us deploy. We tried a few different versions. We tried on-premise, and then we went to the cloud. Fortify on Demand is the cloud-based version, which we're using now.

Our experience with their developer team was good. But now, over time, the company went from a partner to a disconnected environment. Overall, the experience started out with a back and forth and an active relationship but over time, they became very disconnected.

What's my experience with pricing, setup cost, and licensing?

It's a yearly contract, but I don't remember the dollar amount.

Which other solutions did I evaluate?

I don't remember if we evaluated anybody else. I think Fortify was recommended through a consultant. Some years ago, there were not so many vendors at a time playing in this arena. There's not so many today for static analysis, but I don't think that we really evaluated any others.

What other advice do I have?

I would advise others not to use Fortify, but rather get something like Veracode or Checkmarx. The most important thing is not the functionality of the product. The most important thing is the knowledge, support, and availability of the team of security specialists as a vendor, that you have somebody to work with and talk to. Everybody's website is different, and if you try to use the product out of the box the way they built it and you have nobody to talk to to figure out how to tweak your application or the product to reduce the noise and the false positives, it becomes literally useless. So I would not advise anybody to go to Fortify based on the fact that they really don't have a very forthcoming support team and availability.

Could be the other options would provide professional services, but that's not the point. The point is that if you want to pick up the phone and send them an email, open a ticket saying that, "This is a false positive," somebody should get back to you. So I don't think that Fortify's a viable option still these days based on the fact of where they sit and how they operate.

I would rate the product a four out of ten. It works. The reason why I give it a four is because of the limitations of the product to understand the dynamics of our website and the number of things that are not working smoothly due to the fact that our website is complex.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user625875 - PeerSpot reviewer
Director Consulting at a tech services company with 10,001+ employees
Consultant
It is very configurable. The installation was also very easy.
Pros and Cons
  • "I do not remember any issues with stability."
  • "The licensing was good."
  • "The installation was easy."
  • "There were some regulated compliances, which were not there."

What is our primary use case?

My primary use case is to help the teams in development. It helps us scan.

How has it helped my organization?

First, you don't have very high requirement and we could do it quickly and efficiently. Second, it was easy for us to install the reading bot facing challenges and such, while doing that installation. Third, when we were doing the scan, it was self intuitive and we were able to scan faster while we had two challenges in the other two solutions that we were using. In terms of finding out where to configure, what are the next steps to configure what we are missing and those kind of areas.

Usually what happens, because we were part of the COE, we had to find those faster and go through old ECs and deliver the results to the short duration income. So, that's where it helped us, it helped us setting up that environment quickly on a laptop, do the scan and come back.

What is most valuable?

The features I found most valuable is that it is very configurable. The installation was also very easy. 

What needs improvement?

Yeah, some of the technologies and framework for libraries were not available at that point of time. For example, if it was in the back end, at that point in time we had to look at other tools. There were some analytical compliances so when we had more tools, it took all the technologies frameworks that Fortify was having. We required this because we were widely working with different clients for the different varieties of technology and domains. There were some regulated compliances, which were not there, but these were the factors because of which we had to use some instances of other tools as well.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

I do not remember any issues with stability. Of course, it is common that if there is some misconfiguration, it can lead to crashes and the site of the code can crash. But, this is something we have learned to tweak and estimate the length of code before the site of the application. Then, we can consider which technology could be configured, what technology should be excluded, and then scan to optimize some of the related issues.

What do I think about the scalability of the solution?

In terms of the scalability of the solution, we did not have a centralized server connecting to multiple clients. We did not have scalablility issues due to our small-scale use.

How is customer service and technical support?

We had a good tech support experience.

How was the initial setup?

It was very straightforward in comparison to other solutions that we had used in the past.

What's my experience with pricing, setup cost, and licensing?

The licensing was good because the licenses have the heavy centralized server. It connects to the other PTs, or even if it connects to the old EC servers. We had to put it within an old EC, in order for the licensing to be available at all scales.Then, you had to open multiple ports in that scenario that was not possible. But, you can do it at the application level, which is faster. You can buy a license, do a scan at that level, as well as scale up. So we also had multiple requests in terms of helping a client before they start in terms of doing something easy so that you do not require a complete license to be purchased.

Which other solutions did I evaluate?

We were using many other tools like TechAbility, IBM AppScan and I think these were the predominant ones.

What other advice do I have?

Today's security has become so complex that you cannot lean completely dependent on one tool. What I have learned is that you should have multiple tools. Now, with different areas coming into space, all of these tools have to co-exist. To make the right choice of a tool is really important. A solution must have ease-of-use. If it becomes too difficult for installing, configuring, learning the scan, then the add option becomes a challenge.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Nixon B - PeerSpot reviewer
Senior Cyber Security Analyst at a financial services firm with 1,001-5,000 employees
Vendor
Helps us to stay updated with the newest languages and versions coming out
Pros and Cons
  • "It improves future security scans."
  • "Fortify helps us to stay updated with the newest languages and versions coming out."
  • "Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues."
  • "We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days."

What is our primary use case?

We previously used it for static and dynamic scans, but now we use it only for dynamic scans.

We have close to 85 products in-house, so we run a lot of scans.

How has it helped my organization?

We are using lost programming languages, because we have a lot of product development going on because we have a product-based company. Fortify helps us to stay updated with the newest languages and versions coming out. We can run our scans on a timely basis.

What is most valuable?

We can run our scans properly on it. It improves future security scans.

What needs improvement?

Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues.

We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

There are no stability issues. Though, we would like the scans to run faster.

What do I think about the scalability of the solution?

We have no scaling issues.

How are customer service and technical support?

Tech support has been a great help. They always respond to us in a timely manner.

Whenever we contact support, they assist us in running our scans.

Which solution did I use previously and why did I switch?

We did not have another solution before. We tried other solutions, but they were not as good as Fortify.

How was the initial setup?

I was not involved in the initial implementation.

What's my experience with pricing, setup cost, and licensing?

The pricing is expensive.

Which other solutions did I evaluate?

Currently, Checkmarx offers us a graphically, revised run.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Jonathas De Morais - PeerSpot reviewer
Enterprise Systems Analyst at a manufacturing company with 10,001+ employees
Real User
Scans run in the background and security analysts are available if an issue comes up
Pros and Cons
  • "One of the valuable features is the ability to submit your code and have it run in the background. Then, if something comes up that is more specific, you have the security analyst who can jump in and help, if needed."
  • "It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers."
  • "If you have a continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time."

What is our primary use case?

We use it for externally exposed applications that we want to scan before releasing them to production. As you can imagine, it's important to make sure they're secure and that we will not be exposed. For internal apps, we use other static code scanning, primarily SonarQube. But Fortify on Demand is for externally exposed applications.

How has it helped my organization?

Because of the kind of products we deal with, and the kind of customers we have, we have really specific security requirements and practices we need to follow, specifically applying to our SDLC. Our SDLC dictates that we have security scanning, and that improves our code quality. Thankfully, we have never had any kind of serious security flaw or any kind of deviation of the process. We can certainly account for that because of the security tools and analysis that we have prior to moving code to production.

What is most valuable?

One of the valuable features is the ability to submit your code and have it run in the background. Then, if something comes up that is more specific, you have the security analyst who can jump in and help, if needed. I think that's really useful.

What needs improvement?

It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers. That's one of the reasons we don't use it throughout the company and for all our applications, only for the ones we judge to be most important.

Also, if you have a continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time. 

And it's too expensive to afford to run it for every application all the time. That's certainly something that requires improvement.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

I haven't really encountered any issues with stability.

What do I think about the scalability of the solution?

No issues with scalability. It has been able to handle all our workload so far.

How are customer service and technical support?

Our experience with tech support has been good. We haven't needed support that much but whatever we needed we were able to find on their website. There were a couple of things regarding the licensing and payment that we had to get some help with. But it was quick and easy.

Which solution did I use previously and why did I switch?

We didn't have a previous solution. We researched a couple of the tools, but we ended up using Fortify because of the comprehensive scans they have, and mainly because they are focused on the kind of apps that we have and the kind of requirements we have. They are able to cover most of the standards and practices that we need to adhere to.

How was the initial setup?

The initial setup was straightforward. We had onsite training from HPE to help set up the local environment and first scans, and that was helpful.

What's my experience with pricing, setup cost, and licensing?

The subscription model, on a per-scan basis, is a bit expensive. That's another reason we are not using it for all the apps. That subscription model is probably something that needs improvement.

Which other solutions did I evaluate?

We looked at CheckMarkx and SonarQube Enterprise. As I said, we are currently using SonarQube for other apps, but we use the open-source version. We tried to use the Enterprise version but it didn't cover all the aspects that we needed it to cover.

What other advice do I have?

Understand what you want to get out of it and be sure to fully understand what you will be paying per scan if you go for the subscription model. As I said, having to scan hundreds or thousands of apps using that subscription model and doing that several times a week, or several times a day, may increase your costs. That might be something that you need to look at.

I rate it at nine out of 10. It's not a 10 because of the cost model, it's a bit pricey, and the slowness, it could be a little bit faster. I understand the reasons why but you just need to be aware before you start using it that the local scan won't be as fast as the static code scan.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Fernando Vizer - PeerSpot reviewer
Fernando VizerSenior Information Technology Architect at a tech vendor with 11-50 employees
Real User

I did a scan, discovered the default only includes critical and high issues, then when I requested to include medium and low ranked issues, they ask me to pay again for a scan. It is annoying and will force me to look for a competitor. It is this way even if it is the same code I already uploaded.

Elina Petrovna - PeerSpot reviewer
Professor at BitBrainery University
Real User
Saved us a lot of time as we focus primarily on programming rather than tool operational work

What is our primary use case?

I analyzed more than 20 applications implemented in BIT Brainery University. The static analysis has to be done every release before putting it in production.

How has it helped my organization?

Even though it was our final choice, it has saved us a lot of time as we focus primarily on programming rather than tool operational work. We did not need third-party consultants.

What is most valuable?

We shared the easy to use dashboard with our programmers and involved outsourcers for a quick issues fix. 

What needs improvement?

It lacks of some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Murat Kaya - PeerSpot reviewer
Application Security Specialist at a tech services company with 5,001-10,000 employees
Real User
Allows for more efficient and custom integration by allowing customized enhancements through the API support
Pros and Cons
  • "The most important feature of the product is to follow today's technology fast, updated rules and algorithms (of the product)."
  • "Micro Focus WebInspect and Fortify code analysis tools are fully integrated with SSC portals and can instantly register to error tracking systems, like TFS and JIRA."
  • "The biggest deficiency is the integration with bug tracker systems. It might be better if the configuration screen presented for accessing the bug tracking systems could provide some flexibility."

What is our primary use case?

When choosing a software security product, we expect the product not only has the ability to find exploits, but also has educational and instructional capabilities related to exploits. This makes both the security auditor's job easier and helps the software developer to improve himself and write safer code. Here we have seen that the Micro Focus family has exactly what we want. For this reason, we chose Micro Focus software security products. In addition, the quality of the support and updating services ensures that we gain confidence in their products.

How has it helped my organization?

In large software development teams, the most important issue related to software and application security is to identify vulnerabilities and weaknesses quickly and accurately, then to gather those findings on a common platform so  they can be distributed and tracked by teams and developers. 

Micro Focus WebInspect and Fortify code analysis tools are fully integrated with SSC portals and can instantly register to error tracking systems, like TFS and JIRA. This facilitates error and vulnerability management and makes the "Secure Software Development Lifecycle" work well.

What is most valuable?

The most important feature of the product is to follow today's technology fast, updated rules and algorithms (of the product). It also allows for more efficient and custom integration by allowing customized enhancements through the API support offered through the SSC portal.

What needs improvement?

Though it is generally close to perfection, the biggest deficiency is the integration with bug tracker systems. It might be better if the configuration screen presented for accessing the bug tracking systems could provide some flexibility. Since there are different templates on TFS in particular (CMMI, Agile etc.), the configuration for different templates can also be customized with the flexibility to be provided here.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Jason Lebrecht US - PeerSpot reviewer
Sr. Manager 5G & MEC (Edge) Strategy at Verizon
Real User
Top 20
We can load the details and within a few days, receive the results of intrusion attacks, although it needs to have better packaged reporting capabilities.
Pros and Cons
  • "I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification"
  • "With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities."

How has it helped my organization?

The HP FoD effort allowed my client to utilize this service anytime their internal IT team was overwhelmed with workloads. FoD gives them an option to utilize the additional HP Services when they are overwhelmed with other IT Security needs across the company.

What is most valuable?

  • The ability to utilize the Client Portal, which provided my clients with a view of the project status, vulnerabilities and needed remediation steps in real-time
  • I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification
  • The process was easy to follow and we were supported by 24/7 by TAM personnel to help with any fire drills. This was helpful many times when I needed a quick answer late at night or early in the morning

What needs improvement?

  • I believe that sales packages should be posted for single applications, and packages of multiple applications. For example, we have one-time a package for single applications, and 12 month unlimited use for static and a package for static & dynamic testing. It would be nice to see packages posted for a single application, and groups of three, five, or 10 applications. More than 10 applications would need to be custom pricing like you have today.
  • I would like it to be easier to understand, and have better packaged reporting capabilities. For most of the reporting I needed, I exported to Excel and then had to produce more visually accepted reports for Executive Clients. With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities.

What do I think about the stability of the solution?

Because the product is based on HP’s Fortify Platform, the product is great.

What do I think about the scalability of the solution?

I can’t answer this question appropriately yet as I only utilized the service for one application so far.

How are customer service and technical support?

Customer Service:

10/10 - Christine Bobba, Gerald and the whole TAM Team were very supportive. Stuart Ward does a great job running his TAM Team focused on customer service.

Technical Support:

Jason Powell was really support from a technical perspective. He was able to quickly gather the details we needed to resolve security issues with the code or set up.

Which solution did I use previously and why did I switch?

I’ve used Rapid7 and Qualys Security Solutions in Managed Service Environments for previous clients. Both are really good solutions, but I’ve not utilized any other On-Demand Solution.

I switched because my client uses HP as its core product set. I needed to use Fortify and the FoD Solution allowed me to be up and running within a few short days.

How was the initial setup?

Super easy deployment and usage of the scanning capabilities. The setup was straightforward, and the ability to enter data and start the correct scan was intuitive.

What was our ROI?

We did not charge for the product, we charged for our PMO Services to run the product.

What's my experience with pricing, setup cost, and licensing?

We used the one-time application, Security Scan Dynamic. I believe the original fee was $8,000.

I would suggest, and I have, that companies should utilize the 12 month unlimited test package.

Which other solutions did I evaluate?

I searched online and FoD allowed me the best opportunity for success due to my client’s timeline.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Dheeraj Kanukuntla - PeerSpot reviewer
Dheeraj KanukuntlaUser at a comms service provider with 10,001+ employees
Real User

Thanks

it_user692322 - PeerSpot reviewer
Digital Security Integration Lead at a non-tech company with 10,001+ employees
Vendor
The quality of application security testing reduces risk and gives very few false positives.
Pros and Cons
  • "The quality of application security testing reduces risk and gives very few false positives."
  • "New technologies and DevOps could be improved. Fortify on Demand can be slow (slower than other vendors) to support new technologies or new software versions."

How has it helped my organization?

The security of our consumer-facing web sites is better.

What is most valuable?

The quality of application security testing reduces risk and gives very few false positives.

What needs improvement?

New technologies and DevOps could be improved. Fortify on Demand can be slow (slower than other vendors) to support new technologies or new software versions. DevOps requires very fast turnaround and I’m not sure HPE Fortify on Demand can do that, although they have a new product in beta for that.

What do I think about the stability of the solution?

We did not have stability issues.

What do I think about the scalability of the solution?

We did not have scalability issues.

How are customer service and technical support?

Technical support is very good.

Which solution did I use previously and why did I switch?

We didn’t have a previous solution.

How was the initial setup?

Setup was not complex, although given our size it was a challenge.

What's my experience with pricing, setup cost, and licensing?

Drive a hard bargain.

Which other solutions did I evaluate?

We evaluated IBM and Veracode.

What other advice do I have?

Go with the SaaS product.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user712167 - PeerSpot reviewer
it_user712167General Manager - Application Security at a tech consulting company with 51-200 employees
Consultant

Yes, It does have less positives. After being a premium customer and having taken the annual / 3 yr subscription option, we can opt for + (plus) services by which we can have a manual AUDIT to manually review our code for the 1st time. This helps reduce most of the false positives and developers and team in-charges can concentrate on actual issues / vulnerabilities or the weaknesses in existing application which is assessed. - Manoj Purandare, India

it_user506661 - PeerSpot reviewer
Senior Lead at a computer software company with 1,001-5,000 employees
Real User
Helps us identify security vulnerability earlier in the development.
Pros and Cons
  • "We identified a lot of security vulnerability much earlier in the development and could fix this well before the product was rolled out to a huge number of clients."
  • "The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there."

How has it helped my organization?

Security of our applications is a huge concern for everyone now. Using quality products like HPE’s Fortify helped us minimize issues raised by the clients. Therefore, customer satisfaction in terms of the security was high.

What is most valuable?

We identified a lot of security vulnerability much earlier in the development and could fix this well before the product was rolled out to a huge number of clients.

What needs improvement?

The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there. Also, the comments added on each issue were getting lost on multiple iterations of scans, which could be fixed.

How are customer service and technical support?

Technical support is very good. We had a few issues in the initial setup and the HPE team’s support was commendable.

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

How was the initial setup?

Initial setup was complex; we ran into lot of memory issues. The Visual Studio plugin was not responsive, either.

What about the implementation team?

An in-house team implemented it. Don’t use the Visual Studio plugin, unless your solution is really small. Otherwise, use the command line setup.

Which other solutions did I evaluate?

It’s a tool used at the enterprise level; hence, I did not have a chance to explore other options.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user512112 - PeerSpot reviewer
Technical Lead at a tech services company with 10,001+ employees
Real User
Our client uses the audit workbench for on-the-fly defect auditing. .NET code scanning is still dependent on building the code base before running any scan.
Pros and Cons
  • "Audit workbench: for on-the-fly defect auditing."
  • ".NET code scanning is still dependent on building the code base before running any scan. Also, it's dependent on an IDE such as Visual Studio."

How has it helped my organization?

Security defects are captured early in the lifecycle and fixed quicker. Usage of Fortify has made developers more aware about security vulnerabilities and their consequences, as well as various secure programming practices.

What is most valuable?

  • Scan wizard: for configuring large scans
  • Audit workbench: for on-the-fly defect auditing
  • CLI: to integrate the tool into CI/CD

What needs improvement?

.NET code scanning is still dependent on building the code base before running any scan. Also, it's dependent on an IDE such as Visual Studio.

More conventional reporting formats need to be provided.

Also, a provision should be available to generate customized reports.

What do I think about the stability of the solution?

For code bases heavy on JavaScript, the static scan takes a long time (as long as two days). Even then, the scan crashes at times. Increasing system memory doesn't seem to improve the situation (tried with 16/32 GB system memory).

It requires a high-end system with 8/16/32 GB RAM for stable performance.

How are customer service and technical support?

I haven't reached out to HP Support so far.

Which solution did I use previously and why did I switch?

I did not previously use any product for static application security.

How was the initial setup?

Initial setup is quite easy.

What's my experience with pricing, setup cost, and licensing?

Buying a license would be feasible for regular use. For intermittent use, the cloud-based option can be used (Fortify on Demand).

Which other solutions did I evaluate?

Before choosing this product, we evaluated Veracode and Checkmarx (among licensed), and FindBugs and Yasca (among free).

What other advice do I have?

If you are already using HPE tools and services such as ALM, then Fortify is a good option, as it provides out-of-the-box support for these. Scanning capability-wise, the tool is decent enough, and is also easy to use. However, it generates a large number of false positives after a scan, which can be tedious to verify manually.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user488193 - PeerSpot reviewer
System Engineer at a tech services company with 501-1,000 employees
Consultant
Both editions of the product have their advantages, and they complement each other.

What is most valuable?

Both editions of the product have their advantages, and they complement each other.

How has it helped my organization?

Since we adopted HP Fortify, our organization has added more divisions that focus on penetration testing.

What needs improvement?

HP Fortify already covers the need for security testing and is easy to use for new users. The only thing that comes to mind regarding room for improvement are the security vulnerability updates.

For how long have I used the solution?

My company has been using this solution for about one year.

What was my experience with deployment of the solution?

I have not encountered any deployment, stability or scalability issues. I haven't had any complaints about technical issues from our client, either.

How are customer service and technical support?

I have not yet contacted customer service or technical support.

Which solution did I use previously and why did I switch?

I do know of some software that have similarities, but I’ve never used any of them before.

How was the initial setup?

Most of our clients use straightforward implementation; we recommend straightforward implementation because of the simplicity of the architecture and usage. For example, installing using the best practices for each product.

What about the implementation team?

We implemented it for our customer.

What other advice do I have?

HP Fortify is perfect for any company that creates their own applications or uses vendor-developed ones; it’s great for QA and development phases.

HP Fortify is easy to use and offers lots of integration options; those options allow us to have more diverse implementations that fit the requirements.

Disclosure: My company has a business relationship with this vendor other than being a customer: My company distributes HP Fortify.
PeerSpot user
it_user488208 - PeerSpot reviewer
Specialist Master/Manager at a consultancy with 10,001+ employees
Real User
We use it to evaluate code from a security perspective as opposed to a developer’s perspective.

Valuable Features

The static code analyzer provides views from a security perspective and it is easy to use compared to others.

Improvements to My Organization

We use it to evaluate security from the code and provide results from a security perspective as opposed to a developer’s perspective.

Room for Improvement

Reports can be better visually with graphics such as charts included. Charts (pie, bar, some graph) could show the percentage of the vulnerability categories identified, as opposed to listing them all in a table. At a higher level, it would be nice to aggregate the analysis.

Use of Solution

I have used it for 3.5 years.

Deployment Issues

I did not encounter any deployment issues. It was fairly simple and easy to install/deploy.

Customer Service and Technical Support

Technical support is 6/10. I find the Internet to be more helpful at times than their own tech support in finding answers.

Initial Setup

Initial setup was easy and intuitive: just specify the license path and install the product.

Implementation Team

We implemented it in-house.

ROI

Quality vs quantity: You pay more for a higher-quality product and meets your needs, compared to others that might be cheaper, but you have to crawl to get what you are looking for.

Other Solutions Considered

While I did evaluate others, it depends on the budget.

Other Advice

It is a good product to choose for SCA and cloud deployment. If you choose SSC, don’t always look at the price, as the other products might not conduct the same analysis as HP Fortify does. Not all products are created equal.

Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a vendor partner.
PeerSpot user
Elina Petrovna - PeerSpot reviewer
Elina PetrovnaProfessor at BitBrainery University
Real User

The weakest component of Fortify is SSC. Very difficult to customize, huge infrastructure to implement and maintain and costly

it_user455427 - PeerSpot reviewer
Development and Database Manager at a financial services firm with 501-1,000 employees
Vendor
It works to identify security flaws that any of our applications might have.

What is most valuable?

The solution simply identifies any security flaws that any of our applications might have.

How has it helped my organization?

This identification provides us an advantage in that the service itself works to stay abreast and knowledgeable about emerging threats. Rather than have a security team dedicated to that effort, we don’t have to deal with that in a time consuming, direct manner. We don't need to have these skills in-house.

What needs improvement?

I find that while it does find a lot of legitimate threats, it tends to have a lot of false positives, and there are more false positives than I would like to see. It flags threats that sometimes are not, and when we have to investigate that it takes time. If they could improve the intelligence then I think it could really help the system function more efficiently. The dynamic time scan takes about seven days, and this could be a bit quicker. We like to incorporate the scan into every build cycle and if we have to wait for a seven day business cycle it has to go into our scheduling. If that could be improved there would be a lot of happy people.

For how long have I used the solution?

It predates my employment; I’m certain we signed up in 2013 – roughly three years ago.

What was my experience with deployment of the solution?

We have had no issues with the deployment.

What do I think about the stability of the solution?

I would say it’s fairly stable. It’s a web application so of course there are browser hiccups but I would give it a high score for stability. Once in a while there is a page refresh, but nothing major.

What do I think about the scalability of the solution?

We have four applications and we’ve been able to get them all in there, I don’t see it having a limit.

How are customer service and technical support?

Customer Service:

Customer service has been good once we get attention, which comes back to the false positive issue.

Technical Support:

Sometimes the results need clarifications. They could be a bit more responsive as once we get someone the interactions have been good and helpful.

Which solution did I use previously and why did I switch?

This was our first foray into a hosted service.

How was the initial setup?

The deployment was super easy as the interface is straightforward. It was almost too easy.

What other advice do I have?

If you haven’t run any formal scan be prepared for it to come back and be a bit scary.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Omar Sánchez (Mr.Tech) - PeerSpot reviewer
Omar Sánchez (Mr.Tech)Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
LeaderboardConsultant

Support is offered through phone and a password-protected web portal, and also through email. In addition, the standard price allows for quarterly updates for the latest security tests for code review. Phone support is available 6 a.m. to 6 p.m. Pacific Standard Time.

it_user441546 - PeerSpot reviewer
Information Security Lead Consultant & Application Security Specialist at a energy/utilities company with 1,001-5,000 employees
Vendor
It's reduced operational costs as we minimized security incidents and ensured all vulnerabilities are remediated during the development lifecycle.

What is most valuable?

It's saved us a lot of time as we focus primarily on security consultancy work rather than tool operational work.

Also, the features SAST, DAST, Dashboard/Reports, Fortify on Demand Portal and Vulnerability Tracking, have all helped with our work.

Finally, it's reduced operational costs as we minimized security incidents and ensured all vulnerabilities are remediated during the development lifecycle.

How has it helped my organization?

The results it provides are more than 95% accurate, helping us to focus on the right things first.

Our new software procurement process benefited as well as we use this as a central control to provide security assurance and evaluate the quality of our deliverables.

Its ease-of-use has influenced developer behavior and enabled them to follow security principles.

What needs improvement?

It would be useful if they could integrate secure design reviews, security user stories in Fortify on Demand Portal, and also look for possible options to get just one view of risks for given services (Covering Application, Infrastructure, Pen. Test, etc.).

For how long have I used the solution?

I’ve used it since 2010.

What was my experience with deployment of the solution?

We've had no issues with deployment.

What do I think about the stability of the solution?

It’s a very stable product. We've had no issues with instability.

What do I think about the scalability of the solution?

It’s scaled for our needs. We've had no issues with un-scalability.

How are customer service and technical support?

Customer Service:

Customer service is excellent.

Technical Support:

The technical support is very good.

Which solution did I use previously and why did I switch?

We've used various other tools, including the Fortify on-premise solution. We chose Fortify on Demand as it is cost effective, scalable, easy to deploy, and helps us to manage our vulnerabilities centrally.

How was the initial setup?

The initial setup was very easy and straightforward. We were able to roll out this service to all our business units.

What about the implementation team?

We performed the installation in-house.

What's my experience with pricing, setup cost, and licensing?

There is no setup cost as it is an on-demand solution. However, if there is any firewall change required for an internal application, we would need to raise that from our end.

Which other solutions did I evaluate?

We considered SonarQube, MSFox, and CodeInspect.

What other advice do I have?

Fully utilize this product and its feature as it covers almost everything required for software security assurance.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user399378 - PeerSpot reviewer
Director of Information Technology at a tech consulting company with 501-1,000 employees
Consultant
It enforces source-code scanning and finding vulnerabilities in source code. It would be nice if it could manage the false positives better.

Valuable Features

It enforces source-code scanning, finding vulnerabilities in source code.

Improvements to My Organization

We're able to find vulnerabilities and weaknesses actually posting to site. We can get to these issues in our staging areas for active data and for verifying user vulnerabilities. It helps the development cycle in that we don't need other people involved in the scans. We're doing pre-scans and then getting other teams involved.

Room for Improvement

There are a lot of false positives and there's not a good way to manage them. They appear after every scan, and it would be nice to have them marked out so that we don't see them.

Deployment Issues

We've had no issues with deployment.

Stability Issues

Stability could use a little improvement as we've had some issues. It runs out of memory sometimes and uses a lot of resources. Sometimes the scans don't work.

Scalability Issues

For code scans, company size doesn't really matter so much as the size of the code. It works well with the code scans we're running. Our lines of code aren't as huge as other applications we build, and it doesn't support every type of our applications, which are primarily .NET and HPE apps.

Customer Service and Technical Support

Technical support isn't top-notch, but it's not bad. It's just average. They take a while to resolve issues.

Initial Setup

The initial setup was pretty easy and straightforward.

Other Advice

Find the solution that works best for your environment, using the group concept to try them all. Then determine which is best for you.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user362055 - PeerSpot reviewer
Senior Manager at a tech services company with 10,001+ employees
Real User
It addresses the source code scanning and dynamic scanning in a known, correlated way.

Valuable Features

It's one of the leaders in the application security space. I've used Fortify since 2007, and I think the most valuable feature is its ability to address the source code scanning and dynamic scanning in a known, correlated way. I think the best way to address application security is to have multiple types of scanning and a unified view for the customer.

Improvements to My Organization

It's forced the incorporation of security in the development process. That's really the biggest benefit for us.

Room for Improvement

It could use better integration with the incident management processor. This would allow us to understand the vulnerabilities that arise in the software and how they're linked to the incident management center.

Deployment Issues

The deployment has not had issues.

Stability Issues

It is a quite stable solution.

Scalability Issues

It's quite scalable and addresses a huge volume.

Customer Service and Technical Support

It's good, but could be better to align with other main vendors, such as IBM.

Initial Setup

It's not straightforward, but it's not complex either. It could also be improved.

Other Solutions Considered

I'm very familiar with IBM and Barracuda and others. I always know HP's competition, but I feel most comfortable with HP.

Other Advice

My advice would be to look not only at the software, but also at the processor and the people who will be using the software. You should buy not just the software, but also the services to train people to use it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user310152 - PeerSpot reviewer
it_user310152Fortify Business Development at a tech vendor with 10,001+ employees
Vendor

In terms of integration with SIM/SIEM solution, what do you use?

it_user326421 - PeerSpot reviewer
Solution Security Architect with 1,001-5,000 employees
Real User
It has added a very quick turnaround for security code reviews, allowing us to integrate this function into the overall development and testing lifecycle.

What is most valuable?

  • It's On-Demand, and cloud-based which is well suited to occasional and price-conscious use.
  • Fast turn-around allows for easy integration into the development process without any major impact on development efforts.

How has it helped my organization?

It has added a very quick turnaround for security code reviews which allowed us to integrate this (formerly missing) function into the overall development and testing lifecycle.

What needs improvement?

It needs to support more languages.

For how long have I used the solution?

I've used it for three months.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Excellent – from the PoC through setup and implementation; we received timely and knowledgeable support whenever we need it.

Which solution did I use previously and why did I switch?

We tried to do it by hand (which was very time consuming and error-prone) and some tools built-in to Visual Studio (which was not widely accepted by individuals).

How was the initial setup?

We had some issue with logins and account setups, but received excellent support.

What about the implementation team?

We implemented it ourselves with the help of HP.

What was our ROI?

Don’t know since the project got cancelled.

What other advice do I have?

Take advantage of the free trial and conduct a meaningful PoC. Get a buy-in from upper management early and co-ordinate with all stakeholders (e.g. developers, testing and/or QA groups).

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Omar Sánchez (Mr.Tech) - PeerSpot reviewer
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Consultant
Leaderboard
It provides an independent review of third-party applications, allowing organizations to test software before purchasing. But try the free version first as there's no "right" way to measure ROI.

What is most valuable?

I was able to quickly pass compliance with HIPAA.
Correlated static and dynamic results with detailed priority guidance.
Accurate results, tailored to each application.
All results manually reviewed by application security experts .
Central testing program management for all applications.

How has it helped my organization?

HP Fortify on Demand provides an independent review of third-party applications, allowing organizations to test software before purchasing, and also allowing software vendors to demonstrate the security of their software. Third-party vendors can upload the source code and/or provide a URL, review the results, and then publish a report back to their customer.

This service compels commercial vendors to take action to proactively fix vulnerabilities, while allowing them to remain in control of their applications. Security professionals can demand that high-priority problems be addressed and verified during the procurement or upgrade process, prior to acceptance. HP Fortify on Demand serves as an independent third-party solution to conduct unbiased analysis of applications and provide a detailed tamper-proof report back to the security team.

What needs improvement?

You are going to like the new detailed reporting. It can correlate the results from different forms of testing and prioritize them by severity to present the truest representation of application risk.

For how long have I used the solution?

1 year

What was my experience with deployment of the solution?

It was very easy to install and deploy.

What do I think about the stability of the solution?

No.

What do I think about the scalability of the solution?

No. Scalable infrastructure allows for fast turnaround times and it has no limitations based on lines of code, megabytes, or anything else.

How are customer service and technical support?

Customer Service:

Good

Technical Support:

Good

Which solution did I use previously and why did I switch?

I currently use other solutions. We gave HP Fortify on Demand a try and we are very happy with the results.

How was the initial setup?

Yes. Very easy.

What about the implementation team?

We tried the free version first and then we acquired the software the product website.

What was our ROI?

Keep in mind that the calculation for return on investment and, therefore the definition, can be modified to suit the situation. It all depends on what you include as returns and costs. The definition of the term in the broadest sense just attempts to measure the profitability of an investment and, as such, there is no one "right" calculation. But, I have to say the client is very satisfied.

What's my experience with pricing, setup cost, and licensing?

Try the free version first.

Which other solutions did I evaluate?

I am already using other software. We wanted to try it and it works like a charm.

What other advice do I have?

Trust me, you want to be able to do automated and manual testing on a web application that is live.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partners
PeerSpot user
Buyer's Guide
Download our free Micro Focus Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.
Updated: July 2022
Buyer's Guide
Download our free Micro Focus Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.