OpenText Core Application Security Reviews

I have used Fortify on Demand for security scanning, along with outsourcing to companies that scan our systems and report vulnerabilities. My work has involved securing our APIs and systems.

We use Fortify across all stages of the environment: development, test, and production. We even use it for disaster recovery.

Whenever we deploy our Jenkins pipelines, the system automatically scans our Git repository to fix security vulnerabilities. All the security vulnerabilities are then created as tasks in Jira, so we can fix them as quickly as possible.

We have added it to our operational toolkit to ensure it's part of our development spectrum. We added it directly into our Jenkins pipelines.

We have some products that are publicly accessible via phone or website. These products need to be extra secure because they rely on firewalls, and hackers could potentially exploit them. Fortify on Demand provided us with valuable information on how to fix a critical API vulnerability.

So, Fortify on Demand identifies critical vulnerabilities. We have two security scans. One is Fortify on Demand, and the other is for an outsourced company. For Fortify, you assign the specific branch of code you want to scan. You can scan the code you're currently deploying through Jenkins pipelines. Since it's external, you can also scan other brands if needed. Otherwise, you can specify which specific brands or smaller branches to scan within your entire codebase.

The scanning capabilities, particularly for our repositories, have been invaluable.

There is room for improvement in the integration process, especially with the pipeline system, which could be streamlined. Making changes and configuring it for different systems, like desktop environments, is challenging. 

For example, Jenkins integration was hard. 

Improving the ease of integration would be beneficial.

I have been using it since July. 

It has been a stable solution for me. 

For me, it has been scalable enough. 

It provides good security. It is a backbone for our security needs. So, that's the biggest benefit for us. 

There is a licensing model in place. 

Overall, I would rate the solution an eight out of ten. I would recommend using it. 

The primary use case for Fortify On Demand in our environment revolves around its critical role in sales and desk operations. It helps identify application vulnerabilities from both a source code and web perspective. It directly detects issues such as SQL injection in the source code. It conducts website scans with customizable configurations to examine potential risks and vulnerabilities, which is crucial during software development. We can avoid risks before moving to the production stage.

One of the most valuable features of Fortify On Demand is its ability to integrate seamlessly with the DevOps lifecycle, particularly in terms of security testing. Injecting security testing into the DevOps process ensures that security measures are incorporated from the development stage onwards. It aligns with the main objective of DevOps, which is to automate and streamline the software development lifecycle, from code commit to deployment. With automation tools orchestrating the pipeline, tasks such as code compilation, testing, and deployment can be carried out rapidly and efficiently. This results in faster time-to-market for features, reducing deployment times from hours to minutes. It enhances trust from customers and cybersecurity teams, as security measures are built into the software from the outset, increasing confidence in the security.

They could provide features for artificial intelligence similar to other vendors like OpenText products.

We have been using Fortify on Demand for about three years.

I rate the platform's stability as seven out of ten.

The initial setup is complicated. It takes around four to five hours to complete, including installation and scanning. I rate the process a seven out of ten.

Fortify On Demand is not highly expensive. It provides options for the number of scans and tests for the on-premise version. The customers utilizing hardware must install the tool for cost-effectiveness and high availability.

The product's cost depends on the type of license. The on-premise licenses are more expensive than the cloud subscriptions. I rate the pricing a six out of ten.

I rate the platform's accuracy for detecting vulnerabilities an eight and a half out of ten. By utilizing Fortify as a comprehensive security testing tool, financial institutions operating at high-security levels gain confidence in the security posture of their applications. It helps deploy and track changes easily as per time-to-time market upgrades.

I advise new users to learn about new features introduced in the last two years. I rate it a nine out of ten.

We use the solution to scan our software. We scan it at every build. We run the scans and read the reports.

The solution is very fast.

The products must provide better integration with build tools. In SonarQube scans, the pull requests are decorated. I don't know if it is a missing integration or a limitation, but I don't see the same feature in Fortify. The developer must be able to see whether the build has failed. I would like the pull request to be decorated like SonarQube. It's just not the same experience with Fortify.

I have a problem with the Java version because our projects now use OpenJDK 7 or 17, but the scan still requires JDK 1.8. It is a problem for me, and I don't know how to change it.

I have been using the solution for a couple of months.

The tool is stable. I have no problem with it. I rate the stability a nine out of ten.

My team has started using it recently. I rate the tool’s scalability a nine out of ten. We don't have any issues whatsoever.

My organization has been using the solution for at least four years. I don’t deal with technical support directly. I would recommend the solution to others. We are dealing with some issues with the report.

The reports might be meaningful, but they sometimes do not match the situation. We cannot really deal with them. We don't know if they are false positives or if they're simply not relevant because they concern vulnerabilities in the development cycle and not in the production operations. It is sort of a mystery. Overall, I rate the tool an eight out of ten.

We use it to scan the bank's applications systematically. This process aims to identify and address security vulnerabilities within the applications, ensuring the robustness of our security measures.

It stands out by generating fewer false positives which has a distinct advantage, as it translates to reduced remediation efforts, requiring less human resources and cost. The tool provides more accurate feedback to the development team, allowing them to focus their efforts on addressing genuine vulnerabilities efficiently.

I appreciate all the features, with a particular emphasis on their vulnerability scanner. For instance, in our environment where two-factor authentication is prevalent across many of our sites, the scanner efficiently identifies vulnerabilities, including those related to second-factor methods or mobile codes. What stands out to me is the user-friendliness of each feature. Given that we're a bank with multiple applications, having the flexibility to customize solutions according to the unique needs of each application is crucial.

It would be highly beneficial if Fortify on Demand incorporated runtime analysis, similar to how Contrast Security utilizes agents for proactive application security. This could enhance the solution significantly. Moreover, considering the evolving threat landscape and the inevitability of zero-day vulnerabilities, implementing mechanisms like heuristic approaches would be advantageous. By incorporating heuristic algorithms or leveraging artificial intelligence, especially in the form of behavioral analysis akin to network security practices, Fortify could evolve into a more resilient solution. This could involve heuristic analysis for source code, the introduction of AI-driven processes for enhanced security, and the identification of security hotspots.

In this company, I have been using it for three months.

When it comes to stability, I haven't observed any issues such as crashes or performance issues during the scanning process. I would rate it ten out of ten.

I would rate its scalability capabilities nine out of ten. Our approach involves a centralized team, and we conduct scans across all applications within UBS. Throughout my experience, we've successfully scanned 150 applications.

The ability to install software often depends on individual circumstances. In my case, coming from a security background, the machines provided in our company are typically set up by the network or DevOps team.

Despite being on the higher end in terms of cost, the biggest value lies in its abilities, including robust features, seamless integration, and high-quality findings.

We were considering upgrading to the enterprise level, given the need for a robust solution in the banking environment. During this evaluation, we compared Netsparker, Burp Suite, and Fortify. After conducting a proof of concept (POC) that involved testing APIs, websites, and infrastructure arrangements, we presented our analysis to management. Ultimately, Fortify was selected as the preferred choice.

With over 12 years in application security, I've consistently observed the adoption of Fortify in major organizations like Cognizant, Barclays, and Credit Suisse. Across large banks in Europe, Fortify has established a reputation for reliability and effectiveness. Drawing on my experience, I am confident that organizations with clear problem statements and no budget constraints will find Fortify to be a comprehensive solution. Its technical capabilities and features align well with the diverse needs of large organizations in the banking sector. Overall, I would rate it ten out of ten.

We use Fortify on Demand to look at dependency vulnerabilities and vulnerabilities in the source code. We are customers of Micro Focus. 

We've found the depth of scanning that the product provides and the results we get are the most valuable features. 

We need something that's going to be fully integrated with CIT processes from setting up a new microservice to scanning and managing other vulnerabilities. As of now, we don't have that which makes it a painful process. 

I've been using this solution for three years. 

The solution is stable. 

The solution was implemented prior to my joining the company so I have no information regarding the initial setup. 

We're changing our licensing model because we currently pay 1,000 euro per scan which is ridiculous. We're working on changing it to a flat rate.

Whether or not this solution will be useful depends on the maturity of your organization. If you understand what all the messages and the analysis mean, and you can usefully react to it then I think you should absolutely use it. If you're still working out these things, you should probably first go through some learning process and start with some simpler tooling that gives you some insights.

The challenge is always how to make things actionable and that is lacking to some extent. If, for example, there is something that depends on scans for vulnerability for all your dependencies and just pulls requests for you, Fortify doesn't action anything. It leaves all the actioning things to you so in a sense, it creates more work for the developers, but it doesn't help them to do the work.

We're not happy with the solution as a process because of the way it's internally implemented in the bank. On the other hand, the features are quite good so I would rate that aspect higher. On average, I rate this solution seven out of 10. 

We are the central team that manages Fortify end-to-end and provides it as a solution to internal users. We are using SonarQube for code review, but we use Fortify and Nexus IQ  for DevOps.

The vulnerability detection and scanning are awesome features. 

The UI could be better. Fortify should also suggest new packages in the product that can be upgraded. Currently, it shows that, but it's not visible enough. In future versions, I would like more insights about the types of vulnerabilities and the pages associated with the exact CVE. 

That will help us understand what's affecting the CVE. Initially, it's about finding the safer package version. Fortify should automatically recommend the safest version, so we can go to the vendor and request that. Once we identify the vulnerability, we can implement a remediation plan.

We just started using Fortify on Demand. 

Fortify is stable.

Fortify is scalable enough. We have 10,000-plus users on it.

Micro Focus support is slow, and they should improve that.

We've been working with SonarQube for five years. SonarQube can show us the initial test and how your code is developed over time. It gives us insight into how a specific project is progressing. That's the great thing about SonarQube. Once the code goes into the Fortify or Nexus, it's mostly a safety check. SonarQube catches most of the vulnerabilities in Python at the development stage.

The product itself is easy to set up, but establishing the necessary culture and structure is a bit complex. We need to develop a culture and create sub-teams within the teams. Each team needs a security coordinator who can relate what new things are coming in, such as CVEs or new scans that need to be done.

For maintenance, we have a team of two product owners who are heavily involved with the product itself. We have around three or four people with a good understanding of deploying and maintaining the solution.

I rate Micro Focus Fortify on Demand eight out of 10. It's a great product, and I recommend it. You should deploy it as part of the TechOps implementation. 

I use the solution in my company for security code scans.

The product has a lot of false positives. If the outputs can have fewer false positives, then that will be the greatest benefit the tool can offer.

I have experience with Fortify on Demand. I manage the product in my company.

The solution's technical support is okay and not outstanding.

It is a costly process to evaluate tools.

I rate the tool a six out of ten.

I use the solution to check the software, as the development is done internally, to detect any security breaches. If there is something in the code that could lead to SQL injections or other vulnerabilities, it will be detected.

The most valuable features are the detailed reporting and the ability to set up deep scanning of the software, both of which are in the same place.

There are many false positives identified by the solution. Perhaps this could be improved by refining the defects. There are numerous defects and I need to identify the underlying cause for many of them.

I have been using the solution for a couple of years.

The solution is stable.

The solution is scalable.

We have ten people within our IT department that use the solution.

I used technical support during the integration between Fortify and ALM, but the support staff was not adequately prepared to assist me. I identified that there is a need for development between Fortify on Demand and ALM.net. They initially said that it was working with ALM, but after reading the documentation, I discovered that it only works with Octane, not with ALM.net.

The initial setup was not straightforward because I had the ALM.net, not the .com version, and Fortify on Demand was configured to be integrated with ALM.com, not with ALM.net. This caused me some issues with the integration. When I scanned and identified the defects, these were not automatically raised in ALM, which was a major problem for me. I understood that they needed to do some development in order to make it work with ALM.net. The deployment took no more than one business day.

I believe the rental license is not too expensive, but it provides a lot of information about the vulnerabilities.

I give the solution an eight out of ten.

I recommend the solution to others.