OpenText Core Application Security Reviews

Whenever we have a new application we scan it using Micro Focus Fortify on Demand. We then receive a service connection from Azure DevOps to Micro Focus Fortify on Demand and the information from the application tested.

We are using Micro Focus Fortify on Demand in two ways in most of our processes. We are either using it from our DevOps pipeline using Azure DevOps or the teams which are not yet onboarded in Azure DevOps, are running it manually by putting in the code then sending it to the security team where they will scan it.

We use two solutions for our application testing. We use SonarQube for next-level unit testing and code quality and Micro Focus Fortify on Demand mostly for vulnerabilities and security concerns.

We previously only did the testing and scanning after deploying applications in production, but now we are doing it in development. We are making sure the code is safe to use in all the environments, not only in production. It has been valuable for us.

Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning.

When we are exploring some of the endpoints this solution identifies many loopholes that hackers could utilize for an attack. This has been very helpful and surprising how many vulnerabilities there can be.

Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we have to use Windows Agent. This is something they could improve.

Currently, when we are running a security scan or Azure DevOps pipeline Micro Focus Fortify on Demand will give an overall status. People have to click on the link to read the in-depth results. If there could be some output of the report that can be passed in the pipeline and based on that we can control the next step of the pipeline. For example, if Micro Focus Fortify on Demand is saying the report is critical, do not go any further. If we can have that critical variable as a pipeline output that can be used later it would be really helpful.

I have been using Micro Focus Fortify on Demand for one year.

We have approximately 50 applications that are using this solution and we are expanding our operation to increase usage.

We have developers, DevOps, and engineers using this solution in my organization.

We use SonarQube alongside Micro Focus Fortify on Demand.

The difference between the two is Micro Focus Fortify on Demand handles the security testing and SonarQube does more in-depth level code testing.

The initial setup was simple.

We have an internal DevSecOps team of approximately 15 people that does the implementation of the solution.

Micro Focus Fortify on Demand has saved our company money from the use of automation features. We are able to run the scans automatically from the pipeline saving us a lot of time and communication. Previously it would have taken a few days whereas now it can be completed in 10 minutes.

We make an annual purchase of the licenses we need.

Micro Focus Fortify on Demand is a nice tool for security tests because security is important in today's world. DevOps is not the only solution we have to think of, there is DevSecOps. Fortify is helping us to scan our code at the very beginning of SDLC. I would recommend this solution to any other security tool because when we compared other tools Fortify worked well for us.

I rate Micro Focus Fortify on Demand a seven out of ten.

Micro Focus Fortify on Demand can be deployed on-premise or in the cloud.

We are mainly using Micro Focus Fortify on Demand for security.

While using Micro Focus Fortify on Demand we have been very happy with the results and findings.

Micro Focus Fortify on Demand could improve the reports. They could benefit from being more user-friendly and intuitive.

I have been using Micro Focus Fortify on Demand for approximately five years.

The stability of Micro Focus Fortify on Demand is good. I did not face any problems. If we had 100 products then we would have many teams using it.

We have some expansion plans and once that falls in place may increase the number of users using Micro Focus Fortify on Demand.

Micro Focus Fortify on Demand is scalable. Our product team was using the solution but not all of them

We did not need to contact support because we did not have any problems.

We have used many different solutions five years ago.

Micro Focus Fortify on Demand was implemented and managed by our IT team.

Micro Focus Fortify on Demand licenses are managed by our IT team and the license model is user-based.

I would recommend the solution to others.

I rate Micro Focus Fortify on Demand a nine out of ten.

We use it as the source for code review for static code analysis.

The user interface is good.

There are lots of limitations with code technology. It cannot scan .net properly either.

I've been using it for the last five to six years.

The initial setup of this solution on-premises is easy; however, we have had difficulties installing it online in our clients' environments.

We used both in-house and vendor teams for deployment.

On a scale from one to ten, I would rate Micro Focus Fortify on Demand at five because we get better scan results from other tools.

The SAST feature is the most valuable.

I would like to see improvement in CI integration and integration with GitLab or Jenkins. It needs to be more simple.

I have been using this solution for three months. I am a DevOps engineer in customer service.

It's stable right now.

We have only installed the solution on one server.

The implementation process was complex. The documentation was not clear to me.

I'm also evaluating Black Duck and Snyk. I just have a demo – a POC.

I would rate this solution 7 out of 10.

I recommend Fortify, but I need more documentation, especially in integration with CI tools like GitLab and Jenkins. The reporting from Fortify to Jenkins or for GitLab needs to be clarified in documentation.

We are using it for application security testing. We have microservices and applications within the organization, and the testing is being done on a continuous basis right through the development cycle or the development chain.

We are using its latest version. It is deployed on the cloud and on-premises.

It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support.

It is an extremely robust, scalable, and stable solution.

It enhance the quality of code all along the CI/CD pipeline from a security standpoint and enables developers to deliver secure code right from the initial stages.

It does scanning for all virtual machines and other things, but it doesn't do the scanning for containers. It currently lacks the ability to do the scanning on containers. We're asking their product management team to expand this capability to containers.

It doesn't do software composition analysis. We've asked their product management team to look into that as well.

We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access.

I have been using this solution for four years.

It is very stable. 

It is very scalable.

Their tech support is absolutely outstanding. Their tech support is the most responsive tech support I've ever seen.

It is very straightforward to set up. You can set it up in minutes.

If somebody wants to shift left or integrate security early on in the CI/CD pipeline from a DevOps standpoint, this is probably one of the best tools available.

I would rate Micro Focus Fortify on Demand a nine out of 10. There are three areas for improvement. Once they improve it in those areas, then it would be 10 out of 10.

We have an application sending service that we are providing to our customers and we are using Micro Focus Fortify on Demand to ensure our applications are secure. 

The most valuable features are the server, scanning, and it has helped identify issues with the security analysis.

We typically do our bulk uploads of our scans with some automation at the end of the development cycle but the scanning can take a lot of time. If you were doing all of it at regular intervals it would still consume a lot of time. This could procedure could improve.

We are receiving false positives. We then have to repeat the scan even though it is a false positive and tell it to ignore some of those issues. Some of the false positives could be a design issue which we will know, but they keep coming up on the report.

I have found the processes a bit cumbersome for the developers.

I have been using this solution for approximately eight years.

I did not have any problems with the stability of this solution.

The scalability is good.

We did have some issues but we did not contact the technical support of Micro Focus.

The initial setup was a medium effort, not too complex. However, the bulk scan uploads took time. Overall it took an average amount of time and it was easy to integrate and work with.

The solution is a little expensive.

I rate Micro Focus Fortify on Demand a six out of ten.

Our clients use it for scanning their applications and evaluating their application security. It is mostly for getting the application security results in, and then they push the vulnerabilities to their development team on an issue tracker such as Jira.

I usually have the latest version unless I need to support something on an older version for a client. We're not really deploying any of these solutions except for kind of testing and replicating the situations that our clients get into.

Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out.

It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available.

I have been using this solution for seven or eight months.

I've never seen any issues with stability or crashing, and it looks fine to me, but I don't run it long enough to see. If I was using it as a customer, it is always possible that I would see more issues.

Usually, I just run it against a single application. I don't know how it is if you are running it across a large enterprise.

Our clients are medium to large businesses. We have a lot of Fortune 500 companies, and scalability is very important to us. Our product is made to scale to hundreds of millions of findings from various tools. 

Most of what I've been doing with them is just getting help with being able to set up an environment and the license keys, and they've been pretty helpful. I haven't had many issues that required me to report a bug or a problem. I did deal with them maybe once for a tech problem, and they were very responsive. They seemed pretty good.

As compared to the other tools that I've worked with, it is probably in the middle range. It is definitely not the simplest one where you just run the installation, and it will be all done, but you also don't tend to run into too many problems that aren't easy to figure out during the install process. If you go from lowest to highest complexity, it would be right in the middle.

It seems like a good scanner than the other ones that we support, but there are some other products such as Prisma that seem more polished and have tighter integration with different types of scanners. Whether they've acquired different scanners or build them themselves, they do seem like a cohesive product, whereas Fortify seems a little bit more like a collection of several different products.

I would rate Micro Focus Fortify on Demand a seven out of ten.

We're implementing DevSecOps in Fortify only a part of the big picture. We are implementing the entire secure development lifecycle.

The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation.

There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes.

The initial setup is a bit complex.

We could have more detailed documentation. They could offer some quick start or some extra guidance regarding the implementation.

I'd like to see more interactive application security And more IDE integration and integration with VS Code and Eclipse. I would like to see more features of this kind.

I've used this solution over the last 12 months at least.

The solution is stable. It's reliable. It doesn't crash or freeze. There aren't bugs or glitches.

We haven't tried to scale the solution just yet. As we didn't take the SaaS solution, scalability may be limited for us. I'm unsure. I can't really comment on that.

Currently, we have about 20 people on the development team.

Right now, we don't plan to increase usage.

The technical support is fine, however, it would be very helpful, especially during implementation, if there was more documentation and help surrounding setup.

We did not use a different solution previously. Before we had this solution, we were just evaluating other solutions and looking at the costs, and trying to bring in something newer, like an integrated automated secure stack, or something like that.

We found that the initial setup a bit complex. It's not exactly straightforward. For a newbie, there's a learning curve, and that can slow things down a bit.

Our deployment took about three to four months.

We only deployed in our company and we didn't use a consultant or integrator. We handled it completely in-house.

At this time, I don't have an answer on the return of investment. As far as I can see, it's necessary. If we got exposed or had a data leak it would cost the company dearly. With that in mind, while I can see there's an ROI, I can't provide an exact number.

We pay for licensing. We do pay an extra cost for implementing the infrastructure into the cloud. 

I've briefly looked at Kiuwan and compared it to this solution. We also looked at Veracode.

We're just a customer and we offer consulting services.

We are bringing up all the infrastructure inside GCP. It's not ready yet, and we're still implementing it. We're going to bring it up next week, probably, in terms of the infrastructure. We'll perform the SSC installation, install the controller and sensors.

The most important thing a company needs to do is to pay attention to the license calculation. They need to know how many licenses are going to be used. They need to understand the Micro Focus offer. That way, you won't be charged if you have surpassed the application limit. This is very important. That's something we faced in the past that caused a lot of problems. We needed to estimate the sizing correctly of the infrastructure. Doing that will bring value to the builds and deployments. Otherwise, you're going to spend a lot of time doing the scanning, and the developers will be very mad.

I'd rate the solution ten out of ten. It's the best on the market for me.