OpenText Core Application Security Reviews

We use it for normal, daily source code reviews and code analysis.

The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives.

It is easy to install, and the cost is fair.

I would like to see easier integration to CI/CD pipelines. The reporting format could be more user friendly so that it is easy to read.

I've been working with Micro Focus Fortify on Demand for three years.

There were some issues with it before, but I think they have been fixed now.

There were several limitations when I was using it before, but I am sure that they have been fixed by now.

My experience with technical support has been very good.

The initial setup is straightforward and not that complex. We had some support from IT.

The price is fair compared to that of other solutions.

If you are looking for commercial tools, Micro Focus Fortify on Demand is one of the best tools. It has all the features compared to those of its competitors. It is also within budget, if you're really focusing on security.

I would rate it at eight on a scale from one to ten.

We use Micro Focus Fortify on Demand to access web applications and more.

Reporting could be improved. It would nice to export to an Excel sheet or another spreadsheet. At the moment, my only option is a PDF.

Micro Focus Fortify on Demand is tailored towards more web application APIs, and I would like to see mobile applications added to the next release.

We've been using Micro Focus Fortify on Demand for almost two years.

Focus Fortify on Demand is a stable solution.

Focus Fortify on Demand is a scalable solution. 

The setup and installation were straightforward. 

On a scale from one to ten, I'll give it an eight.

We use it for statistical analysis for Java applications that are used in the collection process of a bank. It is also used for an internal web page. The tellers use this web page in the branches to make money transactions, such as withdrawals, deposits, etc.

The most valuable feature is the capacity to be able to check vulnerabilities during the development process. The development team can check whether the code they are using is vulnerable to some type of attack or there is some type of vulnerability so that they can mitigate it. It helps us in achieving a more secure approach towards internal applications.

It is an intuitive solution. It gives all the information that a developer needs to remediate a vulnerability in the coding process. It also gives you some examples of how to remediate a vulnerability in different programming languages. This solution is pretty much what we were searching for.

It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. 

They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team.

I have been using this solution for two or three months.

It has been pretty stable.

It is scalable, but we haven't scaled it much. Currently, we have ten users, but it is capable of taking many more users.

Their support is good, but sometimes, they take a bit longer. For high severity incidents, they should properly identify the team that has to be engaged to solve an issue. I would rate them an eight out of ten.

The initial setup was pretty much straightforward. It was quite easy to implement. 

It is quite intuitive, and the training model that they have helps the development team in using it easily. The deployment process took only about two weeks.

In terms of the implementation strategy, it started with a kickoff meeting with the provider who offered the solution. We involved the development team, security information team, and infrastructure team from the beginning. They all knew what can be done with the solution and what role they are going to play in the implementation process, which helped a lot to achieve a pretty short implementation time.

It is cost-effective.

It is a great solution. It is cost-effective for a secure development process. If an enterprise wants to adopt the DevOps process, Micro Focus Fortify on Demand is a great starting point. 

I would rate Micro Focus Fortify on Demand a nine out of ten.

We are architecting applications for e-commerce websites similar to Amazon. Everything is running on the cloud, and Micro Focus Fortify on Demand is totally integrated with our solution at this point in time.

Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices.

Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much.

In terms of communication, they can integrate a few more third-party tools. It would be great if we can have more options for microservice communication.

They can also improve the securability a bit more because security is one of the biggest aspects these days when you are using the cloud. Some more security features would be really helpful.

I have been using this solution for three years.

We have not come across anything major. We have been using it for quite a while, and we are happy with it. 

Scalability is good. Our customer bases are not that huge. Bigger enterprises may have trouble in scaling it, but for our load of work, it is working fine.

We have more than ten users. We are a very small startup, and we don't have too many people. 

Till now, we have not raised any tickets. If we are stuck with something, we just google and find out. We use their documentation, which is good enough. That's why we didn't raise any technical queries or things like that.

It was good. I don't think we struggled that much.

We implemented it ourselves. We have two people to maintain this solution.

We didn't evaluate any other solution. I was trying to find out which solution should I use, and I just saw good reviews of this solution. This was the first solution that we tried out, and we liked it. We started with a trial, and it was doing good. Our necessities were met, so we didn't try to figure out any other competitive tool in the market. 

You can choose this product for sure with a lot of confidence. It entirely depends on how you are exploring the stuff and trying to integrate it. Designing has to be good. It has all the features, but exploring the features and using it as per your need is important. It is not that features are not there. You just need to explore them and know how to use them. 

I would rate Micro Focus Fortify on Demand an eight out of ten. It is a good product. However, it needs improvements from the security aspect and from the aspect of integrations with other popular tools in the market.

I have been using this solution to gain some perspective from different architectures for the security team. I do not use it every day. I do have an overview and it is integrated with our development platform.

I do work for our governance team, so whenever a project is coming I will review products. I need to connect with the project managers for testing them, and these tests include the vulnerability assessment along with other security efforts. One of the things that I suggest is using Micro Focus Fortify on Demand.

The primary use case is core scanning for different vulnerabilities, based on standards. It beings with an architect who designs a model on a security-risk advisor platform. Then you have an idea of what the obstacles are. Once the code is scanned according to standards, you figure out where the gaps are. The team then suggests what needs to be done to the code to fix the vulnerabilities. The process repeats after the code is fixed until all of the vulnerabilities have been eliminated.

When you take all of these things together, it is Security by design.

The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira. When a vulnerability is found then it is classified as a bug and sent to IT.

This solution would be improved if the code-quality perspective were added to it, on top of the security aspect. It would rate performance and other things. This is one of the reasons that people are interested in SonarQube. This would make it a more complete and unique platform that would be a great player in the industry.

We have been using Micro Focus Fortify on Demand over the past four years.

This is a very stable solution. Once it is deployed there are not a lot of challenges.

This platform is very much scalable in terms of integrating with other solutions.

We have about 600 developers, but I think that we have between 300 and 400 who using Fortify on Demand.

I have not been in touch with technical support from the vendor.

Our technical support team is comprised of three people. Two of them help to demonstrate the product and instruct people on how it works. The other one is connected to the development team and can help with troubleshooting issues.

We also use WebInspect, SonarQube, and other security tools in addition to this solution. The use of particular tools depends on the project and the project manager that I speak with.

Prior to working with Fortify on Demand, we worked using the code analysis capability in Microsoft Visual Studio. That is where you have things like the recommended best practices for .NET. It flags what lools like bugs.

The initial setup was quite simple.

I performed the deployment a couple of times on different platforms and it did not take much effort to set up. I also did the integration with other platforms like Microsoft Information Server and it was quite easy. You just need to know the platform that you are integrating into.

When it came time to deploy, I just had to run through the documentation on the vendor's web site. I spent one day reading it and one the second day, I did my integration. It took about eight hours that day, and I had challenges but they came from the platform that I was integrating into, like Microsoft Information Server. There were things to be done, such as converting XML files. The next day I was able to fix the problems, so in total it took me between nine and twelve hours to integrate it.

The second time that I deployed this solution it took me not more than two or three hours to repeat all of these same steps.

I had one person from Fortify to assist me with the deployment and integration with Microsoft Information Server. We also had some peers working with us. For example, I had the global head of security assurance working with me. Between us, we got everything working.

We did not evaluate other vendors beyond the solutions that we are using.

My advice to anybody who is considering this solution is to first get buy-in from the entire organization about adopting a culture of Security by design. Fortify on Demand can scan your code, but you need to have plans in place for what needs to be done when problems are identified. It may mean that things will have to change with regards to how code is being written. It may also require integration with other platforms. You can't just start scanning without first understanding what the security architecture is. You need to understand the vulnerabilities and all of the standards, as well. Essentially, I would recommend a security design overhaul.

I would rate this solution an eight out of ten.

We recommend this product to our customers. We act as vendors and resellers. This is actually one of the solutions we often recommend to our customers most often. Usually, this is the best choice for banking and financial institutions. It is deployed by their development team in-house. They use it to manage and test product lifecycles.  

We actually find all of the product's features valuable. But at this point, we are trying to upsell by adding additional components like RAFT (Re-usable Automation Framework for Testing) to the test cycle.  

Strictly in terms of this product, I think it is a top-notch solution and I think the technology is still the best on the market. What might be improved is maybe just look at the pricing. It is a bit confusing compared to other products that we also sell.  

Whatever innovation they can come up with would be an excellent addition if it adds useful functionality. The only thing I can think of that they might add is something like features you can find in Codebashing that they have not yet implemented. I don't know if it has all of those features. If not, it would be useful for something like that to be added.  

We have been suggesting the product since before the merger with Hewlett Packard.  

This is a very stable product.  

This product is scalable. Most of our customers are enterprise customers. I can point out three off the top of my head. If the product can scale to the enterprise level, it makes sense that it is quite scalable.  

The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to. Micro Focus has a whole lot of solutions that are of value in our region, but it seems that they are not doing a proper job of coordination of knowledge. There is a huge knowledge gap from the Micro Focus team in the way they support businesses. We were hoping that the transition was the thing that affected the lack of better support. But by now we should be able to point to who the person is that is in charge and the person to talk to when it comes to the various products. I really don't know anybody in charge of the technical team to help us properly with issues.  

I think the initial setup for the on-demand product is straightforward. The product installed on-premises is somewhat complex. For this reason, it is better that the on-premises version is installed with the help of integrators or consultants. 

I would definitely recommend Micro Focus Fortify any day for clients who are looking for a good security solution.  

On a scale from one to ten where one is the worst and ten is the best, I would rate Micro Focus Fortify on Demand as a nine out of ten.  

What is most useful is how you can have related features upgraded on the tools. The tools themselves have details for the code as well, where the issues have been flagged, and all the vulnerabilities are there, in one place.

The solution has some problems with latency. Sometimes it takes a while to respond. This issue should be addressed.

They should improve the data path where the issue has been flagged. They can improve the flow module details. If you can understand from the data flow or data path what is happening, you can better understand what the issue is.

The solution is very stable.

The solution is okay in terms of scalability. I'm still not really familiar with the tool, and I'm still learning from it. So far, I think it has a good ability to scale.

Technical support is okay. They have a platform that you can create tickets on. Once you raise a ticket, support is quick to help you. 

If they wanted to improve technical support they could offer meetings with the developer or security team.

It's a cloud-based solution, so there was no installation involved.

We use the cloud deployment model of the solution.

Whether or not you decide to implement the solution depends on the use case. It depends on if the user has a big application or multiple lines of code which need to be scanned. New users need to do POC so they can investigate if this tool fits in their company or their enterprise before they begin implementation. Everyone should do a comparison before implementing or doing the rollout of any security tool.

I would rate the solution seven out of ten.

Our primary use case for this solution is static code analysis.

This solution has helped us to improve our security processes.

The static code analyzers are the most valuable features of this solution.

The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment. It needs a better configuration and more options for reports.

The solution is working, so I would say that its stability is fine.

We have approximately twenty users who perform code scanning. They are developers and security experts. We do plan to increase our usage of this solution in the future.

Technical support for this solution is fine.

The initial setup of this solution is straightforward.

It took approximately two hours to deploy, and because it is a cloud-based solution it does not require anybody for maintenance.

We handled the implementation in-house.

All I can say is that it is reducing security issues.

We evaluated Veracode before choosing this solution.

This solution works, so I suggest using it.

I would rate this solution an eight out of ten.