PeerSpot user
Sr. Manager 5G & MEC (Edge) Strategy at a tech services company with 10,001+ employees
Real User
Top 20
Aug 25, 2017
We can load the details and within a few days, receive the results of intrusion attacks, although it needs to have better packaged reporting capabilities.
Pros and Cons
  • "I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification"
  • "With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities."

How has it helped my organization?

The HP FoD effort allowed my client to utilize this service anytime their internal IT team was overwhelmed with workloads. FoD gives them an option to utilize the additional HP Services when they are overwhelmed with other IT Security needs across the company.

What is most valuable?

  • The ability to utilize the Client Portal, which provided my clients with a view of the project status, vulnerabilities and needed remediation steps in real-time
  • I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification
  • The process was easy to follow and we were supported 24/7 by TAM personnel to help with any fire drills. This was helpful many times when I needed a quick answer late at night or early in the morning

What needs improvement?

  • I believe that sales packages should be posted for single applications, and packages of multiple applications. For example, we have a one-time package for single applications, and 12 month unlimited use for static and a package for static & dynamic testing. It would be nice to see packages posted for a single application, and groups of three, five, or 10 applications. More than 10 applications would need to be custom pricing like you have today.
  • I would like it to be easier to understand, and have better packaged reporting capabilities. For most of the reporting I needed, I exported to Excel and then had to produce more visually accepted reports for Executive Clients. With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities.

What do I think about the stability of the solution?

Because the product is based on HP’s Fortify Platform, the product is great.

Buyer's Guide
OpenText Core Application Security
December 2025
Learn what your peers think about OpenText Core Application Security. Get advice and tips from experienced pros sharing their opinions. Updated: December 2025.
879,259 professionals have used our research since 2012.

What do I think about the scalability of the solution?

I can’t answer this question appropriately yet as I only utilized the service for one application so far.

How are customer service and support?

Customer Service:

10/10 - Christine Bobba, Gerald and the whole TAM Team were very supportive. Stuart Ward does a great job running his TAM Team focused on customer service.

Technical Support:

Jason Powell was really supportive from a technical perspective. He was able to quickly gather the details we needed to resolve security issues with the code or set up.

Which solution did I use previously and why did I switch?

I’ve used Rapid7 and Qualys Security Solutions in Managed Service Environments for previous clients. Both are really good solutions, but I’ve not utilized any other On-Demand Solution.

I switched because my client uses HP as its core product set. I needed to use Fortify and the FoD Solution allowed me to be up and running within a few short days.

How was the initial setup?

Super easy deployment and usage of the scanning capabilities. The setup was straightforward, and the ability to enter data and start the correct scan was intuitive.

What was our ROI?

We did not charge for the product; we charged for our PMO Services to run the product.

What's my experience with pricing, setup cost, and licensing?

We used the one-time application, Security Scan Dynamic. I believe the original fee was $8,000.

I would suggest, and I have, that companies should utilize the 12 month unlimited test package.

Which other solutions did I evaluate?

I searched online and FoD allowed me the best opportunity for success due to my client’s timeline.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user897402 - PeerSpot reviewer
Works at a comms service provider with 10,001+ employees
Real User

Thanks

it_user692322 - PeerSpot reviewer
Digital Security Integration Lead at a non-tech company with 10,001+ employees
Real User
Jun 28, 2017
The quality of application security testing reduces risk and gives very few false positives.
Pros and Cons
  • "The quality of application security testing reduces risk and gives very few false positives."
  • "New technologies and DevOps could be improved. Fortify on Demand can be slow (slower than other vendors) to support new technologies or new software versions."

How has it helped my organization?

The security of our consumer-facing web sites is better.

What is most valuable?

The quality of application security testing reduces risk and gives very few false positives.

What needs improvement?

New technologies and DevOps could be improved. Fortify on Demand can be slow (slower than other vendors) to support new technologies or new software versions. DevOps requires very fast turnaround and I’m not sure HPE Fortify on Demand can do that, although they have a new product in beta for that.

What do I think about the stability of the solution?

We did not have stability issues.

What do I think about the scalability of the solution?

We did not have scalability issues.

How are customer service and technical support?

Technical support is very good.

Which solution did I use previously and why did I switch?

We didn’t have a previous solution.

How was the initial setup?

Setup was not complex, although given our size it was a challenge.

What's my experience with pricing, setup cost, and licensing?

Drive a hard bargain.

Which other solutions did I evaluate?

We evaluated IBM and Veracode.

What other advice do I have?

Go with the SaaS product.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user712167 - PeerSpot reviewer
General Manager - Application Security at a tech consulting company with 51-200 employees
Real User

Yes, it does have less positives. After being a premium customer and having taken the annual / 3 yr subscription option, we can opt for + (plus) services by which we can have a manual AUDIT to manually review our code for the 1st time. This helps reduce most of the false positives and developers and team in-charges can concentrate on actual issues / vulnerabilities or the weaknesses in existing application which is assessed. - Manoj Purandare, India

it_user506661 - PeerSpot reviewer
Senior Lead at a computer software company with 1,001-5,000 employees
Real User
May 10, 2017
Helps us identify security vulnerabilities earlier in the development.
Pros and Cons
  • "We identified a lot of security vulnerabilities much earlier in the development and could fix this well before the product was rolled out to a huge number of clients."
  • "The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there."

How has it helped my organization?

Security of our applications is a huge concern for everyone now. Using quality products like HPE’s Fortify helped us minimize issues raised by the clients. Therefore, customer satisfaction in terms of the security was high.

What is most valuable?

We identified a lot of security vulnerabilities much earlier in the development and could fix this well before the product was rolled out to a huge number of clients.

What needs improvement?

The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there. Also, the comments added on each issue were getting lost on multiple iterations of scans, which could be fixed.

How are customer service and technical support?

Technical support is very good. We had a few issues in the initial setup and the HPE team’s support was commendable.

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

How was the initial setup?

Initial setup was complex; we ran into a lot of memory issues. The Visual Studio plugin was not responsive, either.

What about the implementation team?

An in-house team implemented it. Don’t use the Visual Studio plugin, unless your solution is really small. Otherwise, use the command line setup.

Which other solutions did I evaluate?

It’s a tool used at the enterprise level; hence, I did not have a chance to explore other options.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user512112 - PeerSpot reviewer
Technical Lead at a tech services company with 10,001+ employees
Real User
May 10, 2017
Our client uses the audit workbench for on-the-fly defect auditing. .NET code scanning is still dependent on building the code base before running any scan.
Pros and Cons
  • "Audit workbench: for on-the-fly defect auditing."
  • ".NET code scanning is still dependent on building the code base before running any scan. Also, it's dependent on an IDE such as Visual Studio."

How has it helped my organization?

Security defects are captured early in the lifecycle and fixed quicker. Usage of Fortify has made developers more aware about security vulnerabilities and their consequences, as well as various secure programming practices.

What is most valuable?

  • Scan wizard: for configuring large scans
  • Audit workbench: for on-the-fly defect auditing
  • CLI: to integrate the tool into CI/CD

What needs improvement?

.NET code scanning is still dependent on building the code base before running any scan. Also, it's dependent on an IDE such as Visual Studio.

More conventional reporting formats need to be provided.

Also, a provision should be available to generate customized reports.

What do I think about the stability of the solution?

For code bases heavy on JavaScript, the static scan takes a long time (as long as two days). Even then, the scan crashes at times. Increasing system memory doesn't seem to improve the situation (tried with 16/32 GB system memory).

It requires a high-end system with 8/16/32 GB RAM for stable performance.

How are customer service and technical support?

I haven't reached out to HP Support so far.

Which solution did I use previously and why did I switch?

I did not previously use any product for static application security.

How was the initial setup?

Initial setup is quite easy.

What's my experience with pricing, setup cost, and licensing?

Buying a license would be feasible for regular use. For intermittent use, the cloud-based option can be used (Fortify on Demand).

Which other solutions did I evaluate?

Before choosing this product, we evaluated Veracode and Checkmarx (among licensed), and FindBugs and Yasca (among free).

What other advice do I have?

If you are already using HPE tools and services such as ALM, then Fortify is a good option, as it provides out-of-the-box support for these. Scanning capability-wise, the tool is decent enough, and is also easy to use. However, it generates a large number of false positives after a scan, which can be tedious to verify manually.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user488193 - PeerSpot reviewer
System Engineer at a tech services company with 501-1,000 employees
Consultant
Aug 31, 2016
Both editions of the product have their advantages, and they complement each other.

What is most valuable?

Both editions of the product have their advantages, and they complement each other.

How has it helped my organization?

Since we adopted HP Fortify, our organization has added more divisions that focus on penetration testing.

What needs improvement?

HP Fortify already covers the need for security testing and is easy to use for new users. The only thing that comes to mind regarding room for improvement is the security vulnerability updates.

For how long have I used the solution?

My company has been using this solution for about one year.

What was my experience with deployment of the solution?

I have not encountered any deployment, stability or scalability issues. I haven't had any complaints about technical issues from our client, either.

How are customer service and technical support?

I have not yet contacted customer service or technical support.

Which solution did I use previously and why did I switch?

I do know of some software that has similarities, but I’ve never used any of it before.

How was the initial setup?

Most of our clients use straightforward implementation; we recommend straightforward implementation because of the simplicity of the architecture and usage. For example, installing using the best practices for each product.

What about the implementation team?

We implemented it for our customer.

What other advice do I have?

HP Fortify is perfect for any company that creates their own applications or uses vendor-developed ones; it’s great for QA and development phases.

HP Fortify is easy to use and offers lots of integration options; those options allow us to have more diverse implementations that fit the requirements.

Disclosure: My company has a business relationship with this vendor other than being a customer. My company distributes HP Fortify.
it_user488208 - PeerSpot reviewer
Specialist Master/Manager at a consultancy with 10,001+ employees
Real User
Aug 31, 2016
We use it to evaluate code from a security perspective as opposed to a developer’s perspective.

Valuable Features

The static code analyzer provides views from a security perspective and it is easy to use compared to others.

Improvements to My Organization

We use it to evaluate security from the code and provide results from a security perspective as opposed to a developer’s perspective.

Room for Improvement

Reports can be better visually with graphics such as charts included. Charts (pie, bar, some graph) could show the percentage of the vulnerability categories identified, as opposed to listing them all in a table. At a higher level, it would be nice to aggregate the analysis.

Use of Solution

I have used it for 3.5 years.

Deployment Issues

I did not encounter any deployment issues. It was fairly simple and easy to install/deploy.

Customer Service and Technical Support

Technical support is 6/10. I find the Internet to be more helpful at times than their own tech support in finding answers.

Initial Setup

Initial setup was easy and intuitive: just specify the license path and install the product.

Implementation Team

We implemented it in-house.

ROI

Quality vs quantity: You pay more for a higher-quality product that meets your needs, compared to others that might be cheaper, but you have to crawl to get what you are looking for.

Other Solutions Considered

While I did evaluate others, it depends on the budget.

Other Advice

It is a good product to choose for SCA and cloud deployment. If you choose SSC, don’t always look at the price, as the other products might not conduct the same analysis as HP Fortify does. Not all products are created equal.

Disclosure: My company has a business relationship with this vendor other than being a customer. My company is a vendor partner.
Elina Petrovna - PeerSpot reviewer
Professor at a government with 51-200 employees
Real User

The weakest component of Fortify is SSC. Very difficult to customize, huge infrastructure to implement and maintain, and costly.

it_user455427 - PeerSpot reviewer
Development and Database Manager at a financial services firm with 501-1,000 employees
Vendor
Jun 5, 2016
It works to identify security flaws that any of our applications might have.

What is most valuable?

The solution simply identifies any security flaws that any of our applications might have.

How has it helped my organization?

This identification provides us an advantage in that the service itself works to stay abreast and knowledgeable about emerging threats. Rather than have a security team dedicated to that effort, we don’t have to deal with that in a time consuming, direct manner. We don't need to have these skills in-house.

What needs improvement?

I find that while it does find a lot of legitimate threats, it tends to have a lot of false positives, and there are more false positives than I would like to see. It flags threats that sometimes are not, and when we have to investigate that it takes time. If they could improve the intelligence then I think it could really help the system function more efficiently. The dynamic time scan takes about seven days, and this could be a bit quicker. We like to incorporate the scan into every build cycle and if we have to wait for a seven day business cycle it has to go into our scheduling. If that could be improved there would be a lot of happy people.

For how long have I used the solution?

It predates my employment; I’m certain we signed up in 2013 – roughly three years ago.

What was my experience with deployment of the solution?

We have had no issues with the deployment.

What do I think about the stability of the solution?

I would say it’s fairly stable. It’s a web application so of course there are browser hiccups but I would give it a high score for stability. Once in a while there is a page refresh, but nothing major.

What do I think about the scalability of the solution?

We have four applications and we’ve been able to get them all in there, I don’t see it having a limit.

How are customer service and technical support?

Customer Service:

Customer service has been good once we get attention, which comes back to the false positive issue.

Technical Support:

Sometimes the results need clarifications. They could be a bit more responsive as once we get someone the interactions have been good and helpful.

Which solution did I use previously and why did I switch?

This was our first foray into a hosted service.

How was the initial setup?

The deployment was super easy as the interface is straightforward. It was almost too easy.

What other advice do I have?

If you haven’t run any formal scan, be prepared for it to come back and be a bit scary.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Omar Sánchez (Mr.Tech) - PeerSpot reviewer
Information Security Advisor, CISO & CIO, Docutek Services at a tech consulting company with 51-200 employees
Top 20 Leaderboard
Consultant

Support is offered through phone and a password-protected web portal, and also through email. In addition, the standard price allows for quarterly updates for the latest security tests for code review. Phone support is available 6 a.m. to 6 p.m. Pacific Standard Time.

it_user441546 - PeerSpot reviewer
Information Security Lead Consultant & Application Security Specialist at an energy/utilities company with 1,001-5,000 employees
Vendor
May 15, 2016
It's reduced operational costs as we minimized security incidents and ensured all vulnerabilities are remediated during the development lifecycle.

What is most valuable?

It's saved us a lot of time as we focus primarily on security consultancy work rather than tool operational work.

Also, the features SAST, DAST, Dashboard/Reports, Fortify on Demand Portal and Vulnerability Tracking, have all helped with our work.

Finally, it's reduced operational costs as we minimized security incidents and ensured all vulnerabilities are remediated during the development lifecycle.

How has it helped my organization?

The results it provides are more than 95% accurate, helping us to focus on the right things first.

Our new software procurement process benefited as well as we use this as a central control to provide security assurance and evaluate the quality of our deliverables.

Its ease-of-use has influenced developer behavior and enabled them to follow security principles.

What needs improvement?

It would be useful if they could integrate secure design reviews, security user stories in Fortify on Demand Portal, and also look for possible options to get just one view of risks for given services (Covering Application, Infrastructure, Pen. Test, etc.).

For how long have I used the solution?

I’ve used it since 2010.

What was my experience with deployment of the solution?

We've had no issues with deployment.

What do I think about the stability of the solution?

It’s a very stable product. We've had no issues with instability.

What do I think about the scalability of the solution?

It’s scaled for our needs. We've had no issues with un-scalability.

How are customer service and technical support?

Customer Service:

Customer service is excellent.

Technical Support:

The technical support is very good.

Which solution did I use previously and why did I switch?

We've used various other tools, including the Fortify on-premise solution. We chose Fortify on Demand as it is cost effective, scalable, easy to deploy, and helps us to manage our vulnerabilities centrally.

How was the initial setup?

The initial setup was very easy and straightforward. We were able to roll out this service to all our business units.

What about the implementation team?

We performed the installation in-house.

What's my experience with pricing, setup cost, and licensing?

There is no setup cost as it is an on-demand solution. However, if there is any firewall change required for an internal application, we would need to raise that from our end.

Which other solutions did I evaluate?

We considered SonarQube, MSFox, and CodeInspect.

What other advice do I have?

Fully utilize this product and its features as it covers almost everything required for software security assurance.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.