Lead Information Security Analyst at a financial services firm with 10,001+ employees
Real User
Top 5
May 29, 2025
Our main use cases for Fortify Static Code Analyzer typically involve trying to figure out the critical vulnerabilities. It depends on the type of scans that we are doing, whether it is a release scan or an agile scan, so that affects the amount of data we give them and the timeline for those severity levels. Therefore, it contains all sorts of vulnerabilities. In terms of Fortify Static Code Analyzer's automation capabilities, it has been fine. I have used it in some projects. We haven't onboarded all the projects yet, since we have a very large number of applications in my company. We have only taken the proprietary code for that matter and are running dry runs periodically. We consume reports from disaster control and SSCP. It basically saves us from needing to run multiple scans and not having to provide every time the development team asks for it. We have set it up in a way where they can log in and see the open issues, saving our time by not requiring extra effort.
We are still working with Fortify solution. Everything is all right with Fortify On Demand and Software Security Center, Application Defender. We are satisfied with this solution. We are using dynamic scanning and static scanning from this vendor. We utilize Static Code Analyzer and dynamic DAST with WebInspect.
Fortify Static Code Analyzer ( /products/fortify-static-code-analyzer-reviews ) is used in the software development lifecycle to ensure secure coding. It helps programmers write code in a secure manner, reducing the number of security defects found during penetration testing. It serves as an early stage of quality assurance in security by conducting code scans for security during development.
We use Fortify Static Code Analyzer to analyze our code for security vulnerabilities. It helps us identify and address potential issues, ensuring our software is secure.
Our primary use case for this solution is to analyze the security of our software applications during the development cycle. We use it to identify vulnerabilities and potential security issues before deploying the applications into production. Our environment comprises various software development projects, ranging from web applications to internal tools.
Learn what your peers think about OpenText Static Application Security Testing. Get advice and tips from experienced pros sharing their opinions. Updated: December 2025.
Security DevOps Engineer at a legal firm with 1-10 employees
Real User
Top 20
Dec 13, 2023
We maintain several applications that utilize a mix of custom PHP packages and native functionality. When a package becomes outdated or a security vulnerability emerges within one, our lifecycle management system flags the issue and assigns a threat level of critical, high, or moderate. We prioritize mitigation based on severity, addressing critical issues first. Additionally, we've integrated Fortify on Demand into our build pipeline. This tool scans our codebase for static vulnerabilities as new code is built and performs dynamic scans for potential runtime issues once builds are deployed. We implemented Fortify Static Code Analyzer to ensure our platform meets security standards, stays up-to-date with threats, and streamlines security remediation.
We use the product as a SaaS analysis tool. We review static code. It allows you to find vulnerabilities. The value that combining Fortify and Sonatype is that we use Fortify as a SaaS analysis tool. We review static code and Sonatype allows you to find vulnerabilities. I use it as a security center. I review it for any kind of issues, whether for proof or to deny, the source code, the findings, and then the enterprise can go back and provide their recommendation for how to fix the issue. It is used to scan the code base.
Sr cyber analyst at a energy/utilities company with 10,001+ employees
Real User
Oct 17, 2023
We use Fortify SCA or SAST for scanning the source code, and we use Sonatype Nexus to scan libraries for any vulnerabilities. We get secure code and libraries by combining these two solutions. If we find any issues, we can fix them.
Vice President Application Security North America at BNP Paribas
Real User
Top 20
Aug 25, 2023
Fortify SAST performs static code analysis, which means it reviews the source code or compiled binary code without executing the application. This helps in identifying vulnerabilities, coding errors, and security issues within the codebase. Fortify SAST supports a wide range of programming languages, including popular ones like Java, C/C++, C#, Python, and more. This broad language support makes it suitable for various development environments. It comes with a comprehensive set of security rules and patterns to identify vulnerabilities, including issues related to OWASP Top Ten, CWE (Common Weakness Enumeration), and other industry standards
Code Reviewer at United States Department of Defense
Real User
Oct 18, 2022
I make use of this solution every day in my current position. I have experience in its installation and troubleshooting and always ensure I am up to date with their latest releases. We use this solution to run and scan SQL code.
Senior Architect at a healthcare company with 10,001+ employees
Real User
Apr 10, 2022
Fortify Static Code Analyzer is used for scanning the container image, such as Kubernetes or Docker, and its main role is to do the static security analysis.
We usually run the product through the pipelines through GitLab, CICD, or Jenkins pipelines. I'm currently experimenting with AWS CodePipeline right now with integrating those types of tools into the pipeline.
I work for a company that implements these solutions for customers. So, we've got it everywhere. I've done implementations that are very simple and are developer workstation-based or security analyst desktop-based. We also have implementations all the way up through their big kahuna, which is decentralized and automated scanning.
OpenText Static Application Security Testing empowers teams with efficient vulnerability detection and streamlined secure coding practices, offering comprehensive language support and seamless integration with development tools.OpenText Static Application Security Testing enhances software security during development by accurately identifying vulnerabilities with minimal false positives. It integrates seamlessly with IDEs and CI/CD pipelines, making it highly efficient for early detection of...
Our main use cases for Fortify Static Code Analyzer typically involve trying to figure out the critical vulnerabilities. It depends on the type of scans that we are doing, whether it is a release scan or an agile scan, so that affects the amount of data we give them and the timeline for those severity levels. Therefore, it contains all sorts of vulnerabilities. In terms of Fortify Static Code Analyzer's automation capabilities, it has been fine. I have used it in some projects. We haven't onboarded all the projects yet, since we have a very large number of applications in my company. We have only taken the proprietary code for that matter and are running dry runs periodically. We consume reports from disaster control and SSCP. It basically saves us from needing to run multiple scans and not having to provide every time the development team asks for it. We have set it up in a way where they can log in and see the open issues, saving our time by not requiring extra effort.
We are still working with Fortify solution. Everything is all right with Fortify On Demand and Software Security Center, Application Defender. We are satisfied with this solution. We are using dynamic scanning and static scanning from this vendor. We utilize Static Code Analyzer and dynamic DAST with WebInspect.
Fortify Static Code Analyzer ( /products/fortify-static-code-analyzer-reviews ) is used in the software development lifecycle to ensure secure coding. It helps programmers write code in a secure manner, reducing the number of security defects found during penetration testing. It serves as an early stage of quality assurance in security by conducting code scans for security during development.
We use Fortify Static Code Analyzer to analyze our code for security vulnerabilities. It helps us identify and address potential issues, ensuring our software is secure.
Our primary use case for this solution is to analyze the security of our software applications during the development cycle. We use it to identify vulnerabilities and potential security issues before deploying the applications into production. Our environment comprises various software development projects, ranging from web applications to internal tools.
We use the tool for web-based applications.
We maintain several applications that utilize a mix of custom PHP packages and native functionality. When a package becomes outdated or a security vulnerability emerges within one, our lifecycle management system flags the issue and assigns a threat level of critical, high, or moderate. We prioritize mitigation based on severity, addressing critical issues first. Additionally, we've integrated Fortify on Demand into our build pipeline. This tool scans our codebase for static vulnerabilities as new code is built and performs dynamic scans for potential runtime issues once builds are deployed. We implemented Fortify Static Code Analyzer to ensure our platform meets security standards, stays up-to-date with threats, and streamlines security remediation.
We use the product as a SaaS analysis tool. We review static code. It allows you to find vulnerabilities. The value that combining Fortify and Sonatype is that we use Fortify as a SaaS analysis tool. We review static code and Sonatype allows you to find vulnerabilities. I use it as a security center. I review it for any kind of issues, whether for proof or to deny, the source code, the findings, and then the enterprise can go back and provide their recommendation for how to fix the issue. It is used to scan the code base.
We use Fortify SCA or SAST for scanning the source code, and we use Sonatype Nexus to scan libraries for any vulnerabilities. We get secure code and libraries by combining these two solutions. If we find any issues, we can fix them.
Fortify SAST performs static code analysis, which means it reviews the source code or compiled binary code without executing the application. This helps in identifying vulnerabilities, coding errors, and security issues within the codebase. Fortify SAST supports a wide range of programming languages, including popular ones like Java, C/C++, C#, Python, and more. This broad language support makes it suitable for various development environments. It comes with a comprehensive set of security rules and patterns to identify vulnerabilities, including issues related to OWASP Top Ten, CWE (Common Weakness Enumeration), and other industry standards
I make use of this solution every day in my current position. I have experience in its installation and troubleshooting and always ensure I am up to date with their latest releases. We use this solution to run and scan SQL code.
Fortify Static Code Analyzer is used for scanning the container image, such as Kubernetes or Docker, and its main role is to do the static security analysis.
We usually run the product through the pipelines through GitLab, CICD, or Jenkins pipelines. I'm currently experimenting with AWS CodePipeline right now with integrating those types of tools into the pipeline.
I work for a company that implements these solutions for customers. So, we've got it everywhere. I've done implementations that are very simple and are developer workstation-based or security analyst desktop-based. We also have implementations all the way up through their big kahuna, which is decentralized and automated scanning.