Lead Information Security Analyst at a financial services firm with 10,001+ employees
Real User
Top 5
2025-05-29T08:40:51Z
May 29, 2025
I think Fortify Static Code Analyzer could be improved by updating the number of rule packs according to the latest vulnerabilities we find each year. We have updated to a version that is one less than the current latest version. It would be really helpful to include trending vulnerabilities and how to manage them. While it includes all the OWASP top factors, AI has come into the picture, so those updates should also be considered. I haven't thought much about additional features for improvement since I am using it daily. Most of our work revolves around scanning and providing the results, which sometimes feels like a crunch. However, I believe rule pack updates should be implemented. It feels easy to upgrade to the latest version as well.
I'm not sure if Fortify Static Code Analyzer has AI capabilities. Currently, this solution doesn't quite have what we need. For example, it cannot build a vulnerability rating using AI based on our data. We would appreciate if the AI could give us more information about improvements and reduce the number of false positives, but this solution doesn't have this function yet. ChatGPT can already perform code analysis. If we insert the code to ChatGPT, we get answers, so integration with Fortify would be beneficial. However, there are questions of confidentiality and AI deployment. We are not ready to transfer our code without control to AI instruments. I would appreciate seeing simplified integration with Active Directory and integration with AI instruments in the future.
The deployment of Fortify Static Code Analyzer needs to be simplified. It should be easier to install, perhaps through a container-based approach where everything is combined into one image or pack of containers. This change would facilitate easier installations and ensure all necessary components are connected and ready to use.
False positives need improvement in the future. Fortify's vulnerability remediation guidance helps improve code security, but I think they need to improve the focus of the solution, as it still Contains many bugs and needs a thorough review.
The product could be improved by upgrading and compatibility with databases such as MySQL. Streamlining the upgrade process and enhancing compatibility would make it easier for us to keep our security tools up-to-date. Enhancing integration with ticket management systems like Jira in the next release would facilitate issue tracking and resolution.
Learn what your peers think about OpenText Static Application Security Testing. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize. It throws everything at us at once, which can be overwhelming. While it's not a major issue, I'd like to see it focus on critical vulnerabilities and highlight them upfront. Furthermore, categorizing critical vulnerabilities by platform-specific vulnerabilities and relevance to supported features would be incredibly beneficial. While Fortify Static Code Analyzer has some merit, I believe it still has significant room for improvement. We have encountered a high number of false positives, which has been a major obstacle and resource drain.
One downside to it is that it is costly. I can see it only for enterprises. I cannot see it for small businesses or for individual use. The configuration part is a little bit tricky. There is a learning curve there because it has multiple components. If someone has used another type of scanner, they would not think of the configuration intuitively. The configuration part can be better. Installation is straightforward, but the configuration can be better. It can be improved. There is a learning curve. Before we started using this tool, I did a lot of sessions with the vendors themselves to give an overview to the people. I also did a small documentation on how to install it because there are many components here and there. You need to understand how everything is put together. They can integrate it or make it a simpler process. During the short experience that we have had with it, we have noticed that some of the languages such as JavaScript and TypeScript consume high resources. They take a longer time to scan. Memory consumption is also very high for those languages. We are working with Fortify to find ways to optimize the scan. I noticed this with these types of languages. By nature, they take time. It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier. For integration with IDEs, they have so many plugins. For example, they have something called security analysis, and they have something called remediation. As a user, I would love to have them as one. Why should we have two plugins in the same IDE? Just give me one plugin that I can hook to the tool and use it. This is one thing. Some of the features in these plugins also need more testing. They are not consistent across all the IDEs. From what I saw, there are different options in these tools. For example, if you install it with IntelliJ, it will be different from VS Code. Some options are different, or one tool has more options than others. They can invest more in making them consistent.
Vice President Application Security North America at BNP Paribas
Real User
Top 5
2023-08-25T20:10:00Z
Aug 25, 2023
The generation of false positives should be reduced. Although it provides mechanisms to help reduce false positives, ensuring that the reported vulnerabilities are genuine security concerns.
Code Reviewer at United States Department of Defense
Real User
2022-10-18T17:04:48Z
Oct 18, 2022
The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit. CyberRes is a partner I rely on as a first resource if I can't find the answer I need in documentation on Google. The information directly from Fortify is limited.
Senior Architect at a healthcare company with 10,001+ employees
Real User
2022-04-10T11:12:13Z
Apr 10, 2022
Fortify Static Code Analyzer is a good solution, but sometimes we receive false positives. If they could reduce the number of false positives it would be good. The solution could be more user-friendly. You have the CLI for business people sometimes, we are not able to give a good overview. Generally, the business people you choose would want to see the dashboard.
We use several other tools. We also use SonarQube. If one tool does not meet our requirements, I kind of implement another. We actually use SonarQube and Fortify together as the tools that we use to do the static code and dynamic testing, and also for security. You combine various tools in a pipeline to verify the code. Basically, it's not necessarily a standalone solution. You need to work with others to get what you need. It comes with a hefty licensing fee. We get around it by leveraging SonarQube, which is free. We're trying to get plugins now for SonarQube to match what Fortify could do. It would be ideal if it also had some sort of open-source version we could use.
I know the areas that they are trying to improve on. They've been getting feedback for several years. There are two main points. The first thing is keeping current with static code languages. I know it is difficult because code languages pop up all the time or there are new variants, but it is something that Fortify needs to put a better focus on. They need to keep current with their language support. The second thing is a philosophical issue, and I don't know if they'll ever change it. They've done a decent job of putting tools in place to mitigate things, but static code analysis is inherently noisy. If you just take a tool out of the box and run a scan, you're going to get a lot of results back, and not all of those results are interesting or important, which is different for every organization. Currently, we get four to five errors on the side of tagging, and it notifies you of every tiny inconsistency. If the tool sees something that it doesn't know, it flags, which becomes work that has to be done afterward. Clients don't typically like it. There has got to be a way of prioritizing. There are a ton of filter options within Fortify, but the problem is that you've got to go through the crazy noisy scan once before you know which filters you need to put in place to get to the interesting stuff. I keep hearing from their product team that they're working on a way to do container or docker scanning. That's a huge market mover. A lot of people are interested in that right now, and it is relevant. That is definitely something that I'd love to see in the next version or two.
OpenText Static Application Security Testing empowers teams with efficient vulnerability detection and streamlined secure coding practices, offering comprehensive language support and seamless integration with development tools.OpenText Static Application Security Testing enhances software security during development by accurately identifying vulnerabilities with minimal false positives. It integrates seamlessly with IDEs and CI/CD pipelines, making it highly efficient for early detection of...
I think Fortify Static Code Analyzer could be improved by updating the number of rule packs according to the latest vulnerabilities we find each year. We have updated to a version that is one less than the current latest version. It would be really helpful to include trending vulnerabilities and how to manage them. While it includes all the OWASP top factors, AI has come into the picture, so those updates should also be considered. I haven't thought much about additional features for improvement since I am using it daily. Most of our work revolves around scanning and providing the results, which sometimes feels like a crunch. However, I believe rule pack updates should be implemented. It feels easy to upgrade to the latest version as well.
I'm not sure if Fortify Static Code Analyzer has AI capabilities. Currently, this solution doesn't quite have what we need. For example, it cannot build a vulnerability rating using AI based on our data. We would appreciate if the AI could give us more information about improvements and reduce the number of false positives, but this solution doesn't have this function yet. ChatGPT can already perform code analysis. If we insert the code to ChatGPT, we get answers, so integration with Fortify would be beneficial. However, there are questions of confidentiality and AI deployment. We are not ready to transfer our code without control to AI instruments. I would appreciate seeing simplified integration with Active Directory and integration with AI instruments in the future.
The deployment of Fortify Static Code Analyzer needs to be simplified. It should be easier to install, perhaps through a container-based approach where everything is combined into one image or pack of containers. This change would facilitate easier installations and ensure all necessary components are connected and ready to use.
False positives need improvement in the future. Fortify's vulnerability remediation guidance helps improve code security, but I think they need to improve the focus of the solution, as it still Contains many bugs and needs a thorough review.
The product could be improved by upgrading and compatibility with databases such as MySQL. Streamlining the upgrade process and enhancing compatibility would make it easier for us to keep our security tools up-to-date. Enhancing integration with ticket management systems like Jira in the next release would facilitate issue tracking and resolution.
The product shows false positives for Python applications.
Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize. It throws everything at us at once, which can be overwhelming. While it's not a major issue, I'd like to see it focus on critical vulnerabilities and highlight them upfront. Furthermore, categorizing critical vulnerabilities by platform-specific vulnerabilities and relevance to supported features would be incredibly beneficial. While Fortify Static Code Analyzer has some merit, I believe it still has significant room for improvement. We have encountered a high number of false positives, which has been a major obstacle and resource drain.
It would be nice if they had a version suitable for single developers that could be more cost-effective and maybe faster to learn.
One downside to it is that it is costly. I can see it only for enterprises. I cannot see it for small businesses or for individual use. The configuration part is a little bit tricky. There is a learning curve there because it has multiple components. If someone has used another type of scanner, they would not think of the configuration intuitively. The configuration part can be better. Installation is straightforward, but the configuration can be better. It can be improved. There is a learning curve. Before we started using this tool, I did a lot of sessions with the vendors themselves to give an overview to the people. I also did a small documentation on how to install it because there are many components here and there. You need to understand how everything is put together. They can integrate it or make it a simpler process. During the short experience that we have had with it, we have noticed that some of the languages such as JavaScript and TypeScript consume high resources. They take a longer time to scan. Memory consumption is also very high for those languages. We are working with Fortify to find ways to optimize the scan. I noticed this with these types of languages. By nature, they take time. It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier. For integration with IDEs, they have so many plugins. For example, they have something called security analysis, and they have something called remediation. As a user, I would love to have them as one. Why should we have two plugins in the same IDE? Just give me one plugin that I can hook to the tool and use it. This is one thing. Some of the features in these plugins also need more testing. They are not consistent across all the IDEs. From what I saw, there are different options in these tools. For example, if you install it with IntelliJ, it will be different from VS Code. Some options are different, or one tool has more options than others. They can invest more in making them consistent.
The generation of false positives should be reduced. Although it provides mechanisms to help reduce false positives, ensuring that the reported vulnerabilities are genuine security concerns.
The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit. CyberRes is a partner I rely on as a first resource if I can't find the answer I need in documentation on Google. The information directly from Fortify is limited.
Fortify Static Code Analyzer is a good solution, but sometimes we receive false positives. If they could reduce the number of false positives it would be good. The solution could be more user-friendly. You have the CLI for business people sometimes, we are not able to give a good overview. Generally, the business people you choose would want to see the dashboard.
We use several other tools. We also use SonarQube. If one tool does not meet our requirements, I kind of implement another. We actually use SonarQube and Fortify together as the tools that we use to do the static code and dynamic testing, and also for security. You combine various tools in a pipeline to verify the code. Basically, it's not necessarily a standalone solution. You need to work with others to get what you need. It comes with a hefty licensing fee. We get around it by leveraging SonarQube, which is free. We're trying to get plugins now for SonarQube to match what Fortify could do. It would be ideal if it also had some sort of open-source version we could use.
I know the areas that they are trying to improve on. They've been getting feedback for several years. There are two main points. The first thing is keeping current with static code languages. I know it is difficult because code languages pop up all the time or there are new variants, but it is something that Fortify needs to put a better focus on. They need to keep current with their language support. The second thing is a philosophical issue, and I don't know if they'll ever change it. They've done a decent job of putting tools in place to mitigate things, but static code analysis is inherently noisy. If you just take a tool out of the box and run a scan, you're going to get a lot of results back, and not all of those results are interesting or important, which is different for every organization. Currently, we get four to five errors on the side of tagging, and it notifies you of every tiny inconsistency. If the tool sees something that it doesn't know, it flags, which becomes work that has to be done afterward. Clients don't typically like it. There has got to be a way of prioritizing. There are a ton of filter options within Fortify, but the problem is that you've got to go through the crazy noisy scan once before you know which filters you need to put in place to get to the interesting stuff. I keep hearing from their product team that they're working on a way to do container or docker scanning. That's a huge market mover. A lot of people are interested in that right now, and it is relevant. That is definitely something that I'd love to see in the next version or two.