Fortify Static Code Analyzer Reviews

Name: Fortify Static Code Analyzer
Brand: OpenText
Rating: 4 (16 reviews)

4.1 out of 5

16 reviews
87% willing to recommend

What is Fortify Static Code Analyzer?

Fortify Static Code Analyzer (SCA) utilizes numerous algorithms in addition to a dynamic intelligence base of secure coding protocols to investigate an application’s source code for any potential risk of malicious or dangerous threats. Additionally, the solution will prioritize the most critical concerns and give direction on how users can repair those concerns. This solution researches each and every potential route that workflow and data can travel to discover and repair all possible vulnerabilities. Fortify SCA allows users to create safe and secure software quickly. Users are able to discover potential security gaps more quickly with precise outcomes and repair them immediately.

Get the Fortify Static Code Analyzer Buyer's Guide and find out what your peers are saying about Fortify Static Code Analyzer, Veracode, GitLab and more!

Fortify Static Code Analyzer is the #3 ranked solution in top Static Code Analysis solutions. PeerSpot users give Fortify Static Code Analyzer an average rating of 8.2 out of 10. Fortify Static Code Analyzer is most commonly compared to Veracode: Fortify Static Code Analyzer vs Veracode. Fortify Static Code Analyzer is popular among the large enterprise segment, accounting for 73% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 30% of all views.

Buyer's Guide

Fortify Static Code Analyzer

November 2024

Get the report

Helped 814,649 peers since 2012

Featured reviews

Vishal Dhamke

Vice President Application Security North America at BNP Paribas

Setting up Fortify Static Application Security Testing (SAST) involves several steps to ensure that the tool is correctly configured and integrated into your development workflow, for example: installation, license activation, user access and permissions, integration with the development environment, project configuration, custom rules and policies, etc. The initial setup is very easy. I have used the enterprise version and a standalone version. The enterprise version definitely takes an ample amount of time to deploy because it needs to have a server, other logistics, and a proper RBAC in place. The enterprise version would take an ample amount of time, but the standard version is just a few clicks. A team of four to five people is required for the maintenance, and frequent updates are required to keep all the signatures up to date. I would rate the setup a nine out of ten.

Read full review

Vishal Dhamke

Vice President Application Security North America at BNP Paribas

Setting up Fortify Static Application Security Testing (SAST) involves several steps to ensure that the tool is correctly configured and integrated into your development workflow say for instance Installation, License Activation, User Access and Permissions, Integration with Development Environment, Project Configuration, Custom Rules and Policies, etc. The initial setup is very easy, have used the enterprise version and a standalone version. The enterprise version definitely takes an ample amount of time to deploy because it needs to have a server along with other logistics in place along with a proper RBAC. The enterprise version would take an ample amount of time, but the standard version is just a few clicks. A team of four to five people is required for the maintenance and frequent updates are required to keep all the signatures up to date. I would rate the setup a nine out of ten.

Read full review

Maurizio Garofalo

Senior manager at a consultancy with 11-50 employees

They are one of the market leaders, according to Gartner's Magic Quadrant. We use Fortify to reduce application vulnerabilities significantly. In the test environment, we don't just use software code review. Before the use of Fortify, we would test the applications; however, using Fortify allows us to test internationally and to align with various compliance requirements, for example, European banking requirements. It offers efficiency in the deployment of the application. It makes code review much easier pre-deployment. The Fortify FOD Portal is quite useful. It helps centrally manage everything and provides us with a 360-degree view of our AppSec team. The solution truly supports the development team by giving a clear indication of vulnerabilities and providing suggestions on how to deal with vulnerabilities in a clear manner. There is a lot of useful analysis. It can help us map application libraries. The software security center, in terms of managing and tracking risks, is good. It's very consistent. In Italy, the culture of risk analysis is very low. However, it provides very clear reporting. It offers great mapping. It maps both the tests and the severity of the vulnerability. It can help support the goals of risk analysis and help prioritize tasks to deal properly with risk. It can support risk analysis effectively. The testing of the application portfolio is useful. It's also great for regulatory requests, including in the European community. The mapping of the application vulnerabilities provides us a way to respond according to risk. It's very simple to use Fortify. We can fully integrate with GitHub. However, we can also migrate in certain scenarios. We can prepare packages subject to analysis and send them to Fortify. It's not difficult. It's very simple. When Fortify is on-premises with GitHub, remediation is easy. They can suggest and resolve issues directly. Fortify can offer guidance to the development team. So it's not only an identification tool, it's also a tool that can provide remediation for potential vulnerabilities. Now, in the European Union, it's mandatory to analyze software. Fortify has become a necessary product. We might have started using it before there was a regulatory need. However, we now must have something like Fortify in place. It helps us reduce risk exposure on applications through the discoverability of vulnerabilities and weaknesses. It's fully satisfactory. It ensures we are being fully compliant. We chose the solution as it is one of the market leaders, according to Gartner. We can only use the best in the market since it's so integral to our compliance requirements. It ensures we are always compliant with internal and external audits. Fortify does provide real-time feedback on security problems. However, we don't use, at the moment, the functionality of real-time vulnerability analysis during the developer's typing of the code. We check the code afterward. It's helped us free up staff time. We spend less time fixing software deployments. We've reduced the time to market of the implementation phase by 50%. We can test the applications faster, and we can support a number of projects with the same number of people.

Read full review

Fortify Static Code Analyzer mindshare

As of November 2024, the mindshare of Fortify Static Code Analyzer in the Static Code Analysis category stands at 23.2%, up from 18.9% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Static Code Analysis

Key learnings from peers

Valuable Features

"Fortify Static Code Analyzer's most valuable features are its ability to provide best practices for fixing code and its examples and capabilities to address security problems in the code. It effectively identifies security vulnerabilities by analyzing the code and offering insights on improving it."
"The most valuable features include its ability to detect vulnerabilities accurately and its integration with our CI/CD pipeline."
"Integrating the Fortify Static Code Analyzer into our software development lifecycle was straightforward. It highlights important information beyond just syntax errors. It identifies issues like password credentials and access keys embedded in the code."

Room for Improvement

"False positives need improvement in the future. Fortify's vulnerability remediation guidance helps improve code security, but I think they need to improve the focus of the solution, as it stillcontains many bugs and needs a thorough review."
"Streamlining the upgrade process and enhancing compatibility would make it easier for us to keep our security tools up-to-date."
"The product shows false positives for Python applications."

Pricing

"I rate the pricing of Fortify Static Code Analyzer as a seven out of ten since it is a bit expensive."
"The setup costs and pricing for Fortify may vary depending on the organization's needs and requirements."
"Although I am not responsible for the budget, Fortify SAST is expensive."

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Fortify Static Code Analyzer Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Financial Services Firm

30%

Computer Software Company

13%

Manufacturing Company

11%

Government

Real Estate/Law Firm

Insurance Company

Healthcare Company

Energy/Utilities Company

University

Retailer

Educational Organization

Comms Service Provider

Media Company

Construction Company

Transportation Company

Aerospace/Defense Firm

Non Profit

Wholesaler/Distributor

Legal Firm

Hospitality Company

Marketing Services Firm

Consumer Goods Company

Outsourcing Company

Performing Arts

Logistics Company

Compare Fortify Static Code Analyzer with alternative products

Learn more about Fortify Static Code Analyzer

Fortify Static Code Analyzer Benefits

CI/CD pipeline security: Fortify SCA integrates well with third-party tools such as ALM Octane, Atlassian Bamboo, Azure DevOps, Eclipse, Jenkins, and Jira. It offers real-time scan results, immediate recommendations, and collaborative auditing, and finds threats faster. It also discovers and prioritizes weaknesses to reduce risk.
Cost-effective: Improves coding actions by training users as they work to better understand the relationship of static application security testing (SAST). Fortify SCA is able to find more vulnerabilities than other solutions and delivers significantly fewer false positives.
Quick and reliable scanning: Fortify SCA will discover and eradicate weaknesses in byte, binary, or source code. SAST is able to stop the bulk of code issues at the start of development. The solution is able to discover 815 specific categories of risk, works through 27 programming languages and more than one million different APIs. Fortify SCA has a positive rate of 100% in the OWASP 1.2 benchmark.

Fortify Static Code Analyzer Features

Flexible deployment: Using Fortify On Demand, users can work in a complete SaaS environment. Fortify Hosted allows users to use on-premises and SaaS to work in a secure virtual space with complete control. Fortify-On-Prem gives users absolute control of the Fortify SCA solution.
Security assistant: Users have an interactive guide as they create code that provides risk analysis and anticipated outcomes. Security Assistant is an outstanding immediate feedback tool that gives instant results with significantly fewer false positives.
Audit assistant: This feature uses machine learning to reduce manual audit time while prioritizing the most important risks to users' networks. It provides automated audits in minutes. Any manual examinations are reduced, all issues are prioritized in accordance with organizational needs, and Fortify SCA consistently provides audit results to all projects.

Results from Real Users

“Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it's notifying us and does not allow us to pass the DevOps pipeline. If it finds everything's perfect, as per our given guidelines, then it is allowing us to go ahead and start it, and we are able to deploy it.” - Arun D., Senior Architect at a healthcare company.

“Its flexibility is most valuable. It is such a flexible tool. It can be implemented in a number of ways. It can do anything you want it to do. It can be fully automated within a DevOps pipeline. It can also be used in an ad hoc, special test case scenario and anywhere in between.” - Tom H., Director of Security at Merito

Fortify Static Code Analyzer was previously known as Fortify Static Code Analysis SAST.