Jan 11, 2019
I think the benefit of Fortify on Demand is that it covers all the scan types: DAST, SAST. RASP, and Mobile. The research team that builds the vuln database is solid and well-staffed.
OpenText Core Application Security and SonarQube engage in the application security sector. SonarQube possesses the upper hand due to its extensive feature set and strong community backing.
Features: OpenText Core Application Security enables rapid compliance with guided static and dynamic analysis, cloud-based operation for flexibility, and enhanced dashboard utility. SonarQube supports wide language varieties, excels in project management, and offers advanced code quality insights with robust CI/CD integrations.
Room for Improvement: OpenText could enhance reporting visuals, reduce false positives, and quicken new tech support. SonarQube can improve integration ease in development pipelines, expand dynamic analysis, and minimize false positives.
Ease of Deployment and Customer Service: OpenText provides flexible deployment across on-premises and cloud configurations, but support varies in response speed. SonarQube operates reliably across diverse environments, though its documentation might be improved. Its support is often rated highly by users.
Pricing and ROI: OpenText's pricing is seen as high but compensates with robust security performance, offering a substantial ROI by lowering security risks. SonarQube offers cost-effective solutions, with free community editions beneficial for budget-conscious operations, although some express concerns over lines-of-code licensing expenses.
It is easily integrable with the CI/CD pipeline and supports multiple projects with its extensive plugin options.
I have seen a return on the investment from SonarQube Server (formerly SonarQube) because the value it adds relates to static code analysis and vulnerability assessments needed for our FDA approval process.
We see productivity increasing based on the fact that the code review is mostly automated, allowing the developer to fix the code themselves before assigning it to someone else to review, thus receiving that ROI.
Support tickets often stay open for one month to three months, which leads to customer frustration.
I had direct interaction with them, which facilitated how we onboarded Fortify.
The community support is quite effective.
The customer service and support for SonarQube Cloud are responsive and helpful.
Integrating it into different solutions is straightforward.
If a customer wants to know the tools and the technology used for their application to scan their application, they provide less information on that.
There are limitations, and it seems to have fewer capabilities than Veracode.
It has been used in multiple projects and performs well.
I would rate the scalability of SonarQube Server as a 10 because we can configure the server to scan multiple projects based on the number of lines.
I think SonarQube Server (formerly SonarQube) is stable, and we did not face any problems unless there was a power outage or if the LAN cable was plugged out.
From my team's feedback, it is almost an eight out of ten.
It is a quite stable solution.
It would be beneficial if Fortify could check for CVEs (Common Vulnerabilities and Exposures) in third-party libraries, which I currently use a separate dependency checker tool for.
One thing I would highlight is if Fortify can focus more on the centralized dashboard of the tools because nowadays, tools such as SentinelOne also exist for identifying security issues, but they have a centralized dashboard that merges their cloud solution and application security side solution together.
It would be better for Fortify on Demand if they could analyze not only the security pillar but also maintainability, portability, and reliability, covering all pillars of ISO 25000.
I would like to see SonarQube Cloud provide more detailed solutions for fixing code issues, especially solutions related to CVEs.
I need a solution that can bring together three key areas: vulnerabilities, static scanning, and misarchitecture.
Static code analysis is good, but the product lacks dynamic code scanning capabilities, an area where Veracode excels.
I would rate the pricing for SonarQube Server (formerly SonarQube) as an 8, where 1 is very cheap and 10 is very expensive, because Coverity is very expensive, and while SonarQube is not cheap, it is still less expensive than Coverity.
They always offer around a two-year contract, but we always take a one-year contract because it's expensive.
The freemium version of SonarQube Server offers excellent value, especially compared to the high costs of Snyk.
Fortify helps me find serious issues, such as developers inadvertently leaving access tokens, including API access tokens, in the source code.
On demand you have two levels of reports: the first from the tool, which is the same as we can get from Fortify on-premises, and a next level reporting made by experts from OpenText, leading to a more condensed and precise report as level three.
Additionally, you can integrate Fortify in CICD pipeline, so you get real-time updates about the security issues in your pipeline.
Some of the static code analysis capabilities are the most beneficial.
I find SonarQube Cloud very easy to use and simple to integrate initially.
It gives precise reports compared to Coverity and has a slightly lower number of false positives.
| Product | Market Share (%) |
|---|---|
| SonarQube | 17.9% |
| OpenText Core Application Security | 3.2% |
| Other | 78.9% |
| Company Size | Count |
|---|---|
| Small Business | 17 |
| Midsize Enterprise | 8 |
| Large Enterprise | 44 |
| Company Size | Count |
|---|---|
| Small Business | 41 |
| Midsize Enterprise | 24 |
| Large Enterprise | 79 |
OpenText Core Application Security offers robust features like static and dynamic scanning, real-time vulnerability tracking, and seamless integration with development platforms, designed to enhance code security and reduce operational costs.
OpenText Core Application Security is a cloud-based, on-demand service providing accurate and deep scanning capabilities with detailed reporting. Its integrations with development platforms ensure an enhanced security layer in the development lifecycle, benefiting users by lowering operational costs and facilitating efficient remediation. The platform addresses needs for intuitive interfaces, API support, and comprehensive vulnerability assessments, helping improve code security and accelerate time-to-market. Despite its strengths, challenges exist around false positives, report clarity, and language support, alongside confusing pricing and package options. Enhancements are sought in areas like CI/CD pipeline configuration, report visualization, scan times, and integration with third-party tools such as GitLab, container scanning, and software composition analysis.
What features define OpenText Core Application Security?Industries like mobile applications, e-commerce, and banking leverage OpenText Core Application Security for its ability to identify vulnerabilities such as SQL injections. Integrating seamlessly with DevSecOps and security auditing processes, this tool supports developers in writing safer code, ensuring secure application deployment and enhancing software assurance.
SonarQube provides comprehensive support for multi-language development, custom coding rules, and quality gates, integrated seamlessly into CI/CD pipelines. It empowers teams with clear insights through intuitive dashboards, identifying vulnerabilities, code smells, and technical debt.
SonarQube is renowned for its extensive capabilities in static code analysis, making it an invaluable tool for maintaining code quality. By fully integrating into development processes, it allows organizations to manage vulnerabilities and ensure compliance with coding standards. Its extensive community and open-source roots contribute to its accessibility, while robust dashboards facilitate code quality monitoring. Despite its strengths, feedback suggests enhancing analysis speed, better integration with DevOps tools, and refining the user interface. Users also point to the need for handling false positives effectively and expanding on AI-based features for dynamic code analysis.
What are SonarQube's main features?In industries like finance and healthcare, SonarQube aids in obtaining regulatory compliance through rigorous code quality assessments. It is implemented to enhance cybersecurity by identifying potential vulnerabilities, while ensuring code meets the stringent standards demanded in these fields. As part of a broader development ecosystem, its integration in CI/CD pipelines ensures smooth and efficient software delivery, catering to phases from code inception to deployment, effectively supporting large-scale and critical software applications.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
