Try our new research platform with insights from 80,000+ expert users
Project Manager at Everis
Real User
Great cost benefit with good stability and reduces exposure and remediation issues
Pros and Cons
  • "The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation."
  • "There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes."

What is our primary use case?

We're implementing DevSecOps in Fortify only a part of the big picture. We are implementing the entire secure development lifecycle.

What is most valuable?

The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation.

What needs improvement?

There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes.

The initial setup is a bit complex.

We could have more detailed documentation. They could offer some quick start or some extra guidance regarding the implementation.

I'd like to see more interactive application security And more IDE integration and integration with VS Code and Eclipse. I would like to see more features of this kind.

For how long have I used the solution?

I've used this solution over the last 12 months at least.

Buyer's Guide
Fortify on Demand
December 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,053 professionals have used our research since 2012.

What do I think about the stability of the solution?

The solution is stable. It's reliable. It doesn't crash or freeze. There aren't bugs or glitches.

What do I think about the scalability of the solution?

We haven't tried to scale the solution just yet. As we didn't take the SaaS solution, scalability may be limited for us. I'm unsure. I can't really comment on that.

Currently, we have about 20 people on the development team.

Right now, we don't plan to increase usage.

How are customer service and support?

The technical support is fine, however, it would be very helpful, especially during implementation, if there was more documentation and help surrounding setup.

Which solution did I use previously and why did I switch?

We did not use a different solution previously. Before we had this solution, we were just evaluating other solutions and looking at the costs, and trying to bring in something newer, like an integrated automated secure stack, or something like that.

How was the initial setup?

We found that the initial setup a bit complex. It's not exactly straightforward. For a newbie, there's a learning curve, and that can slow things down a bit.

Our deployment took about three to four months.

What about the implementation team?

We only deployed in our company and we didn't use a consultant or integrator. We handled it completely in-house.

What was our ROI?

At this time, I don't have an answer on the return of investment. As far as I can see, it's necessary. If we got exposed or had a data leak it would cost the company dearly. With that in mind, while I can see there's an ROI, I can't provide an exact number.

What's my experience with pricing, setup cost, and licensing?

We pay for licensing. We do pay an extra cost for implementing the infrastructure into the cloud. 

Which other solutions did I evaluate?

I've briefly looked at Kiuwan and compared it to this solution. We also looked at Veracode.

What other advice do I have?

We're just a customer and we offer consulting services.

We are bringing up all the infrastructure inside GCP. It's not ready yet, and we're still implementing it. We're going to bring it up next week, probably, in terms of the infrastructure. We'll perform the SSC installation, install the controller and sensors.

The most important thing a company needs to do is to pay attention to the license calculation. They need to know how many licenses are going to be used. They need to understand the Micro Focus offer. That way, you won't be charged if you have surpassed the application limit. This is very important. That's something we faced in the past that caused a lot of problems. We needed to estimate the sizing correctly of the infrastructure. Doing that will bring value to the builds and deployments. Otherwise, you're going to spend a lot of time doing the scanning, and the developers will be very mad.

I'd rate the solution ten out of ten. It's the best on the market for me.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Jason Lebrecht US - PeerSpot reviewer
Jason Lebrecht USSr. Manager 5G & MEC (Edge) Strategy at Verizon
Top 20Real User

Hello Fernando, great to see that the Fortify solution continues to provide value by reducing risk. Great honest review.



Jason Lebrecht

PeerSpot user
Sr. Manager 5G & MEC (Edge) Strategy at Verizon
Real User
Top 20
We can load the details and within a few days, receive the results of intrusion attacks, although it needs to have better packaged reporting capabilities.
Pros and Cons
  • "I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification"
  • "With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities."

How has it helped my organization?

The HP FoD effort allowed my client to utilize this service anytime their internal IT team was overwhelmed with workloads. FoD gives them an option to utilize the additional HP Services when they are overwhelmed with other IT Security needs across the company.

What is most valuable?

  • The ability to utilize the Client Portal, which provided my clients with a view of the project status, vulnerabilities and needed remediation steps in real-time
  • I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification
  • The process was easy to follow and we were supported by 24/7 by TAM personnel to help with any fire drills. This was helpful many times when I needed a quick answer late at night or early in the morning

What needs improvement?

  • I believe that sales packages should be posted for single applications, and packages of multiple applications. For example, we have one-time a package for single applications, and 12 month unlimited use for static and a package for static & dynamic testing. It would be nice to see packages posted for a single application, and groups of three, five, or 10 applications. More than 10 applications would need to be custom pricing like you have today.
  • I would like it to be easier to understand, and have better packaged reporting capabilities. For most of the reporting I needed, I exported to Excel and then had to produce more visually accepted reports for Executive Clients. With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities.

What do I think about the stability of the solution?

Because the product is based on HP’s Fortify Platform, the product is great.

What do I think about the scalability of the solution?

I can’t answer this question appropriately yet as I only utilized the service for one application so far.

How are customer service and technical support?

Customer Service:

10/10 - Christine Bobba, Gerald and the whole TAM Team were very supportive. Stuart Ward does a great job running his TAM Team focused on customer service.

Technical Support:

Jason Powell was really support from a technical perspective. He was able to quickly gather the details we needed to resolve security issues with the code or set up.

Which solution did I use previously and why did I switch?

I’ve used Rapid7 and Qualys Security Solutions in Managed Service Environments for previous clients. Both are really good solutions, but I’ve not utilized any other On-Demand Solution.

I switched because my client uses HP as its core product set. I needed to use Fortify and the FoD Solution allowed me to be up and running within a few short days.

How was the initial setup?

Super easy deployment and usage of the scanning capabilities. The setup was straightforward, and the ability to enter data and start the correct scan was intuitive.

What was our ROI?

We did not charge for the product, we charged for our PMO Services to run the product.

What's my experience with pricing, setup cost, and licensing?

We used the one-time application, Security Scan Dynamic. I believe the original fee was $8,000.

I would suggest, and I have, that companies should utilize the 12 month unlimited test package.

Which other solutions did I evaluate?

I searched online and FoD allowed me the best opportunity for success due to my client’s timeline.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user897402 - PeerSpot reviewer
it_user897402Works at a comms service provider with 10,001+ employees
Real User

Thanks

Buyer's Guide
Fortify on Demand
December 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,053 professionals have used our research since 2012.
Angelo Quaglia - PeerSpot reviewer
Independent Professional at Studio Dott. Ing. Angelo Quaglia
Real User
Top 5
A fast, stable, and scalable solution that can be used to scan software
Pros and Cons
  • "The solution is very fast."
  • "The products must provide better integration with build tools."

What is our primary use case?

We use the solution to scan our software. We scan it at every build. We run the scans and read the reports.

What is most valuable?

The solution is very fast.

What needs improvement?

The products must provide better integration with build tools. In SonarQube scans, the pull requests are decorated. I don't know if it is a missing integration or a limitation, but I don't see the same feature in Fortify. The developer must be able to see whether the build has failed. I would like the pull request to be decorated like SonarQube. It's just not the same experience with Fortify.

I have a problem with the Java version because our projects now use OpenJDK 7 or 17, but the scan still requires JDK 1.8. It is a problem for me, and I don't know how to change it.

For how long have I used the solution?

I have been using the solution for a couple of months.

What do I think about the stability of the solution?

The tool is stable. I have no problem with it. I rate the stability a nine out of ten.

What do I think about the scalability of the solution?

My team has started using it recently. I rate the tool’s scalability a nine out of ten. We don't have any issues whatsoever.

What other advice do I have?

My organization has been using the solution for at least four years. I don’t deal with technical support directly. I would recommend the solution to others. We are dealing with some issues with the report.

The reports might be meaningful, but they sometimes do not match the situation. We cannot really deal with them. We don't know if they are false positives or if they're simply not relevant because they concern vulnerabilities in the development cycle and not in the production operations. It is sort of a mystery. Overall, I rate the tool an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
ShubhamJoshi - PeerSpot reviewer
Senior Software Engineer at a consultancy with 10,001+ employees
Real User
Speedy and efficient but lacks ability to scan executable files
Pros and Cons
  • "Speed and efficiency are great features."
  • "Takes up a lot of resources which can slow things down."

What is our primary use case?

Our use case of Fortify is for the more than 200 applications that we need to certify as a security team. We certify them for all possible vulnerabilities using Micro Focus to check codes for vulnerabilities and then deploying to a reproduction environment. Once all the vulnerabilities are fixed, we can proceed to production. So we're using it as a kind of DevSecOps model. We are customers of Micro Focus. 

What is most valuable?

To my mind, the best features of this product are its speed and efficiency. It covers a wide variety of languages and even has an option for checking different Java versions.

What needs improvement?

Micro Focus is a bit heavy on resources and uses up a lot of my RAM. My machine tends to slow down when I use it. A beneficial additional feature would be scanning executable files. Currently, it scans the uncompiled code only. I'd also like to see support for additional languages and support for scanning libraries whether they're outdated or not. The solution scans for security vulnerabilities but not for outdated versions or policy violations.

For how long have I used the solution?

I've been using this solution for eight months. 

What do I think about the stability of the solution?

This is a stable product. 

What do I think about the scalability of the solution?

Scalability is lacking in the sense that I cannot run multiple scans at once. It only accepts one scan at a time. On the other hand, if I want to scan two 3GB programs, it will handle that.

How are customer service and support?

We've only contacted customer support once when we had a problem with an update. They were helpful and resolved the issue. 

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is moderately complex and takes a couple of hours. We have 20 users who are developers and ops staff. 

Which other solutions did I evaluate?

We carried out a POC on multiple products and Fortify came out on top.

What other advice do I have?

If you're a beginner, give Fortify a go. If you're a professional, it might be worth looking at other tools because Fortify does have limitations when it comes to scalability and executable codes.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Yash Brahmani - PeerSpot reviewer
Devops Engineer at BNP Paribas
Real User
The vulnerability detection and scanning features are solid
Pros and Cons
  • "The vulnerability detection and scanning are awesome features."
  • "The UI could be better. Fortify should also suggest new packages in the product that can be upgraded. Currently, it shows that, but it's not visible enough. In future versions, I would like more insights about the types of vulnerabilities and the pages associated with the exact CVE."

What is our primary use case?

We are the central team that manages Fortify end-to-end and provides it as a solution to internal users. We are using SonarQube for code review, but we use Fortify and Nexus IQ  for DevOps.

What is most valuable?

The vulnerability detection and scanning are awesome features. 

What needs improvement?

The UI could be better. Fortify should also suggest new packages in the product that can be upgraded. Currently, it shows that, but it's not visible enough. In future versions, I would like more insights about the types of vulnerabilities and the pages associated with the exact CVE. 

That will help us understand what's affecting the CVE. Initially, it's about finding the safer package version. Fortify should automatically recommend the safest version, so we can go to the vendor and request that. Once we identify the vulnerability, we can implement a remediation plan.

For how long have I used the solution?

We just started using Fortify on Demand. 

What do I think about the stability of the solution?

Fortify is stable.

What do I think about the scalability of the solution?

Fortify is scalable enough. We have 10,000-plus users on it.

How are customer service and support?

Micro Focus support is slow, and they should improve that.

Which solution did I use previously and why did I switch?

We've been working with SonarQube for five years. SonarQube can show us the initial test and how your code is developed over time. It gives us insight into how a specific project is progressing. That's the great thing about SonarQube. Once the code goes into the Fortify or Nexus, it's mostly a safety check. SonarQube catches most of the vulnerabilities in Python at the development stage.

How was the initial setup?

The product itself is easy to set up, but establishing the necessary culture and structure is a bit complex. We need to develop a culture and create sub-teams within the teams. Each team needs a security coordinator who can relate what new things are coming in, such as CVEs or new scans that need to be done.

For maintenance, we have a team of two product owners who are heavily involved with the product itself. We have around three or four people with a good understanding of deploying and maintaining the solution.

What other advice do I have?

I rate Micro Focus Fortify on Demand eight out of 10. It's a great product, and I recommend it. You should deploy it as part of the TechOps implementation. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer2303070 - PeerSpot reviewer
Test Lead at a financial services firm with 10,001+ employees
Real User
Top 5
A highly trusted and comprehensive application security testing solution, known for its seamless integration, advanced technical capabilities, and reliability
Pros and Cons
  • "What stands out to me is the user-friendliness of each feature."
  • "It would be highly beneficial if Fortify on Demand incorporated runtime analysis, similar to how Contrast Security utilizes agents for proactive application security."

What is our primary use case?

We use it to scan the bank's applications systematically. This process aims to identify and address security vulnerabilities within the applications, ensuring the robustness of our security measures.

How has it helped my organization?

It stands out by generating fewer false positives which has a distinct advantage, as it translates to reduced remediation efforts, requiring less human resources and cost. The tool provides more accurate feedback to the development team, allowing them to focus their efforts on addressing genuine vulnerabilities efficiently.

What is most valuable?

I appreciate all the features, with a particular emphasis on their vulnerability scanner. For instance, in our environment where two-factor authentication is prevalent across many of our sites, the scanner efficiently identifies vulnerabilities, including those related to second-factor methods or mobile codes. What stands out to me is the user-friendliness of each feature. Given that we're a bank with multiple applications, having the flexibility to customize solutions according to the unique needs of each application is crucial.

What needs improvement?

It would be highly beneficial if Fortify on Demand incorporated runtime analysis, similar to how Contrast Security utilizes agents for proactive application security. This could enhance the solution significantly. Moreover, considering the evolving threat landscape and the inevitability of zero-day vulnerabilities, implementing mechanisms like heuristic approaches would be advantageous. By incorporating heuristic algorithms or leveraging artificial intelligence, especially in the form of behavioral analysis akin to network security practices, Fortify could evolve into a more resilient solution. This could involve heuristic analysis for source code, the introduction of AI-driven processes for enhanced security, and the identification of security hotspots.

For how long have I used the solution?

In this company, I have been using it for three months.

What do I think about the stability of the solution?

When it comes to stability, I haven't observed any issues such as crashes or performance issues during the scanning process. I would rate it ten out of ten.

What do I think about the scalability of the solution?

I would rate its scalability capabilities nine out of ten. Our approach involves a centralized team, and we conduct scans across all applications within UBS. Throughout my experience, we've successfully scanned 150 applications.

What about the implementation team?

The ability to install software often depends on individual circumstances. In my case, coming from a security background, the machines provided in our company are typically set up by the network or DevOps team.

What's my experience with pricing, setup cost, and licensing?

Despite being on the higher end in terms of cost, the biggest value lies in its abilities, including robust features, seamless integration, and high-quality findings.

Which other solutions did I evaluate?

We were considering upgrading to the enterprise level, given the need for a robust solution in the banking environment. During this evaluation, we compared Netsparker, Burp Suite, and Fortify. After conducting a proof of concept (POC) that involved testing APIs, websites, and infrastructure arrangements, we presented our analysis to management. Ultimately, Fortify was selected as the preferred choice.

What other advice do I have?

With over 12 years in application security, I've consistently observed the adoption of Fortify in major organizations like Cognizant, Barclays, and Credit Suisse. Across large banks in Europe, Fortify has established a reputation for reliability and effectiveness. Drawing on my experience, I am confident that organizations with clear problem statements and no budget constraints will find Fortify to be a comprehensive solution. Its technical capabilities and features align well with the diverse needs of large organizations in the banking sector. Overall, I would rate it ten out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Prasenjit Roy - PeerSpot reviewer
Sr. Cloud Solution Architect - SAP on Azure at Accenture
Real User
Has a good user interface but code technology needs improvement
Pros and Cons
  • "The user interface is good."
  • "There are lots of limitations with code technology. It cannot scan .net properly either."

What is our primary use case?

We use it as the source for code review for static code analysis.

What is most valuable?

The user interface is good.

What needs improvement?

There are lots of limitations with code technology. It cannot scan .net properly either.

For how long have I used the solution?

I've been using it for the last five to six years.

How was the initial setup?

The initial setup of this solution on-premises is easy; however, we have had difficulties installing it online in our clients' environments.

What about the implementation team?

We used both in-house and vendor teams for deployment.

What other advice do I have?

On a scale from one to ten, I would rate Micro Focus Fortify on Demand at five because we get better scan results from other tools.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer1610562 - PeerSpot reviewer
Director at a healthcare company with 10,001+ employees
Real User
Top 5
Useful for security code scans but needs to work on the false positives
Pros and Cons
  • "I use the solution in my company for security code scans."
  • "The product has a lot of false positives."

What is our primary use case?

I use the solution in my company for security code scans.

What needs improvement?

The product has a lot of false positives. If the outputs can have fewer false positives, then that will be the greatest benefit the tool can offer.

For how long have I used the solution?

I have experience with Fortify on Demand. I manage the product in my company.

How are customer service and support?

The solution's technical support is okay and not outstanding.

Which other solutions did I evaluate?

It is a costly process to evaluate tools.

What other advice do I have?

I rate the tool a six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Buyer's Guide
Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.
Updated: December 2024
Buyer's Guide
Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.