Try our new research platform with insights from 80,000+ expert users
Vice President - Solution Architecture at a financial services firm with 10,001+ employees
Real User
Easy to use and the reporting is good, but does not support dynamic application security testing
Pros and Cons
  • "Fortify on Demand is easy to use and the reporting is good."
  • "The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood."

What is our primary use case?

We are using Fortify on Demand as a static code analyzer. As it scans each application, it checks each line of code. When we are developing mobile applications there might be some kind of security vulnerability. One example is a check to see if information that is being transferred is not encrypted because this would be vulnerable to hackers who are trying to break into the system. We also look at whether were are using the network transport layer security.

Our overall goal at this time is to protect our mobile app because it is one of the ways that hackers can break into the system. 

What is most valuable?

Fortify on Demand is easy to use and the reporting is good.

As for the static code analysis functionality, it is doing the job that it is supposed to do. 

What needs improvement?

This solution cannot do dynamic application security testing. It needs to be able to simulate a situation where a hacker is trying to break into the system.

The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood. Adding more information to provide a better analysis would be an improvement.

This solution would benefit from having more customization available for the reports. 

For how long have I used the solution?

We have been evaluating Fortify on Demand for close to a year.

Buyer's Guide
Fortify on Demand
December 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.

What do I think about the stability of the solution?

Fortify on Demand has been stable from what I have seen. We have not had any problem with the reports, and we have not seen any instability or glitches.

What do I think about the scalability of the solution?

In our trial, there are seven or eight applications that are relying on this solution. Different departments in our company have their own technology centers in different locations, and I am not aware of what the other departments are doing.

How are customer service and support?

I have not interacted with the Fortify on Demand technical support team directly. Our own infrastructure support is the group that would deal with them. My team only communicates with our internal support.

Which solution did I use previously and why did I switch?

We did not use another solution prior to starting our evaluation that includes Fortify on Demand. People were relying on some open-source static code analyzers. However, I don't think that it was very reliable.

How was the initial setup?

My understanding is the this is not a difficult solution to manage and maintain.

What about the implementation team?

Our server infrastructure team handles the deployment and maintenance of this solution. They update it regularly as patches or new versions are released. They look into all of the tools that we use and perform the installation, as well as manage them.

Which other solutions did I evaluate?

We are currently using WebInspect but it does not satisfy all of our requirements. We are continuing to research other tools from other vendors, including open-source technologies. We have not fully decided yet. Before deciding on any product or vendor, we have to look at the whole cost of procuring the product license, as well as the recurring cost.

What other advice do I have?

Fortify on Demand is a product that I recommend but the suitability of this solution depends on exactly what the requirements are. Every product has a unique feature as well as limitations with respect to what it can and can not do. What it comes down to is how the application is built, as well as the technology stack. The licensing costs are also something that needs to be considered.

Overall, it is a very good tool and it works well for what it is designed for. 

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Enterprise Systems Analyst at a manufacturing company with 10,001+ employees
Real User
Scans run in the background and security analysts are available if an issue comes up
Pros and Cons
  • "One of the valuable features is the ability to submit your code and have it run in the background. Then, if something comes up that is more specific, you have the security analyst who can jump in and help, if needed."
  • "It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers."
  • "If you have a continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time."

What is our primary use case?

We use it for externally exposed applications that we want to scan before releasing them to production. As you can imagine, it's important to make sure they're secure and that we will not be exposed. For internal apps, we use other static code scanning, primarily SonarQube. But Fortify on Demand is for externally exposed applications.

How has it helped my organization?

Because of the kind of products we deal with, and the kind of customers we have, we have really specific security requirements and practices we need to follow, specifically applying to our SDLC. Our SDLC dictates that we have security scanning, and that improves our code quality. Thankfully, we have never had any kind of serious security flaw or any kind of deviation of the process. We can certainly account for that because of the security tools and analysis that we have prior to moving code to production.

What is most valuable?

One of the valuable features is the ability to submit your code and have it run in the background. Then, if something comes up that is more specific, you have the security analyst who can jump in and help, if needed. I think that's really useful.

What needs improvement?

It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers. That's one of the reasons we don't use it throughout the company and for all our applications, only for the ones we judge to be most important.

Also, if you have a continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time. 

And it's too expensive to afford to run it for every application all the time. That's certainly something that requires improvement.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

I haven't really encountered any issues with stability.

What do I think about the scalability of the solution?

No issues with scalability. It has been able to handle all our workload so far.

How are customer service and technical support?

Our experience with tech support has been good. We haven't needed support that much but whatever we needed we were able to find on their website. There were a couple of things regarding the licensing and payment that we had to get some help with. But it was quick and easy.

Which solution did I use previously and why did I switch?

We didn't have a previous solution. We researched a couple of the tools, but we ended up using Fortify because of the comprehensive scans they have, and mainly because they are focused on the kind of apps that we have and the kind of requirements we have. They are able to cover most of the standards and practices that we need to adhere to.

How was the initial setup?

The initial setup was straightforward. We had onsite training from HPE to help set up the local environment and first scans, and that was helpful.

What's my experience with pricing, setup cost, and licensing?

The subscription model, on a per-scan basis, is a bit expensive. That's another reason we are not using it for all the apps. That subscription model is probably something that needs improvement.

Which other solutions did I evaluate?

We looked at CheckMarkx and SonarQube Enterprise. As I said, we are currently using SonarQube for other apps, but we use the open-source version. We tried to use the Enterprise version but it didn't cover all the aspects that we needed it to cover.

What other advice do I have?

Understand what you want to get out of it and be sure to fully understand what you will be paying per scan if you go for the subscription model. As I said, having to scan hundreds or thousands of apps using that subscription model and doing that several times a week, or several times a day, may increase your costs. That might be something that you need to look at.

I rate it at nine out of 10. It's not a 10 because of the cost model, it's a bit pricey, and the slowness, it could be a little bit faster. I understand the reasons why but you just need to be aware before you start using it that the local scan won't be as fast as the static code scan.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Fernando Vizer - PeerSpot reviewer
Fernando VizerSenior Information Technology Architect at a computer software company with 11-50 employees
Real User

I did a scan, discovered the default only includes critical and high issues, then when I requested to include medium and low ranked issues, they ask me to pay again for a scan. It is annoying and will force me to look for a competitor. It is this way even if it is the same code I already uploaded.

Buyer's Guide
Fortify on Demand
December 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
Harkamal-Singh - PeerSpot reviewer
Solution architect at NTT
Real User
Beneficial functionality, pinpoints issues for resolution, but interface could improve
Pros and Cons
  • "The most valuable feature of Micro Focus Fortify on Demand is the information it can provide. There is quite a lot of information. It can pinpoint right down to where the problem is, allowing you to know where to fix it. Overall the features are easy to use, you don't have to be a coder. You can be a manager, or in IT operations, et cetera, anyone can use it. It is quite a well-rounded functional solution."
  • "Micro Focus Fortify on Demand could improve the user interface by making it more user-friendly."

What is our primary use case?

Micro Focus Fortify on Demand is used for detecting vulnerabilities in code, looking at libraries, and finding where there are vulnerabilities within unpatched code.

What is most valuable?

The most valuable feature of Micro Focus Fortify on Demand is the information it can provide. There is quite a lot of information. It can pinpoint right down to where the problem is, allowing you to know where to fix it. Overall the features are easy to use, you don't have to be a coder. You can be a manager, or in IT operations, et cetera, anyone can use it. It is quite a well-rounded functional solution.

The allocations to different members of a team are good. If you find a problem, you can delegate the task to patch the particular code.

What needs improvement?

Micro Focus Fortify on Demand could improve the user interface by making it more user-friendly.

For how long have I used the solution?

I have been using Micro Focus Fortify on Demand for approximately two years.

What do I think about the stability of the solution?

I have found Micro Focus Fortify on Demand stable.

What do I think about the scalability of the solution?

Micro Focus Fortify on Demand is a scalable solution.

We have several customers using this solution. There are approximately 1,000 developers using the solution.

How are customer service and support?

The support from Micro Focus Fortify on Demand is great. They have been very good to answer our questions. They have their own Fortify on Demand team and they will help you resolve your problems.

How was the initial setup?

The initial setup is straightforward. 

The installation can take a couple of hours depending on what the deployment is, such as, on cloud or on-premise. Additionally, the size of the code that will be put on the system can impact the time, but it does not take long. 

What about the implementation team?

We did the implementation ourselves. I was able to use YouTube to help me with the process, there's quite a lot of information on there with Micro Focus going through tutorials on how to use the solution. 

What's my experience with pricing, setup cost, and licensing?

The pricing model it's based on how many applications you wish to scan.

Which other solutions did I evaluate?

I have evaluated other solutions, such as Contrast Security.

What other advice do I have?

I would recommend Micro Focus Fortify on Demand to others.

I rate Micro Focus Fortify on Demand a seven out of ten.

The reason why I've rated the solution a seven is because there are other solutions, such as Contrast Security which are further developing in IS, and some better technology with current scalability or in the security software area.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior System Analyst at Azurian
Real User
Makes it easy to discover hidden vulnerabilities in our open source libraries
Pros and Cons
  • "One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that."
  • "During development, when our developer makes changes to their code, they typically use GitHub or GitLab to track those changes. However, proper integration between Fortify on Demand and GitHub and GitLab is not there yet. Improved integration would be very valuable to us."

What is our primary use case?

We create technology solutions for clients and on one project we were requested to use Fortify on Demand after the client had read a good report about it. They sent us the report and recommended its use.

In this case, we were using Java to program the client's solution and so we used Fortify on Demand alongside our Java development operations, for the purpose of improving the application's security.

The work we were doing for the client involved creating a billing system that they would use to manage payments and taxes for other companies in Chile. We've only used Fortify on Demand for this one client so far. 

Because Fortify on Demand was so new to us, we decided to go with the trial version first and figure out the costing at a later stage.

How has it helped my organization?

Fortify on Demand has helped us more easily ensure the security of our client's application, which works with sensitive information such as payments and taxation. Without it, we would have to spend much more time finding hidden weaknesses in our code.

What is most valuable?

One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that.

Another reason I like Fortify on Demand is because our code often includes open source libraries, and it's important to know when the library is outdated or if it has any known vulnerabilities in it. This information is important to us when we're developing our solutions and Fortify on Demand informs us when it detects any vulnerable open source libraries.

What needs improvement?

During development, when our developer makes changes to their code, they typically use GitHub or GitLab to track those changes. However, proper integration between Fortify on Demand and GitHub and GitLab is not there yet. Improved integration would be very valuable to us.

Similarly, I would love to see some kind of tracing solution for use in stress testing. So when we stress the application on a certain page or on a certain platform, we would be able to see a complete stress test report which could quickly tell us about weak points or failures in the application. 

Further potential for improvement is that, when we deploy our Java WAR files for review in the QA area, we want to be able to create a report in Fortify on Demand right from within this deployment stage. So it might inspect or check the solution's Java WAR package directly and come up with a report in this crucial phase of QA. 

For how long have I used the solution?

I have been using Fortify on Demand for about a month or so. 

What do I think about the stability of the solution?

Overall, we have not had any issues with stability, although we have not used it for very long.

What do I think about the scalability of the solution?

We have had no problems with scalability in our current use case, which is only one client at the moment. As a cloud service, it has satisfied our requirements well and we haven't had any situations where scalability is an issue.

How are customer service and technical support?

When we sent a question about the product to their support team, we had to wait a while but they did send us a response eventually. I think that they could work on reacting faster to support questions.

Which solution did I use previously and why did I switch?

We have also tried SonarQube, but Fortify on Demand appealed to us more due to their source code review with emphasis on open source vulnerabilities. Fortify seems stronger in that aspect and we like to use many open source libraries in our work. 

How was the initial setup?

The setup is easy and it only takes about 30 minutes to perform a basic code review in Java when dealing with WAR files.

It can get more complicated when you want to fine-tune the reporting interface to give only the details that you want to see. This is because the initial configuration depends on other variables like the scope of the review, the client's preferences, the technician's preferences, and other factors.

When it comes to launching Fortify on Demand and connecting it to our codebase, it's quite easy. Getting quick reviews done on WAR files is a relatively simple procedure.

What about the implementation team?

Our company implements Fortify on Demand ourselves on behalf of our client. When the client requests any changes, we then implement it for them.

What's my experience with pricing, setup cost, and licensing?

We are still using the trial version at this point but I can already see from the trial version alone that it is a good product. For others, I would say that Fortify on Demand might look expensive at the beginning, but it is very powerful and so you shouldn't be put off by the price.

In our case, we are constrained by the client's budget, but others might find that the price is not too bad. It all depends on the budget.

What other advice do I have?

For us, Fortify on Demand is a good quality product that I can recommend for a few reasons, including:

  • Very useful source code review and vulnerability detection.
  • Clear and easy-to-read test results and reports.
  • Good integration with other platforms during development.

I would rate Fortify on Demand a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Vishal Karanjkar - PeerSpot reviewer
Site Head - IOT NW Products & Solutions at Itron, Inc.
Real User
Beneficial report results, reliable, and scalable
Pros and Cons
  • "While using Micro Focus Fortify on Demand we have been very happy with the results and findings."
  • "Micro Focus Fortify on Demand could improve the reports. They could benefit from being more user-friendly and intuitive."

What is our primary use case?

Micro Focus Fortify on Demand can be deployed on-premise or in the cloud.

We are mainly using Micro Focus Fortify on Demand for security.

What is most valuable?

While using Micro Focus Fortify on Demand we have been very happy with the results and findings.

What needs improvement?

Micro Focus Fortify on Demand could improve the reports. They could benefit from being more user-friendly and intuitive.

For how long have I used the solution?

I have been using Micro Focus Fortify on Demand for approximately five years.

What do I think about the stability of the solution?

The stability of Micro Focus Fortify on Demand is good. I did not face any problems. If we had 100 products then we would have many teams using it.

We have some expansion plans and once that falls in place may increase the number of users using Micro Focus Fortify on Demand.

What do I think about the scalability of the solution?

Micro Focus Fortify on Demand is scalable. Our product team was using the solution but not all of them

How are customer service and support?

We did not need to contact support because we did not have any problems.

Which solution did I use previously and why did I switch?

We have used many different solutions five years ago.

What about the implementation team?

Micro Focus Fortify on Demand was implemented and managed by our IT team.

What's my experience with pricing, setup cost, and licensing?

Micro Focus Fortify on Demand licenses are managed by our IT team and the license model is user-based.

What other advice do I have?

I would recommend the solution to others.

I rate Micro Focus Fortify on Demand a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user512112 - PeerSpot reviewer
Technical Lead at a tech services company with 10,001+ employees
Real User
Our client uses the audit workbench for on-the-fly defect auditing. .NET code scanning is still dependent on building the code base before running any scan.
Pros and Cons
  • "Audit workbench: for on-the-fly defect auditing."
  • ".NET code scanning is still dependent on building the code base before running any scan. Also, it's dependent on an IDE such as Visual Studio."

How has it helped my organization?

Security defects are captured early in the lifecycle and fixed quicker. Usage of Fortify has made developers more aware about security vulnerabilities and their consequences, as well as various secure programming practices.

What is most valuable?

  • Scan wizard: for configuring large scans
  • Audit workbench: for on-the-fly defect auditing
  • CLI: to integrate the tool into CI/CD

What needs improvement?

.NET code scanning is still dependent on building the code base before running any scan. Also, it's dependent on an IDE such as Visual Studio.

More conventional reporting formats need to be provided.

Also, a provision should be available to generate customized reports.

What do I think about the stability of the solution?

For code bases heavy on JavaScript, the static scan takes a long time (as long as two days). Even then, the scan crashes at times. Increasing system memory doesn't seem to improve the situation (tried with 16/32 GB system memory).

It requires a high-end system with 8/16/32 GB RAM for stable performance.

How are customer service and technical support?

I haven't reached out to HP Support so far.

Which solution did I use previously and why did I switch?

I did not previously use any product for static application security.

How was the initial setup?

Initial setup is quite easy.

What's my experience with pricing, setup cost, and licensing?

Buying a license would be feasible for regular use. For intermittent use, the cloud-based option can be used (Fortify on Demand).

Which other solutions did I evaluate?

Before choosing this product, we evaluated Veracode and Checkmarx (among licensed), and FindBugs and Yasca (among free).

What other advice do I have?

If you are already using HPE tools and services such as ALM, then Fortify is a good option, as it provides out-of-the-box support for these. Scanning capability-wise, the tool is decent enough, and is also easy to use. However, it generates a large number of false positives after a scan, which can be tedious to verify manually.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
GM - Technology at a outsourcing company with 10,001+ employees
Real User
Effective security analysis, stable, but occasional false positives
Pros and Cons
  • "The most valuable features are the server, scanning, and it has helped identify issues with the security analysis."
  • "We typically do our bulk uploads of our scans with some automation at the end of the development cycle but the scanning can take a lot of time. If you were doing all of it at regular intervals it would still consume a lot of time. This could procedure could improve."

What is our primary use case?

We have an application sending service that we are providing to our customers and we are using Micro Focus Fortify on Demand to ensure our applications are secure. 

What is most valuable?

The most valuable features are the server, scanning, and it has helped identify issues with the security analysis.

What needs improvement?

We typically do our bulk uploads of our scans with some automation at the end of the development cycle but the scanning can take a lot of time. If you were doing all of it at regular intervals it would still consume a lot of time. This could procedure could improve.

We are receiving false positives. We then have to repeat the scan even though it is a false positive and tell it to ignore some of those issues. Some of the false positives could be a design issue which we will know, but they keep coming up on the report.

I have found the processes a bit cumbersome for the developers.

For how long have I used the solution?

I have been using this solution for approximately eight years.

What do I think about the stability of the solution?

I did not have any problems with the stability of this solution.

What do I think about the scalability of the solution?

The scalability is good.

How are customer service and technical support?

We did have some issues but we did not contact the technical support of Micro Focus.

How was the initial setup?

The initial setup was a medium effort, not too complex. However, the bulk scan uploads took time. Overall it took an average amount of time and it was easy to integrate and work with.

What's my experience with pricing, setup cost, and licensing?

The solution is a little expensive.

What other advice do I have?

I rate Micro Focus Fortify on Demand a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1263261 - PeerSpot reviewer
Sr. Enterprise Architect at a financial services firm with 5,001-10,000 employees
Real User
Good development platform integration promotes a culture of Security by design
Pros and Cons
  • "The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira."
  • "This solution would be improved if the code-quality perspective were added to it, on top of the security aspect."

What is our primary use case?

I have been using this solution to gain some perspective from different architectures for the security team. I do not use it every day. I do have an overview and it is integrated with our development platform.

I do work for our governance team, so whenever a project is coming I will review products. I need to connect with the project managers for testing them, and these tests include the vulnerability assessment along with other security efforts. One of the things that I suggest is using Micro Focus Fortify on Demand.

The primary use case is core scanning for different vulnerabilities, based on standards. It beings with an architect who designs a model on a security-risk advisor platform. Then you have an idea of what the obstacles are. Once the code is scanned according to standards, you figure out where the gaps are. The team then suggests what needs to be done to the code to fix the vulnerabilities. The process repeats after the code is fixed until all of the vulnerabilities have been eliminated.

When you take all of these things together, it is Security by design.

What is most valuable?

The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira. When a vulnerability is found then it is classified as a bug and sent to IT.

What needs improvement?

This solution would be improved if the code-quality perspective were added to it, on top of the security aspect. It would rate performance and other things. This is one of the reasons that people are interested in SonarQube. This would make it a more complete and unique platform that would be a great player in the industry.

For how long have I used the solution?

We have been using Micro Focus Fortify on Demand over the past four years.

What do I think about the stability of the solution?

This is a very stable solution. Once it is deployed there are not a lot of challenges.

What do I think about the scalability of the solution?

This platform is very much scalable in terms of integrating with other solutions.

We have about 600 developers, but I think that we have between 300 and 400 who using Fortify on Demand.

How are customer service and technical support?

I have not been in touch with technical support from the vendor.

Our technical support team is comprised of three people. Two of them help to demonstrate the product and instruct people on how it works. The other one is connected to the development team and can help with troubleshooting issues.

Which solution did I use previously and why did I switch?

We also use WebInspect, SonarQube, and other security tools in addition to this solution. The use of particular tools depends on the project and the project manager that I speak with.

Prior to working with Fortify on Demand, we worked using the code analysis capability in Microsoft Visual Studio. That is where you have things like the recommended best practices for .NET. It flags what lools like bugs.

How was the initial setup?

The initial setup was quite simple.

I performed the deployment a couple of times on different platforms and it did not take much effort to set up. I also did the integration with other platforms like Microsoft Information Server and it was quite easy. You just need to know the platform that you are integrating into.

When it came time to deploy, I just had to run through the documentation on the vendor's web site. I spent one day reading it and one the second day, I did my integration. It took about eight hours that day, and I had challenges but they came from the platform that I was integrating into, like Microsoft Information Server. There were things to be done, such as converting XML files. The next day I was able to fix the problems, so in total it took me between nine and twelve hours to integrate it.

The second time that I deployed this solution it took me not more than two or three hours to repeat all of these same steps.

What about the implementation team?

I had one person from Fortify to assist me with the deployment and integration with Microsoft Information Server. We also had some peers working with us. For example, I had the global head of security assurance working with me. Between us, we got everything working.

Which other solutions did I evaluate?

We did not evaluate other vendors beyond the solutions that we are using.

What other advice do I have?

My advice to anybody who is considering this solution is to first get buy-in from the entire organization about adopting a culture of Security by design. Fortify on Demand can scan your code, but you need to have plans in place for what needs to be done when problems are identified. It may mean that things will have to change with regards to how code is being written. It may also require integration with other platforms. You can't just start scanning without first understanding what the security architecture is. You need to understand the vulnerabilities and all of the standards, as well. Essentially, I would recommend a security design overhaul.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.
Updated: December 2024
Buyer's Guide
Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.