Security Systems Analyst at a retailer with 5,001-10,000 employees
An extremely scalable, flexible, and stable solution that reduces the overall risk and gives us assurance
Pros and Cons
- "Being able to reduce risk overall is a very valuable feature for us."
- "They have a release coming out, which is full of new features. Based on their roadmap, there's nothing that I would suggest for them to put in it that they haven't already suggested. However, I am a customer, so I always think the pricing is something that could be improved. I am working with them on that, and they're very flexible. They work with their customers and kind of tailor the product to the customer's needs. So far, I am very happy with what they're able to provide. Their subscriptions could use a little bit of a reworking, but that would be about it."
What is our primary use case?
All in-house developed code, or third-party code developed on our behalf, is scanned via Fortify on Demand. Any results for insecure code, vulnerabilities, or issues are passed back to the development teams for remediation.
How has it helped my organization?
Secure code is an important part of our day-to-day development activities. So, having code out there gives us some reasonable assurance that it is not vulnerable or open to attack. It certainly makes our overall risk posture better.
What is most valuable?
Being able to reduce risk overall is a very valuable feature for us.
What needs improvement?
They have a release coming out, which is full of new features. Based on their roadmap, there's nothing that I would suggest for them to put in it that they haven't already suggested. However, I am a customer, so I always think the pricing is something that could be improved. I am working with them on that, and they're very flexible. They work with their customers and kind of tailor the product to the customer's needs. So far, I am very happy with what they're able to provide. Their subscriptions could use a little bit of a reworking, but that would be about it.
Buyer's Guide
Fortify on Demand
November 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
What do I think about the stability of the solution?
It is a very stable product. They are constantly updating and keeping it up to date. There are no issues.
What do I think about the scalability of the solution?
It is extremely scalable and flexible. We scan very small applications from our in-house innovations team and all the way up to millions of lines of code from our e-commerce teams. We currently have about 50 users, but the number varies. Some development teams are fairly small, and some are fairly large.
How are customer service and support?
Technical support is very good. I've never had an issue that we couldn't resolve. If we have a scan running and we need it to finish sooner, they will allocate extra resources to it if we identify. We've had very good results with their tech support.
Which solution did I use previously and why did I switch?
This is the first solution that was implemented. I inherited this from somebody else. We are a government organization, so we have to do an RFP next year to renew. We'll see how it goes.
How was the initial setup?
The basic scanning is not very complex. When you get into more detailed scanning such as APIs, the level of complexity is moderate. However, when you are scanning that type of application, you usually have teams available that know what to do and what the configuration needs to be. We did our first scan within two days.
What about the implementation team?
It was implemented in-house. We have in-house expertise. Our strategy was basically just to stand it up and use the default settings initially with a pilot. We planned to do some pilot scans and get a good feel for the product, and then adjust accordingly on an ongoing basis.
I managed it for two years single-handedly. As we expand and add more and more applications, we are adding extra hands. If we're looking at an FTE, equivalency is probably 0.5 to 0.75 people to manage it.
What was our ROI?
Looking for a return on investment on security is a little challenging. Some CIOs might argue one way or another. Some look at it as a cost, and some look at it as cost avoidance. I'm a security professional, and I look at it as cost avoidance. So, we're avoiding breaches, people being able to manipulate the code or cause any issues, and downtime. I always look at the positives of the product. If we eliminate any of the security risks or attack factors on these products before they go live, we're doing due diligence in making sure that the product stays up and running, especially for something like e-commerce.
What's my experience with pricing, setup cost, and licensing?
Their subscriptions could use a little bit of a reworking, but I am very happy with what they're able to provide.
What other advice do I have?
We plan to keep using this solution. Every year, we seem to have more and more code, and they add more and more features such as third-party library assessments, etc. Open source has become a big thing as companies try and save money, but with open source comes additional risk. This solution helps us mitigate the risk of those open-source components. So, we're using this more and more as we move forward.
The important part of this is automation. There are lots of automation options for this tool. Initially, trying to do it manually was a great start, but we kind of got lost a little bit along the way of implementing it. We should have done more automation right from the beginning, made it our standard, and created the policies. Sometimes, you put the cart before the horse. The tool does a great job, and you get lost in the results. It does provide good results and good information, but I think it's very important to have those policies and procedures in place right up front with this product. It will save you a lot of time in the end.
The biggest lesson that I have learned from using this product is that even if you have the best people, there are always vulnerabilities and things that will surprise you.
I would rate Micro Focus Fortify on Demand a nine out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Solution Security Architect with 1,001-5,000 employees
It has added a very quick turnaround for security code reviews, allowing us to integrate this function into the overall development and testing lifecycle.
What is most valuable?
- It's on-demand and cloud-based, which is well suited to occasional and price-conscious use.
- Fast turnaround allows for easy integration into the development process without any major impact on development efforts.
How has it helped my organization?
It has added a very quick turnaround for security code reviews which allowed us to integrate this (formerly missing) function into the overall development and testing lifecycle.
What needs improvement?
It needs to support more languages.
For how long have I used the solution?
I've used it for three months.
What was my experience with deployment of the solution?
No issues encountered.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and technical support?
Excellent – from the PoC through setup and implementation, we received timely and knowledgeable support whenever we needed it.
Which solution did I use previously and why did I switch?
We tried to do it by hand (which was very time-consuming and error-prone) and with some tools built into Visual Studio (which were not widely accepted by individuals).
How was the initial setup?
We had some issues with logins and account setups, but received excellent support.
What about the implementation team?
We implemented it ourselves with the help of HP.
What was our ROI?
Don’t know since the project got cancelled.
What other advice do I have?
Take advantage of the free trial and conduct a meaningful PoC. Get a buy-in from upper management early and co-ordinate with all stakeholders (e.g. developers, testing and/or QA groups).
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
It provides an independent review of third-party applications, allowing organizations to test software before purchasing. But try the free version first as there's no "right" way to measure ROI.
What is most valuable?
- I was able to quickly pass compliance with HIPAA.
- Correlated static and dynamic results with detailed priority guidance.
- Accurate results, tailored to each application.
- All results manually reviewed by application security experts.
- Central testing program management for all applications.
How has it helped my organization?
HP Fortify on Demand provides an independent review of third-party applications, allowing organizations to test software before purchasing, and also allowing software vendors to demonstrate the security of their software. Third-party vendors can upload the source code and/or provide a URL, review the results, and then publish a report back to their customer.
This service compels commercial vendors to take action to proactively fix vulnerabilities, while allowing them to remain in control of their applications. Security professionals can demand that high-priority problems be addressed and verified during the procurement or upgrade process, prior to acceptance. HP Fortify on Demand serves as an independent third-party solution to conduct unbiased analysis of applications and provide a detailed tamper-proof report back to the security team.
What needs improvement?
You are going to like the new detailed reporting. It can correlate the results from different forms of testing and prioritize them by severity to present the truest representation of application risk.
For how long have I used the solution?
1 year
What was my experience with deployment of the solution?
It was very easy to install and deploy.
What do I think about the stability of the solution?
No.
What do I think about the scalability of the solution?
No. Scalable infrastructure allows for fast turnaround times and it has no limitations based on lines of code, megabytes, or anything else.
How are customer service and technical support?
Customer Service: Good
Technical Support: Good
Which solution did I use previously and why did I switch?
I currently use other solutions. We gave HP Fortify on Demand a try and we are very happy with the results.
How was the initial setup?
Yes. Very easy.
What about the implementation team?
We tried the free version first and then we acquired the software from the product website.
What was our ROI?
Keep in mind that the calculation for return on investment and, therefore the definition, can be modified to suit the situation. It all depends on what you include as returns and costs. The definition of the term in the broadest sense just attempts to measure the profitability of an investment and, as such, there is no one "right" calculation. But, I have to say the client is very satisfied.
What's my experience with pricing, setup cost, and licensing?
Try the free version first.
Which other solutions did I evaluate?
I am already using other software. We wanted to try it and it works like a charm.
What other advice do I have?
Trust me, you want to be able to do automated and manual testing on a web application that is live.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partners
Chief Information Officer at Location world
Has good price and support and works very well for web applications
Pros and Cons
- "We have the option to test applications with or without credentials."
- "They have very good support, but there is always room for improvement."
What is our primary use case?
We use this solution for our web applications.
What is most valuable?
We have the option to scan web applications on demand. We have the option to do dynamic analysis. We also have an on-premise solution for static code analysis.
We have the option to test applications with or without credentials.
What needs improvement?
Overall, it's very good. They have very good support, but there is always room for improvement.
For how long have I used the solution?
I've been using this solution for two to three years.
How are customer service and support?
They are helpful, and we have a good relationship with them. I'd rate them an eight out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
It was straightforward. It took us two or three months because we had to integrate with our DevOps and pipeline solutions. It took a bit of extra time.
In terms of maintenance, we need to update the version. Micro Focus releases new versions every two months or so.
What about the implementation team?
We had our DevOps manager, and then we had two people from IT. We also had the support of the provider. We also worked with a partner to help us to implement faster.
What's my experience with pricing, setup cost, and licensing?
I'd rate it an eight out of ten in terms of pricing.
What other advice do I have?
Overall, I'd rate it a nine out of ten. We are very satisfied with it.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Financial Analyst at Arab Investment Bank
SAST is valuable, but there needs to be improvement in CI integration and with GitLab or Jenkins
Pros and Cons
- "The SAST feature is the most valuable."
- "I would like to see improvement in CI integration and integration with GitLab or Jenkins. It needs to be more simple."
What is most valuable?
The SAST feature is the most valuable.
What needs improvement?
I would like to see improvement in CI integration and integration with GitLab or Jenkins. It needs to be more simple.
For how long have I used the solution?
I have been using this solution for three months. I am a DevOps engineer in customer service.
What do I think about the stability of the solution?
It's stable right now.
What do I think about the scalability of the solution?
We have only installed the solution on one server.
How was the initial setup?
The implementation process was complex. The documentation was not clear to me.
Which other solutions did I evaluate?
I'm also evaluating Black Duck and Snyk. I just have a demo – a POC.
What other advice do I have?
I would rate this solution 7 out of 10.
I recommend Fortify, but I need more documentation, especially in integration with CI tools like GitLab and Jenkins. The reporting from Fortify to Jenkins or for GitLab needs to be clarified in documentation.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Acquisitions Leader at a healthcare company with 10,001+ employees
Outstanding support, efficient API, and one of the best tools for the Shift Left approach
Pros and Cons
- "It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support."
- "It is an extremely robust, scalable, and stable solution."
- "It does scanning for all virtual machines and other things, but it doesn't do the scanning for containers. It currently lacks the ability to do the scanning on containers. We're asking their product management team to expand this capability to containers."
- "We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access."
What is our primary use case?
We are using it for application security testing. We have microservices and applications within the organization, and the testing is being done on a continuous basis right through the development cycle or the development chain.
We are using its latest version. It is deployed on the cloud and on-premises.
What is most valuable?
It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support.
It is an extremely robust, scalable, and stable solution.
It enhances the quality of code all along the CI/CD pipeline from a security standpoint and enables developers to deliver secure code right from the initial stages.
What needs improvement?
It does scanning for all virtual machines and other things, but it doesn't do the scanning for containers. It currently lacks the ability to do the scanning on containers. We're asking their product management team to expand this capability to containers.
It doesn't do software composition analysis. We've asked their product management team to look into that as well.
We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access.
For how long have I used the solution?
I have been using this solution for four years.
What do I think about the stability of the solution?
It is very stable.
What do I think about the scalability of the solution?
It is very scalable.
How are customer service and technical support?
Their tech support is absolutely outstanding. Their tech support is the most responsive tech support I've ever seen.
How was the initial setup?
It is very straightforward to set up. You can set it up in minutes.
What other advice do I have?
If somebody wants to shift left or integrate security early on in the CI/CD pipeline from a DevOps standpoint, this is probably one of the best tools available.
I would rate Micro Focus Fortify on Demand a nine out of 10. There are three areas for improvement. Once they improve it in those areas, then it would be 10 out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Specialist Master/Manager at a consultancy with 10,001+ employees
We use it to evaluate code from a security perspective as opposed to a developer’s perspective.
Valuable Features
The static code analyzer provides views from a security perspective and it is easy to use compared to others.
Improvements to My Organization
We use it to evaluate security from the code and provide results from a security perspective as opposed to a developer’s perspective.
Room for Improvement
Reports can be better visually with graphics such as charts included. Charts (pie, bar, some graph) could show the percentage of the vulnerability categories identified, as opposed to listing them all in a table. At a higher level, it would be nice to aggregate the analysis.
Use of Solution
I have used it for 3.5 years.
Deployment Issues
I did not encounter any deployment issues. It was fairly simple and easy to install/deploy.
Customer Service and Technical Support
Technical support is 6/10. I find the Internet to be more helpful at times than their own tech support in finding answers.
Initial Setup
Initial setup was easy and intuitive: just specify the license path and install the product.
Implementation Team
We implemented it in-house.
ROI
Quality vs. quantity: You pay more for a higher-quality product that meets your needs, compared to others that might be cheaper, but where you have to crawl to get what you are looking for.
Other Solutions Considered
While I did evaluate others, it depends on the budget.
Other Advice
It is a good product to choose for SCA and cloud deployment. If you choose SSC, don’t always look at the price, as the other products might not conduct the same analysis as HP Fortify does. Not all products are created equal.
Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a vendor partner.
Enterprise Solutions Architect at CONTPAQi
Easy deployment, simple to use, and effective application security
Pros and Cons
- "The most valuable features of Micro Focus Fortify on Demand have been SAT analysis and application security."
- "Micro Focus Fortify on Demand can improve by having more graphs. For example, to show the improvement of the level of security."
What is our primary use case?
I am using Micro Focus Fortify on Demand for SAT analysis and data analysis.
What is most valuable?
The most valuable features of Micro Focus Fortify on Demand have been SAT analysis and application security.
What needs improvement?
Micro Focus Fortify on Demand can improve by having more graphs. For example, to show the improvement of the level of security.
For how long have I used the solution?
I have been using Micro Focus Fortify on Demand for approximately six months.
What do I think about the stability of the solution?
Micro Focus Fortify on Demand is stable.
What do I think about the scalability of the solution?
The scalability of Micro Focus Fortify on Demand is good.
We have eight users using this solution. We plan to increase our usage in the future.
How are customer service and support?
The technical support of Micro Focus Fortify on Demand is very good.
How was the initial setup?
The initial setup of Micro Focus Fortify on Demand was simple. The deployment took approximately three or four days.
What about the implementation team?
We have used a consultant for one deployment in the past. We have two people that do the deployment of the solution.
What's my experience with pricing, setup cost, and licensing?
There are different costs for Micro Focus Fortify on Demand depending on the assessments you want to use. There is only a standard license needed to use the solution.
What other advice do I have?
Micro Focus Fortify on Demand is a very easy-to-use solution. You don't need specialized technical staff. It's very easy to implement and use the application. I don't require assistance; I only have my advisories that are users.
I rate Micro Focus Fortify on Demand a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
The weakest component of Fortify is SSC. It is very difficult to customize, requires huge infrastructure to implement and maintain, and is costly.