Try our new research platform with insights from 80,000+ expert users
reviewer2107677 - PeerSpot reviewer
Cyber Security Specialist at a computer software company with 51-200 employees
Real User
Top 20
User-friendly, stable, and scalable
Pros and Cons
  • "The solution is user-friendly."
  • "I would like the solution to add AI support."

What is our primary use case?

The solution is used for web application listing, like, SaaS.

What is most valuable?

The solution is user-friendly.

What needs improvement?

I would like the solution to add AI support.

For how long have I used the solution?

I have been using the solution for one month.

Buyer's Guide
Fortify on Demand
December 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.

What do I think about the stability of the solution?

I give the stability a nine out of ten.

What do I think about the scalability of the solution?

I give the scalability a nine out of ten.

We have three people using the solution in our organization.

How are customer service and support?

I am satisfied with the technical support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used SonarQube which is an open-source solution. We switched because we needed an easy-to-understand and configure UI.

How was the initial setup?

I give the initial setup a nine out of ten. The deployment took a few hours and required one person to implement.

What other advice do I have?

I give the solution a nine out of ten.

I recommend the solution to others and I am totally satisfied with it.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1468542 - PeerSpot reviewer
Principal Solutions Architect at a security firm with 11-50 employees
Real User
A good scanner that performs different types of scans and keeps everything in one place, but it needs more streamlined installation procedure and a bit more automation
Pros and Cons
  • "Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out."
  • "It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available."

What is our primary use case?

Our clients use it for scanning their applications and evaluating their application security. It is mostly for getting the application security results in, and then they push the vulnerabilities to their development team on an issue tracker such as Jira.

I usually have the latest version unless I need to support something on an older version for a client. We're not really deploying any of these solutions except for kind of testing and replicating the situations that our clients get into.

What is most valuable?

Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out.

What needs improvement?

It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available.

For how long have I used the solution?

I have been using this solution for seven or eight months.

What do I think about the stability of the solution?

I've never seen any issues with stability or crashing, and it looks fine to me, but I don't run it long enough to see. If I was using it as a customer, it is always possible that I would see more issues.

What do I think about the scalability of the solution?

Usually, I just run it against a single application. I don't know how it is if you are running it across a large enterprise.

Our clients are medium to large businesses. We have a lot of Fortune 500 companies, and scalability is very important to us. Our product is made to scale to hundreds of millions of findings from various tools. 

How are customer service and technical support?

Most of what I've been doing with them is just getting help with being able to set up an environment and the license keys, and they've been pretty helpful. I haven't had many issues that required me to report a bug or a problem. I did deal with them maybe once for a tech problem, and they were very responsive. They seemed pretty good.

How was the initial setup?

As compared to the other tools that I've worked with, it is probably in the middle range. It is definitely not the simplest one where you just run the installation, and it will be all done, but you also don't tend to run into too many problems that aren't easy to figure out during the install process. If you go from lowest to highest complexity, it would be right in the middle.

What other advice do I have?

It seems like a good scanner than the other ones that we support, but there are some other products such as Prisma that seem more polished and have tighter integration with different types of scanners. Whether they've acquired different scanners or build them themselves, they do seem like a cohesive product, whereas Fortify seems a little bit more like a collection of several different products.

I would rate Micro Focus Fortify on Demand a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Fortify on Demand
December 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
reviewer1210665 - PeerSpot reviewer
Production Manager for Nearshore SWaT at a computer software company with 1,001-5,000 employees
Real User
Top 20
Stable and shows the vulnerabilities online while checking the code, but it is quite expensive
Pros and Cons
  • "The feature that I find the most useful is being able to just see the vulnerabilities online while checking the code and then checking suggestions for fixing them."
  • "The thing that could be improved is reducing the cost of usage and including some of the most pricey features, such as dynamic analysis and that sort of functionality, which makes the difference between different types of tools."

What is our primary use case?

We use Micro Focus Fortify on Demand to check the vulnerabilities of developments that we perform.

What is most valuable?

The feature that I find the most useful is being able to just see the vulnerabilities online while checking the code and then checking suggestions for fixing them.

What needs improvement?

The thing that could be improved is reducing the cost of usage and including some of the most pricey features, such as dynamic analysis and that sort of functionality, which makes the difference between different types of tools.

For how long have I used the solution?

I have been using this product for four years. 

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

It is scalable. However, it poses a challenge in terms of pricing and licensing.

How are customer service and technical support?

I haven't contacted their support, but I know that a team was in touch with Fortify technical support because they do get to have a lot of questions about migrating the software, licensing, and other stuff. They contact the support quite often. I know that they get responses, not always the ones they would like, but they do get a response from them.

Which solution did I use previously and why did I switch?

I have used SonarQube but not at the same level. It has some functionalities that are related to security. It does not go as deep as Micro Focus Fortify on Demand. 

We have evaluated other tools that are competitors of Micro Focus Fortify on Demand, but we still decided to keep Micro Focus Fortify on Demand.

How was the initial setup?

I wasn't responsible for setting it up. 

What about the implementation team?

We have a team that works with the product. All development teams work with this team to accomplish the goals. Everything was set up by this team, and afterward, the development team just has to look at the reports and vulnerabilities so that they can run scans.

What's my experience with pricing, setup cost, and licensing?

It is quite expensive. Pricing and the licensing model could be improved. 

What other advice do I have?

Before using it, evaluate other possibilities because it's quite expensive if you don't have the need to use it. For example, replace it with SonarQube or another competitor's tool that may not do quite the same thing, but it is enough for what you want for your objectives. It could be a cheaper way to get to those goals.

I would rate Micro Focus Fortify on Demand a seven out of ten. Improvement in pricing would be the biggest thing that would improve the scoring.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1050960 - PeerSpot reviewer
CISO at a retailer with 1,001-5,000 employees
Real User
Detects vulnerabilities and provides useful suggestions, but doesn't understand complex websites
Pros and Cons
  • "The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it."
  • "Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. In addition, the technical support is just not there. We have open tickets. They don't respond. Even if they respond, we're not seeing eye to eye. As the company got sold and bought, the support got worse."

What is our primary use case?

We use Fortify on Demand to test our e-commerce website. We do static codes testing before it goes live.

How has it helped my organization?

Before we migrate a new code to our production website, it is scanned with Fortify and all security vulnerabilities are identified. Then we try to remediate them so we don't expose ourselves.

I've been involved in deciding what's right or wrong. I've been involved in deciding on the product early on, and then if we should go on-premise or in the cloud, if we should build it into part of the software development life cycle or if we should do it on demand before we go to production. I've been involved in a lot of that. I've been involved in working with the development team to decide what is a vulnerability and what is not, and which vulnerabilities we need to take to heart, regardless if we understand what it is that we should ignore, and regardless of the fact that we think it's highly critical.

What is most valuable?

The product, in general, is meant to scan the website and identify any vulnerabilities: a known vulnerability across that script and SQL injection or other vulnerabilities from OWASP top 10, etc. That is what we're using this for.

The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it. 

What needs improvement?

Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. And they try to look at it saying, "Okay. From a pure standards perspective, this is a critical vulnerability for you." Which in reality, if you would really try to exploit it, you'd see that we actually did cross a little something around it, and the vulnerability is not there. So they would expect to have a certain type of a formatting requirement around a specific field to avoid being able to put in special characters. They would assume that because we don't have that, it's a vulnerability. But in reality, you actually do have a custom function that has been defined somewhere else in the code and these fields are subject to that function. I don't carry along with that in the same way as the application really does. That's something that we found that needs improvement.

We're actually going to transfer from them, and the main reason is that there is nobody home. We could have tickets open with them for months trying to escalate and have them remediate certain false positives as I described. We have had no success bringing this product to a level that we feel there's not too much noise. It gives you specifically what you need. You could take it at face value and run with it.

We're going to switch to Checkmarx. We're in the middle of the deployment.

For how long have I used the solution?

We've been using Fortify on Demand for eight years or so.

What do I think about the stability of the solution?

Stability is good. The product works.

What do I think about the scalability of the solution?

Scalability is irrelevant to us because it's in the cloud. For the past few years, we've been using it in the cloud, so it's a common scanner. It's not handling transactions. It's not a firewall or an antivirus that you have doing real-time transactions. It looks at the code and the volume of code we migrate. We write a lot of code every week, but it's still within reason. We're not talking about thousands of developers sending code at the same time. So I don't think that scalability was much in our conversation.

The product is being used by the e-commerce application development team, and we have senior developers who are responsible to scan and evaluate security concerns that come out of the product. We also have a lead security person and a development team who are responsible to oversee this and ensure that the issues are being addressed.

Deployment and maintenance, are not really applicable because it was somebody at DNH working with the company, setting it up. We did not put it into part of the platform of real-time migration, such that the code automatically goes there, marks it, and allows it to go to production or not. We didn't go that route, so it really didn't need too many people to be involved in the deployment.

How are customer service and technical support?

The technical support is just not there. We have open tickets. They don't respond. Even if they respond, we don't see eye to eye. As the company got sold and bought, the support got worse.

How was the initial setup?

Our website is complex, so the setup is also complex. By definition, we expected it to be complex, and Checkmarx should also be complex because of the culture, habits, and complexity of our custom-developed website. Our website is not an off-the-shelf product, so there's a lot of complexity that comes with it by nature. But that's okay.

The initial deployment goal was to scan every bit and byte of code on the production e-commerce site. That was the plan. We started rolling this out and then we started sending tests. We went back and forth on whether we should make it in-line automatic that we scan sales, in a way that it would not allow the code to move further, or if we should do it off to the side, such that the application development life cycle continues to run separately, while somebody is scanning it making sure we dissolve all the issues. So we tried both routes. There are benefits to each, and it's definitely safer to do it in-line. Again, the culture, habits, and technology's use mean that it is not always best to do it in-line because it could become too complicated and break too many things. So we actually switched that. There is a person that does that. It's not built into the migration system by default. Somebody is scanning it and then moves to the next one.

What about the implementation team?

We worked with them and they helped us deploy. We tried a few different versions. We tried on-premise, and then we went to the cloud. Fortify on Demand is the cloud-based version, which we're using now.

Our experience with their developer team was good. But now, over time, the company went from a partner to a disconnected environment. Overall, the experience started out with a back and forth and an active relationship but over time, they became very disconnected.

What's my experience with pricing, setup cost, and licensing?

It's a yearly contract, but I don't remember the dollar amount.

Which other solutions did I evaluate?

I don't remember if we evaluated anybody else. I think Fortify was recommended through a consultant. Some years ago, there were not so many vendors at a time playing in this arena. There's not so many today for static analysis, but I don't think that we really evaluated any others.

What other advice do I have?

I would advise others not to use Fortify, but rather get something like Veracode or Checkmarx. The most important thing is not the functionality of the product. The most important thing is the knowledge, support, and availability of the team of security specialists as a vendor, that you have somebody to work with and talk to. Everybody's website is different, and if you try to use the product out of the box the way they built it and you have nobody to talk to to figure out how to tweak your application or the product to reduce the noise and the false positives, it becomes literally useless. So I would not advise anybody to go to Fortify based on the fact that they really don't have a very forthcoming support team and availability.

Could be the other options would provide professional services, but that's not the point. The point is that if you want to pick up the phone and send them an email, open a ticket saying that, "This is a false positive," somebody should get back to you. So I don't think that Fortify's a viable option still these days based on the fact of where they sit and how they operate.

I would rate the product a four out of ten. It works. The reason why I give it a four is because of the limitations of the product to understand the dynamics of our website and the number of things that are not working smoothly due to the fact that our website is complex.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Application Security Specialist at a tech services company with 5,001-10,000 employees
Real User
Allows for more efficient and custom integration by allowing customized enhancements through the API support
Pros and Cons
  • "The most important feature of the product is to follow today's technology fast, updated rules and algorithms (of the product)."
  • "Micro Focus WebInspect and Fortify code analysis tools are fully integrated with SSC portals and can instantly register to error tracking systems, like TFS and JIRA."
  • "The biggest deficiency is the integration with bug tracker systems. It might be better if the configuration screen presented for accessing the bug tracking systems could provide some flexibility."

What is our primary use case?

When choosing a software security product, we expect the product not only has the ability to find exploits, but also has educational and instructional capabilities related to exploits. This makes both the security auditor's job easier and helps the software developer to improve himself and write safer code. Here we have seen that the Micro Focus family has exactly what we want. For this reason, we chose Micro Focus software security products. In addition, the quality of the support and updating services ensures that we gain confidence in their products.

How has it helped my organization?

In large software development teams, the most important issue related to software and application security is to identify vulnerabilities and weaknesses quickly and accurately, then to gather those findings on a common platform so  they can be distributed and tracked by teams and developers. 

Micro Focus WebInspect and Fortify code analysis tools are fully integrated with SSC portals and can instantly register to error tracking systems, like TFS and JIRA. This facilitates error and vulnerability management and makes the "Secure Software Development Lifecycle" work well.

What is most valuable?

The most important feature of the product is to follow today's technology fast, updated rules and algorithms (of the product). It also allows for more efficient and custom integration by allowing customized enhancements through the API support offered through the SSC portal.

What needs improvement?

Though it is generally close to perfection, the biggest deficiency is the integration with bug tracker systems. It might be better if the configuration screen presented for accessing the bug tracking systems could provide some flexibility. Since there are different templates on TFS in particular (CMMI, Agile etc.), the configuration for different templates can also be customized with the flexibility to be provided here.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user455427 - PeerSpot reviewer
Development and Database Manager at a financial services firm with 501-1,000 employees
Vendor
It works to identify security flaws that any of our applications might have.

What is most valuable?

The solution simply identifies any security flaws that any of our applications might have.

How has it helped my organization?

This identification provides us an advantage in that the service itself works to stay abreast and knowledgeable about emerging threats. Rather than have a security team dedicated to that effort, we don’t have to deal with that in a time consuming, direct manner. We don't need to have these skills in-house.

What needs improvement?

I find that while it does find a lot of legitimate threats, it tends to have a lot of false positives, and there are more false positives than I would like to see. It flags threats that sometimes are not, and when we have to investigate that it takes time. If they could improve the intelligence then I think it could really help the system function more efficiently. The dynamic time scan takes about seven days, and this could be a bit quicker. We like to incorporate the scan into every build cycle and if we have to wait for a seven day business cycle it has to go into our scheduling. If that could be improved there would be a lot of happy people.

For how long have I used the solution?

It predates my employment; I’m certain we signed up in 2013 – roughly three years ago.

What was my experience with deployment of the solution?

We have had no issues with the deployment.

What do I think about the stability of the solution?

I would say it’s fairly stable. It’s a web application so of course there are browser hiccups but I would give it a high score for stability. Once in a while there is a page refresh, but nothing major.

What do I think about the scalability of the solution?

We have four applications and we’ve been able to get them all in there, I don’t see it having a limit.

How are customer service and technical support?

Customer Service:

Customer service has been good once we get attention, which comes back to the false positive issue.

Technical Support:

Sometimes the results need clarifications. They could be a bit more responsive as once we get someone the interactions have been good and helpful.

Which solution did I use previously and why did I switch?

This was our first foray into a hosted service.

How was the initial setup?

The deployment was super easy as the interface is straightforward. It was almost too easy.

What other advice do I have?

If you haven’t run any formal scan be prepared for it to come back and be a bit scary.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Omar Sánchez (Mr.Tech) - PeerSpot reviewer
Omar Sánchez (Mr.Tech)Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
LeaderboardConsultant

Support is offered through phone and a password-protected web portal, and also through email. In addition, the standard price allows for quarterly updates for the latest security tests for code review. Phone support is available 6 a.m. to 6 p.m. Pacific Standard Time.

Kangkan Goswami - PeerSpot reviewer
Advisor Solution Architect at a tech services company with 10,001+ employees
Real User
Top 20
Moderately priced solution with fantastic stability
Pros and Cons
  • "Fortify on Demand's best feature is that there's no need to install and configure it locally since it's on the cloud."
  • "An improvement would be the ability to get vulnerabilities flowing automatically into another system."

What is our primary use case?

I mainly use Fortify on Demand for static scanning.

What is most valuable?

Fortify on Demand's best feature is that there's no need to install and configure it locally since it's on the cloud.

What needs improvement?

An improvement would be the ability to get vulnerabilities flowing automatically into another system.

For how long have I used the solution?

I've been using Fortify on Demand for over a year.

What do I think about the stability of the solution?

Fortify on Demand's stability is fantastic - I've never seen slowness, and it performs consistently.

Which solution did I use previously and why did I switch?

I previously used ShiftLeft, but Fortify on Demand gives me a portal, and it's much easier to get details about the issues affecting us.

How was the initial setup?

The initial setup is very simple because no installation is necessary - you just need to access the application and configure it. 

What about the implementation team?

We used a vendor team.

What's my experience with pricing, setup cost, and licensing?

Fortify on Demand is moderately priced, but its pricing could be more flexible.

What other advice do I have?

I would rate Fortify on Demand nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
S S RAMA KRISHNA MURTHY  SURI - PeerSpot reviewer
Senior Manager at valuelabs LLP
MSP
It supports most languages and integrates well with other solutions
Pros and Cons
  • "Fortify supports most languages. Other tools are limited to Java and other typical languages. IBM's solutions aren't flexible enough to support any language. Fortify also integrates with lots of tools because it has API support."
  • "We have some stability issues, but they are minimal."

What is our primary use case?

Fortify is used for static scans — cold-scanning.

What is most valuable?

Fortify supports most languages. Other tools are limited to Java and other typical languages. IBM's solutions aren't flexible enough to support any language. Fortify also integrates with lots of tools because it has API support.

What needs improvement?

We have some stability issues, but they are minimal.

For how long have I used the solution?

We've been using Fortify for two or three years

What do I think about the stability of the solution?

Fortify is stable. 

What do I think about the scalability of the solution?

Fortify is scalable. 

How are customer service and support?

Whenever we have any issues, Micro Focus support has been helpful. They have lots of products, and they're established in the market. When you open a ticket, you get an immediate response by phone.

How was the initial setup?

The initial setup is straightforward and the second or third-tier support is available whenever we face an issue or something. Most of the components are plug-and-play, so it doesn't take much time. 

What other advice do I have?

I rate Micro Focus Fortify on Demand. This is a good solution for doing static analysis. There is also a dynamic component, but we haven't used it because we are unsure how flexible it is. We are using it only for static scanning.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.
Updated: December 2024
Buyer's Guide
Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.