Try our new research platform with insights from 80,000+ expert users
it_user1345719 - PeerSpot reviewer
Project Analyst at a financial services firm with 1,001-5,000 employees
Real User
A cost-effective and intuitive solution for checking vulnerabilities during the development process
Pros and Cons
  • "The most valuable feature is the capacity to be able to check vulnerabilities during the development process. The development team can check whether the code they are using is vulnerable to some type of attack or there is some type of vulnerability so that they can mitigate it. It helps us in achieving a more secure approach towards internal applications. It is an intuitive solution. It gives all the information that a developer needs to remediate a vulnerability in the coding process. It also gives you some examples of how to remediate a vulnerability in different programming languages. This solution is pretty much what we were searching for."
  • "It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team."

What is our primary use case?

We use it for statistical analysis for Java applications that are used in the collection process of a bank. It is also used for an internal web page. The tellers use this web page in the branches to make money transactions, such as withdrawals, deposits, etc.

What is most valuable?

The most valuable feature is the capacity to be able to check vulnerabilities during the development process. The development team can check whether the code they are using is vulnerable to some type of attack or there is some type of vulnerability so that they can mitigate it. It helps us in achieving a more secure approach towards internal applications.

It is an intuitive solution. It gives all the information that a developer needs to remediate a vulnerability in the coding process. It also gives you some examples of how to remediate a vulnerability in different programming languages. This solution is pretty much what we were searching for.

What needs improvement?

It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. 

They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team.

For how long have I used the solution?

I have been using this solution for two or three months.

Buyer's Guide
Fortify on Demand
December 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.

What do I think about the stability of the solution?

It has been pretty stable.

What do I think about the scalability of the solution?

It is scalable, but we haven't scaled it much. Currently, we have ten users, but it is capable of taking many more users.

How are customer service and support?

Their support is good, but sometimes, they take a bit longer. For high severity incidents, they should properly identify the team that has to be engaged to solve an issue. I would rate them an eight out of ten.

How was the initial setup?

The initial setup was pretty much straightforward. It was quite easy to implement. 

It is quite intuitive, and the training model that they have helps the development team in using it easily. The deployment process took only about two weeks.

In terms of the implementation strategy, it started with a kickoff meeting with the provider who offered the solution. We involved the development team, security information team, and infrastructure team from the beginning. They all knew what can be done with the solution and what role they are going to play in the implementation process, which helped a lot to achieve a pretty short implementation time.

What's my experience with pricing, setup cost, and licensing?

It is cost-effective.

What other advice do I have?

It is a great solution. It is cost-effective for a secure development process. If an enterprise wants to adopt the DevOps process, Micro Focus Fortify on Demand is a great starting point. 

I would rate Micro Focus Fortify on Demand a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user692322 - PeerSpot reviewer
Digital Security Integration Lead at a non-tech company with 10,001+ employees
Real User
The quality of application security testing reduces risk and gives very few false positives.
Pros and Cons
  • "The quality of application security testing reduces risk and gives very few false positives."
  • "New technologies and DevOps could be improved. Fortify on Demand can be slow (slower than other vendors) to support new technologies or new software versions."

How has it helped my organization?

The security of our consumer-facing web sites is better.

What is most valuable?

The quality of application security testing reduces risk and gives very few false positives.

What needs improvement?

New technologies and DevOps could be improved. Fortify on Demand can be slow (slower than other vendors) to support new technologies or new software versions. DevOps requires very fast turnaround and I’m not sure HPE Fortify on Demand can do that, although they have a new product in beta for that.

What do I think about the stability of the solution?

We did not have stability issues.

What do I think about the scalability of the solution?

We did not have scalability issues.

How are customer service and technical support?

Technical support is very good.

Which solution did I use previously and why did I switch?

We didn’t have a previous solution.

How was the initial setup?

Setup was not complex, although given our size it was a challenge.

What's my experience with pricing, setup cost, and licensing?

Drive a hard bargain.

Which other solutions did I evaluate?

We evaluated IBM and Veracode.

What other advice do I have?

Go with the SaaS product.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user712167 - PeerSpot reviewer
it_user712167General Manager - Application Security at a tech consulting company with 51-200 employees
Real User

Yes, It does have less positives. After being a premium customer and having taken the annual / 3 yr subscription option, we can opt for + (plus) services by which we can have a manual AUDIT to manually review our code for the 1st time. This helps reduce most of the false positives and developers and team in-charges can concentrate on actual issues / vulnerabilities or the weaknesses in existing application which is assessed. - Manoj Purandare, India

Buyer's Guide
Fortify on Demand
December 2024
Learn what your peers think about Fortify on Demand. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
it_user441546 - PeerSpot reviewer
Information Security Lead Consultant & Application Security Specialist at a energy/utilities company with 1,001-5,000 employees
Vendor
It's reduced operational costs as we minimized security incidents and ensured all vulnerabilities are remediated during the development lifecycle.

What is most valuable?

It's saved us a lot of time as we focus primarily on security consultancy work rather than tool operational work.

Also, the features SAST, DAST, Dashboard/Reports, Fortify on Demand Portal and Vulnerability Tracking, have all helped with our work.

Finally, it's reduced operational costs as we minimized security incidents and ensured all vulnerabilities are remediated during the development lifecycle.

How has it helped my organization?

The results it provides are more than 95% accurate, helping us to focus on the right things first.

Our new software procurement process benefited as well as we use this as a central control to provide security assurance and evaluate the quality of our deliverables.

Its ease-of-use has influenced developer behavior and enabled them to follow security principles.

What needs improvement?

It would be useful if they could integrate secure design reviews, security user stories in Fortify on Demand Portal, and also look for possible options to get just one view of risks for given services (Covering Application, Infrastructure, Pen. Test, etc.).

For how long have I used the solution?

I’ve used it since 2010.

What was my experience with deployment of the solution?

We've had no issues with deployment.

What do I think about the stability of the solution?

It’s a very stable product. We've had no issues with instability.

What do I think about the scalability of the solution?

It’s scaled for our needs. We've had no issues with un-scalability.

How are customer service and technical support?

Customer Service:

Customer service is excellent.

Technical Support:

The technical support is very good.

Which solution did I use previously and why did I switch?

We've used various other tools, including the Fortify on-premise solution. We chose Fortify on Demand as it is cost effective, scalable, easy to deploy, and helps us to manage our vulnerabilities centrally.

How was the initial setup?

The initial setup was very easy and straightforward. We were able to roll out this service to all our business units.

What about the implementation team?

We performed the installation in-house.

What's my experience with pricing, setup cost, and licensing?

There is no setup cost as it is an on-demand solution. However, if there is any firewall change required for an internal application, we would need to raise that from our end.

Which other solutions did I evaluate?

We considered SonarQube, MSFox, and CodeInspect.

What other advice do I have?

Fully utilize this product and its feature as it covers almost everything required for software security assurance.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Senior Cyber Security Analyst at a financial services firm with 1,001-5,000 employees
Vendor
Helps us to stay updated with the newest languages and versions coming out
Pros and Cons
  • "It improves future security scans."
  • "Fortify helps us to stay updated with the newest languages and versions coming out."
  • "Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues."
  • "We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days."

What is our primary use case?

We previously used it for static and dynamic scans, but now we use it only for dynamic scans.

We have close to 85 products in-house, so we run a lot of scans.

How has it helped my organization?

We are using lost programming languages, because we have a lot of product development going on because we have a product-based company. Fortify helps us to stay updated with the newest languages and versions coming out. We can run our scans on a timely basis.

What is most valuable?

We can run our scans properly on it. It improves future security scans.

What needs improvement?

Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues.

We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

There are no stability issues. Though, we would like the scans to run faster.

What do I think about the scalability of the solution?

We have no scaling issues.

How are customer service and technical support?

Tech support has been a great help. They always respond to us in a timely manner.

Whenever we contact support, they assist us in running our scans.

Which solution did I use previously and why did I switch?

We did not have another solution before. We tried other solutions, but they were not as good as Fortify.

How was the initial setup?

I was not involved in the initial implementation.

What's my experience with pricing, setup cost, and licensing?

The pricing is expensive.

Which other solutions did I evaluate?

Currently, Checkmarx offers us a graphically, revised run.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1250178 - PeerSpot reviewer
Security Information Manager at a tech services company with 10,001+ employees
Real User
Solid usability for security and vulnerability issues
Pros and Cons
  • "The features that I have found most valuable include its security scan, the vulnerability finds, and the web interface to search and review the issues."
  • "In terms of what could be improved, we need more strategic analysis reports, not just for one specific application, but for the whole enterprise. In the next release, we need more reports and more analytic views for all the applications. There is no enterprise view in Fortify. I would like enterprise views and reports."

What is our primary use case?

I use it for SAST, security analysis static code.

What is most valuable?

The features that I have found most valuable include its security scan, the vulnerability finds, and the web interface to search and review the issues.

What needs improvement?

In terms of what could be improved, we need more strategic analysis reports, not just for one specific application, but for the whole enterprise.

In the next release, we need more reports and more analytic views for all the  applications. There is no enterprise view in Fortify. I would like enterprise views and reports.

For how long have I used the solution?

I am using Micro Focus Fortify on Demand for one year.

What do I think about the stability of the solution?

It is very stable.

What do I think about the scalability of the solution?

It is scalable. Micro Focus Fortify on Demand requires a big hardware with a big processing capacity, but it is scalable.

How are customer service and support?

Their customer support is very good. I sometimes need it, and I get the answer quickly. They are very helpful.

How was the initial setup?

The initial setup is not so easy, but not so difficult. I would say it is medium difficulty.

What other advice do I have?

On a scale of one to ten, I would give Micro Focus Fortify on Demand an eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Information Security Engineer at a comms service provider with 501-1,000 employees
Real User
Provides a lower number of false positives and is reliable and easy to use
Pros and Cons
  • "The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives."
  • "Integration to CI/CD pipelines could be improved. The reporting format could be more user friendly so that it is easy to read."

What is our primary use case?

We use it for normal, daily source code reviews and code analysis.

What is most valuable?

The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives.

It is easy to install, and the cost is fair.

What needs improvement?

I would like to see easier integration to CI/CD pipelines. The reporting format could be more user friendly so that it is easy to read.

For how long have I used the solution?

I've been working with Micro Focus Fortify on Demand for three years.

What do I think about the stability of the solution?

There were some issues with it before, but I think they have been fixed now.

What do I think about the scalability of the solution?

There were several limitations when I was using it before, but I am sure that they have been fixed by now.

How are customer service and technical support?

My experience with technical support has been very good.

How was the initial setup?

The initial setup is straightforward and not that complex. We had some support from IT.

What's my experience with pricing, setup cost, and licensing?

The price is fair compared to that of other solutions.

What other advice do I have?

If you are looking for commercial tools, Micro Focus Fortify on Demand is one of the best tools. It has all the features compared to those of its competitors. It is also within budget, if you're really focusing on security.

I would rate it at eight on a scale from one to ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user506661 - PeerSpot reviewer
Senior Lead at a computer software company with 1,001-5,000 employees
Real User
Helps us identify security vulnerability earlier in the development.
Pros and Cons
  • "We identified a lot of security vulnerability much earlier in the development and could fix this well before the product was rolled out to a huge number of clients."
  • "The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there."

How has it helped my organization?

Security of our applications is a huge concern for everyone now. Using quality products like HPE’s Fortify helped us minimize issues raised by the clients. Therefore, customer satisfaction in terms of the security was high.

What is most valuable?

We identified a lot of security vulnerability much earlier in the development and could fix this well before the product was rolled out to a huge number of clients.

What needs improvement?

The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there. Also, the comments added on each issue were getting lost on multiple iterations of scans, which could be fixed.

How are customer service and technical support?

Technical support is very good. We had a few issues in the initial setup and the HPE team’s support was commendable.

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

How was the initial setup?

Initial setup was complex; we ran into lot of memory issues. The Visual Studio plugin was not responsive, either.

What about the implementation team?

An in-house team implemented it. Don’t use the Visual Studio plugin, unless your solution is really small. Otherwise, use the command line setup.

Which other solutions did I evaluate?

It’s a tool used at the enterprise level; hence, I did not have a chance to explore other options.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user399378 - PeerSpot reviewer
Director of Information Technology at a tech consulting company with 501-1,000 employees
Consultant
It enforces source-code scanning and finding vulnerabilities in source code. It would be nice if it could manage the false positives better.

Valuable Features

It enforces source-code scanning, finding vulnerabilities in source code.

Improvements to My Organization

We're able to find vulnerabilities and weaknesses actually posting to site. We can get to these issues in our staging areas for active data and for verifying user vulnerabilities. It helps the development cycle in that we don't need other people involved in the scans. We're doing pre-scans and then getting other teams involved.

Room for Improvement

There are a lot of false positives and there's not a good way to manage them. They appear after every scan, and it would be nice to have them marked out so that we don't see them.

Deployment Issues

We've had no issues with deployment.

Stability Issues

Stability could use a little improvement as we've had some issues. It runs out of memory sometimes and uses a lot of resources. Sometimes the scans don't work.

Scalability Issues

For code scans, company size doesn't really matter so much as the size of the code. It works well with the code scans we're running. Our lines of code aren't as huge as other applications we build, and it doesn't support every type of our applications, which are primarily .NET and HPE apps.

Customer Service and Technical Support

Technical support isn't top-notch, but it's not bad. It's just average. They take a while to resolve issues.

Initial Setup

The initial setup was pretty easy and straightforward.

Other Advice

Find the solution that works best for your environment, using the group concept to try them all. Then determine which is best for you.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.
Updated: December 2024
Buyer's Guide
Download our free Fortify on Demand Report and get advice and tips from experienced pros sharing their opinions.