Fortify on Demand Reviews

The security of our consumer-facing web sites is better.

The quality of application security testing reduces risk and gives very few false positives.

New technologies and DevOps could be improved. Fortify on Demand can be slow (slower than other vendors) to support new technologies or new software versions. DevOps requires very fast turnaround and I’m not sure HPE Fortify on Demand can do that, although they have a new product in beta for that.

We did not have stability issues.

We did not have scalability issues.

Technical support is very good.

We didn’t have a previous solution.

Setup was not complex, although given our size it was a challenge.

Drive a hard bargain.

We evaluated IBM and Veracode.

Go with the SaaS product.

I use it for SAST, security analysis static code.

The features that I have found most valuable include its security scan, the vulnerability finds, and the web interface to search and review the issues.

In terms of what could be improved, we need more strategic analysis reports, not just for one specific application, but for the whole enterprise.

In the next release, we need more reports and more analytic views for all the  applications. There is no enterprise view in Fortify. I would like enterprise views and reports.

I am using Micro Focus Fortify on Demand for one year.

It is very stable.

It is scalable. Micro Focus Fortify on Demand requires a big hardware with a big processing capacity, but it is scalable.

Their customer support is very good. I sometimes need it, and I get the answer quickly. They are very helpful.

The initial setup is not so easy, but not so difficult. I would say it is medium difficulty.

On a scale of one to ten, I would give Micro Focus Fortify on Demand an eight.

We use it for normal, daily source code reviews and code analysis.

The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives.

It is easy to install, and the cost is fair.

I would like to see easier integration to CI/CD pipelines. The reporting format could be more user friendly so that it is easy to read.

I've been working with Micro Focus Fortify on Demand for three years.

There were some issues with it before, but I think they have been fixed now.

There were several limitations when I was using it before, but I am sure that they have been fixed by now.

My experience with technical support has been very good.

The initial setup is straightforward and not that complex. We had some support from IT.

The price is fair compared to that of other solutions.

If you are looking for commercial tools, Micro Focus Fortify on Demand is one of the best tools. It has all the features compared to those of its competitors. It is also within budget, if you're really focusing on security.

I would rate it at eight on a scale from one to ten.

We previously used it for static and dynamic scans, but now we use it only for dynamic scans.

We have close to 85 products in-house, so we run a lot of scans.

We are using lost programming languages, because we have a lot of product development going on because we have a product-based company. Fortify helps us to stay updated with the newest languages and versions coming out. We can run our scans on a timely basis.

We can run our scans properly on it. It improves future security scans.

Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues.

We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days.

There are no stability issues. Though, we would like the scans to run faster.

We have no scaling issues.

Tech support has been a great help. They always respond to us in a timely manner.

Whenever we contact support, they assist us in running our scans.

We did not have another solution before. We tried other solutions, but they were not as good as Fortify.

I was not involved in the initial implementation.

The pricing is expensive.

Currently, Checkmarx offers us a graphically, revised run.

The solution simply identifies any security flaws that any of our applications might have.

This identification provides us an advantage in that the service itself works to stay abreast and knowledgeable about emerging threats. Rather than have a security team dedicated to that effort, we don’t have to deal with that in a time consuming, direct manner. We don't need to have these skills in-house.

I find that while it does find a lot of legitimate threats, it tends to have a lot of false positives, and there are more false positives than I would like to see. It flags threats that sometimes are not, and when we have to investigate that it takes time. If they could improve the intelligence then I think it could really help the system function more efficiently. The dynamic time scan takes about seven days, and this could be a bit quicker. We like to incorporate the scan into every build cycle and if we have to wait for a seven day business cycle it has to go into our scheduling. If that could be improved there would be a lot of happy people.

It predates my employment; I’m certain we signed up in 2013 – roughly three years ago.

We have had no issues with the deployment.

I would say it’s fairly stable. It’s a web application so of course there are browser hiccups but I would give it a high score for stability. Once in a while there is a page refresh, but nothing major.

We have four applications and we’ve been able to get them all in there, I don’t see it having a limit.

Customer service has been good once we get attention, which comes back to the false positive issue.

Sometimes the results need clarifications. They could be a bit more responsive as once we get someone the interactions have been good and helpful.

This was our first foray into a hosted service.

The deployment was super easy as the interface is straightforward. It was almost too easy.

If you haven’t run any formal scan be prepared for it to come back and be a bit scary.

Fortify on Demand is primarily used in DevSecOps in a banking environment.

Fortify on Demand could be improved with support in Russia.

I've been working with Fortify on Demand for two years.

Fortify on Demand is stable.

Fortify on Demand can be scaled very easily.

Deployment takes between four to six months.

We use an in-house team.

Fortify on Demand is affordable, and its licensing comes with a year of support.

I would give Fortify on Demand a rating of nine out of ten.

Security of our applications is a huge concern for everyone now. Using quality products like HPE’s Fortify helped us minimize issues raised by the clients. Therefore, customer satisfaction in terms of the security was high.

We identified a lot of security vulnerability much earlier in the development and could fix this well before the product was rolled out to a huge number of clients.

The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there. Also, the comments added on each issue were getting lost on multiple iterations of scans, which could be fixed.

Technical support is very good. We had a few issues in the initial setup and the HPE team’s support was commendable.

I did not previously use a different solution.

Initial setup was complex; we ran into lot of memory issues. The Visual Studio plugin was not responsive, either.

An in-house team implemented it. Don’t use the Visual Studio plugin, unless your solution is really small. Otherwise, use the command line setup.

It’s a tool used at the enterprise level; hence, I did not have a chance to explore other options.

It's saved us a lot of time as we focus primarily on security consultancy work rather than tool operational work.

Also, the features SAST, DAST, Dashboard/Reports, Fortify on Demand Portal and Vulnerability Tracking, have all helped with our work.

Finally, it's reduced operational costs as we minimized security incidents and ensured all vulnerabilities are remediated during the development lifecycle.

The results it provides are more than 95% accurate, helping us to focus on the right things first.

Our new software procurement process benefited as well as we use this as a central control to provide security assurance and evaluate the quality of our deliverables.

Its ease-of-use has influenced developer behavior and enabled them to follow security principles.

It would be useful if they could integrate secure design reviews, security user stories in Fortify on Demand Portal, and also look for possible options to get just one view of risks for given services (Covering Application, Infrastructure, Pen. Test, etc.).

I’ve used it since 2010.

We've had no issues with deployment.

It’s a very stable product. We've had no issues with instability.

It’s scaled for our needs. We've had no issues with un-scalability.

Customer service is excellent.

The technical support is very good.

We've used various other tools, including the Fortify on-premise solution. We chose Fortify on Demand as it is cost effective, scalable, easy to deploy, and helps us to manage our vulnerabilities centrally.

The initial setup was very easy and straightforward. We were able to roll out this service to all our business units.

We performed the installation in-house.

There is no setup cost as it is an on-demand solution. However, if there is any firewall change required for an internal application, we would need to raise that from our end.

We considered SonarQube, MSFox, and CodeInspect.

Fully utilize this product and its feature as it covers almost everything required for software security assurance.