For someone considering Fortify Static Code Analyzer, I'd recommend checking other options like Checkmarx, as it might be a better fit depending on their use case. Overall, I would rate the product a five out of ten.
Fortify Static Code Analyzer has been a valuable tool for our organization's security efforts. However, organizations should be prepared to invest time and resources in managing and upgrading the solution to maximize its effectiveness.
I haven't customized many rules, but some customizations that have been applied have been particularly useful in our pipeline. For instance, if our application is found to be very vulnerable, we don't proceed with deployment. We utilize static analysis, and the pipeline is halted until the vulnerabilities are addressed. Similarly, I've applied this approach in Fortify Static Code Analyzer and Checkmarx SCA to stop the execution pipeline for highly vulnerable applications. I utilize validation in the code to manage false positives in the results. In this case, the application helps identify false positives, and I spend extra time validating them. I would recommend Fortify Static Code Analyzer for .NET applications and not for Python ones. I rate it an eight out of ten.
I would rate Fortify Static Code Analyzer a seven out of ten. Since we started the integration of Fortify Static Code Analyzer from the beginning, it has not yet significantly freed up the time of our security team. However, it has helped make the process more efficient, and the integration is still in progress. Organizations that are still using manual methods to find vulnerabilities should try Fortify Static Code Analyzer. If it is within their budget, Fortify Static Code Analyzer will work well for them. We utilize the Fortify Static Code Analyzer across various locations and projects, making it the go-to tool for security analysis in most of our development initiatives. We are a large corporation with high traffic. For larger platforms with strong automation needs, I recommend Fortify Static Code Analyzer.
I do not use the open-source components of Fortify. However, we use other tools for open-source stuff. I'd advise people who are still using manual methods to find vulnerabilities to adopt some sort of scanner to cut the time spent by 100%. I'd rate the solution ten out of ten. I would advise other potential users that you need to make sure your source code can work with Fortify.
To someone whose company is still using manual methods to find vulnerabilities, I would say that when you automate it, you control it. You give more power to people, especially from a security point of view. I would recommend Fortify SAST if you have money and multiple teams. It is useful for multiple teams, but for a small company with one team of two to three people, I would not recommend it. If you have a big community with many organizations and many development teams, it is worth it. Overall, I would rate Fortify SAST an eight out of ten.
Learn what your peers think about Fortify Static Code Analyzer. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
Vice President Application Security North America at BNP Paribas
Real User
Top 5
Aug 25, 2023
Fortify SAST is a valuable tool for organizations committed to ensuring the security of their software applications. It helps prevent security vulnerabilities from making their way into production code, reducing the risk of data breaches and other security incidents. However, the effectiveness of Fortify SAST depends on proper configuration, rule selection, and integration into the development process. I would rate the overall solution an eight out of ten.
This is an excellent product, but it is not for the faint of heart. You will need to be willing to learn and take the time to get to grips with how it works. I like it compared to some of the other static code analyzers that I've used in the past. I would rate this solution a nine out of ten.
Senior Architect at a healthcare company with 10,001+ employees
Real User
Apr 10, 2022
We are looking for a different solution. My advice for others is to look for other solutions before you choose Fortify Static Code Analyzer. I rate Fortify Static Code Analyzer an eight out of ten.
I'm not sure which version of the solution we're using. I can't recall the exact version number off-hand. I deal with the DevOps engineers. We usually go for items that are cost-effective. If you've got the money for the license, then it's definitely a good solution to have. We have it at a higher-level platform; however, I only use it at a certain level for our development environment. I'd rate the solution at a nine out of ten. It's a great product; however, it's a bit expensive.
I would advise others to definitely do their homework in planning. It is not something where you just open the box and go. There needs to be some foresight, some planning, and a lot of input from various stakeholders. You have got to talk to your infrastructure team and make sure that you have suitable hardware for this in order for it to perform at its peak. I would rate Fortify Static Code Analyzer an eight out of ten.
Fortify Static Code Analyzer (SCA) utilizes numerous algorithms in addition to a dynamic intelligence base of secure coding protocols to investigate an application’s source code for any potential risk of malicious or dangerous threats. Additionally, the solution will prioritize the most critical concerns and give direction on how users can repair those concerns. This solution researches each and every potential route that workflow and data can travel to discover and repair all possible...