As an expert, a lot of what I've seen in the tool is to use the principle of defense in depth, because that is the objective of Application Security, Fortify. Customers often need to look at their current security architecture, security gateways, rules, and policies. The best way to utilize Fortify is to shift left: to use all of the tools and plugins that Fortify has throughout the SDLC process, to use the IDE tools, including the board tools, and to use all of these respective tools together. And to shift left is to start from the IDE perspective, before source code even goes into production, before it even reaches a build environment. It is to reduce bug densities by shifting left. Use Fortify to get your bug densities and your security or your attack surfaces reduced by shifting left from inception, before the code is even written. They can scrutinize, go into Fortify tools, analyze them, and progressively test your code using all the tools that Fortify provides. A lot of customers already use their own tools and their own third-party tools. It's best to use one security architecture. So, for instance, rather than use Fortify with Brakeman and RASP, use the Fortify suite of tools as your one architecture instead of using several third-party tools. It's always good to centralize your security architecture and use one architecture for your entire security posture instead of using different tools. Fortify has all the capabilities to centralize your security attack methodology. So, your attack surface comes from different perspectives. It comes from an open-source code perspective. So you've got open-source code. You have proprietary code. You have repositories. You have different places where your code is, even in Azure. We even have a plugin for Azure. The point is to use all of the capabilities of Fortify as your central tool instead of using disparate tools that do not integrate with Fortify, that do not work with Fortify.
It's always good to have one solid architecture as opposed to multiple disjointed tools. Overall, I would rate it a ten out of ten. I've used several technologies and tools, even open-source or free tools, over the last fifteen years. In my opinion, from the perspective of the many tools used and other competitors, I have found Fortify to be the most reliable. They kind of align with my principles and the principles of cybersecurity specialists with defense in depth and shifting left, because those are very important principles to me, and also confidentiality, integrity, and availability. They align with all of those pillars and building blocks of cybersecurity.
I rate the platform's accuracy for detecting vulnerabilities an eight and a half out of ten. By utilizing Fortify as a comprehensive security testing tool, financial institutions operating at high-security levels gain confidence in the security posture of their applications. It helps deploy and track changes easily as per time-to-time market upgrades. I advise new users to learn about new features introduced in the last two years. I rate it a nine out of ten.
Test Lead at a financial services firm with 10,001+ employees
Real User
Top 5
2023-10-31T10:42:24Z
Oct 31, 2023
With over 12 years in application security, I've consistently observed the adoption of Fortify in major organizations like Cognizant, Barclays, and Credit Suisse. Across large banks in Europe, Fortify has established a reputation for reliability and effectiveness. Drawing on my experience, I am confident that organizations with clear problem statements and no budget constraints will find Fortify to be a comprehensive solution. Its technical capabilities and features align well with the diverse needs of large organizations in the banking sector. Overall, I would rate it ten out of ten.
Independent Professional at Studio Dott. Ing. Angelo Quaglia
Real User
Top 5
2023-08-11T11:25:34Z
Aug 11, 2023
My organization has been using the solution for at least four years. I don’t deal with technical support directly. I would recommend the solution to others. We are dealing with some issues with the report. The reports might be meaningful, but they sometimes do not match the situation. We cannot really deal with them. We don't know if they are false positives or if they're simply not relevant because they concern vulnerabilities in the development cycle and not in the production operations. It is sort of a mystery. Overall, I rate the tool an eight out of ten.
Fortify has excellent support for various programming languages. Each bank may have its own core banking applications with proprietary support for different programming languages. This makes Fortify particularly relevant and advantageous in those cases. This advantage may not be present in SonarQube. Additionally, if a feature is not offered out of the box, Fortify allows customization, providing flexibility. Apart from dynamic security testing, Fortify is reliable for generating and distributing v-scan reports to multiple stakeholders, making it less of a hassle for the CAC team as most tasks are automated. I would rate Fortify on Demand as an eight.
Cloud Architecture Head at PagoNxt Merchant Solutions S.L.
Real User
Top 5
2023-05-11T11:17:05Z
May 11, 2023
Whether or not this solution will be useful depends on the maturity of your organization. If you understand what all the messages and the analysis mean, and you can usefully react to it then I think you should absolutely use it. If you're still working out these things, you should probably first go through some learning process and start with some simpler tooling that gives you some insights. The challenge is always how to make things actionable and that is lacking to some extent. If, for example, there is something that depends on scans for vulnerability for all your dependencies and just pulls requests for you, Fortify doesn't action anything. It leaves all the actioning things to you so in a sense, it creates more work for the developers, but it doesn't help them to do the work. We're not happy with the solution as a process because of the way it's internally implemented in the bank. On the other hand, the features are quite good so I would rate that aspect higher. On average, I rate this solution seven out of 10.
If you're a beginner, give Fortify a go. If you're a professional, it might be worth looking at other tools because Fortify does have limitations when it comes to scalability and executable codes.
Micro Focus Fortify on Demand is a very easy-to-use solution. You don't need some technical staff. It's very easy to implement and use the application. I don't require assistance; I only have my advisories that are users. I rate Micro Focus Fortify on Demand a nine out of ten.
I rate Micro Focus Fortify on Demand. This is a good solution for doing static analysis. There is also a dynamic component, but we haven't used it because we are unsure how flexible it is. We are using it only for static scanning.
I rate Micro Focus Fortify on Demand eight out of 10. It's a great product, and I recommend it. You should deploy it as part of the TechOps implementation.
I would rate this solution 7 out of 10. I recommend Fortify, but I need more documentation, especially in integration with CI tools like GitLab and Jenkins. The reporting from Fortify to Jenkins or for GitLab needs to be clarified in documentation.
I would recommend Micro Focus Fortify on Demand to others. I rate Micro Focus Fortify on Demand a seven out of ten. The reason why I've rated the solution a seven is because there are other solutions, such as Contrast Security, which are further developing in IS, and some better technology with current scalability or in the security software area.
R&D at a tech services company with 51-200 employees
Real User
2022-01-04T21:41:00Z
Jan 4, 2022
My advice to others is if you choose Micro Focus Fortify on Demand, it's very simple to use. If they choose the on-premise version for the static code, they will need a person to manage it to be sure that it's integrated with all the pipelines that they developed. I rate Micro Focus Fortify on Demand a seven out of ten.
Micro Focus Fortify on Demand is a nice tool for security tests because security is important in today's world. DevOps is not the only solution we have to think of; there is DevSecOps. Fortify is helping us to scan our code at the very beginning of the SDLC. I would recommend this solution to any other security tool because when we compared other tools Fortify worked well for us. I rate Micro Focus Fortify on Demand a seven out of ten.
If somebody wants to shift left or integrate security early on in the CI/CD pipeline from a DevOps standpoint, this is probably one of the best tools available. I would rate Micro Focus Fortify on Demand a nine out of 10. There are three areas for improvement. Once they improve it in those areas, then it would be 10 out of 10.
Information Security Engineer at a comms service provider with 501-1,000 employees
Real User
2021-05-08T09:55:10Z
May 8, 2021
If you are looking for commercial tools, Micro Focus Fortify on Demand is one of the best tools. It has all the features compared to those of its competitors. It is also within budget, if you're really focusing on security. I would rate it at eight on a scale from one to ten.
Principal Solutions Architect at a security firm with 11-50 employees
Real User
2021-03-24T06:34:27Z
Mar 24, 2021
It seems like a better scanner than the other ones that we support, but there are some other products such as Prisma that seem more polished and have tighter integration with different types of scanners. Whether they've acquired different scanners or built them themselves, they do seem like a cohesive product, whereas Fortify seems a little bit more like a collection of several different products. I would rate Micro Focus Fortify on Demand a seven out of ten.
We're just a customer and we offer consulting services. We are bringing up all the infrastructure inside GCP. It's not ready yet, and we're still implementing it. We're going to bring it up next week, probably, in terms of the infrastructure. We'll perform the SSC installation, install the controller and sensors. The most important thing a company needs to do is to pay attention to the license calculation. They need to know how many licenses are going to be used. They need to understand the Micro Focus offer. That way, you won't be charged if you have surpassed the application limit. This is very important. That's something we faced in the past that caused a lot of problems. We needed to estimate the sizing of the infrastructure correctly. Doing that will bring value to the builds and deployments. Otherwise, you're going to spend a lot of time doing the scanning, and the developers will be very mad. I'd rate the solution ten out of ten. It's the best on the market for me.
For us, Fortify on Demand is a good quality product that I can recommend for a few reasons, including:
* Very useful source code review and vulnerability detection.
* Clear and easy-to-read test results and reports.
* Good integration with other platforms during development.
I would rate Fortify on Demand a nine out of ten.
Security Systems Analyst at a retailer with 5,001-10,000 employees
Real User
2020-12-06T06:23:06Z
Dec 6, 2020
We plan to keep using this solution. Every year, we seem to have more and more code, and they add more and more features such as third-party library assessments, etc. Open source has become a big thing as companies try and save money, but with open source comes additional risk. This solution helps us mitigate the risk of those open-source components. So, we're using this more and more as we move forward. The important part of this is automation. There are lots of automation options for this tool. Initially, trying to do it manually was a great start, but we kind of got lost a little bit along the way of implementing it. We should have done more automation right from the beginning, made it our standard, and created the policies. Sometimes, you put the cart before the horse. The tool does a great job, and you get lost in the results. It does provide good results and good information, but I think it's very important to have those policies and procedures in place right up front with this product. It will save you a lot of time in the end. The biggest lesson that I have learned from using this product is that even if you have the best people, there are always vulnerabilities and things that will surprise you. I would rate Micro Focus Fortify on Demand a nine out of ten.
Project Analyst at a financial services firm with 1,001-5,000 employees
Real User
2020-10-30T08:22:22Z
Oct 30, 2020
It is a great solution. It is cost-effective for a secure development process. If an enterprise wants to adopt the DevOps process, Micro Focus Fortify on Demand is a great starting point. I would rate Micro Focus Fortify on Demand a nine out of ten.
You can choose this product for sure with a lot of confidence. It entirely depends on how you are exploring the stuff and trying to integrate it. Designing has to be good. It has all the features, but exploring the features and using it as per your need is important. It is not that features are not there. You just need to explore them and know how to use them. I would rate Micro Focus Fortify on Demand an eight out of ten. It is a good product. However, it needs improvements from the security aspect and from the aspect of integrations with other popular tools in the market.
Production Manager for Nearshore SWaT at GFI Portugal
Real User
Top 20
2020-08-23T08:17:00Z
Aug 23, 2020
Before using it, evaluate other possibilities because it's quite expensive if you don't have the need to use it. For example, replace it with SonarQube or another competitor's tool that may not do quite the same thing, but it is enough for what you want for your objectives. It could be a cheaper way to get to those goals. I would rate Micro Focus Fortify on Demand a seven out of ten. Improvement in pricing would be the biggest thing that would improve the scoring.
Sr. Enterprise Architect at a financial services firm with 5,001-10,000 employees
Real User
2020-01-12T12:03:00Z
Jan 12, 2020
My advice to anybody who is considering this solution is to first get buy-in from the entire organization about adopting a culture of Security by design. Fortify on Demand can scan your code, but you need to have plans in place for what needs to be done when problems are identified. It may mean that things will have to change with regards to how code is being written. It may also require integration with other platforms. You can't just start scanning without first understanding what the security architecture is. You need to understand the vulnerabilities and all of the standards, as well. Essentially, I would recommend a security design overhaul. I would rate this solution an eight out of ten.
Vice President - Solution Architecture at a financial services firm with 10,001+ employees
Real User
2020-01-12T12:02:00Z
Jan 12, 2020
Fortify on Demand is a product that I recommend, but the suitability of this solution depends on exactly what the requirements are. Every product has a unique feature as well as limitations with respect to what it can and cannot do. What it comes down to is how the application is built, as well as the technology stack. The licensing costs are also something that needs to be considered. Overall, it is a very good tool and it works well for what it is designed for. I would rate this solution a seven out of ten.
Chief Executive & Certified Security Administrator at Boch Systems Company Limited
Reseller
2020-01-07T06:27:00Z
Jan 7, 2020
I would definitely recommend Micro Focus Fortify any day for clients who are looking for a good security solution. On a scale from one to ten where one is the worst and ten is the best, I would rate Micro Focus Fortify on Demand as a nine out of ten.
Senior Application Security Analyst at a financial services firm with 10,001+ employees
Real User
2019-08-19T05:47:00Z
Aug 19, 2019
We use the cloud deployment model of the solution. Whether or not you decide to implement the solution depends on the use case. It depends on if the user has a big application or multiple lines of code which need to be scanned. New users need to do a POC so they can investigate if this tool fits in their company or their enterprise before they begin implementation. Everyone should do a comparison before implementing or doing the rollout of any security tool. I would rate the solution seven out of ten.
I would advise others not to use Fortify, but rather get something like Veracode or Checkmarx. The most important thing is not the functionality of the product. The most important thing is the knowledge, support, and availability of the team of security specialists as a vendor, that you have somebody to work with and talk to. Everybody's website is different, and if you try to use the product out of the box the way they built it and you have nobody to talk to to figure out how to tweak your application or the product to reduce the noise and the false positives, it becomes literally useless. So I would not advise anybody to go to Fortify based on the fact that they really don't have a very forthcoming support team and availability. Could be the other options would provide professional services, but that's not the point. The point is that if you want to pick up the phone and send them an email, open a ticket saying that, "This is a false positive," somebody should get back to you. So I don't think that Fortify's a viable option still these days based on the fact of where they sit and how they operate. I would rate the product a four out of ten. It works. The reason why I give it a four is because of the limitations of the product to understand the dynamics of our website and the number of things that are not working smoothly due to the fact that our website is complex.
Today's security has become so complex that you cannot be completely dependent on one tool. What I have learned is that you should have multiple tools. Now, with different areas coming into space, all of these tools have to co-exist. Making the right choice of a tool is really important. A solution must have ease of use. If it becomes too difficult to install, configure, or learn the scan, then the add option becomes a challenge.
Enterprise Systems Analyst at a manufacturing company with 10,001+ employees
Real User
2018-08-14T07:42:00Z
Aug 14, 2018
Understand what you want to get out of it and be sure to fully understand what you will be paying per scan if you go for the subscription model. As I said, having to scan hundreds or thousands of apps using that subscription model and doing that several times a week, or several times a day, may increase your costs. That might be something that you need to look at. I rate it at nine out of 10. It's not a 10 because of the cost model (it's a bit pricey) and the slowness (it could be a little bit faster). I understand the reasons why, but you just need to be aware before you start using it that the local scan won't be as fast as the static code scan.
Fortify on Demand is a web application security testing tool that enables continuous monitoring. The solution is designed to help you with security testing, vulnerability management and tailored expertise, and is able to provide the support needed to easily create, supplement, and expand a software security assurance program without the need for additional infrastructure or resources.
Fortify on Demand Features
Fortify on Demand has many valuable key features. Some of the most useful ones...
I rate the tool a six out of ten.
We use Burp Suite for dynamic code analysis. Fortify on Demand is a good tool for static code analysis. I rate it a nine out of ten.
Overall, I'd rate it a nine out of ten. We are very satisfied with it.
I give the solution a nine out of ten. I recommend the solution to others and I am totally satisfied with it.
I would rate Fortify on Demand nine out of ten.
I would give Fortify on Demand a rating of nine out of ten.
I would recommend the solution to others. I rate Micro Focus Fortify on Demand a nine out of ten.
On a scale from one to ten, I would rate Micro Focus Fortify on Demand at five because we get better scan results from other tools.
On a scale of one to ten, I would give Micro Focus Fortify on Demand an eight.
I rate Micro Focus Fortify on Demand a six out of ten.
On a scale from one to ten, I'll give it an eight.
It is a great solution. It is cost-effective for a secure development process. If an enterprise wants to adopt the DevOps process, Micro Focus Fortify on Demand is a great starting point. I would rate Micro Focus Fortify on Demand a nine out of ten.
You can choose this product for sure with a lot of confidence. It entirely depends on how you are exploring the stuff and trying to integrate it. Designing has to be good. It has all the features, but exploring the features and using it as per your need is important. It is not that features are not there. You just need to explore them and know how to use them. I would rate Micro Focus Fortify on Demand an eight out of ten. It is a good product. However, it needs improvements from the security aspect and from the aspect of integrations with other popular tools in the market.
Before using it, evaluate other possibilities because it's quite expensive if you don't have the need to use it. For example, replace it with SonarQube or another competitor's tool that may not do quite the same thing, but it is enough for what you want for your objectives. It could be a cheaper way to get to those goals. I would rate Micro Focus Fortify on Demand a seven out of ten. Improvement in pricing would be the biggest thing that would improve the scoring.
My advice to anybody who is considering this solution is to first get buy-in from the entire organization about adopting a culture of Security by design. Fortify on Demand can scan your code, but you need to have plans in place for what needs to be done when problems are identified. It may mean that things will have to change with regards to how code is being written. It may also require integration with other platforms. You can't just start scanning without first understanding what the security architecture is. You need to understand the vulnerabilities and all of the standards, as well. Essentially, I would recommend a security design overhaul. I would rate this solution an eight out of ten.
Fortify on Demand is a product that I recommend, but the suitability of this solution depends on exactly what the requirements are. Every product has unique features as well as limitations with respect to what it can and cannot do. What it comes down to is how the application is built, as well as the technology stack. The licensing costs are also something that needs to be considered. Overall, it is a very good tool and it works well for what it is designed for. I would rate this solution a seven out of ten.
I would definitely recommend Micro Focus Fortify any day for clients who are looking for a good security solution. On a scale from one to ten where one is the worst and ten is the best, I would rate Micro Focus Fortify on Demand as a nine out of ten.
We use the cloud deployment model of the solution. Whether or not you decide to implement the solution depends on the use case. It depends on whether the user has a big application or multiple lines of code which need to be scanned. New users need to do a POC so they can investigate if this tool fits in their company or their enterprise before they begin implementation. Everyone should do a comparison before implementing or doing the rollout of any security tool. I would rate the solution seven out of ten.
This solution works, so I suggest using it. I would rate this solution an eight out of ten.
I would advise others not to use Fortify, but rather to get something like Veracode or Checkmarx. The most important thing is not the functionality of the product. The most important thing is the knowledge, support, and availability of the vendor's team of security specialists, so that you have somebody to work with and talk to. Everybody's website is different, and if you try to use the product out of the box the way they built it and you have nobody to talk to in order to figure out how to tweak your application or the product to reduce the noise and the false positives, it becomes literally useless. So I would not advise anybody to go to Fortify, based on the fact that they really don't have a very forthcoming support team and availability. It could be that the other options would provide professional services, but that's not the point. The point is that if you want to pick up the phone, send them an email, or open a ticket saying, "This is a false positive," somebody should get back to you. So I don't think that Fortify is still a viable option these days, based on where they sit and how they operate. I would rate the product a four out of ten. It works. The reason why I give it a four is because of the limitations of the product in understanding the dynamics of our website and the number of things that are not working smoothly due to the fact that our website is complex.
Today's security has become so complex that you cannot be completely dependent on one tool. What I have learned is that you should have multiple tools. Now, with different areas coming into the space, all of these tools have to co-exist. Making the right choice of tool is really important. A solution must have ease of use. If it becomes too difficult to install, configure, and learn the scan, then adoption becomes a challenge.
Understand what you want to get out of it and be sure to fully understand what you will be paying per scan if you go for the subscription model. As I said, having to scan hundreds or thousands of apps using that subscription model and doing that several times a week, or several times a day, may increase your costs. That might be something that you need to look at. I rate it at nine out of 10. It's not a 10 because of the cost model, which is a bit pricey, and the slowness; it could be a little bit faster. I understand the reasons why, but you just need to be aware before you start using it that the local scan won't be as fast as the static code scan.