False positives need improvement in the future. Fortify's vulnerability remediation guidance helps improve code security, but I think they need to improve the focus of the solution, as it still Contains many bugs and needs a thorough review.
The product could be improved by upgrading and compatibility with databases such as MySQL. Streamlining the upgrade process and enhancing compatibility would make it easier for us to keep our security tools up-to-date. Enhancing integration with ticket management systems like Jira in the next release would facilitate issue tracking and resolution.
Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize. It throws everything at us at once, which can be overwhelming. While it's not a major issue, I'd like to see it focus on critical vulnerabilities and highlight them upfront. Furthermore, categorizing critical vulnerabilities by platform-specific vulnerabilities and relevance to supported features would be incredibly beneficial. While Fortify Static Code Analyzer has some merit, I believe it still has significant room for improvement. We have encountered a high number of false positives, which has been a major obstacle and resource drain.
One downside to it is that it is costly. I can see it only for enterprises. I cannot see it for small businesses or for individual use. The configuration part is a little bit tricky. There is a learning curve there because it has multiple components. If someone has used another type of scanner, they would not think of the configuration intuitively. The configuration part can be better. Installation is straightforward, but the configuration can be better. It can be improved. There is a learning curve. Before we started using this tool, I did a lot of sessions with the vendors themselves to give an overview to the people. I also did a small documentation on how to install it because there are many components here and there. You need to understand how everything is put together. They can integrate it or make it a simpler process. During the short experience that we have had with it, we have noticed that some of the languages such as JavaScript and TypeScript consume high resources. They take a longer time to scan. Memory consumption is also very high for those languages. We are working with Fortify to find ways to optimize the scan. I noticed this with these types of languages. By nature, they take time. It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier. For integration with IDEs, they have so many plugins. For example, they have something called security analysis, and they have something called remediation. As a user, I would love to have them as one. Why should we have two plugins in the same IDE? Just give me one plugin that I can hook to the tool and use it. This is one thing. Some of the features in these plugins also need more testing. They are not consistent across all the IDEs. From what I saw, there are different options in these tools. For example, if you install it with IntelliJ, it will be different from VS Code. Some options are different, or one tool has more options than others. They can invest more in making them consistent.
Learn what your peers think about Fortify Static Code Analyzer. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
Vice President Application Security North America at BNP Paribas
Real User
Top 5
2023-08-25T20:10:00Z
Aug 25, 2023
The generation of false positives should be reduced. Although it provides mechanisms to help reduce false positives, ensuring that the reported vulnerabilities are genuine security concerns.
The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit. CyberRes is a partner I rely on as a first resource if I can't find the answer I need in documentation on Google. The information directly from Fortify is limited.
Senior Architect at a healthcare company with 10,001+ employees
Real User
2022-04-10T11:12:13Z
Apr 10, 2022
Fortify Static Code Analyzer is a good solution, but sometimes we receive false positives. If they could reduce the number of false positives it would be good. The solution could be more user-friendly. You have the CLI for business people sometimes, we are not able to give a good overview. Generally, the business people you choose would want to see the dashboard.
We use several other tools. We also use SonarQube. If one tool does not meet our requirements, I kind of implement another. We actually use SonarQube and Fortify together as the tools that we use to do the static code and dynamic testing, and also for security. You combine various tools in a pipeline to verify the code. Basically, it's not necessarily a standalone solution. You need to work with others to get what you need. It comes with a hefty licensing fee. We get around it by leveraging SonarQube, which is free. We're trying to get plugins now for SonarQube to match what Fortify could do. It would be ideal if it also had some sort of open-source version we could use.
I know the areas that they are trying to improve on. They've been getting feedback for several years. There are two main points. The first thing is keeping current with static code languages. I know it is difficult because code languages pop up all the time or there are new variants, but it is something that Fortify needs to put a better focus on. They need to keep current with their language support. The second thing is a philosophical issue, and I don't know if they'll ever change it. They've done a decent job of putting tools in place to mitigate things, but static code analysis is inherently noisy. If you just take a tool out of the box and run a scan, you're going to get a lot of results back, and not all of those results are interesting or important, which is different for every organization. Currently, we get four to five errors on the side of tagging, and it notifies you of every tiny inconsistency. If the tool sees something that it doesn't know, it flags, which becomes work that has to be done afterward. Clients don't typically like it. There has got to be a way of prioritizing. There are a ton of filter options within Fortify, but the problem is that you've got to go through the crazy noisy scan once before you know which filters you need to put in place to get to the interesting stuff. I keep hearing from their product team that they're working on a way to do container or docker scanning. That's a huge market mover. A lot of people are interested in that right now, and it is relevant. That is definitely something that I'd love to see in the next version or two.
Fortify Static Code Analyzer (SCA) utilizes numerous algorithms in addition to a dynamic intelligence base of secure coding protocols to investigate an application’s source code for any potential risk of malicious or dangerous threats. Additionally, the solution will prioritize the most critical concerns and give direction on how users can repair those concerns. This solution researches each and every potential route that workflow and data can travel to discover and repair all possible...
False positives need improvement in the future. Fortify's vulnerability remediation guidance helps improve code security, but I think they need to improve the focus of the solution, as it still Contains many bugs and needs a thorough review.
The product could be improved by upgrading and compatibility with databases such as MySQL. Streamlining the upgrade process and enhancing compatibility would make it easier for us to keep our security tools up-to-date. Enhancing integration with ticket management systems like Jira in the next release would facilitate issue tracking and resolution.
The product shows false positives for Python applications.
Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize. It throws everything at us at once, which can be overwhelming. While it's not a major issue, I'd like to see it focus on critical vulnerabilities and highlight them upfront. Furthermore, categorizing critical vulnerabilities by platform-specific vulnerabilities and relevance to supported features would be incredibly beneficial. While Fortify Static Code Analyzer has some merit, I believe it still has significant room for improvement. We have encountered a high number of false positives, which has been a major obstacle and resource drain.
It would be nice if they had a version suitable for single developers that could be more cost-effective and maybe faster to learn.
One downside to it is that it is costly. I can see it only for enterprises. I cannot see it for small businesses or for individual use. The configuration part is a little bit tricky. There is a learning curve there because it has multiple components. If someone has used another type of scanner, they would not think of the configuration intuitively. The configuration part can be better. Installation is straightforward, but the configuration can be better. It can be improved. There is a learning curve. Before we started using this tool, I did a lot of sessions with the vendors themselves to give an overview to the people. I also did a small documentation on how to install it because there are many components here and there. You need to understand how everything is put together. They can integrate it or make it a simpler process. During the short experience that we have had with it, we have noticed that some of the languages such as JavaScript and TypeScript consume high resources. They take a longer time to scan. Memory consumption is also very high for those languages. We are working with Fortify to find ways to optimize the scan. I noticed this with these types of languages. By nature, they take time. It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier. For integration with IDEs, they have so many plugins. For example, they have something called security analysis, and they have something called remediation. As a user, I would love to have them as one. Why should we have two plugins in the same IDE? Just give me one plugin that I can hook to the tool and use it. This is one thing. Some of the features in these plugins also need more testing. They are not consistent across all the IDEs. From what I saw, there are different options in these tools. For example, if you install it with IntelliJ, it will be different from VS Code. Some options are different, or one tool has more options than others. They can invest more in making them consistent.
The generation of false positives should be reduced. Although it provides mechanisms to help reduce false positives, ensuring that the reported vulnerabilities are genuine security concerns.
The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit. CyberRes is a partner I rely on as a first resource if I can't find the answer I need in documentation on Google. The information directly from Fortify is limited.
Fortify Static Code Analyzer is a good solution, but sometimes we receive false positives. If they could reduce the number of false positives it would be good. The solution could be more user-friendly. You have the CLI for business people sometimes, we are not able to give a good overview. Generally, the business people you choose would want to see the dashboard.
We use several other tools. We also use SonarQube. If one tool does not meet our requirements, I kind of implement another. We actually use SonarQube and Fortify together as the tools that we use to do the static code and dynamic testing, and also for security. You combine various tools in a pipeline to verify the code. Basically, it's not necessarily a standalone solution. You need to work with others to get what you need. It comes with a hefty licensing fee. We get around it by leveraging SonarQube, which is free. We're trying to get plugins now for SonarQube to match what Fortify could do. It would be ideal if it also had some sort of open-source version we could use.
I know the areas that they are trying to improve on. They've been getting feedback for several years. There are two main points. The first thing is keeping current with static code languages. I know it is difficult because code languages pop up all the time or there are new variants, but it is something that Fortify needs to put a better focus on. They need to keep current with their language support. The second thing is a philosophical issue, and I don't know if they'll ever change it. They've done a decent job of putting tools in place to mitigate things, but static code analysis is inherently noisy. If you just take a tool out of the box and run a scan, you're going to get a lot of results back, and not all of those results are interesting or important, which is different for every organization. Currently, we get four to five errors on the side of tagging, and it notifies you of every tiny inconsistency. If the tool sees something that it doesn't know, it flags, which becomes work that has to be done afterward. Clients don't typically like it. There has got to be a way of prioritizing. There are a ton of filter options within Fortify, but the problem is that you've got to go through the crazy noisy scan once before you know which filters you need to put in place to get to the interesting stuff. I keep hearing from their product team that they're working on a way to do container or docker scanning. That's a huge market mover. A lot of people are interested in that right now, and it is relevant. That is definitely something that I'd love to see in the next version or two.