
    OpenText Core Application Security (Fortify)

    Sold by: OpenText 
    Deployed on AWS
    Build software resilience from a partner you can trust with application security as a service. Achieve all the advantages of security testing, vulnerability management, tailored expertise, and support without the need for additional infrastructure or resources.
    4.1

    Overview


    Fortify is the only application provider to offer static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), and mobile application testing (MAST) on demand so you can choose the solution that is right for your business. Our Application Security Testing solutions are best for organizations looking for software resilience for modern development from a partner they can trust.

    When Security Matters in DevOps

    Fortify integrates seamlessly into your existing development toolchain, giving you the highest-quality findings and remediation advice during every stage and creating more secure software. With Fortify, you don't need to trade quality of results for speed.

    Modern AppSec for your Cloud Transformation

    Whether your app is fully cloud-native or just beginning to modernize, Fortify has you covered every step of the way. Fortify is purpose-built to secure rapidly evolving technologies and architectures, with the flexibility to recognize that no two applications are the same, all backed by constantly evolving intelligence on new attack vectors.

    Evolve the security of your software supply chain

    Be confident in everything that goes into the applications you deliver to your customers and users by evolving the security of your software supply chain. Protect the integrity of your software and SDLC with precise identification, matching, and results from proprietary research data on custom code and third-party risks. With Fortify, trust the future of your software supply chain.

    Your trusted partner for enterprise-grade AppSec

    Make application security part of your organization's fabric as you scale from one to hundreds or even thousands of apps with a partner and ecosystem you can trust. Fortify delivers a holistic, inclusive and extensible platform that supports the breadth of your software portfolio and teams with a comprehensive suite of products and services that guide you throughout your journey.

    We have pre-packaged scan bundles listed. Different scanning services require different quantities of assessment units (AU). For more information, please visit https://www.microfocus.com/media/guide/fortify-on-demand-service-description.pdf. To request a private offer, please use this URL: http://www.microfocus.com/FOD_privateproposal

    Highlights

    • Static assessments detect over 1137 unique categories of vulnerabilities across 29 programming languages that span over 1 million individual APIs. CyberRes Fortify is Iron Bank approved and included in Platform One (P1) as part of the United States Department of Defense Enterprise DevSecOps initiative.
    • Automate security in the CI/CD pipeline with Swagger-supported RESTful APIs, GitHub repository support, and plugins for a large set of ecosystem partners offering DevOps, VSTS, and Jenkins.
    • First and leading application security as a service solution to be JAB authorized and FedRAMP certified. Fortify has been a Leader in the Gartner Magic Quadrant for application security testing for 8 consecutive years.

    Details

    Sold by: OpenText
    Delivery method: Deployed on AWS

    Pricing

    OpenText Core Application Security (Fortify)

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    12-month contract (12)

    Dimension       Description                                                Cost/12 months
    1 AU            Assessment Units (at least 4 and less than 99 quantity)    $996.00
    1 AU (>100)     100+ Assessment Units with Managed Support                 $864.00
    15 Static AU    15 Static Applications, Single Security Assessments        $14,190.00
    60 Static AU    15 Static Applications, Security Assessment Subscriptions  $54,360.00
    10 Mobile AU    10 Mobile Applications, Single Security Assessments        $9,960.00
    40 Mobile AU    10 Mobile Applications, Security Assessment Subscriptions  $37,840.00
    30 Dynamic AU   15 Dynamic Websites, Single Security Assessments           $28,380.00
    90 Dynamic AU   15 Dynamic Websites, Security Assessment Subscriptions     $81,540.00
    20 API AU       10 Dynamic APIs, Single Security Assessments               $18,920.00
    60 API AU       10 Dynamic APIs, Security Assessment Subscriptions         $54,360.00

    Vendor refund policy

    No Refunds

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    Vendor support

    Live Support via Chat, Email, Portal, and Digital Courseware: https://ams.fortify.com/contact-us, https://emea.fortify.com/contact-us

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Accolades

    • Top 100 in Testing
    • Top 10 in Testing
    • Top 50 in Agile Lifecycle Management

    Customer reviews

    Sentiment is AI generated from actual customer reviews on AWS and G2.
    Reviews: 4 reviews
    Functionality: Insufficient data
    Ease of use: Insufficient data
    Customer service: Insufficient data
    Cost effectiveness: (no data shown)

    Overview

    AI generated from product descriptions:

    • Static Application Security Testing: Detects over 1137 unique categories of vulnerabilities across 29 programming languages spanning over 1 million individual APIs.
    • Dynamic and Interactive Application Security Testing: Offers dynamic application security testing (DAST), interactive application security testing (IAST), and mobile application security testing (MAST) capabilities on demand.
    • CI/CD Pipeline Integration: Integrates into the development toolchain with Swagger-supported RESTful APIs, GitHub repository support, and plugins for DevOps, VSTS, and Jenkins ecosystem partners.
    • Software Supply Chain Security: Provides precise identification and matching of custom code and third-party risks using proprietary research data to protect software integrity and the SDLC.
    • Cloud-Native Application Support: Purpose-built to secure rapidly evolving cloud-native technologies and architectures, with the flexibility to adapt to diverse application requirements and emerging attack vectors.
    • Static Application Security Testing: Identifies vulnerabilities and weaknesses in custom code with support for 25+ languages and frameworks, scanning uncompiled code and re-scanning only new or modified code.
    • Software Composition Analysis: Identifies and prioritizes open source vulnerabilities, takes inventory of open source components and dependencies, and evaluates the risks of open source licenses.
    • Infrastructure as Code Analysis: Detects security misconfigurations in IaC templates using KICS to prevent errors such as open storage buckets, insecure databases, and excessive privileges.
    • Real-time IDE Security Scanning: Provides real-time vulnerability detection during IDE development for both human-generated and AI-generated code, identifying vulnerabilities, unmasked secrets, vulnerable container images, and malicious open source packages.
    • Agentic-AI Remediation: Generates remediation suggestions using AI agents that access proprietary databases and customized AI models to provide context-aware code fixes with interactive refinement capabilities.
    • Risk Contextualization Engine: Proprietary Risk Graph that contextualizes security findings from third-party tools and native solutions based on the likelihood and impact of risk, to minimize backlogs and triage time.
    • Multi-Tool Security Integration: Aggregates and enriches security findings from SAST, SCA, CSPM, and runtime API security tools, and from manual processes including bug bounty programs and penetration testing.
    • Supply Chain Security Monitoring: Monitors commits to flag anomalous developer behavior and surfaces risky material code changes for integrated software supply chain security assessment.
    • Source Control Integration: API-based integration with source control managers to create a complete inventory of applications, supply chain components, their risks, and changes over time.
    • LLM-Enriched Remediation Guidance: Provides large language model-enriched remediation guidance tied to code owners and root causes to improve remediation cycles and reduce developer friction.

    Contract

    Standard contract: No

    Customer reviews

    Ratings and reviews

    4.1 (48 ratings)
    5 star: 54%
    4 star: 35%
    3 star: 6%
    2 star: 0%
    1 star: 4%
    3 AWS reviews | 45 external reviews
    External reviews are from G2 and PeerSpot.

    ShitanshuKumar

    Automated security testing has strengthened continuous risk monitoring and compliance reporting

    Reviewed on Mar 19, 2026
    Review from a verified AWS customer

    What is our primary use case?

    For OpenText Core Application Security, I currently support a couple of my clients who are using Fortify on Demand for their web application, CRM, and sales platform.

    Many good features of Fortify on Demand include SAST and DAST capabilities, and you can do sandboxing of a few features when you're testing web applications. You can create environments and recreate scenarios. I can walk you through the platform itself, taking about six to eight hours, because I have been working on the product as a product specialist and product manager, so I know the ins and outs of it.

    What is most valuable?

    The biggest advantage of this tool, Fortify on Demand, is that it is very scalable; it provides all the features just in time, and you do not need to have massive deployment or a lot of compute capabilities to use the product—that's the beauty of it. It is supporting a few of the largest deployment web applications globally.

    Fortify on Demand supports most of the major integrations and gives an opportunity to integrate custom-built solutions. For enterprise licenses, if you consume more than a couple of custom integrations, each would be a separate cost, allowing integration with any solution.

    Automated risk assessment helps ensure that continuous risk analysis is happening; you get automated reports through a set of rules, batch scripts, and relating to different logs and events—that's how continuous assessment occurs.

    Our solutions like SAST and DAST are compliant, allowing compliance with CMMI levels. Additionally, integration with ArcSight provides various compliance reporting for PCI, HI-TRUST, HIPAA, FCC, ISO 27001, 22301, and 27701.

    What needs improvement?

    Areas for improvement should be contextualized post the OpenText acquisition, but back when I was working with Micro Focus, they focused heavily on enterprise-centric solutions. Now, after the acquisition, there is a shift towards supporting SMBs, and Fortify on Demand gained immense traction afterward. Prior to that, Micro Focus catered primarily to enterprise deals, leading to a heavy infrastructure focus which posed challenges.

    Currently, Fortify on Demand primarily caters to web-based application security; this could be an area of improvement in the future.

    I would say OpenText Core Application Security is not very user-friendly in terms of price; it is quite high. People consider buying luxury items like a Mercedes, where price is not a concern, but first-time buyers often need to be price-sensitive and may compromise on certain features.

    For how long have I used the solution?

    I have used OpenText Core Application Security for approximately three years.

    What do I think about the stability of the solution?

    OpenText Core Application Security is stable and has minimal downtime, benefiting from AWS cloud availability; the last downtime I recall was six months ago for a few minutes.

    What do I think about the scalability of the solution?

    Fortify is superior to many solutions because of its scalability and that it does not require massive compute capabilities for its SAST and sandboxing features.

    Threat response time improves as more correlation happens; by inducing different data points, you have a clearer vision of your infrastructure, reducing threat response time. We have observed a reduction of up to 68 to 72 percent in threat response time when all solutions are working in harmony with proper orchestration.

    How are customer service and support?

    The technical support from OpenText is very good.

    Which solution did I use previously and why did I switch?

    As a vendor, I was part of Micro Focus while I was taking care of OpenText Core Application Security.

    Before Micro Focus OpenText, I used multiple solutions like Synopsys, which offers very promising competition.

    How was the initial setup?

    As a SaaS solution, OpenText Core Application Security is now easy to install, unlike prior versions that required more expertise.

    What was our ROI?

    There are indeed savings with OpenText Core Application Security because when investing in a security solution, the efficacy depends on the orchestration and the layers in place. Many failures in achieving ROI stem from configurations, not deployments. A notable example is securing an important transportation application for a different country—a situation demanding stringent security measures.

    There is definitive ROI if OpenText Core Application Security is deployed properly; it substantially reduces efforts in securing the solution while averting various application-related risks.

    What other advice do I have?

    I use Fortify on Demand for monitoring up to a certain extent; it provides monitoring and helps analyze and identify issues that could propagate in the application. When used in conjunction with ArcSight and other solutions, it gives a lot of analytics which allows you to make predictions and be proactive rather than reactive in security.

    When it comes to custom integration, it usually takes about seven to ten days. This does improve threat response time in general.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)

    Wagner Azevedo

    Dynamic testing has improved real-time attack simulation and strengthens continuous DevOps security

    Reviewed on Mar 18, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My usual use cases for OpenText Core Application Security include SAST and static testing, which covers the majority of the CVAs or CVSS that we have in the deployments.

    What is most valuable?

    The dynamic application security testing feature is the most valuable and useful for me so far, because the synapse does not have that—it has only FCA or CBON. The best application security tools support this testing, and usually, the customer wants to do tests while running, simulating real-world attacks. This is why OpenText Core Application Security is important, as it enables the customer to do that. The second is the SCA; I also support the customer in managing vulnerabilities for free open-source libraries and components. We can perform vulnerability management and handle the CVEs and licenses, of course, when we are talking about intellectual property.

    The integration of OpenText Core Application Security with existing systems for security operations benefits us by providing vulnerability management and quality gates; without both, we will always have vulnerable applications running for our customers. This is the main benefit. The other benefit is related to the infrastructure; we leverage OpenText Core Application Security using the SaaS model, so we do not have to deploy any applications inside the customer environment. We can reduce the false positives and have a better approach to handle vulnerability management, making it the best tool for continuous integration with DevOps pipelines such as GitHub, Jenkins, and Azure DevOps.

    What needs improvement?

    I know OpenText is developing Aviator, similar to ChatGPT, with LLM inside the OpenText Core Application Security environment. However, I understand they do not have it for the on-premises environment. If customers need to implement it inside, or if they have data residency obligations, they will not be able to use Aviator. Perhaps in the future, they can make a module for Aviator to be usable in transit environments; that would be useful.

    For how long have I used the solution?

    I have been working with OpenText Core Application Security for one year.

    What do I think about the stability of the solution?

    I have had no problems regarding the stability and reliability of OpenText Core Application Security. However, I am not a heavy user, so I do not have any insights about any downtime or issues.

    My customers have never expressed any concerns about reliability issues.

    What do I think about the scalability of the solution?

    OpenText Core Application Security is highly scalable; it is running on the cloud, and elasticity is one of the best points of a cloud environment.

    I rate the scalability of OpenText Core Application Security at least an eight since it is not running inside the customer environment.

    How are customer service and support?

    I have not needed to communicate with the technical support of OpenText Core Application Security or OpenText support.

    For me, the documentation is adequate; I do not feel they need to add more information or use cases to what is available.

    What other advice do I have?

    I have been working with OpenText Core Application Security for code security and AppSec, GitHub advanced security, and the hyperscaler tools such as Azure Defender, AWS Security Hub, and WiredDaddy, covering all the AWS ecosystem tools. I am quite familiar with the Google Security Center, and I come from Palo Alto.

    OpenText Core Application Security helps maintain compliance standards with a faster remediation cycle, as we know the vulnerabilities, and everybody knows that the developers can perform fixes more quickly. This is important for compliance. The second point relates to PCI DSS, the framework for security concerning payment methods. I know that OpenText Core Application Security also provides access to OpenText trainings, enabling us to check all the requirements for PCI DSS.

    Himanshu_Tyagi

    Supports secure development pipelines and improves issue detection but limits internal visibility and needs broader dashboard integration

    Reviewed on Nov 11, 2025
    Review from a verified AWS customer

    What is our primary use case?

    I have been working with AWS cloud for the past six to seven years, and in my current role, I am working on AWS cloud.

    Fortify was used for scanning applications to identify dynamic security vulnerabilities. Another solution from Fortify named Fortify Source Code Analyzer, basically SCA, scans lines of code for different technologies, such as ASP.NET, VB.NET, and Java-based applications. It scans different lines of code for an application and flags vulnerabilities, and on the basis of that vulnerability, a security professional has to identify false positives and then report it to the internal application team.

    When security issues are identified in the early stage of the software development life cycle, it really helps because if threats are identified early, the product being developed by the application development team has fewer security issues. There is no product that doesn't have any issues. Obviously, the team tries to build a solution that has zero issues, but that is hypothetical. When threats are identified in the early software development life cycle, it gives confidence among the team and provides a fair idea that the application being developed will be a viable solution for the customer.

    Whenever any security vulnerability is identified by Fortify or OpenText, it gives information about whether that particular security issue is non-compliant related to PCI, ISO 27001, or SOC 2. It provides a fair understanding that this security vulnerability should be prioritized because if you don't fix this vulnerability, your application will be non-compliant and your compliance goal will ultimately fail. So it helps a lot.

    What is most valuable?

    Fortify on Demand is a good service. Since it is fully being managed by OpenText, after Micro Focus acquired Fortify, all services are managed by the Fortify team when a customer is using Fortify on Demand. When you are seeing the application and the vulnerabilities which have been identified by their tool, you can see the issues. However, the visibility of the actual work being done is by the Fortify team. If you want to fully outsource your services, then it's a very good solution.

    The best feature is that it supports many language frameworks. VB.NET was not available previously, but later they onboarded VB.NET as well, which is a legacy-based application, but some organizations still use VB.NET, so they have onboarded it, which is a good thing. Another aspect I appreciated about Fortify is that it gives a good understanding of the issues. The false positive rate is less, and they give valid issues. The invalid issues identified by Fortify are fewer. That is a good aspect. Additionally, you can integrate Fortify in CICD pipeline, so you get real-time updates about the security issues in your pipeline.

    What needs improvement?

    If you have an internal team and you want your internal team to validate false positives, basically to determine whether it's a valid issue or an invalid issue, then I wouldn't recommend it much. That was the only reason we migrated from Fortify on Demand to another solution.

    Fortify has another tool which is Fortify WebInspect. On Demand is the outsourcing solution, and WebInspect you can use with your in-house team, which is basically the product developed by the Fortify team. For automated scanning, Fortify helps a lot.

    Regarding the visibility for the internal team, everyone is moving toward the DevSecOps side, and Fortify team has made good progress that you can integrate into your CICD pipeline. One thing I would highlight is if Fortify can focus more on the centralized dashboard of the tools because nowadays, tools such as SentinelOne also exist for identifying security issues, but they have a centralized dashboard that merges their cloud solution and application security side solution together. If you have one tool that works for different solutions, it helps a lot.

    They are doing good, but they should invest more on the AI side as well because AI security is evolving these days. On the cloud side, they have already made good progress, but I believe they should explore the new area related to AI security as well.

    For how long have I used the solution?

    I have been using Fortify on Demand, Veracode, Checkmarx, and SonarQube for close to ten years. If you are asking particularly about Fortify, I will say seven years.

    What do I think about the stability of the solution?

    I have not experienced any issue with stability, reliability, crashes, or downtimes. The support was very good, and since I had direct interaction with the Fortify team, I didn't raise any escalation because the support was very good in my experience.

    What do I think about the scalability of the solution?

    It was very good and scalable. The only thing I mentioned before was that they provide limited understanding of what tools they're working on. If a customer wants to know the tools and the technology used for their application to scan their application, they provide less information on that.

    How are customer service and support?

    My experience with the technical support customer service team of Fortify was pretty good; I would rate it four out of five.

    I had direct contact with Fortify team and the sales director. I had direct interaction with them, which facilitated how we onboarded Fortify.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    We switched to Checkmarx.

    When you talk about the key differences between Fortify and Checkmarx, we migrated from Fortify to Checkmarx because at that time, Fortify was not supporting VB.NET application, and our main application was using VB.NET. We raised the case with Fortify team about any plan in their future release to onboard VB.NET, but they didn't give us a good answer because they were saying they would try to onboard VB.NET into their platform in a year. A customer won't wait for one year to assess their application.

    How was the initial setup?

    When you talk about static application source code testing, we had to involve the Fortify team to create an LDAP role for us. Regarding Fortify on Demand, it was pretty much straightforward because we just needed to configure our application in their platform. We had to enter the information for our application, and the rest was done by the Fortify team. Fortify on Demand was very simple. Regarding the SAST part, I won't say it was hard, but it was a little bit complicated, and when we raised cases with their technical support team, they resolved our queries and we onboarded the tool into our environment.

    What about the implementation team?

    It depends upon your license which you have used. We were assessing 180 applications, and our license cost was $200,000.

    It depends upon if you get a good offer from Fortify team. Regarding the cost-effective part, it is a bit expensive to be honest because some good organizations can obviously afford it, but if you talk about small organizations, I'm afraid they won't be going ahead with Fortify because it's an expensive solution.

    Which other solutions did I evaluate?

    The pros of Fortify include that you get a good understanding of the issues identified by the application. They continuously send notifications that the scan is being paused and the customer has to initiate the scan because the application scan has failed for some reason. The timely notification and visibility of issues identified is good, and the false positive aspect is also good.

    Coming to Checkmarx, when we onboarded it, our primary reason was the VB.NET issue, and Checkmarx also has very good coverage on Java-based applications. The majority of our applications were on Java, and Checkmarx did a great job on the coverage of assessing our applications. Regarding the accuracy of issues, I find it almost the same for Fortify and Checkmarx. I didn't find much difference on the false positive side either.

    What other advice do I have?

    If you want to onboard a solution for your application security side, I will definitely recommend Fortify because for your application, when you get a fair understanding of the security issues in the early stage of the software development life cycle, it's a very good thing.

    I have worked on Fortify on Demand. I have used it six months ago.

    Our applications were hosted on AWS cloud, and Fortify identified security vulnerabilities on our cloud platform. Our application which was hosted in AWS cloud showed that they provide good visibility. However, every tool has some pros and cons. If you ask me that if I want to recommend Fortify on Demand, it's obviously a good service which can be used by any organization when they are building a team. But if you have an in-house team which is working on many solutions, then it won't fit into their umbrella.

    Fortify on Demand was the on-demand service provided by Fortify that was assessing all our applications. When applications hosted on the AWS cloud were being assessed, Fortify was identifying issues for the application which was hosted on the AWS cloud.

    My experience with the technical support customer service team of Fortify was pretty good; I would rate it four out of five. Overall, I would rate this review a seven.

    Which deployment model are you using for this solution?

    On-premises

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Diego Caicedo Lescano

    Allows portfolio-wide analysis and reporting but needs better support and integration

    Reviewed on Nov 10, 2025
    Review provided by PeerSpot

    What is our primary use case?

    I am familiar with all of the ADM portfolio, Application Delivery Management, including UFT, Unified Functional Testing, and we are building LoadRunner for security, specifically for the Cyber Res portfolio, which is Fortify, and for the other portfolio, SMAX for Service Desk and monitoring.

    What is most valuable?

    The best features with Fortify on Demand include having analysis for any product based on analysis points. With on-premise, you have to buy the license for each application. The licensing model is better on demand than on-premises. Another feature is that on demand you have two levels of reports: the first from the tool, which is the same as we can get from Fortify on-premises, and a next level of reporting made by experts from OpenText, leading to a more condensed and precise report as level three.

    What needs improvement?

    It would be better for Fortify on Demand if they could analyze not only the security pillar but also maintainability, portability, and reliability, covering all pillars of ISO 25000. We have another tool that does that, such as SonarQube.

    A quality code analysis feature is needed, as our customers often ask for those features, which are not available in Fortify on Demand or on-premises, where we only have static and dynamic code analysis.

    OpenText Core Application Security's integration with existing systems is lacking, and it would be better if it had more open integration.

    For how long have I used the solution?

    We have been dealing with Fortify for around eight years. The initial installation for on-demand was one of the first installations. Licenses in each product vary. The licensing in on-demand SaaS is different than on-premises, and that is the main difference.

    How are customer service and support?

    I would rate the support for OpenText at no more than three out of ten; it is really bad, and we encounter a lot of problems when getting support.

    Support tickets often stay open for one month to three months, which leads to customer frustration. The wait time for a customer is too much. We understand the technology, but customers do not like paying for that kind of support.

    Which solution did I use previously and why did I switch?

    SonarQube is used as a different solution for SAST.

    The main difference between Fortify and SonarQube is that SonarQube is a complete solution for SAST plus quality code analysis, focusing on five pillars, which according to ISO 25000 includes security as one pillar.

    Q1 from Idera is another solution that covers five pillars and is great compared to Fortify, which only addresses the security pillar. There are significant differences in findings, as each solution has different findings, but SonarQube is the best for SAST findings.

    How was the initial setup?

    The setup for on-demand is straightforward and better because we do not have to install any components like we do for on-premises, making it easy.

    What other advice do I have?

    I do have experience with OpenText.

    I would be willing to provide a review for an OpenText product, and we are partners from OpenText, selling a lot of products since UFT, functional testing, performance testing, and some of those products.

    Andres has experience with LoadRunner Cloud, so Andres is the person to contact.

    I do have experience with Fortify on Demand as well as Fortify on-premises, but I am the general manager, not the technician. Andres is the technician, and you can have a call with Andres, Alex, or Henry to get any review or feedback on the products.

    For Fortify on Demand, the experience is less than three years—around two years, not more than that.

    I am familiar with Fortify and Real User Monitoring.

    The pricing is better for the customer, but it is not easy to understand the new pricing points. For us as partners, it is cheaper than the other licensing models, but for the customer, understanding how many points apply to each application can be confusing.

    The overall review rating for this product is 7 out of 10.

    reviewer2646048

    Security tool identifies access token exposure while improvement needed in false positives handling

    Reviewed on Jan 31, 2025
    Review provided by PeerSpot

    What is our primary use case?

    I primarily use Fortify to check for sensitive information disclosure in the source code and for identifying security vulnerabilities. These types of issues are scanned by Fortify.

    What is most valuable?

    Fortify helps me find serious issues, such as developers inadvertently leaving access tokens, including API access tokens, in the source code. Fortify is effective in identifying such oversights, making it a really helpful tool despite its problems. It is valuable in improving our overall security posture by catching significant errors.

    What needs improvement?

    There are frequent complaints about false positives from Fortify. One day it may pass a scan with no issues, and the next day, without any code changes, it will report vulnerabilities such as password exposure.

    Additionally, it would be beneficial if Fortify could check for CVEs (Common Vulnerabilities and Exposures) in third-party libraries, which I currently use a separate dependency checker tool for. Implementing AI technologies for enhanced security testing would also be a positive development.

    For how long have I used the solution?

    This product has been used in my company for more than two years.

    How was the initial setup?

    We have a dedicated Fortify team, along with service teams with developers involved in the deployment process. It does not take longer than thirty minutes to deploy.

    What other advice do I have?

    Based on the experience of our company, I would recommend Fortify. It is helpful despite its problems, and I rate it as a seven out of ten.

    It effectively detects serious security issues, adding to our confidence in using it as a vital tool in our processes.
