OpenText Core Application Security (Fortify)

I am familiar with all of the ADM portfolio, Application Delivery Management, including UFT, Unified Functional Testing, and we are building LoadRunner  for security, specifically for the Cyber Res portfolio, which is Fortify, and for the other portfolio, SMAX for Service Desk and monitoring.

The best features with Fortify on Demand include having analysis for any product based on analysis points. With on-premise, you have to buy the license for each application. The licensing model is better on demand than on-premises. Another feature is that on demand you have two levels of reports: the first from the tool, which is the same as we can get from Fortify on-premises, and a next level reporting made by experts from OpenText , leading to a more condensed and precise report as level three.

It would be better for Fortify on Demand if they could analyze not only the security pillar but also maintainability, portability, and reliability, covering all pillars of ISO 25000. We have another tool that does that, such as SonarQube .

A quality code analysis feature is needed, as our customers often ask for those features, which are not available in Fortify on Demand or on-premises, where we only have static and dynamic code analysis.

OpenText Core Application Security 's integration with existing systems has a lack of integration, and it would be better if it had more open integration.

We have been dealing with Fortify for around eight years. The initial installation for on-demand was one of the first installations. Licenses in each product vary. The licensing in on-demand SaaS is different than on-premises, and that is the main difference.

I would rate the support for OpenText  at no more than three out of ten; it is really bad, and we encounter a lot of problems when getting support.

Support tickets often stay open for one month to three months, which leads to customer frustration. The wait time for a customer is too much. We understand the technology, but customers do not like paying for that kind of support.

SonarQube  is used as a different solution for SAST .

The main difference between Fortify and SonarQube is that SonarQube is a complete solution for SAST  plus quality code analysis, focusing on five pillars, which according to ISO 25000 includes security as one pillar.

Q1 from Idera is another solution that covers five pillars and is great compared to Fortify, which only addresses the security pillar. There are significant differences in findings, as each solution has different findings, but SonarQube is the best for SAST findings.

The setup for on-demand is straightforward and better because we do not have to install any components like we do for on-premises, making it easy.

I do have experience with OpenText.

I would be willing to provide a review for an OpenText product, and we are partners from OpenText, selling a lot of products since UFT, functional testing, performance testing, and some of those products.

Andres has experience with LoadRunner Cloud , so Andres is the person to contact.

I do have experience with Fortify on Demand as well as Fortify on-premises, but I am the general manager, not the technician. Andres is the technician, and you can have a call with Andres, Alex, or Henry to get any review or feedback on the products.

For Fortify on Demand, the experience is less than three years—around two years, not more than that.

I am familiar with Fortify and Real User Monitoring.

The pricing is better for the customer, but it is not easy to understand the new pricing points. For us as partners, it is cheaper than the other licensing models, but for the customer, understanding how many points apply to each application can be confusing.

The overall review rating for this product is 7 out of 10.

I primarily use Fortify to check for sensitive information disclosure in the source code and for identifying security vulnerabilities. These types of issues are scanned by Fortify.

Fortify helps me find serious issues, such as developers inadvertently leaving access tokens, including API access tokens, in the source code. Fortify is effective in identifying such oversights, making it a really helpful tool despite its problems. It is valuable in improving our overall security posture by catching significant errors.

There are frequent complaints about false positives from Fortify. One day it may pass a scan with no issues, and the next day, without any code changes, it will report vulnerabilities such as password exposure.

Additionally, it would be beneficial if Fortify could check for CVEs (Common Vulnerabilities and Exposures) in third-party libraries, which I currently use a separate dependency checker tool for. Implementing AI technologies for enhanced security testing would also be a positive development.

This product has been used in my company for more than two years.

We have a dedicated Fortify team, along with service teams with developers involved in the deployment process. It does not take longer than thirty minutes to deploy.

Based on the experience of our company, I would recommend Fortify. It is helpful despite its problems, and I rate it as a seven out of ten.

It effectively detects serious security issues, adding to our confidence in using it as a vital tool in our processes.

Fortify On Demand is a cloud-based service/software-as-a-service model. Fortify On-Prem, which I have implemented, is an on-prem service where the customer provides the server infrastructure, and then Fortify On Demand comes fully implemented out of the box.

But you're still able to connect all of your Git repositories and your build environments like Maven and Gradle and all these different build environments, even like Jenkins that customers are using. It's fully connected either whether it's on-prem or cloud, and then you can do a full scan analysis of your security posture.

SAST and DAST scanning. Dynamic application scanning as well as static application scanning. So that would be websites, and you can do an audit and crawl scan of your web-based or web-facing applications, and then also scan your source code of your static application code.

The source code analyzer is the actual tool. It's the engine that sits behind Fortify. And this engine or this intelligence is within your tools. So, the great thing about Fortify is that you have plugins for your build environment. So when you're building and executing that code, you can scan that code at that interval. You can shift left. The commonality is that you want to shift left. You want to find threats early in production, as early as before it actually goes into production. It saves money that way, so you don't have to recode or reinvent your entire architecture.

We also have plugins for your actual interface. We call them IDEs. It's the interface where the developer will actually code and write programs. So from there, the source analyzer will give an analysis, and the developer can fix the code.

Then the second gateway that we have is our plugins work in both environments. So when the developer has written and remediated and fixed some of the issues, in the build environment, when he's testing his code, when it's actually running the application, the Source Code Analyzer will then analyze it again, and then there can be remediation. The code can be fixed.

We even have a tool called RASP, which is a tool that works in production. So even when your code is now being published, it's now an actual application, it's a live application, we have a RASP tool also in Fortify that also further on, in real-time, will scan and do an analysis of your code to find any zero-day attacks or threats or emerging threats. And then, again, from the dashboard interface, you'll be able to remediate.

And you can also do on-demand, we build AI Audit Assistance 2.0. It's the GEM 2.0 tool that we now have in Fortify that uses artificial intelligence where you can set thresholds. You can set a score to say that if I am sure, or if the system is sure with absolute certainty, with 90% accuracy, there is, in fact, a threat or a high risk; it will find those vulnerabilities and give you a score.

So, what it does is actually reduce the time spent on false positives. When you have false positives, you have to scrutinize all of them. We've got a lot of new technologies and methods within Fortify that allow us to reduce the false-positive rate that you generally find with scanning tools because we're using artificial intelligence as well as the source code analyzer tool. All of this has been built over years and years of development and research, and it actually gives you a better rate of reducing false positives, and you can then remediate actual threats. So, the tool has a lot of value.

The reduction of false positives is in the region of 98% or more. We now have even a new tool or AI product line called Aviator. So Fortify, OpenText Fortify now harnesses the power of artificial intelligence within the architecture, which will reduce your false-positive rate and actually give you scores on actual threats that it finds. Then, the threats and the threshold scores, the threats that are not seen as a low risk or a medium risk, can still be tended to.

So, it doesn't exclude the thresholds. It will still give you a full analysis, but it will, with surety and with the correct analysis, give you the threats that do matter, the threats that you do need to tend to immediately.

By doing this, you also reduce the time to threat response because in cybersecurity, your time to threat response is very important. You need to ensure that you detect the threats early and that your response time is also very quick to reduce any business impact or downtime to a business. So, this is where Fortify really excels with all the new technology and artificial intelligence metrics that we have within our architecture.

The source code analyzer is the most effective for identifying security vulnerabilities. It is the engine or the artificial intelligence behind the scanning engine that does the actual analysis of the data, and they then create an FPR file. This FPR file can then be further analyzed and tested at ScanCentral, which is your centralized dashboard for security auditing and remediation.

So from there, once you've got the artifact or this file, which is created from scanning all of your applications, it gives you a comprehensive overview of the vulnerability scores or the bug densities of your code, and then you can further analyze and test those codes and draw reports from ScanCentral.

So, these reports are against the OWASP Top ten. So you've got different reports that will give you a detailed analysis of your scan data, and it also does it in a dashboard format. So you then get a comprehensive report, and you can also draw a developer's workbook report, which you can send to developers where they actually have a bird's eye view or code-level view of the vulnerabilities and the recommendations are made by Fortify on how you can remediate those threats or vulnerabilities.

And you can then improve your bug density and scores, and you can also do that from the dashboard interface. You can also remediate and within the dashboard, change your score. So you have the dashboard, which gives you a comprehensive overview across all the applications. Also, as you remediate and fix your code, the dashboards update your scores, and then you have a view, and you can control your bug densities across all of the applications once you've onboarded each and every application. And that's across all your DAST and SAST applications. And this is on a centralized dashboard.

Fortify is constantly improving. Their tools and their interfaces are modernized with every new feature or every new version. I constantly see improvements by OpenText. OpenText is very intuitive. They're also implementing a lot of new AI capabilities with the NerdTools, which I think is remarkable.

Not challenges with the product itself. The product is very reliable. It does have a steep learning curve. But, again, one thing that Fortify or OpenText does very well is training. There are a lot of free resources and training in the community forums, free training as well as commercial training where users can train on how to use the back-end systems and the scanning engines and how to use command-line arguments because some of the procedures or some of the tools do require a bit of a learning curve.

That's the only challenge I've really seen for customers because you have to learn how to use the tool effectively.

But Fortify has, in fact, improved its user interface and the way users engage the dashboards and the interfaces. It is intuitive. It's easy to understand.

But in some regards, the cybersecurity specialist or AppSec would need a bit of training to engage the user interface and to understand how it functions. But from the point of the reliability index and how powerful the tool is, there's no challenge there. But it's just from a learning perspective; users might need a bit more skill to use the tool. The user interface isn't that tedious. It's not that difficult to understand. When I initially learned how to use the interfaces, I was able to master it within a week and was able to use it quite effectively.

So training is required. All skills are needed to learn how to use the tool.

I would like to see more enhancements in the dashboards. Dashboards are available. They do need some configuration and settings. But I would like to see more business intelligence capabilities within the tool.

It's not particularly a cybersecurity function, but, for instance, business impact analysis or other features where you can actually use business intelligence capabilities within your security tool. That would be remarkable because not only do you have a cybersecurity tool, but you also have a tool that can give you business impact analysis and some other measurements. A bit more intelligence in terms of that from a cybersecurity perspective would be remarkable.

I've been working with Fortify On Demand for two years.

I would rate the stability a ten out of ten. It is very stable.

It is a very scalable solution. Our customers are in banking and insurance. It's currently used by some of the major US banks. So, a lot of our clients are in the banking, insurance, and services industries.

I would rate the scalability a ten out of ten. It is suitable for medium to large businesses.

Customer support is amazing. They've got community forums, customer resources, a lot of free resources, and their premium support is very effective. So they have proper support internationally. They've been very good.

Fortify on Demand is fully functional and fully integrated with an open-source analysis tool that's fully integrated with Fortify on Demand. So, Fortify on Demand is easy to use. It's intuitive. No implementation or training is required.

Fortify on-prem requires a bit of work, but I was able to set up, in a lab environment, the controllers, the scanners, the architecture, and all of the different servers in a virtualized environment. You could set it up quite relatively easily without requiring major training because the user guides are very easy to follow. I've set up lab environments within an hour.

So you could literally set up your entire on-prem Fortify solution within an hour because it is a very simple process to follow. The setup, installation, and configuration of the files are not that difficult to do. So you could effectively do it within an hour. You could set up the entire environment.

I would rate my experience with the initial setup an eight out of ten, where ten being easy and one being difficult.

Cloud and on-prem. So that it's hybrid. There's three tiers for deployment model. You can do Fortify on Demand, which is a fully functional system on the cloud. Fortify On Prem, which is a system where your Fortify system is installed on client servers or on-premises. And then hybrid would be a combination of both services where you have some implementation with the client and some in the cloud.

I am the implementer.

Fortify on Demand improved the overall security posture our customers. Fortify on Demand has reduced not only bug densities but also their attack surface quite drastically. And it's in real-time because it's got real-time dashboards, and their security teams are more proactive. It's a lot easier for them to implement their security mechanisms and gateways because Fortify allows that. I have seen a dramatic reduction in bug densities and incidents. So, a major reduction in security incidents as a result of using Fortify.

In comparison with other tools, they're competitive. It is not more expensive than other solutions, but their pricing is competitive.

The licenses for Fortify On Demand are generally bought in units. So it's scalable in terms of pricing. It's tailored for the customer in terms of the amount of units the customer requires or the number of applications or users that the customer will onboard onto the system. So it is scalable in that regard.

As an expert, a lot of what I've seen in the tool is to use the principle of defense in-depth. Because that is the objective of Application Security, Fortify. Customers often need to look at their current security architecture, security gateways, rules, and policies.

To best utilize Fortify is to shift left, to use all of the tools and plugins that Fortify has throughout the SDLC process, to use the IDE tools, including the board tools, to use all of these respective tools together. And to shift left, to start from the IDE perspective, before source code even goes into production, before it even reaches a build environment. It is to reduce bug densities by shifting left. Use Fortify to get your bug densities and your security or your attack surfaces to reduce it by shifting left from inception, before the code is even written. They can scrutinize, go into Fortify tools, analyze them, and progressively test your code using all the tools that Fortify provides.

A lot of customers already use their own tools and their own third-party tools. It's best to use one security architecture. So for instance, rather use Fortify with Brakeman and RASP, use the Fortify suite of tools as your one architecture instead of using several third-party tools. It's always good to centralize your security architecture and use one architecture for your entire security posture instead of using different tools. Fortify has all the capabilities to centralize your security attack methodology.

So, your attack surface comes from different perspectives. It comes from an open-source code perspective. So you've got open-source code. You have proprietary code. You have repositories. You have different places where your code is, even in Azure. We even have a plugin for Azure. The point is to use all of the capabilities of Fortify as your central tool instead of using disparate tools that do not integrate with Fortify, that do not work with Fortify. It's always good to have one solid architecture as opposed to multiple disjointed tools.

Overall, I would rate it a ten out of ten. I've used several technologies and tools, even open-source or free tools, over the last fifteen years. In my opinion, from the perspective of the many tools used and other competitors, I have found Fortify to be the most reliable. They kind of align with my principles and the principles of cybersecurity specialists with defense-in-depth and shifting left. Because those are very important principles to me. And also confidentiality, integrity, and availability. They align with all of those pillars and building blocks of cybersecurity.

I use the solution in my company for security code scans.

The product has a lot of false positives. If the outputs can have fewer false positives, then that will be the greatest benefit the tool can offer.

I have experience with Fortify on Demand. I manage the product in my company.

The solution's technical support is okay and not outstanding.

It is a costly process to evaluate tools.

I rate the tool a six out of ten.