
Reviews from AWS customer

3 AWS reviews

External reviews

45 reviews

External reviews are not included in the AWS star rating for the product.


4-star reviews

    ShitanshuKumar

Automated security testing has strengthened continuous risk monitoring and compliance reporting

  • March 19, 2026
  • Review from a verified AWS customer

What is our primary use case?

For OpenText Core Application Security, I currently support a couple of my clients who are using Fortify on Demand for their web application, CRM, and sales platform.

Many good features of Fortify on Demand include SAST and DAST capabilities, and you can do sandboxing of a few features when you're testing web applications. You can create environments and recreate scenarios. I can walk you through the platform itself, taking about six to eight hours, because I have been working on the product as a product specialist and product manager, so I know the ins and outs of it.

What is most valuable?

The biggest advantage of this tool, Fortify on Demand, is that it is very scalable; it provides all the features just in time, and you do not need to have massive deployment or a lot of compute capabilities to use the product—that's the beauty of it. It is supporting a few of the largest deployment web applications globally.

Fortify on Demand supports most of the major integrations and gives an opportunity to integrate custom-built solutions. For enterprise licenses, if you consume more than a couple of custom integrations, each would be a separate cost, allowing integration with any solution.

Automated risk assessment helps ensure that continuous risk analysis is happening; you get automated reports through a set of rules, batch scripts, and relating to different logs and events—that's how continuous assessment occurs.

Our solutions like SAST and DAST are compliant, allowing compliance with CMMI levels. Additionally, integration with ArcSight provides various compliance reporting for PCI, HI-TRUST, HIPAA, FCC, ISO 27001, 22301, and 27701.

What needs improvement?

Areas for improvement should be contextualized post the OpenText acquisition, but back when I was working with Micro Focus, they focused heavily on enterprise-centric solutions. Now, after the acquisition, there is a shift towards supporting SMBs, and Fortify on Demand gained immense traction afterward. Prior to that, Micro Focus catered primarily to enterprise deals, leading to a heavy infrastructure focus which posed challenges.

Currently, Fortify on Demand primarily caters to web-based application security; this could be an area of improvement in the future.

I would say OpenText Core Application Security is not very user-friendly in terms of price; it is quite high. People consider buying luxury items like a Mercedes, where price is not a concern, but first-time buyers often need to be price-sensitive and may compromise on certain features.

For how long have I used the solution?

I have used OpenText Core Application Security for approximately three years.

What do I think about the stability of the solution?

OpenText Core Application Security is stable and has minimal downtime, benefitting from AWS cloud availability; the last downtime I recall was six months ago for a few minutes.

What do I think about the scalability of the solution?

Fortify is superior to many solutions because of its scalability and that it does not require massive compute capabilities for its SAST and sandboxing features.

Threat response time improves as much correlation happens; by inducing different data points, you have a clearer vision of your infrastructure, reducing threat response time. We have observed a reduction of up to 68 to 72 percent in threat response time when all solutions are working in harmony with proper orchestration.

How are customer service and support?

The technical support from OpenText is very good.

Which solution did I use previously and why did I switch?

As a vendor, I was part of Micro Focus while I was taking care of OpenText Core Application Security.

Before Micro Focus OpenText, I used multiple solutions like Synopsys, which offers very promising competition.

How was the initial setup?

As a SaaS solution, OpenText Core Application Security is now easy to install, unlike prior versions that required more expertise.

What was our ROI?

There are indeed savings with OpenText Core Application Security because when investing in a security solution, the efficacy depends on the orchestration and the layers in place. Many failures in achieving ROI stem from configurations, not deployments. A notable example is securing an important transportation application for a different country—a situation demanding stringent security measures.

There is definitive ROI if OpenText Core Application Security is deployed properly; it substantially reduces efforts in securing the solution while averting various application-related risks.

What other advice do I have?

I use Fortify on Demand for monitoring up to a certain extent; it provides monitoring and helps analyze and identify issues that could propagate in the application. When used in conjunction with ArcSight and other solutions, it gives a lot of analytics which allows you to make predictions and be proactive rather than reactive in security.

When it comes to custom integration, it usually takes about seven to ten days. This does improve threat response time in general.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)


    Wagner Azevedo

Dynamic testing has improved real-time attack simulation and strengthens continuous DevOps security

  • March 18, 2026
  • Review from a verified AWS customer

What is our primary use case?

My usual use cases for OpenText Core Application Security include SAST and static testing, which covers the majority of the CVAs or CVSS that we have in the deployments.

What is most valuable?

The dynamic application security testing feature is the most valuable and useful for me so far, because the synapse does not have that—it has only FCA or CBON. The best application security tools support this testing, and usually, the customer wants to do tests while running, simulating real-world attacks. This is why OpenText Core Application Security is important, as it enables the customer to do that. The second is the SCA; I also support the customer in managing vulnerabilities for free open-source libraries and components. We can perform vulnerability management and handle the CVEs and licenses, of course, when we are talking about intellectual property.

The integration of OpenText Core Application Security with existing systems for security operations benefits us by providing vulnerability management and quality gates; without both, we will always have vulnerable applications running for our customers. This is the main benefit. The other benefit is related to the infrastructure; we leverage OpenText Core Application Security using the SaaS model, so we do not have to deploy any applications inside the customer environment. We can reduce the false positives and have a better approach to handle vulnerability management, making it the best tool for continuous integration with DevOps pipelines such as GitHub, Jenkins, and Azure DevOps.

What needs improvement?

I know OpenText is developing Aviator, similar to ChatGPT, with LLM inside the OpenText Core Application Security environment. However, I understand they do not have it for the on-premises environment. If customers need to implement it inside, or if they have data residency obligations, they will not be able to use Aviator. Perhaps in the future, they can make a module for Aviator to be usable in transit environments; that would be useful.

For how long have I used the solution?

I have been working with OpenText Core Application Security for one year.

What do I think about the stability of the solution?

I have had no problems regarding the stability and reliability of OpenText Core Application Security. However, I am not a heavy user, so I do not have any insights about any downtime or issues.

My customers have never expressed any concerns about reliability issues.

What do I think about the scalability of the solution?

OpenText Core Application Security is highly scalable; it is running on the cloud, and elasticity is one of the best points of a cloud environment.

I rate the scalability of OpenText Core Application Security at least an eight since it is not running inside the customer environment.

How are customer service and support?

I have not needed to communicate with the technical support of OpenText Core Application Security or OpenText support.

For me, the documentation is adequate; I do not feel they need to add more information or use cases to what is available.

What other advice do I have?

I have been working with OpenText Core Application Security for code security and AppSec, GitHub advanced security, and the hyperscaler tools such as Azure Defender, AWS Security Hub, and WiredDaddy, covering all the AWS ecosystem tools. I am quite familiar with the Google Security Center, and I come from Palo Alto.

OpenText Core Application Security helps maintain compliance standards with a faster remediation cycle, as we know the vulnerabilities, and everybody knows that the developers can perform fixes more quickly. This is important for compliance. The second point relates to PCI DSS, the framework for security concerning payment methods. I know that OpenText Core Application Security also provides access to OpenText trainings, enabling us to check all the requirements for PCI DSS.


    Manikantha Nagireddy

A user-friendly solution for static code analysis

  • May 16, 2024
  • Review provided by PeerSpot

What is our primary use case?

We use the tool for static code analysis.

What is most valuable?

The solution is user-friendly. One feature I find very effective is the tool's automatic scanning capability. It scans replicas of the code developers write and automatically detects any vulnerabilities. The integration with CI/CD tools is also useful for plugins.

The tool's AI feature analyzes security threats and recommends updating the code accordingly. One major issue that AI detected for us was logging issues and hardware vulnerabilities. Fortify On Demand identified these, allowing our developers to address and fix the issues.

What needs improvement?

Fortify on Demand needs to improve its pricing.

For how long have I used the solution?

I have been working with the product for two years.

What do I think about the stability of the solution?

I rate Fortify on Demand's stability an eight out of ten.

What do I think about the scalability of the solution?

I rate the tool's scalability an eight out of ten. My company has around 25 users.

How was the initial setup?

The initial setup experience with Fortify On Demand was straightforward for us. We installed the plugin and integrated it with our existing tools and logins. There was no need for configuration or setup—it was quite simple. The deployment time varies based on the code complexity. Once vulnerabilities are identified, the support team provides the necessary fixes.

What's my experience with pricing, setup cost, and licensing?

Fortify on Demand is more expensive than Burpsuite. I rate its pricing a nine out of ten.

What other advice do I have?

We use Burpsuite for dynamic code analysis. Fortify on Demand is a good tool for static code analysis. I rate it a nine out of ten.


    Javad_Talebi

Identifies critical vulnerabilities and offers good scanning capabilities

  • March 01, 2024
  • Review provided by PeerSpot

What is our primary use case?

I have used Fortify on Demand for security scanning, along with outsourcing to companies that scan our systems and report vulnerabilities. My work has involved securing our APIs and systems.

We use Fortify across all stages of the environment: development, test, and production. We even use it for disaster recovery.

Whenever we deploy our Jenkins pipelines, the system automatically scans our Git repository to fix security vulnerabilities. All the security vulnerabilities are then created as tasks in Jira, so we can fix them as quickly as possible.

How has it helped my organization?

We have added it to our operational toolkit to ensure it's part of our development spectrum. We added it directly into our Jenkins pipelines.

We have some products that are publicly accessible via phone or website. These products need to be extra secure because they rely on firewalls, and hackers could potentially exploit them. Fortify on Demand provided us with valuable information on how to fix a critical API vulnerability.

So, Fortify on Demand identifies critical vulnerabilities. We have two security scans. One is Fortify on Demand, and the other is for an outsourced company. For Fortify, you assign the specific branch of code you want to scan. You can scan the code you're currently deploying through Jenkins pipelines. Since it's external, you can also scan other brands if needed. Otherwise, you can specify which specific brands or smaller branches to scan within your entire codebase.

What is most valuable?

The scanning capabilities, particularly for our repositories, have been invaluable.

What needs improvement?

There is room for improvement in the integration process, especially with the pipeline system, which could be streamlined. Making changes and configuring it for different systems, like desktop environments, is challenging.

For example, Jenkins integration was hard.

Improving the ease of integration would be beneficial.

For how long have I used the solution?

I have been using it since July.

What do I think about the stability of the solution?

It has been a stable solution for me.

What do I think about the scalability of the solution?

For me, it has been scalable enough.

What was our ROI?

It provides good security. It is a backbone for our security needs. So, that's the biggest benefit for us.

What's my experience with pricing, setup cost, and licensing?

There is a licensing model in place.

What other advice do I have?

Overall, I would rate the solution an eight out of ten. I would recommend using it.


    AhmedElkholy

Works as a comprehensive security testing tool with an easy upgradation process

  • February 06, 2024
  • Review provided by PeerSpot

What is our primary use case?

The primary use case for Fortify On Demand in our environment revolves around its critical role in sales and desk operations. It helps identify application vulnerabilities from both a source code and web perspective. It directly detects issues such as SQL injection in the source code. It conducts website scans with customizable configurations to examine potential risks and vulnerabilities, which is crucial during software development. We can avoid risks before moving to the production stage.

What is most valuable?

One of the most valuable features of Fortify On Demand is its ability to integrate seamlessly with the DevOps lifecycle, particularly in terms of security testing. Injecting security testing into the DevOps process ensures that security measures are incorporated from the development stage onwards. It aligns with the main objective of DevOps, which is to automate and streamline the software development lifecycle, from code commit to deployment. With automation tools orchestrating the pipeline, tasks such as code compilation, testing, and deployment can be carried out rapidly and efficiently. This results in faster time-to-market for features, reducing deployment times from hours to minutes. It enhances trust from customers and cybersecurity teams, as security measures are built into the software from the outset, increasing confidence in the security.

What needs improvement?

They could provide features for artificial intelligence similar to other vendors like OpenText products.

For how long have I used the solution?

We have been using Fortify on Demand for about three years.

What do I think about the stability of the solution?

I rate the platform's stability as seven out of ten.

How was the initial setup?

The initial setup is complicated. It takes around four to five hours to complete, including installation and scanning. I rate the process a seven out of ten.

What was our ROI?

Fortify On Demand is not highly expensive. It provides options for the number of scans and tests for the on-premise version. The customers utilizing hardware must install the tool for cost-effectiveness and high availability.

What's my experience with pricing, setup cost, and licensing?

The product's cost depends on the type of license. The on-premise licenses are more expensive than the cloud subscriptions. I rate the pricing a six out of ten.

What other advice do I have?

I rate the platform's accuracy for detecting vulnerabilities an eight and a half out of ten. By utilizing Fortify as a comprehensive security testing tool, financial institutions operating at high-security levels gain confidence in the security posture of their applications. It helps deploy and track changes easily as per time-to-time market upgrades.

I advise new users to learn about new features introduced in the last two years. I rate it a nine out of ten.


    Mollie M.

Great Product

  • January 25, 2024
  • Review provided by G2

What do you like best about the product?
The application allows me to work more efficiently, by not having to go back and correct errors. Allows for open communication.
What do you dislike about the product?
The platform can be touchy depending on the computer system you are using it on.
What problems is the product solving and how is that benefiting you?
Helping with runtime monitoring


    hitiksha s.

Review form micro focus fortify app

  • December 18, 2023
  • Review provided by G2

What do you like best about the product?
It helps to manage risk from third-party applications.
What do you dislike about the product?
It is easy to use.
There is no major drawback about this tool.
What problems is the product solving and how is that benefiting you?
It provides centralized visibility into application use and abuse while protecting from software vulnerability exploits.


    Alfas A.

Best

  • December 06, 2023
  • Review provided by G2

What do you like best about the product?
Very easy to use and a lot of features.
What do you dislike about the product?
I couldn't find any downside as of now. LOVED IT
What problems is the product solving and how is that benefiting you?
harnesses the power of application security data across the Software Development Lifecycle (SDLC) by measuring and improving the efficiency, accuracy, and value to an organization.


    Ajinkya M.

Safe and Secured Barrier

  • November 04, 2023
  • Review provided by G2

What do you like best about the product?
We can reduce the risk posed by third-party apps with the use of Micro Focus Fortify, a RASP solution. Real-time visibility and vulnerability protection are provided.

Additionally, clean-up rules are enforced by this instrument. With the most advanced security research supporting it, this offers the most comprehensive runtime monitoring and protection, as well as the most advanced static and dynamic application security testing solutions.
What do you dislike about the product?
There is no major drawback about this tool except network interruption at times which has a scope of improvement.
What problems is the product solving and how is that benefiting you?
Our company's extranet security is managed in real-time via Micro Focus Fortify Application Defender. By protecting critical data, this security posture reduces the likelihood of cyberattacks.

With the use of this tool, we can promptly detect and address security risks that safeguard data. It guarantees our clients' trust.


    sohrab a.

Review of MicroFocus Application Defender

  • October 30, 2023
  • Review provided by G2

What do you like best about the product?
MicroFocus is a security company which provides various kinds of security, and Fortify Application Defender is one of their tools. It is a RASP solution designed to help us mitigate risk from third-party applications. It provides visibility and software vulnerability protection in real time.
What do you dislike about the product?
It is an open text software application manager used to manage unstructured data for various professional service firms and government agencies. It helps to manage large amounts of data. It works on premises or in the cloud as well. It can run on low-end server machines.
What problems is the product solving and how is that benefiting you?
It helps to provide visibility into applications, and it is also good at being a great software protector. It helps us to manage huge amounts of content for various companies. It also protects our devices from third-party applications and secures them from various vulnerabilities.