
Reviews from AWS customers

1 AWS review
  • 5 star: 0
  • 4 star: 1
  • 3 star: 0
  • 2 star: 0
  • 1 star: 0

External reviews

45 reviews

External reviews are not included in the AWS star rating for the product.


4-star reviews

    Shobhit K.

Fortify Application Defender

  • September 19, 2023
  • Review provided by G2

What do you like best about the product?
One of the best cybersecurity software products available in the market.
What do you dislike about the product?
There is nothing specific, I assume the lag time is also good.
What problems is the product solving and how is that benefiting you?
We test our applications on various environments which are open to threats and vulnerabilities.


    Angelo Quaglia

A fast, stable, and scalable solution that can be used to scan software

  • August 11, 2023
  • Review provided by PeerSpot

What is our primary use case?

We use the solution to scan our software. We scan it at every build. We run the scans and read the reports.

What is most valuable?

The solution is very fast.

What needs improvement?

The products must provide better integration with build tools. In SonarQube scans, the pull requests are decorated. I don't know if it is a missing integration or a limitation, but I don't see the same feature in Fortify. The developer must be able to see whether the build has failed. I would like the pull request to be decorated like SonarQube. It's just not the same experience with Fortify.

I have a problem with the Java version because our projects now use OpenJDK 7 or 17, but the scan still requires JDK 1.8. It is a problem for me, and I don't know how to change it.

For how long have I used the solution?

I have been using the solution for a couple of months.

What do I think about the stability of the solution?

The tool is stable. I have no problem with it. I rate the stability a nine out of ten.

What do I think about the scalability of the solution?

My team has started using it recently. I rate the tool’s scalability a nine out of ten. We don't have any issues whatsoever.

What other advice do I have?

My organization has been using the solution for at least four years. I don’t deal with technical support directly. I would recommend the solution to others. We are dealing with some issues with the report.

The reports might be meaningful, but they sometimes do not match the situation. We cannot really deal with them. We don't know if they are false positives or if they're simply not relevant because they concern vulnerabilities in the development cycle and not in the production operations. It is sort of a mystery. Overall, I rate the tool an eight out of ten.


    Computer & Network Security

Fortify scans the code and smells out the vulnerabilities which can't be detected via human eyes

  • July 07, 2023
  • Review provided by G2

What do you like best about the product?
It scans the code and provides a deep level of vulnerability analysis.
It helps to detect security flaws.
Though it's a static scan, it does its job well.
What do you dislike about the product?
It's a static scanner, which limits it from analysing dynamic scenarios.
Sometimes it gives false positive reports as well, which should be ignored by the software.
What problems is the product solving and how is that benefiting you?
It helps to detect code smells and vulnerabilities, which helps developers protect the application from security threats.


    Abbasi Poonawala

Seamless integration with various platforms and products, providing a centralized and comprehensive security analysis solution

  • July 06, 2023
  • Review provided by PeerSpot

How has it helped my organization?

We used Fortify for static code analysis, dynamic security testing, and both white box and black box testing. We applied these scanning methods to our business-critical applications such as Temenos (T-24), which was our core banking application.

Additionally, other business-critical applications like Murex and various applications in trade finance or treasury security services also rely on Fortify.

What is most valuable?

Our CSD team used multiple tools for different scenarios. When dealing with sophisticated threats or vulnerabilities, manual analysis was necessary alongside Fortify's machine-based analysis. So, in handling complicated vulnerabilities, we couldn't rely on just one tool. Multiple tools were required. One such tool was OS Zap Proxy. We integrated Zap Proxy with Fortify, and this integration proved quite useful. Instead of relying solely on Fortify's dashboard, we integrated it with other tools, which made more sense. The security analysts, up to the level of the CSO, wouldn't rely only on a single dashboard. They used multiple tools to detect and work on vulnerabilities across various platforms and products. Fortify seamlessly integrates all these aspects.

What needs improvement?

Temenos's (T-24) Infobasic is a separate programming interface, and such proprietary platforms and programming interfaces were not easily supported by the out-of-the-box versions of Fortify. Although Fortify already supports around 25 programming languages, during our evaluation, we found it lacking in terms of support.

So Fortify on Demand doesn't support all programming languages. Additionally, automating everything from the pipeline, which means the build will stop if any single vulnerability is found by their particular tool during the scan.

For how long have I used the solution?

Fortify has been with our bank since its inception in 2008.

What do I think about the stability of the solution?

Fortify is very reliable and doesn't experience frequent crashes. It provides a stable and dependable tool for our needs.

What do I think about the scalability of the solution?

It is a quite scalable product. We can start small with single instances and gradually scale up with multiple instances. This scalability aspect is similar to SonarQube as well.

When the scan load increases, we reach a threshold where we may need to purchase additional resources or adjust our pricing brackets. For instance, if I exceed one million lines of code, there might be an extra cost or a change in the pricing bracket.

However, the cost we see initially is different and covers up to one million lines of code. Overall, it's quite manageable to handle the loads we encounter.

How are customer service and support?

Whenever required, we have reached out to the technical support team. Our architecture team thoroughly evaluated Fortify along with our stakeholders. We always prioritize leveraging our existing applications from an inventory of over 340 applications, rather than opting for new ones.

When we onboarded Fortify in 2008, we had other choices for tools and products as well, but we didn't choose them. This decision was made by the cybersecurity defense team, who are the primary users of the product.

They were satisfied with Fortify, and we didn't require extensive support. However, whenever needed, we can rely on the support included with the license.

How was the initial setup?

I am the architecture manager, and my team evaluated and onboarded Fortify based on reviews and evaluations from GQ, Peerspot, Gartner, and even Forrester.

During the setup process, we had concerns regarding the cost. From the CSD perspective, Fortify was not very cost-friendly. The CSD has a separate budget and reports directly to the CEO and CIO. We had to consider our budget limitations because we have been leveraging Fortify since the bank's inception in 2008. Although we have utilized it extensively, the cost appeared higher compared to SonarQube. Hence, we decided to go with SonarQube. However, I must say that Fortify offered a lot of value.

It was quite manageable to maintain. We have a dedicated team that supports Fortify in production. So, it was quite manageable.

What about the implementation team?

We have a support team consisting of around five or six engineers, specifically CICD engineers from the platform support team. They handle the deployment and maintenance tasks.

For version upgrades, the team takes care of it as and when needed. Additionally, if there are any junior members required, they assist in the maintenance process. The primary user of Fortify is the CSD team.

What's my experience with pricing, setup cost, and licensing?

We were on a subscription-based model. The subscription was expiring in December 2022, and we have decided not to renew it for this year.

Which other solutions did I evaluate?

We are already decommissioning Fortify and have already implemented SonarQube. We are currently using SonarQube Enterprise.

Fortify on Demand was utilized for a considerable period. However, we have now transitioned away from Fortify on Demand. It was primarily used by our CSD team, the cybersecurity defense team at the bank.

Initially, we performed penetration testing and vulnerability assessments within the Fortify platform. However, we have since implemented a DevSecOps pipeline in partnership with Red Hat. Currently, all testing, including penetration testing and vulnerability assessments, is automated within the pipeline. The pipeline runs on Tecton, enabled on the OpenShift site.

Therefore, any tool we use, be it Fortify or SonarQube, must be integrated into that pipeline. This approach has addressed most of the pain points we faced previously. Consequently, we are satisfied with SonarQube's performance now.

Fortify on Demand only offers static analysis and lacks dynamic security testing capabilities. However, if it's integrated into the pipeline, we can incorporate another tool for dynamic security testing. This was not possible with Fortify alone.

Additionally, Fortify has limited programming language support compared to SonarQube. The recent global launch of SonarQube in the GA version expanded its support for various programming platforms, such as CSM and .NET on the Java side, among others.

In our bank, we use T24 as our core banking system, which relies on a proprietary programming language called Infobasic. SonarQube also supports this language. When we place the code into the pipeline and perform builds, including the repository, we scan the entire codebase, including Infobasic code for the banking application. In summary, SonarQube offers broader programming language support. Previously, we only scanned other business-critical applications, but now we can scan our most critical banking application, T24, using SonarQube.

What other advice do I have?

Fortify has excellent support for various programming languages. Each bank may have its own core banking applications with proprietary support for different programming languages. This makes Fortify particularly relevant and advantageous in those cases. This advantage may not be present in SonarQube.

Additionally, if a feature is not offered out of the box, Fortify allows customization, providing flexibility. Apart from dynamic security testing, Fortify is reliable for generating and distributing v-scan reports to multiple stakeholders, making it less of a hassle for the CAC team as most tasks are automated.

I would rate Fortify on Demand as an eight.


    Non-Profit Organization Management

Fortify, one stop shop for Application Security Testing

  • November 29, 2021
  • Review provided by G2

What do you like best about the product?
Fortify provides excellent drill-down capabilities for analyzing vulnerabilities and recommended steps for fixing or remediation.
What do you dislike about the product?
It would be nice to see more Dashboards and Metrics out of the box.
What problems is the product solving and how is that benefiting you?
It provides a powerful platform for validating all of our applications and provides comprehensive recommendations for addressing any identified vulnerabilities.
Recommendations to others considering the product:
When starting out, I strongly recommend that you leverage the expertise and experience of the Fortify on Demand team. They have a lot of resources around best practices, case studies, scaling up your program, creating roadmaps, etc.


    Banking

FoD is an excellent way to find vulnerabilities in Apps

  • November 29, 2021
  • Review provided by G2

What do you like best about the product?
How the vulnerabilities are presented. There's always detailed information to determine if the vulnerability is true, false, or a false positive, etc.
What do you dislike about the product?
False positives and no auto report generator after a dynamic scan.
What problems is the product solving and how is that benefiting you?
Securing applications written in many programming languages.


    Airlines/Aviation

Real-time control of the security of the company's extranet

  • January 22, 2019
  • Review provided by G2

What do you like best about the product?
For years I have been working with this company, and the truth is that, except for some setbacks of lost files, the overall assessment is positive. All the tools available to the company and the possible threats are controlled in real time. What I like most about this product are the neutralization of current threats and the updates that occur quickly and efficiently. The speed of their resolution, from my point of view, is one of the best options available in the market today.
What do you dislike about the product?
As a negative point, I would say that the documentation of the guides that are included, such as the notes guides, is quite complex and difficult to understand. Anyway, the support team solves doubts quickly.
What problems is the product solving and how is that benefiting you?
One of the main solutions that this tool generates in our company is the amount of time and money that saves us and the security we have when working every day.


    Insurance

Great SaaS with the flexibility to grow

  • January 18, 2018
  • Review provided by G2

What do you like best about the product?
The ability to scale and grow from an on-site centralized location to a more SaaS, cloud-based one. The ability to have a centralized location for all security monitoring and testing within one system and application, while also having the ability to develop any new processes.
The application is very flexible in regards to setting up shop, meaning it gives an entity the flexibility to develop according to their respective budget and company direction in regards to a web-based portal, in-house hosting, or a matrix of both.
What do you dislike about the product?
If the application is set as a self-service tool (SaaS), it takes away some of the leverage of in-house fixes. Yes, the cost is much more attractive to a smaller organization. However, for a larger entity, the upfront cost of setting up the infrastructure for the application to be in house would outweigh some of the troubles of migrating later in time.
What problems is the product solving and how is that benefiting you?
Continuous process improvement within the security layer of the enterprise. The ability to test and obtain real-time information on issues, while gaining recommendations.
Recommendations to others considering the product:
Truly test each case scenario for implementation, meaning just because one option is cheaper up front, it will not necessarily be the best solution for the next 3, 5, 10 years. Think of all the possible outcomes and what the company needs not just today but years down the road, to avoid possible migrations and added cost due to poor internal planning.


    Information Technology and Services

Great security testing and static code analysis tool helped in finding security vulnerabilities

  • January 17, 2018
  • Review provided by G2

What do you like best about the product?
Capabilities like Dynamic Application Security Testing software, along with integration with CI orchestration tools and adding its metrics as a quality gate, make it a real deal-breaker.
What do you dislike about the product?
Would like to have options to use a configurable backend and better REST APIs for reporting and building a custom integration. Also, integration options with current CI and ALM tools should be improved.
What problems is the product solving and how is that benefiting you?
Helped us to automate application security and vulnerability testing (DAST scanning) for our critical customer-facing web applications and integrate it as part of our CICD workflow.
Recommendations to others considering the product:
Need to focus on building REST APIs for reporting and custom integration.


    Anthony D.

Pleased with Micro Focus for over a decade

  • January 17, 2018
  • Review provided by G2

What do you like best about the product?
Automation has been extremely easy to learn for our offshore vendor partners and our onsite employee leads. Script re-use has increased as well.
What do you dislike about the product?
Steep learning curve, but a powerful set of tools.
The execution is very slow.
What problems is the product solving and how is that benefiting you?
The tool is effective in object identification of a variety of applications but is slow overall. Great products and SaaS service. Excellent communications and follow-up from the HPE account manager. We were able to chart the course to maturity as an organization by complementing our vision with their products.
Recommendations to others considering the product:
It's great and meets all of our needs. HPE technical and core teams, including the sales teams, have been very prompt at addressing our needs.