Reviews from AWS customer

1 AWS reviews
  • 5 star
    0
  • 4 star
    0
  • 1
  • 2 star
    0
  • 1 star
    0

External reviews

45 reviews

External reviews are not included in the AWS star rating for the product.


3-star reviews

    Himanshu_Tyagi

Supports secure development pipelines and improves issue detection but limits internal visibility and needs broader dashboard integration

  • November 11, 2025
  • Review from a verified AWS customer

What is our primary use case?

I have been working with AWS cloud for the past six to seven years, and in my current role, I am working on AWS cloud.

Fortify was used for scanning applications to identify dynamic security vulnerabilities. Another solution from Fortify named Fortify Source Code Analyzer, basically SCA, scans lines of code for different technologies, such as ASP.NET, VB.NET, and Java-based applications. It scans different lines of code for an application and flags vulnerabilities, and on the basis of that vulnerability, a security professional has to identify false positives and then report it to the internal application team.

When security issues are identified in the early stage of the software development life cycle, it really helps because if threats are identified early, the product being developed by the application development team has fewer security issues. There is no product that doesn't have any issues. Obviously, the team tries to build a solution that has zero issues, but that is hypothetical. When threats are identified in the early software development life cycle, it gives confidence among the team and provides a fair idea that the application being developed will be a viable solution for the customer.

Whenever any security vulnerability is identified by Fortify or OpenText, it gives information about whether that particular security issue is non-compliant related to PCI, ISO 27001, or SOC 2. It provides a fair understanding that this security vulnerability should be prioritized because if you don't fix this vulnerability, your application will be non-compliant and your compliance goal will ultimately fail. So it helps a lot.

What is most valuable?

Fortify on Demand is a good service. Since it is fully being managed by OpenText, after Micro Focus acquired Fortify, all services are managed by the Fortify team when a customer is using Fortify on Demand. When you are seeing the application and the vulnerabilities which have been identified by their tool, you can see the issues. However, the visibility of the actual work being done is by the Fortify team. If you want to fully outsource your services, then it's a very good solution.

The best feature is that it supports many language frameworks. VB.NET was not available previously, but later they onboarded VB.NET as well, which is a legacy-based application, but some organizations still use VB.NET, so they have onboarded it, which is a good thing. Another aspect I appreciated about Fortify is that it gives a good understanding of the issues. The false positive rate is less, and they give valid issues. The invalid issues identified by Fortify are fewer. That is a good aspect. Additionally, you can integrate Fortify in CICD pipeline, so you get real-time updates about the security issues in your pipeline.

What needs improvement?

If you have an internal team and you want your internal team to validate false positives, basically to determine whether it's a valid issue or an invalid issue, then I wouldn't recommend it much. That was the only reason we migrated from Fortify on Demand to another solution.

Fortify has another tool which is Fortify WebInspect. On Demand is the outsourcing solution, and WebInspect you can use with your in-house team, which is basically the product developed by the Fortify team. For automated scanning, Fortify helps a lot.

Regarding the visibility for the internal team, everyone is moving toward the DevSecOps side, and Fortify team has made good progress that you can integrate into your CICD pipeline. One thing I would highlight is if Fortify can focus more on the centralized dashboard of the tools because nowadays, tools such as SentinelOne also exist for identifying security issues, but they have a centralized dashboard that merges their cloud solution and application security side solution together. If you have one tool that works for different solutions, it helps a lot.

They are doing good, but they should invest more on the AI side as well because AI security is evolving these days. On the cloud side, they have already made good progress, but I believe they should explore the new area related to AI security as well.

For how long have I used the solution?

I have been using Fortify on Demand, Veracode, Checkmarx, and SonarQube for close to ten years. If you are asking particularly about Fortify, I will say seven years.

What do I think about the stability of the solution?

I have not experienced any issue with stability, reliability, crashes, or downtimes. The support was very good, and since I had direct interaction with the Fortify team, I didn't raise any escalation because the support was very good in my experience.

What do I think about the scalability of the solution?

It was very good and scalable. The only thing I mentioned before was that they provide limited understanding of what tools they're working on. If a customer wants to know the tools and the technology used for their application to scan their application, they provide less information on that.

How are customer service and support?

My experience with the technical support customer service team of Fortify was pretty good; I would rate it four out of five.

I had direct contact with Fortify team and the sales director. I had direct interaction with them, which facilitated how we onboarded Fortify.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We switched to Checkmarx.

When you talk about the key differences between Fortify and Checkmarx, we migrated from Fortify to Checkmarx because at that time, Fortify was not supporting VB.NET application, and our main application was using VB.NET. We raised the case with Fortify team about any plan in their future release to onboard VB.NET, but they didn't give us a good answer because they were saying they would try to onboard VB.NET into their platform in a year. A customer won't wait for one year to assess their application.

How was the initial setup?

When you talk about static application source code testing, we had to involve the Fortify team to create an LDAP role for us. Regarding Fortify on Demand, it was pretty much straightforward because we just needed to configure our application in their platform. We had to enter the information for our application, and the rest was done by the Fortify team. Fortify on Demand was very simple. Regarding the SAST part, I won't say it was hard, but it was a little bit complicated, and when we raised cases with their technical support team, they resolved our queries and we onboarded the tool into our environment.

What about the implementation team?

It depends upon your license which you have used. We were assessing 180 applications, and our license cost was $200,000.

It depends upon if you get a good offer from Fortify team. Regarding the cost-effective part, it is a bit expensive to be honest because some good organizations can obviously afford it, but if you talk about small organizations, I'm afraid they won't be going ahead with Fortify because it's an expensive solution.

Which other solutions did I evaluate?

The pros of Fortify include that you get a good understanding of the issues identified by the application. They continuously send notifications that the scan is being paused and the customer has to initiate the scan because the application scan has failed for some reason. The timely notification and visibility of issues identified is good, and the false positive aspect is also good.

Coming to Checkmarx, when we onboarded it, our primary reason was the VB.NET issue, and Checkmarx also has very good coverage on Java-based applications. The majority of our applications were on Java, and Checkmarx did a great job on the coverage of assessing our applications. Regarding the accuracy of issues, I find it almost the same for Fortify and Checkmarx. I didn't find much difference on the false positive side either.

What other advice do I have?

If you want to onboard a solution for your application security side, I will definitely recommend Fortify because for your application, when you get a fair understanding of the security issues in the early stage of the software development life cycle, it's a very good thing.

I have worked on Fortify on Demand. I used it six months ago.

Our applications were hosted on AWS cloud, and Fortify identified security vulnerabilities on our cloud platform. Our application which was hosted in AWS cloud showed that they provide good visibility. However, every tool has some pros and cons. If you ask me that if I want to recommend Fortify on Demand, it's obviously a good service which can be used by any organization when they are building a team. But if you have an in-house team which is working on many solutions, then it won't fit into their umbrella.

Fortify on Demand was the on-demand service provided by Fortify that was assessing all our applications. When applications hosted on AWS cloud were being assessed, Fortify was identifying issues for the application which was hosted on AWS cloud.

My experience with the technical support customer service team of Fortify was pretty good; I would rate it four out of five. Overall, I would rate this review a seven.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)


    Diego Caicedo Lescano

Allows portfolio-wide analysis and reporting but needs better support and integration

  • November 10, 2025
  • Review provided by PeerSpot

What is our primary use case?

I am familiar with all of the ADM portfolio, Application Delivery Management, including UFT, Unified Functional Testing, and we are building LoadRunner for security, specifically for the Cyber Res portfolio, which is Fortify, and for the other portfolio, SMAX for Service Desk and monitoring.

What is most valuable?

The best features with Fortify on Demand include having analysis for any product based on analysis points. With on-premise, you have to buy the license for each application. The licensing model is better on demand than on-premises. Another feature is that on demand you have two levels of reports: the first from the tool, which is the same as we can get from Fortify on-premises, and a next level reporting made by experts from OpenText, leading to a more condensed and precise report as level three.

What needs improvement?

It would be better for Fortify on Demand if they could analyze not only the security pillar but also maintainability, portability, and reliability, covering all pillars of ISO 25000. We have another tool that does that, such as SonarQube.

A quality code analysis feature is needed, as our customers often ask for those features, which are not available in Fortify on Demand or on-premises, where we only have static and dynamic code analysis.

OpenText Core Application Security's integration with existing systems has a lack of integration, and it would be better if it had more open integration.

For how long have I used the solution?

We have been dealing with Fortify for around eight years. The initial installation for on-demand was one of the first installations. Licenses in each product vary. The licensing in on-demand SaaS is different than on-premises, and that is the main difference.

How are customer service and support?

I would rate the support for OpenText at no more than three out of ten; it is really bad, and we encounter a lot of problems when getting support.

Support tickets often stay open for one month to three months, which leads to customer frustration. The wait time for a customer is too much. We understand the technology, but customers do not like paying for that kind of support.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

SonarQube is used as a different solution for SAST.

The main difference between Fortify and SonarQube is that SonarQube is a complete solution for SAST plus quality code analysis, focusing on five pillars, which according to ISO 25000 includes security as one pillar.

Q1 from Idera is another solution that covers five pillars and is great compared to Fortify, which only addresses the security pillar. There are significant differences in findings, as each solution has different findings, but SonarQube is the best for SAST findings.

How was the initial setup?

The setup for on-demand is straightforward and better because we do not have to install any components like we do for on-premises, making it easy.

What other advice do I have?

I do have experience with OpenText.

I would be willing to provide a review for an OpenText product, and we are partners from OpenText, selling a lot of products since UFT, functional testing, performance testing, and some of those products.

Andres has experience with LoadRunner Cloud, so Andres is the person to contact.

I do have experience with Fortify on Demand as well as Fortify on-premises, but I am the general manager, not the technician. Andres is the technician, and you can have a call with Andres, Alex, or Henry to get any review or feedback on the products.

For Fortify on Demand, the experience is less than three years—around two years, not more than that.

I am familiar with Fortify and Real User Monitoring.

The pricing is better for the customer, but it is not easy to understand the new pricing points. For us as partners, it is cheaper than the other licensing models, but for the customer, understanding how many points apply to each application can be confusing.

The overall review rating for this product is 7 out of 10.


    reviewer2646048

Security tool identifies access token exposure while improvement needed in false positives handling

  • January 31, 2025
  • Review provided by PeerSpot

What is our primary use case?

I primarily use Fortify to check for sensitive information disclosure in the source code and for identifying security vulnerabilities. These types of issues are scanned by Fortify.

What is most valuable?

Fortify helps me find serious issues, such as developers inadvertently leaving access tokens, including API access tokens, in the source code. Fortify is effective in identifying such oversights, making it a really helpful tool despite its problems. It is valuable in improving our overall security posture by catching significant errors.

What needs improvement?

There are frequent complaints about false positives from Fortify. One day it may pass a scan with no issues, and the next day, without any code changes, it will report vulnerabilities such as password exposure.

Additionally, it would be beneficial if Fortify could check for CVEs (Common Vulnerabilities and Exposures) in third-party libraries, which I currently use a separate dependency checker tool for. Implementing AI technologies for enhanced security testing would also be a positive development.

For how long have I used the solution?

This product has been used in my company for more than two years.

How was the initial setup?

We have a dedicated Fortify team, along with service teams with developers involved in the deployment process. It does not take longer than thirty minutes to deploy.

What other advice do I have?

Based on the experience of our company, I would recommend Fortify. It is helpful despite its problems, and I rate it as a seven out of ten.

It effectively detects serious security issues, adding to our confidence in using it as a vital tool in our processes.


    reviewer1610562

Useful for security code scans but needs to work on the false positives

  • June 18, 2024
  • Review provided by PeerSpot

What is our primary use case?

I use the solution in my company for security code scans.

What needs improvement?

The product has a lot of false positives. If the outputs can have fewer false positives, then that will be the greatest benefit the tool can offer.

For how long have I used the solution?

I have experience with Fortify on Demand. I manage the product in my company.

How are customer service and support?

The solution's technical support is okay and not outstanding.

Which other solutions did I evaluate?

It is a costly process to evaluate tools.

What other advice do I have?

I rate the tool a six out of ten.


    Thomas Boltze

Provides good depth of scanning but is unfortunately not fully integrated with CIT processes

  • May 11, 2023
  • Review provided by PeerSpot

What is our primary use case?

We use Fortify on Demand to look at dependency vulnerabilities and vulnerabilities in the source code. We are customers of Micro Focus.

What is most valuable?

We've found the depth of scanning that the product provides and the results we get are the most valuable features.

What needs improvement?

We need something that's going to be fully integrated with CIT processes from setting up a new microservice to scanning and managing other vulnerabilities. As of now, we don't have that which makes it a painful process.

For how long have I used the solution?

I've been using this solution for three years.

What do I think about the stability of the solution?

The solution is stable.

How was the initial setup?

The solution was implemented prior to my joining the company so I have no information regarding the initial setup.

What's my experience with pricing, setup cost, and licensing?

We're changing our licensing model because we currently pay 1,000 euro per scan which is ridiculous. We're working on changing it to a flat rate.

What other advice do I have?

Whether or not this solution will be useful depends on the maturity of your organization. If you understand what all the messages and the analysis mean, and you can usefully react to it then I think you should absolutely use it. If you're still working out these things, you should probably first go through some learning process and start with some simpler tooling that gives you some insights.

The challenge is always how to make things actionable and that is lacking to some extent. If, for example, there is something that depends on scans for vulnerability for all your dependencies and just pulls requests for you, Fortify doesn't action anything. It leaves all the actioning things to you so in a sense, it creates more work for the developers, but it doesn't help them to do the work.

We're not happy with the solution as a process because of the way it's internally implemented in the bank. On the other hand, the features are quite good so I would rate that aspect higher. On average, I rate this solution seven out of 10.


    Information Technology and Services

Good

  • August 10, 2021
  • Review provided by G2

What do you like best about the product?

  • The dashboard
  • Simple UI
  • Admin panel
  • Integration options

What do you dislike about the product?

  • Time taking process.
  • No rich colourful UI
  • UX is bad

What problems is the product solving and how is that benefiting you?

CICD support.


    Mike M.

Micro Focus Application Defender is a good program, just not the best for us

  • December 05, 2019
  • Review provided by G2

What do you like best about the product?

What I like best about Micro Focus Application Defender is the elimination of current threats very quickly, thereby saving us lots of time and money.

What do you dislike about the product?

What I dislike about Micro Focus Application Defender is that it can be very confusing to use and some of our employees don't have the patience it requires.

What problems is the product solving and how is that benefiting you?

We are solving the problems of threats through the internet. With many temporary satellite offices, this is a beneficial software.

Recommendations to others considering the product:

Keep up the good work, just try to make it simpler to use for everyone.


    Construction

Meets demands

  • January 18, 2018
  • Review provided by G2

What do you like best about the product?

Client portal is real helpful. Project status in real time creates a streamlined process internally and externally.

What do you dislike about the product?

Currently we have not delved very far into the program to have dislikes.

What problems is the product solving and how is that benefiting you?

Timeliness on project completions

Recommendations to others considering the product:

None right now


    Computer Software

Powerful but slow

  • August 26, 2016
  • Review provided by G2

What do you like best about the product?

HPE Fortify's scans are the best in the industry. There isn't a competitor that can match them in their feature suite and the depth of their product. The workflows are designed well and with the UI upgrade, it actually looks decent.

What do you dislike about the product?

Their expertise comes at a cost. Literally, they are expensive. It also requires a special setup to get the application installed and running correctly. In addition, the upgrade process is not clean and can break existing profiles. Usability suffers a bit from the newer UI because trying to get audits done now requires navigating through more screens.

What problems is the product solving and how is that benefiting you?

This solves the problem of vulnerable software code. The automated process pinpoints problem areas for the organization to address.

