We performed a comparison between MicroFocus Fortify on Demand and Veracode based on our users’ reviews in four categories. After reading the collected data, you can find our conclusion below.
Comparison Results: Veracode nudges ahead of Microfocus Fortify on Demand in this comparison. Veracode users feel the solution enables them to analyze every security flaw, discrepancy, and vulnerability, and feel the reporting is very concise. Microfocus can be very taxing on resources and can potentially slow processes down considerably.
"The solution is very fast."
"The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira."
"Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out."
"The vulnerability detection and scanning are awesome features."
"Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices. Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much."
"Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning."
"The feature that I find the most useful is being able to just see the vulnerabilities online while checking the code and then checking suggestions for fixing them."
"The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives."
"We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes."
"We use Veracode static analysis during development to eliminate vulnerability issues"
"We have to look at it from the perspectives of how important it is to fix something and when it should be prioritized for fixing. The JSON output from the agent-based scans gives us the CVS core, and that makes things much easier."
"It gives me an idea about the most important vulnerabilities and fast remediation tips."
"When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously, but the Veracode platform allowed us to streamline our identification of these items and develop a game plan to quickly address them."
"The capability to identify vulnerable code is the most valuable feature of Veracode."
"When we do have errors, Veracode is always available, their consultants, to help us either mitigate the error, or provide technical assistance on pointing exactly where the problem is and how we could probably fix it. I'm always amazed at how knowledgeable they are."
"The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws."
"New technologies and DevOps could be improved. Fortify on Demand can be slow (slower than other vendors) to support new technologies or new software versions."
"The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment."
"We have some stability issues, but they are minimal."
"There are lots of limitations with code technology. It cannot scan .net properly either."
"The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to."
"With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities."
"Fortify on Demand could be improved with support in Russia."
"It would be highly beneficial if Fortify on Demand incorporated runtime analysis, similar to how Contrast Security utilizes agents for proactive application security."
"We have approximately 900 people using the solution. The solution is scalable, but there is a high cost attached to it."
"The scanning could be a little faster. The process around three or four minutes, but it would help if it could be further reduced."
"An area for improvement in Veracode is the time that it takes to scan large projects, as that makes it difficult to fit into our CI/CD pipelines."
"Mitigation review isn't always super easy."
"The product has issues with scanning."
"The interface is basic and has room for improvement."
"The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually, but I believe that it's something have on their roadmap."
"Improving sorting through findings reports to filter by only what is critically relevant will help developers focus on issues."
Fortify on Demand is ranked 10th in Application Security Tools with 57 reviews while Veracode is ranked 2nd in Application Security Tools with 194 reviews. Fortify on Demand is rated 8.0, while Veracode is rated 8.2. The top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes ". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". Fortify on Demand is most compared with SonarQube, Checkmarx One, Coverity, Fortify WebInspect and Snyk, whereas Veracode is most compared with SonarQube, Checkmarx One, Snyk, Fortify Static Code Analyzer and OWASP Zap. See our Fortify on Demand vs. Veracode report.
See our list of best Application Security Tools vendors and best Static Application Security Testing (SAST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.