We performed a comparison between Fortify on Demand and Sonatype Lifecycle based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"It has saved us a lot of time as we focus primarily on programming rather than tool operational work."
"Speed and efficiency are great features."
"Fortify on Demand is easy to use and the reporting is good."
"The most valuable features of Micro Focus Fortify on Demand have been SAT analysis and application security."
"The vulnerability detection and scanning are awesome features."
"Provides good depth of scanning and we get good results."
"It's a cloud-based solution, so there was no installation involved."
"The solution is very fast."
"The most important features of the Sonatype Nexus Lifecycle are the vulnerability reports."
"Fortify integrates with various development environments and tools, such as IDEs (Integrated Development Environments) and CI/CD pipelines."
"The scanning capability is its most valuable feature, discovering vulnerable open source libraries."
"There is a feature called Continuous Monitoring. As time goes on we'll be able to know whether a platform is still secure or not because of this feature."
"Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD; we use Jenkins to do continuous integration, and it makes our pipeline build a lot more streamlined. It integrates with Jenkins very well."
"The value I get from IQ Server is that I get information on real business risks. Is something compliant, are we using the proper license?"
"The most valuable function of Sonatype Lifecycle is its code analysis capability, especially within the specific sub-product focusing on static analysis."
"You can really see what's happening after you've developed something."
"The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there."
"The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment."
"We have some stability issues, but they are minimal."
"There is room for improvement in the integration process."
"I would like to see improvement in CI integration and integration with GitLab or Jenkins. It needs to be more simple."
"Integration to CI/CD pipelines could be improved. The reporting format could be more user friendly so that it is easy to read."
"There are lots of limitations with code technology. It cannot scan .net properly either."
"We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access."
"The reporting capability is good but I wish it was better. I sent the request to support and they raised it as an enhancement within the system. An example is filtering by version. If I have a framework that is used in all applications, but version 1 is used in 50 percent of them and version 2 in 25 percent, they will show as different libraries with different usage. But in reality, they're all using one framework."
"It's the right kind of tool and going in the right direction, but it really needs to be more code-driven and oriented to be scaled at the developer level."
"In terms of features, the reports natively come in as PDF or JSON. They should start thinking of another way to filter their reports. The reporting tools used by most enterprises, like Splunk and Elasticsearch, do not work as well with JSON."
"The GUI is simple, so it's easy to use. It started as great to use, but for larger scale companies, it also comes with some limitations. This is why we tried to move to more of an API approach. So, the GUI could use some improvements potentially."
"In the beginning, we sometimes struggle to access the customer environment. The customer must issue the required certificates because many customers use cell phone certificates, and Sonatype needs a valid CA certificate."
"We created the Wiki page for each team showing an overview of their outstanding security issues because the Lifecycle reporting interface isn't as intuitive. It is good for people on my team who use it quite often. But for a tech engineer who doesn't interact with it regularly, it's quite confusing."
"Fortify's software security center needs a design refresh."
"It would be helpful if it had a more detailed view of what has been quarantined, for people who don't have Lifecycle licenses. Other than that, it's pretty good."
Fortify on Demand is ranked 10th in Application Security Tools with 56 reviews while Sonatype Lifecycle is ranked 6th in Application Security Tools with 42 reviews. Fortify on Demand is rated 8.0, while Sonatype Lifecycle is rated 8.4. The top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes". On the other hand, the top reviewer of Sonatype Lifecycle writes "Seamless to integrate and identify vulnerabilities and frees up staff time". Fortify on Demand is most compared with SonarQube, Veracode, Checkmarx One, Coverity and Mend.io, whereas Sonatype Lifecycle is most compared with SonarQube, Black Duck, Fortify Static Code Analyzer, GitLab and Debricked Security. See our Fortify on Demand vs. Sonatype Lifecycle report.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.