We performed a comparison between Fortify Application Defender and SonarQube based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"Its ability to find security defects is valuable."
"I find the configuration of rules in Fortify Application Defender useful. Its integration is also easy."
"The most valuable features of Fortify Application Defender are the code packages that are default."
"The product saves us cost and time."
"The solution helped us to improve the code quality of our organization."
"The most valuable feature is the ability to automatically feed it rules what it's coupled with the WebInspect dynamic application scanning technology."
"The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities."
"Fortify Application Defender's most valuable features are machine learning algorithms, real-time remediation, and automatic vulnerability notifications."
"The fact that the solution does security scanning is valuable."
"The solution is stable."
"I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."
"The overall quality of the indicator is good."
"We consider it a handy tool that helps to resolve our issues immediately."
"We have worked with the support from SonarQube and we have had good experiences."
"SonarQube is good for checking and maintaining code quality."
"The customizable dashboard and the ability to include results and coverage from unit tests and other static code analysis tools."
"I encountered many false positives for Python applications."
"The licensing can be a little complex."
"The solution is quite expensive."
"The workbench is a little bit complex when you first start using it."
"The solution could improve the time it takes to scan. When comparing it to SonarQube it does it in minutes while in Fortify Application Defender it can take hours."
"The product should integrate industry-standard code review tools internally with its system. This would streamline the coding process, as developers wouldn't need multiple tools for code review and security checks. Many independent and open-source tools are available, from Apache to various libraries. Using multiple DevOps pipeline tools can slow the turnaround time."
"Fortify Application Defender could improve by supporting more code languages, such as GRAAS and Groovy."
"The false positive rate should be lower."
"The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages."
"SonarQube could be improved by implementing inter-procedural code analysis capabilities, allowing for a more comprehensive detection of defects and vulnerabilities across the entire codebase."
"I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production."
"We have tens of millions of lines of code to be analyzed and processed. There can be some performance degradation if we are applying SonarLint to large code or code that is complex. The main issues arose when the code had to be analyzed. There were several routines involved to solve those performance issues, but this process should be improved."
"The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities."
"We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better."
"SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers."
"I would like to see more options for security, beyond the basics like SQL injection."
Fortify Application Defender is ranked 30th in Application Security Tools with 11 reviews, while SonarQube is ranked 1st in Application Security Tools with 110 reviews. Fortify Application Defender is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Fortify Application Defender writes "Useful for fast code review in DevOps pipelines". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Fortify Application Defender is most compared with Checkmarx One, Coverity, CAST Application Intelligence Platform, Qualys Web Application Scanning and Fortify on Demand, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Snyk. See our Fortify Application Defender vs. SonarQube report.