We performed a comparison between Fortify Application Defender, Fortify on Demand, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.
"Fortify Application Defender's most valuable features are machine learning algorithms, real-time remediation, and automatic vulnerability notifications."
"The most valuable feature is that it analyzes data in real-time."
"The product saves us cost and time."
"Its ability to find security defects is valuable."
"The information from Fortify Application Defender on how to fix and solve issues is very good compared to other solutions."
"We are able to provide our customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment."
"The most valuable feature is the ability to automatically feed it rules when it's coupled with the WebInspect dynamic application scanning technology."
"The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities."
"It is an extremely robust, scalable, and stable solution."
"The scanning capabilities, particularly for our repositories, have been invaluable."
"The feature that I find the most useful is being able to just see the vulnerabilities online while checking the code and then checking suggestions for fixing them."
"Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices. Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much."
"It's a cloud-based solution, so there was no installation involved."
"The most important feature of the product is to follow today's technology fast, updated rules and algorithms (of the product)."
"It helps deploy and track changes easily as per time-to-time market upgrades."
"The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation."
"I can have quick results by just uploading compiled components."
"The most valuable feature is the SAST capability and its integration into the Veracode pipelines."
"Developer Sandboxes help move scanning earlier within the SDLC."
"The solution is a specialist in SAST that you can rely on. Code scanning is fast with current, updated algorithms."
"The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."
"The integration with DevOps pipelines is seamless."
"Our development team uses this solution for static code analysis and pen testing."
"Stable and scalable, with good reporting features. Helps in detecting and managing vulnerabilities and risks."
"The solution is quite expensive."
"Fortify Application Defender could improve by supporting more code languages, such as GRAAS and Groovy."
"Support for older compilers/IDEs is lacking."
"Fortify Application Defender gives a lot of false positives."
"The workbench is a little bit complex when you first start using it."
"I encountered many false positives for Python applications."
"The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java."
"The false positive rate should be lower."
"The solution has some issues with latency. Sometimes it takes a while to respond. This issue should be addressed."
"There are lots of limitations with code technology. It cannot scan .net properly either."
"There were some regulated compliances, which were not there."
"Integration with CI/CD pipelines could be improved. The reporting format could be more user-friendly so that it is easy to read."
"The UI could be better. Fortify should also suggest new packages in the product that can be upgraded. Currently, it shows that, but it's not visible enough. In future versions, I would like more insights about the types of vulnerabilities and the pages associated with the exact CVE."
"The biggest deficiency is the integration with bug tracker systems. It might be better if the configuration screen presented for accessing the bug tracking systems could provide some flexibility."
"There are many false positives identified by the solution."
"They have very good support, but there is always room for improvement."
"It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help."
"It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects."
"To be able to upload source codes without being compiled. That’s one feature that drives us to see other sources."
"The scanning takes a lot of time to complete."
"The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it."
"I haven't heard about any problems so far. However, it would be great if Veracode automatically packaged stuff up for you."
"The solution does not support Dynamic Application Security Testing."
"False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side."