We performed a comparison between Fortify Application Defender, SonarQube, and Trustwave App Scanner [EOL] based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.
"The product saves us cost and time."
"The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities."
"The most valuable feature is that it analyzes data in real-time."
"We are able to provide our customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment."
"The information from Fortify Application Defender on how to fix and solve issues is very good compared to other solutions."
"The most valuable feature is the ability to automatically feed it rules when it's coupled with the WebInspect dynamic application scanning technology."
"The most valuable features of Fortify Application Defender are the code packages that are default."
"The solution helped us to improve the code quality of our organization."
"There's plenty of documentation available to users."
"It's enabled us to improve software quality and help us to disseminate best practices."
"The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
"One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment; it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the pull request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities; however, it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside."
"I like that it has a better dashboard compared to Clockwork. It's also stable."
"The product itself has a friendly UI."
"The software quality gate streamlines the product's quality."
"Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors."
"The stability is great. We haven't had any issues at all with it."
"The licensing can be a little complex."
"The solution is quite expensive."
"Fortify Application Defender gives a lot of false positives."
"Support for older compilers/IDEs is lacking."
"I encountered many false positives for Python applications."
"The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java."
"The solution could improve the time it takes to scan. When comparing it to SonarQube it does it in minutes while in Fortify Application Defender it can take hours."
"Fortify Application Defender could improve by supporting more code languages, such as GRAAS and Groovy."
"SonarQube can improve by scanning the internal library, which it currently does not do. We are looking for a solution for this."
"It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect."
"One thing to improve would be the integration. There is a steep learning curve to get it integrated."
"Our developers have complained about the Quality Gates and the number of false positives that this product reports."
"SonarQube could improve its static application security testing as per the industry standard."
"I have found this solution creates more noise than competitors."
"This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced."
"New plug-ins should be integrated into SonarCloud to give more flexibility to the product."
"I would like to see a little more flexibility with regards to setting up profiles for vulnerabilities."