Fortify Application Defender Review

Straightforward to deploy and integrates well with WebInspect to secure against application-specific threats


What is our primary use case?

I do not use this product personally. Rather, I implement it for other people.

The general use case is application-specific threat blocking. Most of our customers use it as an augment to their WAF.

How has it helped my organization?

When our customers turn on the app defender, they can see the things that it's blocking that are getting by their WAF. This is the reason that most people implement it.

What is most valuable?

The most valuable feature is the ability to automatically feed it rules when it's coupled with the WebInspect dynamic application scanning technology. The rules that are created are very specific to the application that it's defending. In a typical WAF, out of the box, it comes with a set of standard rules that work reasonably well. However, if you want rules that are specific to vulnerabilities that you know are in the application, the application defender is superior at defending against these.

What needs improvement?

The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java. They need better support for applications written in Python or more advanced web service-type implementations. Better support for other architectures is critical.

Technical support needs to be improved.

It would be helpful to include agent deployment as part of the Azure DevOps marketplace. This would make it really easy for customers to get this plugin and install it within their application centers.

For how long have I used the solution?

I have been dealing with Fortify Application Defender for about seven years.

What do I think about the stability of the solution?

I have not seen too many issues that would impact stability. It is very much a "deploy it and forget it" type solution.

How are customer service and technical support?

Technical support is an area that can be improved and I think that it's been a known issue since the Fortify team was acquired by HP, many years ago. It's still a problem now, even though they are now part of the Micro Focus team. I recently communicated with one of the senior managers and they are aware of the issues, and they are working on them, but I'd say that it's still an area that needs improvement.

How was the initial setup?

The initial setup is fairly straightforward. It does require the deployment of an agent, but this is not unlike every other platform that is application-specific.

The deployment requires collaboration between the security team, who's typically running the application security program, and the operations team, who's responsible for the deployment and management of the hardware that the applications run on. These two teams really have to be engaged from an implementation standpoint to make sure that the plan fits and has input from both perspectives.

What about the implementation team?

We deploy this product for our clients.

In the SaaS platform, the Fortify teams are responsible for maintenance. The agents that are deployed within the customer's environment simply ping back to the console for updates, which is an automated task. The number of people and the time it takes to perform updates is minimal.

What's my experience with pricing, setup cost, and licensing?

The base licensing cost for the SaaS platform is about $900 USD per application, per year. Some larger companies have different pricing based on scale and the size of their implementation.

I believe they have a trial period, where they allow you to use it for free.

What other advice do I have?

My advice for anybody who is considering Fortify Application Defender is to try it before you buy it. It is one of those things that once you see it in action, it is pretty impressive. Considering there is a free trial available, I think that more people should try it.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner