Fortify Static Code Analyzer Review

Super scalable, fairly stable, very flexible, and can do anything you want it to do

What is our primary use case?

I work for a company that implements these solutions for customers. So, we've got it everywhere. I've done implementations that are very simple and are developer workstation-based or security analyst desktop-based. We also have implementations all the way up through their big kahuna, which is decentralized and automated scanning.

What is most valuable?

Its flexibility is most valuable. It is such a flexible tool. It can be implemented in a number of ways. It can do anything you want it to do. It can be fully automated within a DevOps pipeline. It can also be used in an ad hoc, special test case scenario and anywhere in between.

What needs improvement?

I know the areas that they are trying to improve on. They've been getting feedback for several years. There are two main points. The first thing is keeping current with static code languages. I know it is difficult because code languages pop up all the time or there are new variants, but it is something that Fortify needs to put a better focus on. They need to keep current with their language support.

The second thing is a philosophical issue, and I don't know if they'll ever change it. They've done a decent job of putting tools in place to mitigate things, but static code analysis is inherently noisy. If you just take a tool out of the box and run a scan, you're going to get a lot of results back, and not all of those results are interesting or important, which is different for every organization. Currently, we get four to five errors on the side of tagging, and it notifies you of every tiny inconsistency. If the tool sees something that it doesn't know, it flags, which becomes work that has to be done afterward. Clients don't typically like it. There has got to be a way of prioritizing. There are a ton of filter options within Fortify, but the problem is that you've got to go through the crazy noisy scan once before you know which filters you need to put in place to get to the interesting stuff.

I keep hearing from their product team that they're working on a way to do container or docker scanning. That's a huge market mover. A lot of people are interested in that right now, and it is relevant. That is definitely something that I'd love to see in the next version or two.

For how long have I used the solution?

I have been using this solution for ten years.

What do I think about the stability of the solution?

It is fairly stable. I haven't experienced any real catastrophic or fundamental flaws with it since version 19.10. This was the last one that had a real major flaw that needed hotfixes quickly.

What do I think about the scalability of the solution?

It is super scalable. That's definitely a bright spot.

With a solution like this, the number of users varies so much. We typically try to build a program with a client where there is a small team operating the tool. They typically just automate it and plug it into their DevOps pipeline, but the entire development organization consumes the results and does the work. There is the infrastructure management side to keep the solution updated and make sure the infrastructure is running, and then there are security analysts who are tweaking the filters, writing custom rules, and doing this kind of stuff to further advance the program using the tool.

Which solution did I use previously and why did I switch?

I started working with Fortify in 2011. In the last couple of years, we've branched out and started exploring other solutions, mostly because of our customers' requests. However, we're still not seeing the same level of advancement and ability with some of the other solutions.

We've gone down the route of evaluating Checkmarx and implementing Checkmarx with a few of our clients. It went okay, but it is not stellar. We're right in the midst of evaluating and onboarding the Synopsys toolset. I will have more input on that in about a month or so.

How was the initial setup?

It can be very simple. It could be as simple as a desktop installation or just a VM install. It could also be complicated if you're going for their full distributed scanning model, which is their scan central.

What's my experience with pricing, setup cost, and licensing?

It has a couple of license models. The one that we use most frequently is called their flexible deployment. We use this one because it is flexible and based on the number of code-contributing developers in the organization. 

It includes almost everything in the Fortify suite for one developer price. It gives access to not just the secure code analyzer (SCA) but also to FSC, the secure code. It gives us accessibility to scan central, which is the decentralized scanning farm. It also gives us access to the software security center, which is the vulnerability management platform.

What other advice do I have?

I would advise others to definitely do their homework in planning. It is not something where you just open the box and go. There needs to be some foresight, some planning, and a lot of input from various stakeholders. You've got to talk to your infrastructure team and make sure that you have suitable hardware for this in order for it to perform at its peak.

I would rate Fortify Static Code Analyzer an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner