What is our primary use case?
We create technology solutions for clients and on one project we were requested to use Fortify on Demand after the client had read a good report about it. They sent us the report and recommended its use.
In this case, we were using Java to program the client's solution and so we used Fortify on Demand alongside our Java development operations, for the purpose of improving the application's security.
The work we were doing for the client involved creating a billing system that they would use to manage payments and taxes for other companies in Chile. We've only used Fortify on Demand for this one client so far.
Because Fortify on Demand was so new to us, we decided to go with the trial version first and figure out the costing at a later stage.
How has it helped my organization?
Fortify on Demand has helped us more easily ensure the security of our client's application, which works with sensitive information such as payments and taxation. Without it, we would have to spend much more time finding hidden weaknesses in our code.
What is most valuable?
One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that.
Another reason I like Fortify on Demand is because our code often includes open source libraries, and it's important to know when the library is outdated or if it has any known vulnerabilities in it. This information is important to us when we're developing our solutions and Fortify on Demand informs us when it detects any vulnerable open source libraries.
What needs improvement?
During development, when our developer makes changes to their code, they typically use GitHub or GitLab to track those changes. However, proper integration between Fortify on Demand and GitHub and GitLab is not there yet. Improved integration would be very valuable to us.
Similarly, I would love to see some kind of tracing solution for use in stress testing. So when we stress the application on a certain page or on a certain platform, we would be able to see a complete stress test report which could quickly tell us about weak points or failures in the application.
Further potential for improvement is that, when we deploy our Java WAR files for review in the QA area, we want to be able to create a report in Fortify on Demand right from within this deployment stage. So it might inspect or check the solution's Java WAR package directly and come up with a report in this crucial phase of QA.
For how long have I used the solution?
I have been using Fortify on Demand for about a month or so.
What do I think about the stability of the solution?
Overall, we have not had any issues with stability, although we have not used it for very long.
What do I think about the scalability of the solution?
We have had no problems with scalability in our current use case, which is only one client at the moment. As a cloud service, it has satisfied our requirements well and we haven't had any situations where scalability is an issue.
How are customer service and technical support?
When we sent a question about the product to their support team, we had to wait a while but they did send us a response eventually. I think that they could work on reacting faster to support questions.
Which solution did I use previously and why did I switch?
We have also tried SonarQube, but Fortify on Demand appealed to us more due to their source code review with emphasis on open source vulnerabilities. Fortify seems stronger in that aspect and we like to use many open source libraries in our work.
How was the initial setup?
The setup is easy and it only takes about 30 minutes to perform a basic code review in Java when dealing with WAR files.
It can get more complicated when you want to fine-tune the reporting interface to give only the details that you want to see. This is because the initial configuration depends on other variables like the scope of the review, the client's preferences, the technician's preferences, and other factors.
When it comes to launching Fortify on Demand and connecting it to our codebase, it's quite easy. Getting quick reviews done on WAR files is a relatively simple procedure.
What about the implementation team?
Our company implements Fortify on Demand ourselves on behalf of our client. When the client requests any changes, we then implement it for them.
What's my experience with pricing, setup cost, and licensing?
We are still using the trial version at this point but I can already see from the trial version alone that it is a good product. For others, I would say that Fortify on Demand might look expensive at the beginning, but it is very powerful and so you shouldn't be put off by the price.
In our case, we are constrained by the client's budget, but others might find that the price is not too bad. It all depends on the budget.
What other advice do I have?
For us, Fortify on Demand is a good quality product that I can recommend for a few reasons, including:
- Very useful source code review and vulnerability detection.
- Clear and easy-to-read test results and reports.
- Good integration with other platforms during development.
I would rate Fortify on Demand a nine out of ten.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?