What is our primary use case?
We use it for externally exposed applications that we want to scan before releasing them to production. As you can imagine, it's important to make sure they're secure and that we will not be exposed. For internal apps, we use other static code scanning, primarily SonarQube. But Fortify on Demand is for externally exposed applications.
How has it helped my organization?
Because of the kind of products we deal with, and the kind of customers we have, we have really specific security requirements and practices we need to follow, specifically applying to our SDLC. Our SDLC dictates that we have security scanning, and that improves our code quality. Thankfully, we have never had any kind of serious security flaw or any kind of deviation of the process. We can certainly account for that because of the security tools and analysis that we have prior to moving code to production.
What is most valuable?
One of the valuable features is the ability to submit your code and have it run in the background. Then, if something comes up that is more specific, you have the security analyst who can jump in and help, if needed. I think that's really useful.
What needs improvement?
It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers. That's one of the reasons we don't use it throughout the company and for all our applications, only for the ones we judge to be most important.
Also, if you have continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time.
And it's too expensive to afford to run it for every application all the time. That's certainly something that requires improvement.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
I haven't really encountered any issues with stability.
What do I think about the scalability of the solution?
No issues with scalability. It has been able to handle all our workload so far.
How are customer service and technical support?
Our experience with tech support has been good. We haven't needed support that much but whatever we needed we were able to find on their website. There were a couple of things regarding the licensing and payment that we had to get some help with. But it was quick and easy.
Which solution did I use previously and why did I switch?
We didn't have a previous solution. We researched a couple of the tools, but we ended up using Fortify because of the comprehensive scans they have, and mainly because they are focused on the kind of apps that we have and the kind of requirements we have. They are able to cover most of the standards and practices that we need to adhere to.
How was the initial setup?
The initial setup was straightforward. We had onsite training from HPE to help set up the local environment and first scans, and that was helpful.
What's my experience with pricing, setup cost, and licensing?
The subscription model, on a per-scan basis, is a bit expensive. That's another reason we are not using it for all the apps. That subscription model is probably something that needs improvement.
Which other solutions did I evaluate?
We looked at Checkmarx and SonarQube Enterprise. As I said, we are currently using SonarQube for other apps, but we use the open-source version. We tried to use the Enterprise version but it didn't cover all the aspects that we needed it to cover.
What other advice do I have?
Understand what you want to get out of it and be sure to fully understand what you will be paying per scan if you go for the subscription model. As I said, having to scan hundreds or thousands of apps using that subscription model and doing that several times a week, or several times a day, may increase your costs. That might be something that you need to look at.
I rate it at nine out of 10. It's not a 10 because of the cost model (it's a bit pricey) and the slowness (it could be a little bit faster). I understand the reasons why, but you just need to be aware before you start using it that the local scan won't be as fast as the static code scan.