What is our primary use case?
We are using Fortify on Demand as a static code analyzer. As it scans each application, it checks each line of code. When we are developing mobile applications there might be some kind of security vulnerability. One example is a check to see whether information that is being transferred is unencrypted, because this would be vulnerable to hackers who are trying to break into the system. We also look at whether we are using network transport layer security.
Our overall goal at this time is to protect our mobile app because it is one of the ways that hackers can break into the system.
What is most valuable?
Fortify on Demand is easy to use and the reporting is good.
As for the static code analysis functionality, it is doing the job that it is supposed to do.
What needs improvement?
This solution cannot do dynamic application security testing. It needs to be able to simulate a situation where a hacker is trying to break into the system.
The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood. Adding more information to provide a better analysis would be an improvement.
This solution would benefit from having more customization available for the reports.
For how long have I used the solution?
We have been evaluating Fortify on Demand for close to a year.
What do I think about the stability of the solution?
Fortify on Demand has been stable from what I have seen. We have not had any problem with the reports, and we have not seen any instability or glitches.
What do I think about the scalability of the solution?
In our trial, there are seven or eight applications that are relying on this solution. Different departments in our company have their own technology centers in different locations, and I am not aware of what the other departments are doing.
How are customer service and technical support?
I have not interacted with the Fortify on Demand technical support team directly. Our own infrastructure support is the group that would deal with them. My team only communicates with our internal support.
Which solution did I use previously and why did I switch?
We did not use another solution prior to starting our evaluation that includes Fortify on Demand. People were relying on some open-source static code analyzers. However, I don't think that they were very reliable.
How was the initial setup?
My understanding is that this is not a difficult solution to manage and maintain.
What about the implementation team?
Our server infrastructure team handles the deployment and maintenance of this solution. They update it regularly as patches or new versions are released. They look into all of the tools that we use and perform the installation, as well as manage them.
Which other solutions did I evaluate?
We are currently using WebInspect but it does not satisfy all of our requirements. We are continuing to research other tools from other vendors, including open-source technologies. We have not fully decided yet. Before deciding on any product or vendor, we have to look at the whole cost of procuring the product license, as well as the recurring cost.
What other advice do I have?
Fortify on Demand is a product that I recommend, but the suitability of this solution depends on exactly what the requirements are. Every product has unique features as well as limitations with respect to what it can and cannot do. What it comes down to is how the application is built, as well as the technology stack. The licensing costs are also something that needs to be considered.
Overall, it is a very good tool and it works well for what it is designed for.
I would rate this solution a seven out of ten.
Which deployment model are you using for this solution?