What is our primary use case?
I have been using this solution to gain some perspective from different architectures for the security team. I do not use it every day. I do have an overview and it is integrated with our development platform.
I do work for our governance team, so whenever a project is coming I will review products. I need to connect with the project managers for testing them, and these tests include the vulnerability assessment along with other security efforts. One of the things that I suggest is using Micro Focus Fortify on Demand.
The primary use case is core scanning for different vulnerabilities, based on standards. It begins with an architect who designs a model on a security-risk advisor platform. Then you have an idea of what the obstacles are. Once the code is scanned according to standards, you figure out where the gaps are. The team then suggests what needs to be done to the code to fix the vulnerabilities. The process repeats after the code is fixed until all of the vulnerabilities have been eliminated.
When you take all of these things together, it is Security by design.
What is most valuable?
The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira. When a vulnerability is found then it is classified as a bug and sent to IT.
What needs improvement?
This solution would be improved if the code-quality perspective were added to it, on top of the security aspect. It would rate performance and other things. This is one of the reasons that people are interested in SonarQube. This would make it a more complete and unique platform that would be a great player in the industry.
For how long have I used the solution?
We have been using Micro Focus Fortify on Demand over the past four years.
What do I think about the stability of the solution?
This is a very stable solution. Once it is deployed there are not a lot of challenges.
What do I think about the scalability of the solution?
This platform is very much scalable in terms of integrating with other solutions.
We have about 600 developers, but I think that we have between 300 and 400 who are using Fortify on Demand.
How are customer service and technical support?
I have not been in touch with technical support from the vendor.
Our technical support team is comprised of three people. Two of them help to demonstrate the product and instruct people on how it works. The other one is connected to the development team and can help with troubleshooting issues.
Which solution did I use previously and why did I switch?
We also use WebInspect, SonarQube, and other security tools in addition to this solution. The use of particular tools depends on the project and the project manager that I speak with.
Prior to working with Fortify on Demand, we worked using the code analysis capability in Microsoft Visual Studio. That is where you have things like the recommended best practices for .NET. It flags what looks like bugs.
How was the initial setup?
The initial setup was quite simple.
I performed the deployment a couple of times on different platforms and it did not take much effort to set up. I also did the integration with other platforms like Microsoft Information Server and it was quite easy. You just need to know the platform that you are integrating into.
When it came time to deploy, I just had to run through the documentation on the vendor's web site. I spent one day reading it and on the second day, I did my integration. It took about eight hours that day, and I had challenges but they came from the platform that I was integrating into, like Microsoft Information Server. There were things to be done, such as converting XML files. The next day I was able to fix the problems, so in total it took me between nine and twelve hours to integrate it.
The second time that I deployed this solution it took me not more than two or three hours to repeat all of these same steps.
What about the implementation team?
I had one person from Fortify to assist me with the deployment and integration with Microsoft Information Server. We also had some peers working with us. For example, I had the global head of security assurance working with me. Between us, we got everything working.
Which other solutions did I evaluate?
We did not evaluate other vendors beyond the solutions that we are using.
What other advice do I have?
My advice to anybody who is considering this solution is to first get buy-in from the entire organization about adopting a culture of Security by design. Fortify on Demand can scan your code, but you need to have plans in place for what needs to be done when problems are identified. It may mean that things will have to change with regards to how code is being written. It may also require integration with other platforms. You can't just start scanning without first understanding what the security architecture is. You need to understand the vulnerabilities and all of the standards, as well. Essentially, I would recommend a security design overhaul.
I would rate this solution an eight out of ten.