We performed a comparison between OWASP Zap and Micro Focus Fortify on Demand based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, OWASP Zap comes out ahead of Micro Focus Fortify on Demand. Although both products have valuable features and ROI, our reviewers found that Micro Focus Fortify on Demand has a more complex installation process and slower support response times.
"The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira."
"This product is a top-notch solution and the technology is the best on the market."
"I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification."
"The static code analyzers are the most valuable features of this solution."
"Being able to reduce risk overall is a very valuable feature for us."
"The solution is user-friendly."
"There is not only one specific feature that we find valuable. The idea is to integrate the solution in DevSecOps which we were able to do."
"The most valuable feature is the capacity to be able to check vulnerabilities during the development process. The development team can check whether the code they are using is vulnerable to some type of attack or there is some type of vulnerability so that they can mitigate it. It helps us in achieving a more secure approach towards internal applications. It is an intuitive solution. It gives all the information that a developer needs to remediate a vulnerability in the coding process. It also gives you some examples of how to remediate a vulnerability in different programming languages. This solution is pretty much what we were searching for."
"Automatic updates and pull request analysis."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"The scalability of this product is very good."
"The product discovers more vulnerabilities compared to other tools."
"The solution has tightened our security."
"It updates repositories and libraries quickly."
"Simple to use, good user interface."
"The solution is good at reporting the vulnerabilities of the application."
"I would like to see improvement in CI integration and integration with GitLab or Jenkins. It needs to be more simple."
"Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues."
"There are lots of limitations with code technology. It cannot scan .net properly either."
"It lacks some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt."
"If you have a continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time."
"It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers."
"We typically do our bulk uploads of our scans with some automation at the end of the development cycle, but the scanning can take a lot of time. If you were doing all of it at regular intervals it would still consume a lot of time. This procedure could improve."
"Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we have to use Windows Agent. This is something they could improve."
"It doesn't run on absolutely every operating system."
"Lacks resources where users can internally access a learning module from the tool."
"The technical support team must be proactive."
"The forced browse has been incorporated into the program and it is resource-intensive."
"As security evolves, we would like DevOps built into it. As of now, Zap does not provide this."
"Too many false positives; test reports could be improved."
"It would be nice to have a solid SQL injection engine built into Zap."
"Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
Fortify on Demand is ranked 9th in Application Security Testing (AST) with 55 reviews while OWASP Zap is ranked 8th in Application Security Testing (AST) with 36 reviews. Fortify on Demand is rated 8.0, while OWASP Zap is rated 7.6. The top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security". Fortify on Demand is most compared with SonarQube, Checkmarx, Veracode, Coverity and HCL AppScan, whereas OWASP Zap is most compared with SonarQube, PortSwigger Burp Suite Professional, Acunetix, Qualys Web Application Scanning and HCL AppScan. See our Fortify on Demand vs. OWASP Zap report.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.