We compared Fortify on Demand and SonarQube based on our user's reviews in several parameters.
In summary, Fortify on Demand is praised for its robust security, comprehensive scanning capabilities, and prompt vulnerability reporting, with positive feedback on customer service and pricing. SonarQube stands out for its support for multiple languages, seamless integration, and comprehensive features, with exceptional customer service and positive feedback on pricing and ROI. Areas for improvement include enhancing performance and usability for Fortify on Demand, while SonarQube could focus on analysis speed, UI navigation, setup instructions, documentation, performance, and integration options.
Features: Fortify on Demand is highly appreciated for its robust security, comprehensive scanning capabilities, user-friendly interface, and timely vulnerability reporting. SonarQube stands out with its support for multiple languages, simplified design, integration with DevOps pipelines, and ability to detect vulnerabilities and code smells. Additionally, SonarQube offers configurability, flexibility, and a user-friendly interface.
Pricing and ROI: Fortify on Demand's users have found the setup costs to be manageable and appreciate the flexible licensing options. On the other hand, SonarQube's pricing is considered reasonable and competitive, and its setup cost is straightforward and easy. SonarQube also offers flexible licensing options to cater to different needs., Fortify on Demand users expressed satisfaction with the platform's effectiveness and value for their investment. SonarQube helped improve code quality, detect vulnerabilities, and ensure code compliance, resulting in cost savings and increased productivity.
Room for Improvement: Fortify on Demand could benefit from enhancements in performance, scanning capabilities, customization options, reporting features, and user interface. SonarQube should focus on improving analysis speed, user interface, setup instructions, documentation, performance, and integration options.
Deployment and customer support: The user reviews for Fortify on Demand and SonarQube show that the duration required to establish a new tech solution can vary between users. While both products have similar timeframes mentioned by users, Fortify on Demand has a wider range of deployment and setup durations compared to SonarQube., Fortify on Demand's customer service is praised for its prompt and helpful assistance. Users appreciate the attentiveness and expertise of the support team. SonarQube also receives praise for its exceptional customer service and support, with users acknowledging the prompt and knowledgeable assistance provided. The support team is commended for their responsiveness and willingness to go above and beyond.
The summary above is based on 51 interviews we conducted recently with Fortify on Demand and SonarQube users. To access the review's full transcripts, download our report.
"It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support."
"Each bank may have its own core banking applications with proprietary support for different programming languages. This makes Fortify particularly relevant and advantageous in those cases."
"We identified a lot of security vulnerability much earlier in the development and could fix this well before the product was rolled out to a huge number of clients."
"The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives."
"It is an extremely robust, scalable, and stable solution."
"The static code analyzers are the most valuable features of this solution."
"Audit workbench: for on-the-fly defect auditing."
"t's a cloud-based solution, so there was no installation involved."
"There are many options and examples available in the tool that help us fix the issues it shows us."
"The most valuable function is its usability."
"If you want to have your code scanned and timed then this is a good tool."
"SonarQube is admin friendly."
"I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."
"SonarQube is scalable. My company has 50 users."
"Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration."
"I like the by-default policies that are they, as they seem to cover most of what I need."
"The thing that could be improved is reducing the cost of usage and including some of the most pricey features, such as dynamic analysis and that sort of functionality, which makes the difference between different types of tools."
"They have very good support, but there is always room for improvement."
"The solution has some issues with latency. Sometimes it takes a while to respond. This issue should be addressed."
"New technologies and DevOps could be improved. Fortify on Demand can be slow (slower than other vendors) to support new technologies or new software versions."
"There are many false positives identified by the solution."
"An improvement would be the ability to get vulnerabilities flowing automatically into another system."
"I would like the solution to add AI support."
"It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers."
"There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
"SonarQube is not development-centric like Snyk."
"Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time."
"I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality."
"We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major."
"Ease of use/interface."
"We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."
"The product provides false reports sometimes."
Fortify on Demand is ranked 11th in Application Security Tools with 56 reviews while SonarQube is ranked 1st in Application Security Tools with 108 reviews. Fortify on Demand is rated 8.0, while SonarQube is rated 8.0. The top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes ". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Fortify on Demand is most compared with Checkmarx One, Veracode, Coverity, Fortify WebInspect and Snyk, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and OWASP Zap. See our Fortify on Demand vs. SonarQube report.
See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
