We performed a comparison between MicroFocus Fortify on Demand and Veracode based on our users’ reviews in four categories. After reading the collected data, you can find our conclusion below.
Comparison Results: Veracode nudges ahead of Microfocus Fortify on Demand in this comparison. Veracode users feel the solution enables them to analyze every security flaw, discrepancy, and vulnerability, and feel the reporting is very concise. Microfocus can be very taxing on resources and can potentially slow processes down considerably.
"The solution is user-friendly."
"The most important feature of the product is to follow today's technology fast, updated rules and algorithms (of the product)."
"There is not only one specific feature that we find valuable. The idea is to integrate the solution in DevSecOps which we were able to do."
"The most valuable features of Micro Focus Fortify on Demand have been SAT analysis and application security."
"The scanning capabilities, particularly for our repositories, have been invaluable."
"The vulnerability detection and scanning are awesome features."
"Fortify on Demand can be scaled very easily."
"One of the valuable features is the ability to submit your code and have it run in the background. Then, if something comes up that is more specific, you have the security analyst who can jump in and help, if needed."
"For use cases where our company buys a product with the source code, but only the final executables or the binaries, only Veracode is able to work on that type of tool."
"To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors."
"The source composition analysis had very good reporting."
"The deployment mode is very useful."
"The developers' awareness of the security weaknesses within their code has improved. They aren't just mitigating these issues, they are realizing these are, in fact, issues that have to be dealt with."
"The CI/CD integration is the most valuable feature of Veracode."
"It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security."
"The installation was straightforward."
"I would like the solution to add AI support."
"We typically do our bulk uploads of our scans with some automation at the end of the development cycle but the scanning can take a lot of time. If you were doing all of it at regular intervals it would still consume a lot of time. This could procedure could improve."
"There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes."
"The biggest deficiency is the integration with bug tracker systems. It might be better if the configuration screen presented for accessing the bug tracking systems could provide some flexibility."
"The UI could be better. Fortify should also suggest new packages in the product that can be upgraded. Currently, it shows that, but it's not visible enough. In future versions, I would like more insights about the types of vulnerabilities and the pages associated with the exact CVE."
"There is room for improvement in the integration process."
"We have some stability issues, but they are minimal."
"We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access."
"I would love to be able to do a dynamic sandbox scan. I think that that would allow us to really get a lot more buy-in from the software development teams."
"Veracode scans provide a higher number of false positives."
"There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow... Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it."
"The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes."
"They should improve on the static scanning time."
"Veracode Static Analysis can improve the false positive. There are always improvements that can be done to the false positive rate. There are some things that get flagged that are not an issue. However, it is not a huge concern."
"One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications."
"The support team could be more responsive, and the dependency of users on the support team is too high and should be reduced."
Fortify on Demand is ranked 11th in Application Security Tools with 56 reviews while Veracode is ranked 2nd in Application Security Tools with 194 reviews. Fortify on Demand is rated 8.0, while Veracode is rated 8.2. The top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes ". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". Fortify on Demand is most compared with SonarQube, Checkmarx One, Coverity, Fortify WebInspect and Snyk, whereas Veracode is most compared with SonarQube, Checkmarx One, Snyk, OWASP Zap and Fortify Static Code Analyzer. See our Fortify on Demand vs. Veracode report.
See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.