Fortify Static Code Analyzer Valuable Features

NS
Vice President, Cybersecurity at a financial services firm with 10,001+ employees

The Software Security Center, which is often overlooked, stands out as the most effective feature. This on-premises portal, included with their primary SaaS offering, streamlines the process of triaging our results. With thousands of daily active users, the Software Security Center serves as a centralized platform, consolidating results from various tools, including Sonatype, WebInspect's DAST results, and Pen Test findings from our internal team. This unified view eliminates the need for developers to log into multiple portals to access code vulnerabilities, open-source issues, web app scans, and Pen Test results. Instead, they can access everything they need from a single, convenient location.

Secure Code Warrior is an invaluable integration and partnership for us. Fortify consistently collaborates with top-tier companies to deliver cutting-edge solutions. For instance, if a developer encounters a common code vulnerability, such as a path manipulation vulnerability in their Java website, and is unsure of how to resolve it, Fortify provides some guidance and standard response protocols. However, for more in-depth information and assistance, they direct us to Secure Code Warrior. Upon providing information on the vulnerability type and language, Secure Code Warrior offers tailored training courses, such as how to fix path manipulations in Java-based applications. This remediation technique, which is unmatched by any other provider, has proven to be incredibly effective.

JB
Adjunct at University of Maryland

As a security analyst, I like the management view. From there, you can review the code and review findings in order to approve, deny, or recommend. Their Software Security Center, which acts as a portal, is quite useful. It's a good overview. You can really see what's happening after you've developed something.

Fortify's AppSec testing is great for application portfolio inventory and project releases. It works both at a portfolio level and also at a project level.

They also give you the capability to click train of all your vulnerabilities that happened within Apache Crossroads support. You give them a history to keep track of them, how they've been developed, how they've been saved, to give you a way of tracking your issues and how they get resolved.

It's pretty easy to find vulnerabilities. Then, you go to the source. It is very good at tracking to see where the data or the issue enters into your source code so you can track it or go back to where it started.

Fortify helps remediate potential vulnerabilities by using more accurate, reliable results. They offer recommended remediation. I can go to the website tools to resolve issues and search for remediations. This helps our developers to build more secure code from the start.

It has reduced vulnerabilities. We've never had issues when we ran our scans. We're notified, and we're able to identify most of our vulnerabilities and fix them before anything goes to production. If you're running this on your CI/CD pipeline, notifications are in real-time.

The level of detail is very informative. It provides you with recommendations on how to fix items. And they provide you with other resources available for how to address the issues. You can also see the root cause.

It works well with cloud-native applications.

Fortify helped us to free up staff time since it helps us resolve issues faster. 

It's helped us save costs as, if we catch a vulnerability faster, it's easier to fix than later. 

Fortify and Sonatype help maintain compliance with the applicable regulations. We mostly use Sonatype for compliance and licenses. By combining both solutions together, it enables you to solve a lot of issues that may occur in the future.

Vishal Dhamke - PeerSpot reviewer
Vice President Application Security North America at BNP Paribas

Fortify integrates with various development environments and tools, such as IDEs (Integrated Development Environments) and CI/CD pipelines. This allows developers to scan code seamlessly.

Buyer's Guide
Fortify Static Code Analyzer
March 2024
Learn what your peers think about Fortify Static Code Analyzer. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.
AA
Sr cyber analyst at an energy/utilities company with 10,001+ employees

I like Fortify Software Security Center or Fortify SSC. This tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions. I like Fortify Software Security Center. It was not the way we had before. We used to have another tool, and it did not have this feature. I also like the fact that it supports many languages. It supports more than 30 languages. It covers a lot of what we do. Its configuration is a little bit tricky, but after you configure it, it is intuitive.

I also like the integration capability. It can integrate with many IDEs, such as IntelliJ, Eclipse, VS Code, etc. It integrates with all the main ones. It also can integrate with Nexus. It can integrate with Secure Code and Azure DevOps. This is really good to have something that can work with many vendors. It gives you versatility and flexibility.

We have integrated it with Azure DevOps for the pipeline, and we have integrated it with Secure Code. It is not a major integration. We have a plan to integrate it with Sonatype. I like to have everything in one place. All the integrations happen in the IDEs. We have people using Eclipse, IntelliJ, Visual Studio, VS Code, etc. We have integrated it with all the IDEs that we have here. The integration with IDEs was straightforward. You just install the plugin, add it to the IDE, and add your configuration. For Azure DevOps, we needed to add the binary, and it took a day or two because people were not familiar with it. For Secure Code, it was straightforward again. It is not hard to integrate. Its integration is easy.

VF
Software analyst at a financial services firm

The reference provided for each issue is extremely helpful. It allows our team to understand the rationale behind resolving the issue and the specific type of security problem we are facing. This information is crucial for improving our security skills and coding practices. The ability to review and approve each scan before deploying to production is vital. This ensures that our product is free of bugs and complies with our security policies.

Maurizio Garofalo - PeerSpot reviewer
Senior manager at a consultancy with 11-50 employees

They are one of the market leaders, according to Gartner's Magic Quadrant. 

We use Fortify to reduce application vulnerabilities significantly. In the test environment, we don't just use software code review. Before the use of Fortify, we would test the applications; however, using Fortify allows us to test internationally and to align with various compliance requirements, for example, European banking requirements. 

It offers efficiency in the deployment of the application. It makes code review much easier pre-deployment. The Fortify FOD Portal is quite useful. It helps centrally manage everything and provides us with a 360-degree view of our AppSec team.

The solution truly supports the development team by giving a clear indication of vulnerabilities and providing suggestions on how to deal with vulnerabilities in a clear manner. There is a lot of useful analysis. It can help us map application libraries.

The software security center, in terms of managing and tracking risks, is good. It's very consistent. In Italy, the culture of risk analysis is very low. However, it provides very clear reporting. It offers great mapping. It maps both the tests and the severity of the vulnerability. It can help support the goals of risk analysis and help prioritize tasks to deal properly with risk. It can support risk analysis effectively.

The testing of the application portfolio is useful. It's also great for regulatory requests, including in the European community. The mapping of the application vulnerabilities provides us a way to respond according to risk. 

It's very simple to use Fortify.

We can fully integrate with GitHub. However, we can also migrate in certain scenarios. We can prepare packages subject to analysis and send them to Fortify. It's not difficult. It's very simple. 

When Fortify is on-premises with GitHub, remediation is easy. They can suggest and resolve issues directly. Fortify can offer guidance to the development team. So it's not only an identification tool, it's also a tool that can provide remediation for potential vulnerabilities. 

Now, in the European Union, it's mandatory to analyze software. Fortify has become a necessary product. We might have started using it before there was a regulatory need. However, we now must have something like Fortify in place. 

It helps us reduce risk exposure on applications through the discoverability of vulnerabilities and weaknesses. It's fully satisfactory. It ensures we are being fully compliant. We chose the solution as it is one of the market leaders, according to Gartner. We can only use the best in the market since it's so integral to our compliance requirements. It ensures we are always compliant with internal and external audits. 

Fortify does provide real-time feedback on security problems. However, we don't use, at the moment, the functionality of real-time vulnerability analysis during the developer's typing of the code. We check the code afterward.

It's helped us free up staff time. We spend less time fixing software deployments. We've reduced the time to market of the implementation phase by 50%. We can test the applications faster, and we can support a number of projects with the same number of people. 

Arun Dhwaj - PeerSpot reviewer
Senior Architect at a healthcare company with 10,001+ employees

Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it notifies us and does not allow us to pass the DevOps pipeline. If it finds everything's perfect, as per our given guidelines, then it allows us to go ahead and start it, and we are able to deploy it.

TW
Security DevOps Engineer at a legal firm with 1-10 employees

Automating the Jenkins plugins and the build title is a big plus.

RS
Code Reviewer at HQ USMEPCOM

I like the Fortify taxonomy as it provides us with a list of all of the vulnerabilities found. Fortify releases updated rule packs quarterly, with accompanying documentation, that lets us know what new features are being released. The GUI is really easy to navigate through and is very user-friendly.

DA
Sr DevOps Engineer at incatech

We write software, and therefore, the most valuable aspect for us is basically the code analysis part. It's mostly used for the software that we actually write and we use it to identify whatever it is that we're looking for, whether it's the bugs or the technical data and so forth.

The setup is pretty easy.

The solution is pretty stable.

TH
Director of Security at Merito

Its flexibility is most valuable. It is such a flexible tool. It can be implemented in a number of ways. It can do anything you want it to do. It can be fully automated within a DevOps pipeline. It can also be used in an ad hoc, special test case scenario and anywhere in between.

DJ
Conformity Controller at STET

The solution has been quite stable over the years.

We've found the documentation to be very good.

When there are issues, there is a lot of explanation about what they are and how to solve problems. Communication is very clear. 
