We just raised a $30M Series A: Read our story

Fortify WebInspect Alternatives and Competitors

Get our free report covering PortSwigger, Micro Focus, OWASP, and other competitors of Fortify WebInspect. Updated: November 2021.
552,407 professionals have used our research since 2012.

Read reviews of Fortify WebInspect alternatives and competitors

BK
Sr. Enterprise Architect at a financial services firm with 5,001-10,000 employees
Real User
Good development platform integration promotes a culture of Security by design

Pros and Cons

  • "The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira."
  • "This solution would be improved if the code-quality perspective were added to it, on top of the security aspect."

What is our primary use case?

I have been using this solution to gain some perspective from different architectures for the security team. I do not use it every day. I do have an overview and it is integrated with our development platform.

I do work for our governance team, so whenever a project is coming I will review products. I need to connect with the project managers for testing them, and these tests include the vulnerability assessment along with other security efforts. One of the things that I suggest is using Micro Focus Fortify on Demand.

The primary use case is core scanning for different vulnerabilities, based on standards. It beings with an architect who designs a model on a security-risk advisor platform. Then you have an idea of what the obstacles are. Once the code is scanned according to standards, you figure out where the gaps are. The team then suggests what needs to be done to the code to fix the vulnerabilities. The process repeats after the code is fixed until all of the vulnerabilities have been eliminated.

When you take all of these things together, it is Security by design.

What is most valuable?

The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira. When a vulnerability is found then it is classified as a bug and sent to IT.

What needs improvement?

This solution would be improved if the code-quality perspective were added to it, on top of the security aspect. It would rate performance and other things. This is one of the reasons that people are interested in SonarQube. This would make it a more complete and unique platform that would be a great player in the industry.

For how long have I used the solution?

We have been using Micro Focus Fortify on Demand over the past four years.

What do I think about the stability of the solution?

This is a very stable solution. Once it is deployed there are not a lot of challenges.

What do I think about the scalability of the solution?

This platform is very much scalable in terms of integrating with other solutions.

We have about 600 developers, but I think that we have between 300 and 400 who using Fortify on Demand.

How are customer service and technical support?

I have not been in touch with technical support from the vendor.

Our technical support team is comprised of three people. Two of them help to demonstrate the product and instruct people on how it works. The other one is connected to the development team and can help with troubleshooting issues.

Which solution did I use previously and why did I switch?

We also use WebInspect, SonarQube, and other security tools in addition to this solution. The use of particular tools depends on the project and the project manager that I speak with.

Prior to working with Fortify on Demand, we worked using the code analysis capability in Microsoft Visual Studio. That is where you have things like the recommended best practices for .NET. It flags what lools like bugs.

How was the initial setup?

The initial setup was quite simple.

I performed the deployment a couple of times on different platforms and it did not take much effort to set up. I also did the integration with other platforms like Microsoft Information Server and it was quite easy. You just need to know the platform that you are integrating into.

When it came time to deploy, I just had to run through the documentation on the vendor's web site. I spent one day reading it and one the second day, I did my integration. It took about eight hours that day, and I had challenges but they came from the platform that I was integrating into, like Microsoft Information Server. There were things to be done, such as converting XML files. The next day I was able to fix the problems, so in total it took me between nine and twelve hours to integrate it.

The second time that I deployed this solution it took me not more than two or three hours to repeat all of these same steps.

What about the implementation team?

I had one person from Fortify to assist me with the deployment and integration with Microsoft Information Server. We also had some peers working with us. For example, I had the global head of security assurance working with me. Between us, we got everything working.

Which other solutions did I evaluate?

We did not evaluate other vendors beyond the solutions that we are using.

What other advice do I have?

My advice to anybody who is considering this solution is to first get buy-in from the entire organization about adopting a culture of Security by design. Fortify on Demand can scan your code, but you need to have plans in place for what needs to be done when problems are identified. It may mean that things will have to change with regards to how code is being written. It may also require integration with other platforms. You can't just start scanning without first understanding what the security architecture is. You need to understand the vulnerabilities and all of the standards, as well. Essentially, I would recommend a security design overhaul.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
IB
Security Engineer at Secure Network
Real User
Top 5
Very easy to set up because they give you an installer that does everything

Pros and Cons

  • "Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden."
  • "I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection."

What is our primary use case?

We needed it to scan our internal network and web applications. 

Our security team of five people used it. We scheduled some monthly scans for web applications, which were not being used, to check for vulnerabilities and also vulnerabilities on new features.

How has it helped my organization?

Where I worked was a big group where there were many agencies under it, and we did the security for all other agencies. With Acunetix, we cut the time to make infrastructures and web applications (for our colleagues) more secure.

For one application with two or three critical vulnerabilities and some other vulnerabilities, it took like a week to remediate issues because the scan and findings were really fast. 

What is most valuable?

What I found to be valuable was the fully automated scanner because it is really fast. 

Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden.

Acunetix saves on the cost of time because it is fast.

When Acunetix finds a vulnerability, it also checks for a false positive so it can be a 100 percent sure about the issue that it found. The false positives are really low, maybe one percent.

What needs improvement?

I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection. 

They need more customized scans along with a way to edit their default payloads. While you can select which check to do, you can't add which payload to use.

For how long have I used the solution?

I used Acunetix 20 months ago at the last agency where I worked.

What do I think about the scalability of the solution?

The scalability was okay. We didn't need to do much work to implement it into the network or some web applications, so I think it's really easy to scale. We didn't need to do work on it because the solution is adaptable to every environment.

There were about 20 websites and other web applications.

How are customer service and technical support?

I never needed to talk to the Acunetix technical support.

Which solution did I use previously and why did I switch?

They were previously using Fortify WebInspect, which was good, but very costly.

How was the initial setup?

It was very easy to set up Acunetix, as they give you an installer that does everything. You just need to click: "Install".

It takes a maximum of 10 minutes to deploy, if you want to read everything.

We did other configurations to enable the IP address to talk to all the networks.

We also used Acunetix on a Linux server. The deployment process was the same as Windows. It was just another installer, but for Linux.

What was our ROI?

It saved us many weeks of work.

We didn't sell anything with Acunetix, so it was just an improvement for ourselves.

If someone would have hacked us, they probably would have caused much damage. However, now with Acunetix, they shouldn't be able to cause to damage.

What's my experience with pricing, setup cost, and licensing?

I think all the scanners, except Burp Suite, are a bit costly.

Implementing Acunetix needs a medium or larger business agency, because you need some money to get Acunetix. It is costly, but if you care about your agency's security, then maybe it's a cost that might help you in the future.

Which other solutions did I evaluate?

Acunetix is the fastest scanner available compared to applications like Netsparker and Fortify WebInspect. The longest scan with Acunetix, and it was for a huge web application, took only four hours. Other scanners did the job in six to eight hours. 

While I like Netsparker, it is really slow compared to other scanners.

What other advice do I have?

We found 50 unexpected, high vulnerabilities for three web applications. This made our principal a bit mad.

We found three or four DOM-based XSS vulnerabilities using this solution.

It did not require maintenance on our part. We just needed to give it some credentials.

I would rate it as a nine out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
SH
Owner/ Consultant at a tech services company with 1-10 employees
Consultant
Top 20
Offers many support languages, scans in a decent amount of time and is easy to set up

Pros and Cons

  • "There's extensive functionality with custom rules and a custom knowledge base."
  • "The solution often has a high number of false positives. It's an aspect they really need to improve upon."

What is our primary use case?

We primarily use the solution for static analysis.

What is most valuable?

AppScan is within the top three or four static analyzers. Its features include support for many languages. 

The product has a relatively reasonable scan time.

There's extensive functionality with custom rules and a custom knowledge base.

What needs improvement?

The solution often has a high number of false positives. It's an aspect they really need to improve upon. 

The product has vulnerabilities, or findings, that are almost identical in nature. 

For how long have I used the solution?

I've used the solution for the last 12 months or so. It's been about a year at this point.

What do I think about the stability of the solution?

The stability is okay. it's good. It's not very good or excellent, it's just good. I would describe the stability as a bit better than acceptable.

What do I think about the scalability of the solution?

When I worked on it, it wasn't in the cloud. It didn't offer Federation. Now, it is my understanding that it has those, which would make it very scalable. That said, when I used it, I would not give it a very scalable grade - maybe a two out of ten for scalability if you are using it off of the cloud. That said, that's not the latest version. The latest is likely more scalable, I just don't have experience with it.

How are customer service and technical support?

The technical support is pretty good. They are knowledgeable and responsive. We were satisfied with the level of support we received.

Which solution did I use previously and why did I switch?

I also know a bit about Checkmarx, Fortify, Veracode, and AppScan.

How was the initial setup?

I didn't really do the actual setup once it got moved into the cloud. I don't know how easy the cloud set up was. However, it's my understanding that it is now potentially easier than it was before, which wasn't too bad. 

What's my experience with pricing, setup cost, and licensing?

I don't know the prices currently. I knew the prices when it was still in-house with IBM, however, I don't know what the cost is now.

What other advice do I have?

I worked with the solution at a previous company. Now I am a consultant and I no longer work with the product. I don't have a business relationship with HCL.

I wanted to do a POC with the current state of what was IBM AppScan and now is HCL. I contacted my contacts at IBM and then they started off the conversation and it went smoothly because a number of people from IBM had gone over to HCL when that product was acquired.

Various tools have their strengths, I would advise anyone who is interested in using a similar solution do a proof of concept first with a few options. Try Checkmarx, Fortify, Veracode, and AppScan, and see which one makes the most sense for your company's purposes. Those would be the top four in my opinion right now.

Overall, I would rate the solution eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Get our free report covering PortSwigger, Micro Focus, OWASP, and other competitors of Fortify WebInspect. Updated: November 2021.
552,407 professionals have used our research since 2012.