Fortify on Demand Other Solutions Considered

CP
Architecture Manager at Alinma Bank

We are already decommissioning Fortify and have already implemented SonarQube. We are currently using SonarQube Enterprise. 

Fortify on Demand was utilized for a considerable period. However, we have now transitioned away from Fortify on Demand. It was primarily used by our CSD team, the cybersecurity defense team at the bank. 

Initially, we performed penetration testing and vulnerability assessments within the Fortify platform. However, we have since implemented a DevSecOps pipeline in partnership with Red Hat. Currently, all testing, including penetration testing and vulnerability assessments, is automated within the pipeline. The pipeline runs on Tekton, enabled on the OpenShift side. 

Therefore, any tool we use, be it Fortify or SonarQube, must be integrated into that pipeline. This approach has addressed most of the pain points we faced previously. Consequently, we are satisfied with SonarQube's performance now.

Fortify on Demand only offers static analysis and lacks dynamic security testing capabilities. However, if it's integrated into the pipeline, we can incorporate another tool for dynamic security testing. This was not possible with Fortify alone. 

Additionally, Fortify has limited programming language support compared to SonarQube. The recent global launch of SonarQube in the GA version expanded its support for various programming platforms, such as CSM and .NET on the Java side, among others. 

In our bank, we use T24 as our core banking system, which relies on a proprietary programming language called Infobasic. SonarQube also supports this language. When we place the code into the pipeline and perform builds, including the repository, we scan the entire codebase, including Infobasic code for the banking application. In summary, SonarQube offers broader programming language support. Previously, we only scanned other business-critical applications, but now we can scan our most critical banking application, T24, using SonarQube.

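The pipeline model described in the review above (every scanner runs as a pipeline stage, and a separate tool supplies the dynamic testing that the static scanner lacks) can be expressed as Tekton resources. The following is an added illustration, not the bank's or Red Hat's pipeline and not code from Fortify, Sonar or Tekton themselves. The container images, the `git-clone` task (assumed to be installed from Tekton Hub in the same namespace), the `sonar-token` Secret, the SonarQube hostname and the staging URL are all assumptions.

```yaml
# Added example: a Tekton Pipeline with a SAST stage (SonarQube) followed by a
# DAST stage (ZAP baseline scan against a deployed staging instance).
# All names, images and hosts below are assumptions, not a real deployment.
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: sonarqube-scan
spec:
  workspaces:
    - name: source
  params:
    - name: sonar-host-url
      type: string
    - name: project-key
      type: string
  steps:
    - name: scan
      image: sonarsource/sonar-scanner-cli:latest   # assumption: public scanner-cli image
      workingDir: $(workspaces.source.path)
      env:
        - name: SONAR_TOKEN                        # scanner-cli reads the token from this variable
          valueFrom:
            secretKeyRef:
              name: sonar-token                    # assumption: Secret created beforehand
              key: token
      script: |
        #!/bin/sh
        set -eu
        # qualitygate.wait makes the scanner block until the server evaluates the
        # quality gate and exit non-zero on failure, which fails this Task and the run.
        sonar-scanner \
          -Dsonar.host.url="$(params.sonar-host-url)" \
          -Dsonar.projectKey="$(params.project-key)" \
          -Dsonar.qualitygate.wait=true
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: zap-baseline
spec:
  params:
    - name: target-url
      type: string
  steps:
    - name: scan
      image: ghcr.io/zaproxy/zaproxy:stable        # assumption: official ZAP image
      script: |
        #!/bin/sh
        set -eu
        # zap-baseline.py exits 1 on FAIL-level alerts; -I keeps WARN-level
        # findings from failing the stage so only real failures block the run.
        zap-baseline.py -t "$(params.target-url)" -I
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: devsecops-scan
spec:
  workspaces:
    - name: source
  params:
    - name: repo-url
      type: string
    - name: project-key
      type: string
    - name: staging-url
      type: string
  tasks:
    - name: fetch
      taskRef:
        name: git-clone                            # assumption: Tekton Hub git-clone task installed
      workspaces:
        - name: output
          workspace: source
      params:
        - name: url
          value: $(params.repo-url)
    - name: sast
      runAfter: [fetch]
      taskRef:
        name: sonarqube-scan
      workspaces:
        - name: source
          workspace: source
      params:
        - name: sonar-host-url
          value: https://sonarqube.example.internal   # assumption
        - name: project-key
          value: $(params.project-key)
    - name: dast
      runAfter: [sast]                             # DAST runs only if the SAST gate passed
      taskRef:
        name: zap-baseline
      params:
        - name: target-url
          value: $(params.staging-url)
```

Because each scanner is just a Task, swapping SonarQube for Fortify on Demand, or adding a second static or dynamic tool, means adding or replacing one Task rather than changing how the rest of the pipeline works; the `runAfter` ordering and the non-zero exit codes are what turn each scanner into a gate.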
AM
Test Lead at a financial services firm with 10,001+ employees

We were considering upgrading to the enterprise level, given the need for a robust solution in the banking environment. During this evaluation, we compared Netsparker, Burp Suite, and Fortify. After conducting a proof of concept (POC) that involved testing APIs, websites, and infrastructure arrangements, we presented our analysis to management. Ultimately, Fortify was selected as the preferred choice.

FC
Project Manager at Everis

I've briefly looked at Kiuwan and compared it to this solution. We also looked at Veracode.

Buyer's Guide
Application Security Tools
March 2024
Find out what your peers are saying about OpenText, Sonar, Checkmarx and others in Application Security Tools. Updated: March 2024.
765,234 professionals have used our research since 2012.
JL
Sr. Manager 5G & MEC (Edge) Strategy at Verizon

I searched online and FoD allowed me the best opportunity for success due to my client’s timeline.

ShubhamJoshi - PeerSpot reviewer
Senior Software Engineer at a consultancy with 10,001+ employees

We carried out a POC on multiple products and Fortify came out on top.

Harkamal-Singh - PeerSpot reviewer
Solution architect at NTT

I have evaluated other solutions, such as Contrast Security.

PR
Vice President - Solution Architecture at a financial services firm with 10,001+ employees

We are currently using WebInspect but it does not satisfy all of our requirements. We are continuing to research other tools from other vendors, including open-source technologies. We have not fully decided yet. Before deciding on any product or vendor, we have to look at the whole cost of procuring the product license, as well as the recurring cost.

JM
Enterprise Systems Analyst at a manufacturing company with 10,001+ employees

We looked at Checkmarx and SonarQube Enterprise. As I said, we are currently using SonarQube for other apps, but we use the open-source version. We tried to use the Enterprise version but it didn't cover all the aspects that we needed it to cover.

it_user512112 - PeerSpot reviewer
Technical Lead at a tech services company with 10,001+ employees

Before choosing this product, we evaluated Veracode and Checkmarx (among licensed), and FindBugs and Yasca (among free).

Omar Abdelhamied Ahmed - PeerSpot reviewer
Financial Analyst at Arab Investment Bank

I'm also evaluating Black Duck and Snyk. I just have a demo – a POC.

BK
Sr. Enterprise Architect at a financial services firm with 5,001-10,000 employees

We did not evaluate other vendors beyond the solutions that we are using.

OS
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services

I am already using other software. We wanted to try it and it works like a charm.

it_user488208 - PeerSpot reviewer
Specialist Master/Manager at a consultancy with 10,001+ employees

While I did evaluate others, it depends on the budget.

it_user441546 - PeerSpot reviewer
Information Security Lead Consultant & Application Security Specialist at an energy/utilities company with 1,001-5,000 employees

We considered SonarQube, MSFox, and CodeInspect.

JE
CISO at a retailer with 1,001-5,000 employees

I don't remember if we evaluated anybody else. I think Fortify was recommended through a consultant. Some years ago, there were not so many vendors at a time playing in this arena. There's not so many today for static analysis, but I don't think that we really evaluated any others.

it_user692322 - PeerSpot reviewer
Digital Security Integration Lead at a non-tech company with 10,001+ employees

We evaluated IBM and Veracode.

NB
Senior Cyber Security Analyst at a financial services firm with 1,001-5,000 employees

Currently, Checkmarx offers us a graphical, revised run.

it_user506661 - PeerSpot reviewer
Senior Lead at a computer software company with 1,001-5,000 employees

It’s a tool used at the enterprise level; hence, I did not have a chance to explore other options.

it_user625875 - PeerSpot reviewer
Director Consulting at a tech services company with 10,001+ employees

We were using many other tools like TechAbility, IBM AppScan and I think these were the predominant ones.

MJ
Co-Founder at TechScalable

We didn't evaluate any other solution. I was trying to find out which solution I should use, and I just saw good reviews of this solution. This was the first solution that we tried out, and we liked it. We started with a trial, and it was doing well. Our necessities were met, so we didn't try to figure out any other competitive tool in the market. 

IL
Head of Compliance & Quality / CISO at a tech services company with 51-200 employees

We evaluated Veracode before choosing this solution.

it_user362055 - PeerSpot reviewer
Senior Manager at a tech services company with 10,001+ employees

I'm very familiar with IBM and Barracuda and others. I always know HP's competition, but I feel most comfortable with HP.
