Micro Focus Fortify on Demand Competitors and Alternatives

Get our free report covering SonarSource, Checkmarx, Veracode, and other competitors of Micro Focus Fortify on Demand. Updated: January 2021.
455,164 professionals have used our research since 2012.

Read reviews of Micro Focus Fortify on Demand competitors and alternatives

reviewer1451970
R&D Director at a computer software company with 201-500 employees
Real User
Nov 23, 2020
All-encompassing tool that scans for vulnerabilities and security breaches

What is our primary use case?

We focus on these two use cases:

  • Our first use case is for Static Analysis (SAST). The purpose of it is to scan our code for any vulnerabilities and security breaches. Then, we get some other reports from the tool, pointing us to the problematic line of code, showing us what the vulnerability is, and giving us suggestions on how to fix or mitigate them.
  • The second use case is for the Software Composition Analysis (SCA) tool, which is scanning the open source and third-party libraries that we consume. They scan and check on the internal database (or whatever depository tool it is using)…

Pros and Cons

  • "Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt the tool's suggestions. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method in the code where it copied one piece of memory into another piece of memory, the tool points to the problematic method with the vulnerability and provides ways to code it more securely. By adopting their suggestions, we are fixing this vulnerability."
  • "We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to manage our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it."

What other advice do I have?

The solution is efficient when creating secure software. Though, it depends on how you adopt the tool and how frequently you're running it. As long as you keep it as part of your routine and frequently run the tool, you will catch vulnerabilities closer to real-time. Eventually, you will improve the security of your software. We haven't seen a lot of false positives. However, the tool points us to vulnerabilities to fix, which because of our behavior or software, we don't necessarily need to fix because we have other protections. We are not using it for cloud software. Our solution is only…
SeniorSe98b1
Senior Security Engineer at an insurance company with 10,001+ employees
Real User
Apr 10, 2019
Our apps are more secure because the solution improves our processes and findings

What is our primary use case?

We are doing dynamic code testing with some of our different websites and other applications that we've developed in-house. Right now, we are doing the basic kick-off the target, control, and see what it comes up with in the report. We haven't done any importing yet. We are using the Windows onsite solution.

Pros and Cons

  • "We are able to create a report which shows the PCI DSS scoring and share it with the application teams. Then, they can correlate and see exactly what they need to fix, and why."
  • "We have had issues during upgrades where their scans worked on some apps better with previous versions. Then, we had to work with their tech support, who were great, to get it fixed for the next version."

What other advice do I have?

It is a pretty good product. Do a demo and test whatever application that you are using right now. If you have a site where it is more difficult to identify vulnerabilities, or you have issues scanning, use this to check your particular software. If it can handle your more challenging apps, then it will definitely handle the easier, less technical sites. We view it on a very traditional PC. Aesthetically, you can see what you are looking for. Unfortunately, we don't utilize the dashboard as much as we should and take full advantage of it. Right now, we're pretty much in the infancy of building…
reviewer1390020
Engineer at a pharma/biotech company with 201-500 employees
Real User
Aug 1, 2020
Good static code analysis and benchmarking but the library could support more languages

What is our primary use case?

The primary use case of this solution is for static code analysis, and benchmarking our code standards according to our preferences. Our builds process through SonarQube and if it passes the required set of requirements we have set, it will then go through to production.

Pros and Cons

  • "The most valuable features are the segregation containment and the suspension of product services."
  • "I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production."

What other advice do I have?

The community edition is quite informative for engineers. The actual code analysis is not conducted on the GitLab flow, but the build pipeline would show the core quantity steps which is part of the criteria. The trial gives you a way to implement the POC and check if it can be integrated with your own stack. Once the trial expires, you can continue with the same setup for getting the license. I would rate this solution a six out of ten.
ManoharRaju
AVP at a tech vendor with 1,001-5,000 employees
Real User
Jan 29, 2020
Good reporting and dashboards, but technical support needs to respond more quickly

What is our primary use case?

We use this solution purely for critical analysis.

Pros and Cons

  • "The reporting is very useful because you can always view an entire list of the issues that you have."
  • "We are having issues with false positives that need to be resolved."

What other advice do I have?

I would rate this solution a seven out of ten.
reviewer1286490
Consultant Cyber Security at a tech services company with 51-200 employees
Consultant
Top 5
Oct 7, 2020
A fast solution that is easy to deploy, configure, and use

Pros and Cons

  • "I am impressed by the whole technology that they are using in this solution. It is really fast. When using netscan, the confirmation that it gives on the vulnerabilities is pretty cool. It is really easy to configure a scan in Netsparker Web Application Security Scanner. It is also really easy to deploy."
  • "They don't really provide the proof of concept up to the level that we need in our organization. We are a consultancy firm, and we provide consultancy for the implementation and deployment solutions to our customers. When you run the scans and the scan is completed, it only shows the proof of exploit, which really doesn't work because the tool is running the scan and exploiting on the read-only form. You don't really know whether it is actually giving the proof of exploit. We cannot prove it manually to a customer that the exploit is genuine. It is really hard to perform it manually and prove it to the concerned development, remediation, and security teams. It is currently missing the static application security part of the application security, especially web application security. It would be really cool if they can integrate a SAS tool with their dynamic one."

What other advice do I have?

I would recommend this solution. I haven't really researched other products, but for me, Netsparker Web Application Security Scanner is a benchmark right now. I would rate Netsparker Web Application Security Scanner an eight out of ten.