Micro Focus Fortify on Demand Pros and Cons

The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it.

The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira.

One of the valuable features is the ability to submit your code and have it run in the background. Then, if something comes up that is more specific, you have the security analyst who can jump in and help, if needed.

I do not remember any issues with stability.

The licensing was good.

The installation was easy.

Fortify on Demand is easy to use and the reporting is good.

This product is top-notch solution and the technology is the best on the market.

t's a cloud-based solution, so there was no installation involved.

It improves future security scans.

Fortify helps us to stay updated with the newest languages and versions coming out.

The static code analyzers are the most valuable features of this solution.

It has saved us a lot of time as we focus primarily on programming rather than tool operational work.

Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. In addition, the technical support is just not there. We have open tickets. They don't respond. Even if they respond, we're not seeing eye to eye. As the company got sold and bought, the support got worse.

This solution would be improved if the code-quality perspective were added to it, on top of the security aspect.

It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers.

If you have a continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time.

There were some regulated compliances, which were not there.

The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood.

The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to.

The solution has some issues with latency. Sometimes it takes a while to respond. This issue should be addressed.

Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues.

We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days.

The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment.

It lacks of some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt.