Micro Focus Fortify on Demand Room for Improvement

CISO at a retailer with 1,001-5,000 employees
Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. And they try to look at it saying, "Okay. From a pure standards perspective, this is a critical vulnerability for you." Which in reality, if you would really try to exploit it, you'd see that we actually did cross a little something around it, and the vulnerability is not there. So they would expect to have a certain type of a formatting requirement around a specific field to avoid being able to put in special characters. They would assume that because we don't have that, it's a vulnerability. But in reality, you actually do have a custom function that has been defined somewhere else in the code and these fields are subject to that function. I don't carry along with that in the same way as the application really does. That's something that we found that needs improvement. We're actually going to transfer from them, and the main reason is that there is nobody home. We could have tickets open with them for months trying to escalate and have them remediate certain false positives as I described. We have had no success bringing this product to a level that we feel there's not too much noise. It gives you specifically what you need. You could take it at face value and run with it. We're going to switch to Checkmarx. We're in the middle of the deployment. View full review »
Sr. Enterprise Architect at a financial services firm with 5,001-10,000 employees
This solution would be improved if the code-quality perspective were added to it, on top of the security aspect. It would rate performance and other things. This is one of the reasons that people are interested in SonarQube. This would make it a more complete and unique platform that would be a great player in the industry. View full review »
Jonathas De Morais
Enterprise Systems Analyst at a manufacturing company with 10,001+ employees
It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers. That's one of the reasons we don't use it throughout the company and for all our applications, only for the ones we judge to be most important. Also, if you have a continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time. And it's too expensive to afford to run it for every application all the time. That's certainly something that requires improvement. View full review »
Find out what your peers are saying about Micro Focus, SonarQube, Checkmarx and others in Application Security. Updated: February 2020.
397,717 professionals have used our research since 2012.
Director Consulting at a tech services company with 10,001+ employees
Yeah, some of the technologies and framework for libraries were not available at that point of time. For example, if it was in the back end, at that point in time we had to look at other tools. There were some analytical compliances so when we had more tools, it took all the technologies frameworks that Fortify was having. We required this because we were widely working with different clients for the different varieties of technology and domains. There were some regulated compliances, which were not there, but these were the factors because of which we had to use some instances of other tools as well. View full review »
Vice President - Solution Architecture at a financial services firm with 10,001+ employees
This solution cannot do dynamic application security testing. It needs to be able to simulate a situation where a hacker is trying to break into the system. The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood. Adding more information to provide a better analysis would be an improvement. This solution would benefit from having more customization available for the reports. View full review »
Chief Executive & Certified Security Administrator at Boch
Strictly in terms of this product, I think it is a top-notch solution and I think the technology is still the best on the market. What might be improved is maybe just look at the pricing. It is a bit confusing compared to other products that we also sell. Whatever innovation they can come up with would be an excellent addition if it adds useful functionality. The only thing I can think of that they might add is something like features you can find in Codebashing that they have not yet implemented. I don't know if it has all of those features. If not, it would be useful for something like that to be added. View full review »
Senior Application Security Analyst at a financial services firm with 10,001+ employees
The solution has some problems with latency. Sometimes it takes a while to respond. This issue should be addressed. They should improve the data path where the issue has been flagged. They can improve the flow module details. If you can understand from the data flow or data path what is happening, you can better understand what the issue is. View full review »
Nixon B
Senior Cyber Security Analyst at a financial services firm with 1,001-5,000 employees
Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues. We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days. View full review »
Ives Laaf
Head of Compliance & Quality / CISO at a tech services company with 51-200 employees
The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment. It needs a better configuration and more options for reports. View full review »
Elina Petrovna
Professor at a government with 51-200 employees
It lacks of some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt. View full review »
Find out what your peers are saying about Micro Focus, SonarQube, Checkmarx and others in Application Security. Updated: February 2020.
397,717 professionals have used our research since 2012.