Micro Focus Fortify on Demand Room for Improvement

CISO at a retailer with 1,001-5,000 employees
Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. And they try to look at it saying, "Okay. From a pure standards perspective, this is a critical vulnerability for you." Which in reality, if you would really try to exploit it, you'd see that we actually did cross a little something around it, and the vulnerability is not there. So they would expect to have a certain type of a formatting requirement around a specific field to avoid being able to put in special characters. They would assume that because we don't have that, it's a vulnerability. But in reality, you actually do have a custom function that has been defined somewhere else in the code and these fields are subject to that function. I don't carry along with that in the same way as the application really does. That's something that we found that needs improvement. We're actually going to transfer from them, and the main reason is that there is nobody home. We could have tickets open with them for months trying to escalate and have them remediate certain false positives as I described. We have had no success bringing this product to a level that we feel there's not too much noise. It gives you specifically what you need. You could take it at face value and run with it. We're going to switch to Checkmarx. We're in the middle of the deployment. View full review »
Jonathas De Morais
Enterprise Systems Analyst at a manufacturing company with 10,001+ employees
It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers. That's one of the reasons we don't use it throughout the company and for all our applications, only for the ones we judge to be most important. Also, if you have a continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time. And it's too expensive to afford to run it for every application all the time. That's certainly something that requires improvement. View full review »
Director Consulting at a tech services company with 10,001+ employees
Yeah, some of the technologies and framework for libraries were not available at that point of time. For example, if it was in the back end, at that point in time we had to look at other tools. There were some analytical compliances so when we had more tools, it took all the technologies frameworks that Fortify was having. We required this because we were widely working with different clients for the different varieties of technology and domains. There were some regulated compliances, which were not there, but these were the factors because of which we had to use some instances of other tools as well. View full review »
Find out what your peers are saying about Micro Focus, SonarQube, Checkmarx and others in Application Security. Updated: November 2019.
378,570 professionals have used our research since 2012.
Senior Application Security Analyst at a financial services firm with 10,001+ employees
The solution has some problems with latency. Sometimes it takes a while to respond. This issue should be addressed. They should improve the data path where the issue has been flagged. They can improve the flow module details. If you can understand from the data flow or data path what is happening, you can better understand what the issue is. View full review »
Murat Kaya
Application Security Specialist at a tech services company with 5,001-10,000 employees
Though it is generally close to perfection, the biggest deficiency is the integration with bug tracker systems. It might be better if the configuration screen presented for accessing the bug tracking systems could provide some flexibility. Since there are different templates on TFS in particular (CMMI, Agile etc.), the configuration for different templates can also be customized with the flexibility to be provided here. View full review »
Nixon B
Senior Cyber Security Analyst at a financial services firm with 1,001-5,000 employees
Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues. We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days. View full review »
Ives Laaf
Head of Compliance & Quality / CISO at a tech services company with 51-200 employees
The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment. It needs a better configuration and more options for reports. View full review »
Elina Petrovna
Professor at a government with 51-200 employees
It lacks of some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt. View full review »
Find out what your peers are saying about Micro Focus, SonarQube, Checkmarx and others in Application Security. Updated: November 2019.
378,570 professionals have used our research since 2012.
Sign Up with Email