Micro Focus Fortify on Demand Overview

Micro Focus Fortify on Demand is the #4 ranked solution in our list of AST tools. It is most often compared to SonarQube.

What is Micro Focus Fortify on Demand?

Micro Focus Fortify on Demand’s application security-as-a-service is the easy and flexible way to identify vulnerabilities in your applications without additional investment in software or personnel. Allow our global team to work for you, providing support and technical expertise 24/7.

Micro Focus Fortify on Demand is also known as Fortify on Demand.

Micro Focus Fortify on Demand Buyer's Guide

Download the Micro Focus Fortify on Demand Buyer's Guide including reviews and more. Updated: May 2021

Micro Focus Fortify on Demand Customers

SAP, Aaron's, British Gas, FICO, Cox Automotive, Callcredit Information Group, Vital and more.

Head of Compliance & Quality / CISO at a tech services company with 51-200 employees
Real User
Has improved our security through static code analysis

What is our primary use case?

Our primary use case for this solution is static code analysis.

How has it helped my organization?

This solution has helped us to improve our security processes.

What is most valuable?

The static code analyzers are the most valuable features of this solution.

What needs improvement?

The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment. It needs a better configuration and more options for reports.

For how long have I used the solution?

Four months.

What do I think about the stability of the solution?

The solution is working, so I would say that its stability is fine.

What do I think about the scalability of the solution?

We have approximately twenty users…
CISO at a retailer with 1,001-5,000 employees
Real User
Top 5 Leaderboard
Detects vulnerabilities and provides useful suggestions, but doesn't understand complex websites

What is our primary use case?

We use Fortify on Demand to test our e-commerce website. We do static code testing before it goes live.

Pros and Cons

  • "The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it."
  • "Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. In addition, the technical support is just not there. We have open tickets. They don't respond. Even if they respond, we're not seeing eye to eye. As the company got sold and bought, the support got worse."

What other advice do I have?

I would advise others not to use Fortify, but rather get something like Veracode or Checkmarx. The most important thing is not the functionality of the product. The most important thing is the knowledge, support, and availability of the team of security specialists as a vendor, that you have somebody to work with and talk to. Everybody's website is different, and if you try to use the product out of the box the way they built it and you have nobody to talk to to figure out how to tweak your application or the product to reduce the noise and the false positives, it becomes literally useless. So…
Director Consulting at a tech services company with 10,001+ employees
Consultant
It is very configurable. The installation was also very easy.

What is our primary use case?

My primary use case is to help the teams in development. It helps us scan.

Pros and Cons

  • "I do not remember any issues with stability."
  • "The licensing was good."
  • "The installation was easy."
  • "There were some regulated compliances, which were not there."

What other advice do I have?

Today's security has become so complex that you cannot be completely dependent on one tool. What I have learned is that you should have multiple tools. Now, with different areas coming into the space, all of these tools have to co-exist. Making the right choice of a tool is really important. A solution must have ease of use. If it becomes too difficult to install, configure, or learn the scan, then adoption becomes a challenge.
Senior Cyber Security Analyst at a financial services firm with 1,001-5,000 employees
Vendor
Helps us to stay updated with the newest languages and versions coming out

What is our primary use case?

We previously used it for static and dynamic scans, but now we use it only for dynamic scans. We have close to 85 products in-house, so we run a lot of scans.

Pros and Cons

  • "It improves future security scans."
  • "Fortify helps us to stay updated with the newest languages and versions coming out."
  • "Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues."
  • "We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days."
Enterprise Systems Analyst at a manufacturing company with 10,001+ employees
Real User
Scans run in the background and security analysts are available if an issue comes up

What is our primary use case?

We use it for externally exposed applications that we want to scan before releasing them to production. As you can imagine, it's important to make sure they're secure and that we will not be exposed. For internal apps, we use other static code scanning, primarily SonarQube. But Fortify on Demand is for externally exposed applications.

Pros and Cons

  • "One of the valuable features is the ability to submit your code and have it run in the background. Then, if something comes up that is more specific, you have the security analyst who can jump in and help, if needed."
  • "It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers."
  • "If you have a continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time."

What other advice do I have?

Understand what you want to get out of it and be sure to fully understand what you will be paying per scan if you go for the subscription model. As I said, having to scan hundreds or thousands of apps using that subscription model and doing that several times a week, or several times a day, may increase your costs. That might be something that you need to look at. I rate it at nine out of 10. It's not a 10 because of the cost model, it's a bit pricey, and the slowness, it could be a little bit faster. I understand the reasons why but you just need to be aware before you start using it that the…
Professor at BitBrainery University
Real User
Saved us a lot of time as we focus primarily on programming rather than tool operational work

What is our primary use case?

I analyzed more than 20 applications implemented at BitBrainery University. The static analysis has to be done every release before putting it in production.

How has it helped my organization?

Even though it was our final choice, it has saved us a lot of time as we focus primarily on programming rather than tool operational work. We did not need third-party consultants.

What is most valuable?

We shared the easy-to-use dashboard with our programmers and involved outsourcers for quick issue fixes.

What needs improvement?

It lacks some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt.

For how long have I used the solution?

Application Security Specialist at a tech services company with 5,001-10,000 employees
Real User
Top 20
Allows for more efficient and custom integration by allowing customized enhancements through the API support

What is our primary use case?

When choosing a software security product, we expect the product not only to have the ability to find exploits, but also to have educational and instructional capabilities related to exploits. This makes both the security auditor's job easier and helps the software developer to improve himself and write safer code. Here we have seen that the Micro Focus family has exactly what we want. For this reason, we chose Micro Focus software security products. In addition, the quality of the support and updating services ensures that we gain confidence in their products.

Pros and Cons

  • "The most important feature of the product is to follow today's technology fast, updated rules and algorithms (of the product)."
  • "Micro Focus WebInspect and Fortify code analysis tools are fully integrated with SSC portals and can instantly register to error tracking systems, like TFS and JIRA."
  • "The biggest deficiency is the integration with bug tracker systems. It might be better if the configuration screen presented for accessing the bug tracking systems could provide some flexibility."
Sr. Manager 5G & MEC Strategy at Verizon
Real User
Top 10
We can load the details and within a few days, receive the results of intrusion attacks, although it needs to have better packaged reporting capabilities.

Pros and Cons

  • "I don’t know of any other On-Demand enterprise solution like this one where we can load the details and within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification."
  • "With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities."
Digital Security Integration Lead at a non-tech company with 10,001+ employees
Vendor
The quality of application security testing reduces risk and gives very few false positives.

Pros and Cons

  • "The quality of application security testing reduces risk and gives very few false positives."
  • "New technologies and DevOps could be improved. Fortify on Demand can be slow (slower than other vendors) to support new technologies or new software versions."

What other advice do I have?

Go with the SaaS product.
Senior Lead at a computer software company with 1,001-5,000 employees
Real User
Helps us identify security vulnerabilities earlier in development.

Pros and Cons

  • "We identified a lot of security vulnerabilities much earlier in the development and could fix them well before the product was rolled out to a huge number of clients."
  • "The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there."
Technical Lead at a tech services company with 10,001+ employees
Real User
Our client uses the audit workbench for on-the-fly defect auditing. .NET code scanning is still dependent on building the code base before running any scan.

Pros and Cons

  • "Audit workbench: for on-the-fly defect auditing."
  • ".NET code scanning is still dependent on building the code base before running any scan. Also, it's dependent on an IDE such as Visual Studio."

What other advice do I have?

If you are already using HPE tools and services such as ALM, then Fortify is a good option, as it provides out-of-the-box support for these. Scanning capability-wise, the tool is decent enough, and is also easy to use. However, it generates a large number of false positives after a scan, which can be tedious to verify manually.
System Engineer at a tech services company with 501-1,000 employees
Consultant
Both editions of the product have their advantages, and they complement each other.

What other advice do I have?

HP Fortify is perfect for any company that creates their own applications or uses vendor-developed ones; it’s great for QA and development phases. HP Fortify is easy to use and offers lots of integration options; those options allow us to have more diverse implementations that fit the requirements.
Specialist Master/Manager at a consultancy with 10,001+ employees
Consultant
We use it to evaluate code from a security perspective as opposed to a developer’s perspective.

What other advice do I have?

It is a good product to choose for SCA and cloud deployment. If you choose SSC, don’t always look at the price, as the other products might not conduct the same analysis as HP Fortify does. Not all products are created equal.
Development and Database Manager at a financial services firm with 501-1,000 employees
Vendor
It works to identify security flaws that any of our applications might have.

What other advice do I have?

If you haven’t run any formal scan be prepared for it to come back and be a bit scary.
Information Security Lead Consultant & Application Security Specialist at an energy/utilities company with 1,001-5,000 employees
Vendor
It's reduced operational costs as we minimized security incidents and ensured all vulnerabilities are remediated during the development lifecycle.

What other advice do I have?

Fully utilize this product and its features, as it covers almost everything required for software security assurance.
Director of Information Technology at a tech consulting company with 501-1,000 employees
Consultant
It enforces source-code scanning and finding vulnerabilities in source code. It would be nice if it could manage the false positives better.

What other advice do I have?

Find the solution that works best for your environment, using the group concept to try them all. Then determine which is best for you.
Senior Manager at a tech services company with 10,001+ employees
Real User
It addresses the source code scanning and dynamic scanning in a known, correlated way.

What other advice do I have?

My advice would be to look not only at the software, but also at the processes and the people who will be using the software. You should buy not just the software, but also the services to train people to use it.
Solution Security Architect with 1,001-5,000 employees
Vendor
It has added a very quick turnaround for security code reviews, allowing us to integrate this function into the overall development and testing lifecycle.

What other advice do I have?

Take advantage of the free trial and conduct a meaningful PoC. Get a buy-in from upper management early and co-ordinate with all stakeholders (e.g. developers, testing and/or QA groups).
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Consultant
Top 5 Leaderboard
It provides an independent review of third-party applications, allowing organizations to test software before purchasing. But try the free version first as there's no "right" way to measure ROI.

What other advice do I have?

Trust me, you want to be able to do automated and manual testing on a web application that is live.