We just raised a $30M Series A: Read our story

What alternatives are there for Fortify WebInspect and Fortify SCA?


Dear All, 

Can you suggest 2 or 3 products that could compete with:

1. Fortify WebInspect 

2. Fortify Static Code Analyzer

I need suggestions for similar products so I could compare for my consultant project. 
Thanks in advance for the advice.


ITCS user
47 Answers

author avatar
Community Manager

According to the IT Central Station community, the most popular alternatives to Fortify WebInspect are Micro Focus Fortify on Demand, OWASP Zap, PortSwigger Burp, and HCL AppScan. Hope that's helpful!

author avatarRendra Kurniawan, SFC.,CMPM
Real User

@Russell Rothstein Thank You russel

author avatar
Top 5LeaderboardReal User

I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.

author avatar
Top 5User


You need to ask yourself a few questions: 
1. Do I know is the technology stack (languages) that needs to be supported? 
2. Do I have access to the Source Code, just Binaries OR Both? 
3. Do I need to support SCA(FOSS) 
4. Do I need a unified Dashboard for reporting for SAST, DAST & SCA? 
5. What is the size of the experienced team I have to support this? 

For a DAST solution: 
1. What is the size of the experienced team I have to support this? 
2. Do I want the DAST to integrate with other tools (BurpSuite, MetaSploit, WAF, etc) 
3. Do I want the DAST to automate from a Postman Script, Jenkins Build Server, JIRA, ServiceNow, etc. 
4. Do I need a unified Dashboard for reporting for SAST, DAST & SCA? 

Instead of asking who can compete with Fortify, it might be better to ask who can compliment Fortify OR what did I dislike most about Fortify. Then find some others who will give you a fair and unbiased opinion. 

When you look at the top 4 players in the market being Fortify, VeraCode, Checkmarx, Synopsys.... what do you see? Then ask why? (Hint...all top leadership and top sales begin at Fortify) 

Hope this helps.

author avatar
Top 20Vendor

Fortify Static Code Analyzer is actually NOT an SCA (Software Composition Analysis) tool! It competes more with Checkmarx and Veracode

author avatarRendra Kurniawan, SFC.,CMPM
Real User

@Oscar Van Der Meer Thank You Oscar for your information

author avatarThomas Ryan
Top 5User

@Oscar Van Der Meer Fortify SCA (Static Code Analyzer) was around way before SCA (Software Composition Analysis). There are various integrations with Software Composition Analysis (SonaType, BlackDuck, Snyk, WhiteSource, and OWASP Dependency Checker & Track. The reason behind it is to allow customers the flexibility to  integrate with the tool the line of business chooses within the corporation. 

Find out what your peers are saying about Micro Focus, GitLab, ShiftLeft and others in Software Composition Analysis (SCA). Updated: November 2021.
555,139 professionals have used our research since 2012.