Fortify Application Defender Reviews

We use this solution for inspecting our security, such as checking to see if our developers are securing their code properly. For example, we have to ensure that they are not inadvertently exposing any IP addresses or passwords. We have to be cautious because most of our applications are related to banking and the financial domain.

Fortify Application Defender accomplishes this by performing source code analysis, and it scans using agents. The source code check involves static code analysis to see if things like passwords are exposed.

The most valuable feature is that it analyzes data in real-time.

The Audit Workbench allows us to analyze and see if things are okay on our end, giving us the option to manipulate the rules if needed.

The intelligence behind the static code analysis is really amazing. When we used to do code reviews we did not get that level of depth, in terms of identifying security concerns.

The user interface is really simple to use.

There are a couple of vulnerabilities not covered by the solution and we are working on how we can improve on these things. An example of this is when we have a static value that is stored in a database. We need to use a workaround when a value is not exposed directly to the code base, where we check that code dynamically.

The workbench is a little bit complex when you first start using it.

I have been using Fortify Application Defender for around three months.

We are satisfied with the stability.

This is a scalable solution. To this point, we have had no trouble with scalability.

Technical support from Micro Focus is good.

I have been using SonarQube for about a year and a half.

The initial setup is straightforward but the length of time required for deployment depends on the environment. In our development environment, we can deploy this solution in five minutes. However, in our pre-production and production environments, it takes more time because the platform needs to be more mature.

We had our in-house team implement this solution.

This is a great tool and the kind of support it provides is very helpful. It is easy to adopt for any technology and integrates well with any kind of small platform.

I would rate this solution a nine out of ten.

We use the solution for static code analysis. We do static code analysis on our application project code and we use the solution to check the product quality.

The solution helped us to improve the code quality of our organization.

The solution is quite expensive.

There could be little improvements made in the solution's performance, reporting, management, interface, dashboard, etc. 

Their level of support could also be better.  They should be more qualified and quicker to respond, for example. 

It would be beneficial if the dashboard integrated with JIRA.

The solution is very stable. We find it pretty robust.

We used it for more than 70-80 products for doing standard code analysis and the scalability was pretty good. We didn't see any performance issues.

Technical support is pretty helpful.

The initial setup is pretty straightforward. You need less than three people to maintain the solution after implementation.

We've been using the private cloud deployment model.

If you need a huge impact, a business impact, then I think I would recommend HP Fortify. However, if a user is looking for a small scale application with less business impact, I would go with a free solution.

I would rate the solution ten out of ten. Aside from the cost, the application is pretty good.

Used for multiple environments, compilers, and operating systems, including Altera, Xilinx, Linux, Windows, and cross-compiler environments.

It is a good product when support for environments is included. It finds several items and is also good at not reporting false positives.

Its ability to find security defects is valuable. The elimination of security defects is my top priority. Of secondary importance is finding coding defects.

Support for older compilers/IDEs is lacking. Many developers are still using environments that are known for having security issues. For example, Visual Studio 2005, 2008, and older, gcc 1.x, etc. are still being used. However, we cannot analyze a project using these older compilers because they are no longer supported by Fortify. If I can't find security issues injected by the development environment because I'm forced to use a newer compiler, then I cannot make recommendations to use an updated compiler. This is a particularly thorny issue wherein development environments of mission critical systems do not change and yet we need to recommend usage of newer development environments.