Fortify Application Defender Reviews

I work for a local distributor for Micro Focus. We provide customers with a proof of values and we're showing them in deep dive into the main benefits of this highly technical product while trying to patch together different technologies, starting with the developing phase. 

We are able to provide out customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment.

The licensing can be a little complex.

I have been using this solution for more than 10 years.

It is very stable.

This product is scalable. You are able to add licenses depending on your department, how many developers you have, the number of the projects, etc.

There are a few hundred users in my area and we require two people for maintenance. 

We handle first level support for our customers, the vendor will handle anything harder. Their support gas been great throughout the years. They are always willing to solve any issue from the commercial technical point of view.

The initial setup can vary depending on the client's use case. We have a professional service department that handles the POD. This includes installation, configuration, training, deployment, knowledge transfer and support after that if needed. 

Our end users ROI should be okay for a minimum of three to five years. Even though they are not able to turn revenue with this product, they are able to Become more aware of a lot of threats and cyber security risks which allows them to reallocate some of their budget to affected areas if needed.

The licensing is very complex, it's project based and can range from $10,000 to $200,000+ depending on the project type and size. 

It has been in the Gartner's Magic Quadrant for many years. It's a very solid technology that is nice to use on the developing site and it is secure and stable.

I would rate this product a ten out of ten.

We use the solution for static code analysis. We do static code analysis on our application project code and we use the solution to check the product quality.

The solution helped us to improve the code quality of our organization.

The solution is quite expensive.

There could be little improvements made in the solution's performance, reporting, management, interface, dashboard, etc. 

Their level of support could also be better.  They should be more qualified and quicker to respond, for example. 

It would be beneficial if the dashboard integrated with JIRA.

The solution is very stable. We find it pretty robust.

We used it for more than 70-80 products for doing standard code analysis and the scalability was pretty good. We didn't see any performance issues.

Technical support is pretty helpful.

The initial setup is pretty straightforward. You need less than three people to maintain the solution after implementation.

We've been using the private cloud deployment model.

If you need a huge impact, a business impact, then I think I would recommend HP Fortify. However, if a user is looking for a small scale application with less business impact, I would go with a free solution.

I would rate the solution ten out of ten. Aside from the cost, the application is pretty good.

Used for multiple environments, compilers, and operating systems, including Altera, Xilinx, Linux, Windows, and cross-compiler environments.

It is a good product when support for environments is included. It finds several items and is also good at not reporting false positives.

Its ability to find security defects is valuable. The elimination of security defects is my top priority. Of secondary importance is finding coding defects.

Support for older compilers/IDEs is lacking. Many developers are still using environments that are known for having security issues. For example, Visual Studio 2005, 2008, and older, gcc 1.x, etc. are still being used. However, we cannot analyze a project using these older compilers because they are no longer supported by Fortify. If I can't find security issues injected by the development environment because I'm forced to use a newer compiler, then I cannot make recommendations to use an updated compiler. This is a particularly thorny issue wherein development environments of mission critical systems do not change and yet we need to recommend usage of newer development environments.