Fortify Application Defender offers strong protection by identifying and resolving security defects using machine learning and real-time remediation. Its user-friendly interface simplifies integration in CI/CD workflows and supports security scanning across operating systems and compilers.

| Product | Mindshare (%) |
|---|---|
| Fortify Application Defender | 1.5% |
| SonarQube | 12.7% |
| Checkmarx One | 8.3% |
| Other | 77.5% |

| Company Size | Count |
|---|---|
| Small Business | 3 |
| Midsize Enterprise | 1 |
| Large Enterprise | 6 |

| Company Size | Count |
|---|---|
| Small Business | 52 |
| Midsize Enterprise | 28 |
| Large Enterprise | 93 |
Fortify Application Defender is a comprehensive tool for static code analysis and security scanning. It integrates machine learning algorithms to identify vulnerabilities quickly and offers real-time remediation solutions. Its seamless integration with WebInspect allows for tailored rule sets that significantly improve defense against application-specific threats. The tool's efficiency in static and software composition analysis provides actionable repair insights. As part of a DevOps pipeline, it aids in maintaining code quality, helping organizations protect sensitive information within their applications. Additionally, it supports multiple operating systems and environments, allowing users to scan for vulnerabilities in both code and libraries effectively.
What are the key features of Fortify Application Defender?

Fortify Application Defender is commonly used in industries like banking and finance to secure applications by inspecting source code for vulnerabilities. Companies can integrate it seamlessly into their DevOps pipelines, ensuring that their applications are protected against cyberattacks while maintaining high code quality. They can thereby avoid common risks such as IP and password exposure by leveraging static code analysis and other integrated technologies available within this tool.
Fortify Application Defender was previously known as HPE Fortify Application Defender, Micro Focus Fortify Application Defender.
ServiceMaster, Saltworks, SAP
| Author info | Rating | Review Summary |
|---|---|---|
| CTO at Abcl | 3.5 | We use Fortify Application Defender for fast code review within our DevOps pipeline. Its easy integration and configuration of rules are valuable. It could improve by integrating industry-standard code review tools. We switched from Checkmarx due to Fortify's better support and pricing. |
| Senior Security Analyst (AppSec) at ELETROBRAS | 4.5 | I use Fortify Application Defender to analyze .NET projects. It excels in software composition analysis and integrates easily with GitLab and CI/CD pipelines, though I encounter many false positives with Python applications. Checkmarx previously offered fewer false positives. |
| Department Manager at Hitachi Channel | 3.0 | We use Fortify Application Defender to prevent cyberattacks. It efficiently identifies software vulnerabilities, saving us cost and time. However, it struggles with Java coding and has a high false positive rate. Improved licensing options and costs would be beneficial. |
| Software Development Engineer 3 at a consultancy with 10,001+ employees | 3.0 | I use Fortify Application Defender to test our products' defenses but find the machine learning, real-time remediation, and automatic notifications valuable. However, it generates many false positives without showing ROI, prompting a switch from HCL AppScan. |
| Senior Manager Technical Operations at NeuStar | 3.5 | I've used Fortify Application Defender for four years, valuing its default code packages. It's stable, scalable, and I recommend it, despite its need for more language support. I rate it 7/10. |
| System Quality Assurance Manager at AIS - Advanced Info Services Plc. | 3.5 | I use Fortify Application Defender for security scanning. Its fix information is good, but scanning is slow and scalability is poor due to licensing. It's expensive and I rate it 7/10. |
| Director of Security at Merito | 4.0 | I value Fortify Application Defender for its application-specific threat blocking, especially with WebInspect, augmenting WAFs. It's stable, but platform support is limited to .NET/Java, and technical support needs improvement. I recommend trying this effective solution. |
| Business Development Specialist at a computer software company with 11-50 employees | 5.0 | I've used this stable product for over 10 years, providing customers with secure applications and mitigating cybersecurity risks. I rate it 10/10, though its licensing can be quite complex. |
| DevOps Engineer at an energy/utilities company with 10,001+ employees | 4.5 | I use Fortify Application Defender for crucial real-time static code analysis, ensuring my financial applications are secure by preventing IP/password exposure. It's a great tool with good support, though the workbench can be complex initially. I rate it 9/10. |
| Assistant Consultant at a logistics company with 10,001+ employees | 5.0 | I use this very stable and scalable static code analysis solution which greatly improved our code quality. While setup was easy and support helpful, it is quite expensive, and I see minor areas for improvement. |
We use the solution for fast code review. It is integrated into our DevOps pipeline.
I find the configuration of rules in Fortify Application Defender useful. Its integration is also easy.
The product should integrate industry-standard code review tools internally with its system. This would streamline the coding process, as developers wouldn't need multiple tools for code review and security checks. Many independent and open-source tools are available, from Apache to various libraries. Using multiple DevOps pipeline tools can slow the turnaround time.
I have been working with the product for three months.
I rate the tool's stability an eight out of ten.
I rate the tool's scalability a seven out of ten. However, I'm concerned about how it handles an increasing number of lines of code. As the complexity grows, so does the time it takes for the tool to review everything. I want more clarity on how Fortify Application Defender handles multiple threats.
We have numerous endpoints, but the tool runs in our pipeline, meaning it operates in the cloud. All our code is configured there, and the tool runs integration testing, unit testing, user testing, and final production code tests.
It's a day-to-day experience. It's utilized almost every day as part of our pipeline runs. Each team responsible for integration testing, human testing, user access testing, and preproduction testing runs it whenever they take a build.
I used Checkmarx before Fortify Application Defender. Checkmarx's pricing model, licensing, and renewal were confusing. Hence, we switched to Fortify Application Defender. Its implementation, support, and cost influenced our decision.
I rate the tool's deployment a six out of ten. The initial setup was more complex because it lacked a standard integration method. The tool's initial setup took one week, and the pipeline setup took another week. I deployed two people from my DevOps team for the setup. However, there's no need for any additional personnel for maintenance. It runs in the pipeline without requiring any ongoing maintenance unless there are changes to the rules.
I rate the solution's pricing a five out of ten. It comes as an annual cloud subscription. The tool's pricing is around 50 lakhs.
I rate the overall solution a seven out of ten. If cost is a factor, I'd recommend considering this solution. However, for extreme quality, Checkmarx might be a preferable choice.
I use Fortify to analyze projects in .NET languages.
The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities.
Fortify Application Defender is a good tool for overall application security. However, in my specific case, another tool was more suitable. Regarding the vulnerability scanner feature, it aids in security assessments by conducting static analysis on my code application.
It is easy to use and configure Fortify Application Defender. I configured it directly with my code repository, which I use GitLab for. Establishing the connection was straightforward. Additionally, configuring it in the CI/CD pipeline was very easy. I would recommend using it in this scenario for CI/CD.
The solution is very fast for scanning and analyzing, particularly for static analysis and SCA analysis scans.
I encountered many false positives for Python applications.
My company has two users for the product.
We rely on partners for support. Its documentation is good and complete, which has helped me.
I have used Checkmarx before Fortify Application Defender. It shows fewer false positives.
The tool's deployment is easy and takes four hours to deploy.
I rate the overall product a nine out of ten. However, I wouldn't recommend it to others.

We use the solution to prevent cyberattacks.
Based on the alerts created by the solution during development, we modify the software we are developing.
The product finds mistakes automatically. It warns us about the vulnerabilities in the software. The product saves us cost and time.
The product does not work well with Java coding. The false positive rate should be lower. The product should introduce more licensing models and reduce the licensing cost.
I have been using the solution for two to three years.
I rate the product’s stability a nine out of ten.
The solution has low scalability. I rate the scalability a three out of ten. Ten designers in our organization are using the solution.
We had some license authentication issues and contacted the support team to resolve them.
Positive
The initial setup is easy. I rate the ease of setup a six or seven out of ten.
We deployed the solution in-house. We need one security personnel to maintain the solution.
The product’s price is much higher than other tools. I rate the pricing a seven out of ten.
We are not 100% satisfied with the product, but we did not face any serious issues yet. So we are planning to continue using the product. Overall, I rate the product a six out of ten.

I primarily use Fortify Application Defender to assess whether our products can defend against applications.
Fortify Application Defender's most valuable features are machine learning algorithms, real-time remediation, and automatic vulnerability notifications.
Fortify Application Defender gives a lot of false positives and would be improved by using rule-based scanning to reduce this.
I've been using Fortify Application Defender for over ten years.
Fortify Application Defender is very stable - I would rate it ten out of ten.
Fortify Application Defender is scalable so long as you have the right infrastructure. I'd rate its scalability eight out of ten.
Fortify Application Defender's technical support isn't great - the team isn't very knowledgeable, they take a long time to resolve problems, and the communication between team members isn't good, which leads to delays.
Neutral
We previously used HCL AppScan but switched after being given a discount on Fortify Application Defender.
The initial setup is easy - I would rate it eight out of ten. Deployment takes a few days.
We have not seen any ROI from Fortify Application Defender.
Fortify Application Defender is very expensive.
I would not recommend Fortify Application Defender to other users due to its price and lack of support. I would give Fortify Application Defender a rating of six out of ten.
The most valuable features of Fortify Application Defender are the code packages that are default.
Fortify Application Defender could improve by supporting more code languages, such as GRAAS and Groovy.
I have been using Fortify Application Defender for approximately four years.
Fortify Application Defender is a stable solution.
The scalability of Fortify Application Defender is good.
I have not used technical support but I have some good feedback.
I have not used another similar solution to Fortify Application Defender.
Fortify Application Defender has a few drawbacks, it has its own pros and cons, but it's a good tool to use in any industry.
I would recommend this solution to others.
I rate Fortify Application Defender a seven out of ten.
We use Fortify Application Defender for scanning our whole repository source code for security. We have more than 4,000 repositories in our company.
The information from Fortify Application Defender on how to fix and solve issues is very good compared to other solutions.
The solution could improve the time it takes to scan. When comparing it to SonarQube it does it in minutes while in Fortify Application Defender it can take hours.
In an upcoming release, they could improve how they apply the automation.
I have been using Fortify Application Defender for approximately 10 years.
The solution is stable.
The solution does not scale well because there are limitations. For example, the licensing is attached to the programmer, and it is very difficult to run queries automatically.
The initial installation of Fortify Application Defender is more complex than SonarQube, but it is not too difficult to do from scratch. Last year we did the installation in a new environment from scratch and we did not have any problems.
The price of this solution could be less expensive.
I have evaluated SonarQube.
I recommend this solution to others. However, most companies will choose SonarQube.
I rate Fortify Application Defender a seven out of ten.
I do not use this product personally. Rather, I implement it for other people.
The general use case is application-specific threat blocking. Most of our customers use it as an augment to their WAF.
When our customers turn on the app defender, they can see the things that it's blocking that are getting by their WAF. This is the reason that most people implement it.
The most valuable feature is the ability to automatically feed it rules when it's coupled with the WebInspect dynamic application scanning technology. The rules that are created are very specific to the application that it's defending. In a typical WAF, out of the box, it comes with a set of standard rules that work reasonably well. However, if you want rules that are specific to vulnerabilities that you know are in the application, the application defender is superior at defending against these.
The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java. They need better support for applications written in Python or more advanced web service-type implementations. Better support for other architectures is critical.
Technical support needs to be improved.
It would be helpful to include agent deployment as part of the Azure DevOps marketplace. This would make it really easy for customers to get this plugin and install it within their application centers.
I have been dealing with Fortify Application Defender for about seven years.
I have not seen too many issues that would impact stability. It is very much a "deploy it and forget it" type solution.
Technical support is an area that can be improved and I think that it's been a known issue since the Fortify team was acquired by HP, many years ago. It's still a problem now, even though they are now part of the Micro Focus team. I recently communicated with one of the senior managers and they are aware of the issues, and they are working on them, but I'd say that it's still an area that needs improvement.
The initial setup is fairly straightforward. It does require the deployment of an agent, but this is not unlike every other platform that is application-specific.
The deployment requires collaboration between the security team, who's typically running the application security program, and the operations team, who's responsible for the deployment and management of the hardware that the applications run on. These two teams really have to be engaged from an implementation standpoint to make sure that the plan fits and has input from both perspectives.
We deploy this product for our clients.
In the SaaS platform, the Fortify teams are responsible for maintenance. The agents that are deployed within the customer's environment simply ping back to the console for updates, which is an automated task. The number of people and the time it takes to perform updates is minimal.
The base licensing cost for the SaaS platform is about $900 USD per application, per year. Some larger companies have different pricing based on scale and the size of their implementation.
I believe they have a trial period, where they allow you to use it for free.
My advice for anybody who is considering Fortify Application Defender is to try it before you buy it. It is one of those things that once you see it in action, it is pretty impressive. Considering there is a free trial available, I think that more people should try it.
I would rate this solution an eight out of ten.
I work for a local distributor for Micro Focus. We provide customers with a proof of value and show them a deep dive into the main benefits of this highly technical product while trying to patch together different technologies, starting with the development phase.
We are able to provide our customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment.
The licensing can be a little complex.
I have been using this solution for more than 10 years.
It is very stable.
This product is scalable. You are able to add licenses depending on your department, how many developers you have, the number of the projects, etc.
There are a few hundred users in my area and we require two people for maintenance.
We handle first-level support for our customers; the vendor will handle anything harder. Their support has been great throughout the years. They are always willing to solve any issue from the commercial and technical point of view.
The initial setup can vary depending on the client's use case. We have a professional service department that handles the POD. This includes installation, configuration, training, deployment, knowledge transfer and support after that if needed.
Our end users' ROI should be okay for a minimum of three to five years. Even though they are not able to turn revenue with this product, they are able to become more aware of a lot of threats and cyber security risks, which allows them to reallocate some of their budget to affected areas if needed.
The licensing is very complex, it's project based and can range from $10,000 to $200,000+ depending on the project type and size.
It has been in the Gartner Magic Quadrant for many years. It's a very solid technology that is nice to use on the development side, and it is secure and stable.
I would rate this product a ten out of ten.
We use this solution for inspecting our security, such as checking to see if our developers are securing their code properly. For example, we have to ensure that they are not inadvertently exposing any IP addresses or passwords. We have to be cautious because most of our applications are related to banking and the financial domain.
Fortify Application Defender accomplishes this by performing source code analysis, and it scans using agents. The source code check involves static code analysis to see if things like passwords are exposed.
The most valuable feature is that it analyzes data in real-time.
The Audit Workbench allows us to analyze and see if things are okay on our end, giving us the option to manipulate the rules if needed.
The intelligence behind the static code analysis is really amazing. When we used to do code reviews we did not get that level of depth, in terms of identifying security concerns.
The user interface is really simple to use.
There are a couple of vulnerabilities not covered by the solution and we are working on how we can improve on these things. An example of this is when we have a static value that is stored in a database. We need to use a workaround when a value is not exposed directly to the code base, where we check that code dynamically.
The workbench is a little bit complex when you first start using it.
I have been using Fortify Application Defender for around three months.
We are satisfied with the stability.
This is a scalable solution. To this point, we have had no trouble with scalability.
Technical support from Micro Focus is good.
I have been using SonarQube for about a year and a half.
The initial setup is straightforward but the length of time required for deployment depends on the environment. In our development environment, we can deploy this solution in five minutes. However, in our pre-production and production environments, it takes more time because the platform needs to be more mature.
We had our in-house team implement this solution.
This is a great tool and the kind of support it provides is very helpful. It is easy to adopt for any technology and integrates well with any kind of small platform.
I would rate this solution a nine out of ten.
We use the solution for static code analysis. We do static code analysis on our application project code and we use the solution to check the product quality.
The solution helped us to improve the code quality of our organization.
The solution is quite expensive.
There could be little improvements made in the solution's performance, reporting, management, interface, dashboard, etc.
Their level of support could also be better. They should be more qualified and quicker to respond, for example.
It would be beneficial if the dashboard integrated with JIRA.
The solution is very stable. We find it pretty robust.
We used it for more than 70-80 products for doing standard code analysis and the scalability was pretty good. We didn't see any performance issues.
Technical support is pretty helpful.
The initial setup is pretty straightforward. You need less than three people to maintain the solution after implementation.
We've been using the private cloud deployment model.
If you need a huge impact, a business impact, then I think I would recommend HP Fortify. However, if a user is looking for a small scale application with less business impact, I would go with a free solution.
I would rate the solution ten out of ten. Aside from the cost, the application is pretty good.