OpenText Core Application Security Reviews

Micro Focus Fortify on Demand can be deployed on-premise or in the cloud.

We are mainly using Micro Focus Fortify on Demand for security.

While using Micro Focus Fortify on Demand we have been very happy with the results and findings.

Micro Focus Fortify on Demand could improve the reports. They could benefit from being more user-friendly and intuitive.

I have been using Micro Focus Fortify on Demand for approximately five years.

The stability of Micro Focus Fortify on Demand is good. I did not face any problems. If we had 100 products then we would have many teams using it.

We have some expansion plans and once that falls in place may increase the number of users using Micro Focus Fortify on Demand.

Micro Focus Fortify on Demand is scalable. Our product team was using the solution but not all of them

We did not need to contact support because we did not have any problems.

We have used many different solutions five years ago.

Micro Focus Fortify on Demand was implemented and managed by our IT team.

Micro Focus Fortify on Demand licenses are managed by our IT team and the license model is user-based.

I would recommend the solution to others.

I rate Micro Focus Fortify on Demand a nine out of ten.

We use it as the source for code review for static code analysis.

The user interface is good.

There are lots of limitations with code technology. It cannot scan .net properly either.

I've been using it for the last five to six years.

The initial setup of this solution on-premises is easy; however, we have had difficulties installing it online in our clients' environments.

We used both in-house and vendor teams for deployment.

On a scale from one to ten, I would rate Micro Focus Fortify on Demand at five because we get better scan results from other tools.

The SAST feature is the most valuable.

I would like to see improvement in CI integration and integration with GitLab or Jenkins. It needs to be more simple.

I have been using this solution for three months. I am a DevOps engineer in customer service.

It's stable right now.

We have only installed the solution on one server.

The implementation process was complex. The documentation was not clear to me.

I'm also evaluating Black Duck and Snyk. I just have a demo – a POC.

I would rate this solution 7 out of 10.

I recommend Fortify, but I need more documentation, especially in integration with CI tools like GitLab and Jenkins. The reporting from Fortify to Jenkins or for GitLab needs to be clarified in documentation.

Micro Focus Fortify on Demand is used for detecting vulnerabilities in code, looking at libraries, and finding where there are vulnerabilities within unpatched code.

The most valuable feature of Micro Focus Fortify on Demand is the information it can provide. There is quite a lot of information. It can pinpoint right down to where the problem is, allowing you to know where to fix it. Overall the features are easy to use, you don't have to be a coder. You can be a manager, or in IT operations, et cetera, anyone can use it. It is quite a well-rounded functional solution.

The allocations to different members of a team are good. If you find a problem, you can delegate the task to patch the particular code.

Micro Focus Fortify on Demand could improve the user interface by making it more user-friendly.

I have been using Micro Focus Fortify on Demand for approximately two years.

I have found Micro Focus Fortify on Demand stable.

Micro Focus Fortify on Demand is a scalable solution.

We have several customers using this solution. There are approximately 1,000 developers using the solution.

The support from Micro Focus Fortify on Demand is great. They have been very good to answer our questions. They have their own Fortify on Demand team and they will help you resolve your problems.

The initial setup is straightforward. 

The installation can take a couple of hours depending on what the deployment is, such as, on cloud or on-premise. Additionally, the size of the code that will be put on the system can impact the time, but it does not take long. 

We did the implementation ourselves. I was able to use YouTube to help me with the process, there's quite a lot of information on there with Micro Focus going through tutorials on how to use the solution. 

The pricing model it's based on how many applications you wish to scan.

I have evaluated other solutions, such as Contrast Security.

I would recommend Micro Focus Fortify on Demand to others.

I rate Micro Focus Fortify on Demand a seven out of ten.

The reason why I've rated the solution a seven is because there are other solutions, such as Contrast Security which are further developing in IS, and some better technology with current scalability or in the security software area.

We are using it for application security testing. We have microservices and applications within the organization, and the testing is being done on a continuous basis right through the development cycle or the development chain.

We are using its latest version. It is deployed on the cloud and on-premises.

It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support.

It is an extremely robust, scalable, and stable solution.

It enhance the quality of code all along the CI/CD pipeline from a security standpoint and enables developers to deliver secure code right from the initial stages.

It does scanning for all virtual machines and other things, but it doesn't do the scanning for containers. It currently lacks the ability to do the scanning on containers. We're asking their product management team to expand this capability to containers.

It doesn't do software composition analysis. We've asked their product management team to look into that as well.

We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access.

I have been using this solution for four years.

It is very stable. 

It is very scalable.

Their tech support is absolutely outstanding. Their tech support is the most responsive tech support I've ever seen.

It is very straightforward to set up. You can set it up in minutes.

If somebody wants to shift left or integrate security early on in the CI/CD pipeline from a DevOps standpoint, this is probably one of the best tools available.

I would rate Micro Focus Fortify on Demand a nine out of 10. There are three areas for improvement. Once they improve it in those areas, then it would be 10 out of 10.

We have an application sending service that we are providing to our customers and we are using Micro Focus Fortify on Demand to ensure our applications are secure. 

The most valuable features are the server, scanning, and it has helped identify issues with the security analysis.

We typically do our bulk uploads of our scans with some automation at the end of the development cycle but the scanning can take a lot of time. If you were doing all of it at regular intervals it would still consume a lot of time. This could procedure could improve.

We are receiving false positives. We then have to repeat the scan even though it is a false positive and tell it to ignore some of those issues. Some of the false positives could be a design issue which we will know, but they keep coming up on the report.

I have found the processes a bit cumbersome for the developers.

I have been using this solution for approximately eight years.

I did not have any problems with the stability of this solution.

The scalability is good.

We did have some issues but we did not contact the technical support of Micro Focus.

The initial setup was a medium effort, not too complex. However, the bulk scan uploads took time. Overall it took an average amount of time and it was easy to integrate and work with.

The solution is a little expensive.

I rate Micro Focus Fortify on Demand a six out of ten.

Our clients use it for scanning their applications and evaluating their application security. It is mostly for getting the application security results in, and then they push the vulnerabilities to their development team on an issue tracker such as Jira.

I usually have the latest version unless I need to support something on an older version for a client. We're not really deploying any of these solutions except for kind of testing and replicating the situations that our clients get into.

Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out.

It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available.

I have been using this solution for seven or eight months.

I've never seen any issues with stability or crashing, and it looks fine to me, but I don't run it long enough to see. If I was using it as a customer, it is always possible that I would see more issues.

Usually, I just run it against a single application. I don't know how it is if you are running it across a large enterprise.

Our clients are medium to large businesses. We have a lot of Fortune 500 companies, and scalability is very important to us. Our product is made to scale to hundreds of millions of findings from various tools. 

Most of what I've been doing with them is just getting help with being able to set up an environment and the license keys, and they've been pretty helpful. I haven't had many issues that required me to report a bug or a problem. I did deal with them maybe once for a tech problem, and they were very responsive. They seemed pretty good.

As compared to the other tools that I've worked with, it is probably in the middle range. It is definitely not the simplest one where you just run the installation, and it will be all done, but you also don't tend to run into too many problems that aren't easy to figure out during the install process. If you go from lowest to highest complexity, it would be right in the middle.

It seems like a good scanner than the other ones that we support, but there are some other products such as Prisma that seem more polished and have tighter integration with different types of scanners. Whether they've acquired different scanners or build them themselves, they do seem like a cohesive product, whereas Fortify seems a little bit more like a collection of several different products.

I would rate Micro Focus Fortify on Demand a seven out of ten.

We create technology solutions for clients and on one project we were requested to use Fortify on Demand after the client had read a good report about it. They sent us the report and recommended its use.

In this case, we were using Java to program the client's solution and so we used Fortify on Demand alongside our Java development operations, for the purpose of improving the application's security.

The work we were doing for the client involved creating a billing system that they would use to manage payments and taxes for other companies in Chile. We've only used Fortify on Demand for this one client so far. 

Because Fortify on Demand was so new to us, we decided to go with the trial version first and figure out the costing at a later stage.

Fortify on Demand has helped us more easily ensure the security of our client's application, which works with sensitive information such as payments and taxation. Without it, we would have to spend much more time finding hidden weaknesses in our code.

One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that.

Another reason I like Fortify on Demand is because our code often includes open source libraries, and it's important to know when the library is outdated or if it has any known vulnerabilities in it. This information is important to us when we're developing our solutions and Fortify on Demand informs us when it detects any vulnerable open source libraries.

During development, when our developer makes changes to their code, they typically use GitHub or GitLab to track those changes. However, proper integration between Fortify on Demand and GitHub and GitLab is not there yet. Improved integration would be very valuable to us.

Similarly, I would love to see some kind of tracing solution for use in stress testing. So when we stress the application on a certain page or on a certain platform, we would be able to see a complete stress test report which could quickly tell us about weak points or failures in the application. 

Further potential for improvement is that, when we deploy our Java WAR files for review in the QA area, we want to be able to create a report in Fortify on Demand right from within this deployment stage. So it might inspect or check the solution's Java WAR package directly and come up with a report in this crucial phase of QA. 

I have been using Fortify on Demand for about a month or so. 

Overall, we have not had any issues with stability, although we have not used it for very long.

We have had no problems with scalability in our current use case, which is only one client at the moment. As a cloud service, it has satisfied our requirements well and we haven't had any situations where scalability is an issue.

When we sent a question about the product to their support team, we had to wait a while but they did send us a response eventually. I think that they could work on reacting faster to support questions.

We have also tried SonarQube, but Fortify on Demand appealed to us more due to their source code review with emphasis on open source vulnerabilities. Fortify seems stronger in that aspect and we like to use many open source libraries in our work. 

The setup is easy and it only takes about 30 minutes to perform a basic code review in Java when dealing with WAR files.

It can get more complicated when you want to fine-tune the reporting interface to give only the details that you want to see. This is because the initial configuration depends on other variables like the scope of the review, the client's preferences, the technician's preferences, and other factors.

When it comes to launching Fortify on Demand and connecting it to our codebase, it's quite easy. Getting quick reviews done on WAR files is a relatively simple procedure.

Our company implements Fortify on Demand ourselves on behalf of our client. When the client requests any changes, we then implement it for them.

We are still using the trial version at this point but I can already see from the trial version alone that it is a good product. For others, I would say that Fortify on Demand might look expensive at the beginning, but it is very powerful and so you shouldn't be put off by the price.

In our case, we are constrained by the client's budget, but others might find that the price is not too bad. It all depends on the budget.

For us, Fortify on Demand is a good quality product that I can recommend for a few reasons, including:

• Very useful source code review and vulnerability detection.
  

• Clear and easy-to-read test results and reports.
  

• Good integration with other platforms during development.
  

I would rate Fortify on Demand a nine out of ten.