Senior Software Engineer at a consultancy with 10,001+ employees
Speedy and efficient but lacks ability to scan executable files
Pros and Cons
- "Speed and efficiency are great features."
- "Takes up a lot of resources which can slow things down."
What is our primary use case?
Our use case of Fortify is for the more than 200 applications that we need to certify as a security team. We certify them for all possible vulnerabilities using Micro Focus to check codes for vulnerabilities and then deploying to a reproduction environment. Once all the vulnerabilities are fixed, we can proceed to production. So we're using it as a kind of DevSecOps model. We are customers of Micro Focus.
What is most valuable?
To my mind, the best features of this product are its speed and efficiency. It covers a wide variety of languages and even has an option for checking different Java versions.
What needs improvement?
Micro Focus is a bit heavy on resources and uses up a lot of my RAM. My machine tends to slow down when I use it. A beneficial additional feature would be scanning executable files. Currently, it scans the uncompiled code only. I'd also like to see support for additional languages and support for scanning libraries whether they're outdated or not. The solution scans for security vulnerabilities but not for outdated versions or policy violations.
For how long have I used the solution?
I've been using this solution for eight months.
Buyer's Guide
OpenText Core Application Security
March 2026
Learn what your peers think about OpenText Core Application Security. Get advice and tips from experienced pros sharing their opinions. Updated: March 2026.
884,873 professionals have used our research since 2012.
What do I think about the stability of the solution?
This is a stable product.
What do I think about the scalability of the solution?
Scalability is lacking in the sense that I cannot run multiple scans at once. It only accepts one scan at a time. On the other hand, if I want to scan two 3GB programs, it will handle that.
How are customer service and support?
We've only contacted customer support once when we had a problem with an update. They were helpful and resolved the issue.
How was the initial setup?
The initial setup is moderately complex and takes a couple of hours. We have 20 users who are developers and ops staff.
Which other solutions did I evaluate?
We carried out a POC on multiple products and Fortify came out on top.
What other advice do I have?
If you're a beginner, give Fortify a go. If you're a professional, it might be worth looking at other tools because Fortify does have limitations when it comes to scalability and executable codes.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Solution architect at NTT
Beneficial functionality, pinpoints issues for resolution, but interface could improve
Pros and Cons
- "The most valuable feature of Micro Focus Fortify on Demand is the information it can provide. There is quite a lot of information. It can pinpoint right down to where the problem is, allowing you to know where to fix it. Overall the features are easy to use, you don't have to be a coder. You can be a manager, or in IT operations, et cetera, anyone can use it. It is quite a well-rounded functional solution."
- "Micro Focus Fortify on Demand could improve the user interface by making it more user-friendly."
What is our primary use case?
Micro Focus Fortify on Demand is used for detecting vulnerabilities in code, looking at libraries, and finding where there are vulnerabilities within unpatched code.
What is most valuable?
The most valuable feature of Micro Focus Fortify on Demand is the information it can provide. There is quite a lot of information. It can pinpoint right down to where the problem is, allowing you to know where to fix it. Overall the features are easy to use, you don't have to be a coder. You can be a manager, or in IT operations, et cetera, anyone can use it. It is quite a well-rounded functional solution.
The allocations to different members of a team are good. If you find a problem, you can delegate the task to patch the particular code.
What needs improvement?
Micro Focus Fortify on Demand could improve the user interface by making it more user-friendly.
For how long have I used the solution?
I have been using Micro Focus Fortify on Demand for approximately two years.
What do I think about the stability of the solution?
I have found Micro Focus Fortify on Demand stable.
What do I think about the scalability of the solution?
Micro Focus Fortify on Demand is a scalable solution.
We have several customers using this solution. There are approximately 1,000 developers using the solution.
How are customer service and support?
The support from Micro Focus Fortify on Demand is great. They have been very good to answer our questions. They have their own Fortify on Demand team and they will help you resolve your problems.
How was the initial setup?
The initial setup is straightforward.
The installation can take a couple of hours depending on what the deployment is, such as, on cloud or on-premise. Additionally, the size of the code that will be put on the system can impact the time, but it does not take long.
What about the implementation team?
We did the implementation ourselves. I was able to use YouTube to help me with the process, there's quite a lot of information on there with Micro Focus going through tutorials on how to use the solution.
What's my experience with pricing, setup cost, and licensing?
The pricing model is based on how many applications you wish to scan.
Which other solutions did I evaluate?
I have evaluated other solutions, such as Contrast Security.
What other advice do I have?
I would recommend Micro Focus Fortify on Demand to others.
I rate Micro Focus Fortify on Demand a seven out of ten.
The reason why I've rated the solution a seven is because there are other solutions, such as Contrast Security which are further developing in IS, and some better technology with current scalability or in the security software area.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Director at PepsiCo
High performance, useful security scanning, but cannot operate from a Linux Agent
Pros and Cons
- "Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning."
- "Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we have to use Windows Agent. This is something they could improve."
What is our primary use case?
Whenever we have a new application we scan it using Micro Focus Fortify on Demand. We then receive a service connection from Azure DevOps to Micro Focus Fortify on Demand and the information from the application tested.
We are using Micro Focus Fortify on Demand in two ways in most of our processes. We are either using it from our DevOps pipeline using Azure DevOps or the teams which are not yet onboarded in Azure DevOps, are running it manually by putting in the code then sending it to the security team where they will scan it.
We use two solutions for our application testing. We use SonarQube for next-level unit testing and code quality and Micro Focus Fortify on Demand mostly for vulnerabilities and security concerns.
How has it helped my organization?
We previously only did the testing and scanning after deploying applications in production, but now we are doing it in development. We are making sure the code is safe to use in all the environments, not only in production. It has been valuable for us.
What is most valuable?
Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning.
When we are exploring some of the endpoints this solution identifies many loopholes that hackers could utilize for an attack. This has been very helpful and surprising how many vulnerabilities there can be.
What needs improvement?
Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we have to use Windows Agent. This is something they could improve.
Currently, when we are running a security scan or Azure DevOps pipeline Micro Focus Fortify on Demand will give an overall status. People have to click on the link to read the in-depth results. If there could be some output of the report that can be passed in the pipeline and based on that we can control the next step of the pipeline. For example, if Micro Focus Fortify on Demand is saying the report is critical, do not go any further. If we can have that critical variable as a pipeline output that can be used later it would be really helpful.
For how long have I used the solution?
I have been using Micro Focus Fortify on Demand for one year.
What do I think about the scalability of the solution?
We have approximately 50 applications that are using this solution and we are expanding our operation to increase usage.
We have developers, DevOps, and engineers using this solution in my organization.
Which solution did I use previously and why did I switch?
We use SonarQube alongside Micro Focus Fortify on Demand.
The difference between the two is Micro Focus Fortify on Demand handles the security testing and SonarQube does more in-depth level code testing.
How was the initial setup?
The initial setup was simple.
What about the implementation team?
We have an internal DevSecOps team of approximately 15 people that does the implementation of the solution.
What was our ROI?
Micro Focus Fortify on Demand has saved our company money from the use of automation features. We are able to run the scans automatically from the pipeline saving us a lot of time and communication. Previously it would have taken a few days whereas now it can be completed in 10 minutes.
What's my experience with pricing, setup cost, and licensing?
We make an annual purchase of the licenses we need.
What other advice do I have?
Micro Focus Fortify on Demand is a nice tool for security tests because security is important in today's world. DevOps is not the only solution we have to think of, there is DevSecOps. Fortify is helping us to scan our code at the very beginning of SDLC. I would recommend this solution to any other security tool because when we compared other tools Fortify worked well for us.
I rate Micro Focus Fortify on Demand a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Site Head - IOT NW Products & Solutions at Itron, Inc.
Beneficial report results, reliable, and scalable
Pros and Cons
- "While using Micro Focus Fortify on Demand we have been very happy with the results and findings."
- "Micro Focus Fortify on Demand could improve the reports. They could benefit from being more user-friendly and intuitive."
What is our primary use case?
Micro Focus Fortify on Demand can be deployed on-premise or in the cloud.
We are mainly using Micro Focus Fortify on Demand for security.
What is most valuable?
While using Micro Focus Fortify on Demand we have been very happy with the results and findings.
What needs improvement?
Micro Focus Fortify on Demand could improve the reports. They could benefit from being more user-friendly and intuitive.
For how long have I used the solution?
I have been using Micro Focus Fortify on Demand for approximately five years.
What do I think about the stability of the solution?
The stability of Micro Focus Fortify on Demand is good. I did not face any problems. If we had 100 products then we would have many teams using it.
We have some expansion plans and once that falls in place may increase the number of users using Micro Focus Fortify on Demand.
What do I think about the scalability of the solution?
Micro Focus Fortify on Demand is scalable. Our product team was using the solution but not all of them.
How are customer service and support?
We did not need to contact support because we did not have any problems.
Which solution did I use previously and why did I switch?
We used many different solutions five years ago.
What about the implementation team?
Micro Focus Fortify on Demand was implemented and managed by our IT team.
What's my experience with pricing, setup cost, and licensing?
Micro Focus Fortify on Demand licenses are managed by our IT team and the license model is user-based.
What other advice do I have?
I would recommend the solution to others.
I rate Micro Focus Fortify on Demand a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr. Cloud Solution Architect - SAP on Azure at Accenture
Has a good user interface but code technology needs improvement
Pros and Cons
- "The user interface is good."
- "There are lots of limitations with code technology. It cannot scan .NET properly either."
What is our primary use case?
We use it as the source for code review for static code analysis.
What is most valuable?
The user interface is good.
What needs improvement?
There are lots of limitations with code technology. It cannot scan .NET properly either.
For how long have I used the solution?
I've been using it for the last five to six years.
How was the initial setup?
The initial setup of this solution on-premises is easy; however, we have had difficulties installing it online in our clients' environments.
What about the implementation team?
We used both in-house and vendor teams for deployment.
What other advice do I have?
On a scale from one to ten, I would rate Micro Focus Fortify on Demand at five because we get better scan results from other tools.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Financial Analyst at Arab Investment Bank
SAST is valuable, but there needs to be improvement in CI integration and with GitLab or Jenkins
Pros and Cons
- "The SAST feature is the most valuable."
- "I would like to see improvement in CI integration and integration with GitLab or Jenkins. It needs to be more simple."
What is most valuable?
The SAST feature is the most valuable.
What needs improvement?
I would like to see improvement in CI integration and integration with GitLab or Jenkins. It needs to be more simple.
For how long have I used the solution?
I have been using this solution for three months. I am a DevOps engineer in customer service.
What do I think about the stability of the solution?
It's stable right now.
What do I think about the scalability of the solution?
We have only installed the solution on one server.
How was the initial setup?
The implementation process was complex. The documentation was not clear to me.
Which other solutions did I evaluate?
I'm also evaluating Black Duck and Snyk. I just have a demo – a POC.
What other advice do I have?
I would rate this solution 7 out of 10.
I recommend Fortify, but I need more documentation, especially in integration with CI tools like GitLab and Jenkins. The reporting from Fortify to Jenkins or for GitLab needs to be clarified in documentation.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Acquisitions Leader at a healthcare company with 10,001+ employees
Outstanding support, efficient API, and one of the best tools for the Shift Left approach
Pros and Cons
- "It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support."
- "It is an extremely robust, scalable, and stable solution."
- "It does scanning for all virtual machines and other things, but it doesn't do the scanning for containers. It currently lacks the ability to do the scanning on containers. We're asking their product management team to expand this capability to containers."
- "We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access."
What is our primary use case?
We are using it for application security testing. We have microservices and applications within the organization, and the testing is being done on a continuous basis right through the development cycle or the development chain.
We are using its latest version. It is deployed on the cloud and on-premises.
What is most valuable?
It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support.
It is an extremely robust, scalable, and stable solution.
It enhances the quality of code all along the CI/CD pipeline from a security standpoint and enables developers to deliver secure code right from the initial stages.
What needs improvement?
It does scanning for all virtual machines and other things, but it doesn't do the scanning for containers. It currently lacks the ability to do the scanning on containers. We're asking their product management team to expand this capability to containers.
It doesn't do software composition analysis. We've asked their product management team to look into that as well.
We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access.
For how long have I used the solution?
I have been using this solution for four years.
What do I think about the stability of the solution?
It is very stable.
What do I think about the scalability of the solution?
It is very scalable.
How are customer service and technical support?
Their tech support is absolutely outstanding. Their tech support is the most responsive tech support I've ever seen.
How was the initial setup?
It is very straightforward to set up. You can set it up in minutes.
What other advice do I have?
If somebody wants to shift left or integrate security early on in the CI/CD pipeline from a DevOps standpoint, this is probably one of the best tools available.
I would rate Micro Focus Fortify on Demand a nine out of 10. There are three areas for improvement. Once they improve it in those areas, then it would be 10 out of 10.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
GM - Technology at an outsourcing company with 10,001+ employees
Effective security analysis, stable, but occasional false positives
Pros and Cons
- "The most valuable features are the server, scanning, and it has helped identify issues with the security analysis."
- "We typically do our bulk uploads of our scans with some automation at the end of the development cycle but the scanning can take a lot of time. If you were doing all of it at regular intervals it would still consume a lot of time. This procedure could improve."
What is our primary use case?
We have an application sending service that we are providing to our customers and we are using Micro Focus Fortify on Demand to ensure our applications are secure.
What is most valuable?
The most valuable features are the server, scanning, and it has helped identify issues with the security analysis.
What needs improvement?
We typically do our bulk uploads of our scans with some automation at the end of the development cycle but the scanning can take a lot of time. If you were doing all of it at regular intervals it would still consume a lot of time. This procedure could improve.
We are receiving false positives. We then have to repeat the scan even though it is a false positive and tell it to ignore some of those issues. Some of the false positives could be a design issue which we will know, but they keep coming up on the report.
I have found the processes a bit cumbersome for the developers.
For how long have I used the solution?
I have been using this solution for approximately eight years.
What do I think about the stability of the solution?
I did not have any problems with the stability of this solution.
What do I think about the scalability of the solution?
The scalability is good.
How are customer service and technical support?
We did have some issues but we did not contact the technical support of Micro Focus.
How was the initial setup?
The initial setup was a medium effort, not too complex. However, the bulk scan uploads took time. Overall it took an average amount of time and it was easy to integrate and work with.
What's my experience with pricing, setup cost, and licensing?
The solution is a little expensive.
What other advice do I have?
I rate Micro Focus Fortify on Demand a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.