OpenText Core Application Security Reviews

We are using Fortify on Demand as a static code analyzer. As it scans each application, it checks each line of code. When we are developing mobile applications there might be some kind of security vulnerability. One example is a check to see if information that is being transferred is not encrypted because this would be vulnerable to hackers who are trying to break into the system. We also look at whether were are using the network transport layer security.

Our overall goal at this time is to protect our mobile app because it is one of the ways that hackers can break into the system. 

Fortify on Demand is easy to use and the reporting is good.

As for the static code analysis functionality, it is doing the job that it is supposed to do. 

This solution cannot do dynamic application security testing. It needs to be able to simulate a situation where a hacker is trying to break into the system.

The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood. Adding more information to provide a better analysis would be an improvement.

This solution would benefit from having more customization available for the reports. 

We have been evaluating Fortify on Demand for close to a year.

Fortify on Demand has been stable from what I have seen. We have not had any problem with the reports, and we have not seen any instability or glitches.

In our trial, there are seven or eight applications that are relying on this solution. Different departments in our company have their own technology centers in different locations, and I am not aware of what the other departments are doing.

I have not interacted with the Fortify on Demand technical support team directly. Our own infrastructure support is the group that would deal with them. My team only communicates with our internal support.

We did not use another solution prior to starting our evaluation that includes Fortify on Demand. People were relying on some open-source static code analyzers. However, I don't think that it was very reliable.

My understanding is the this is not a difficult solution to manage and maintain.

Our server infrastructure team handles the deployment and maintenance of this solution. They update it regularly as patches or new versions are released. They look into all of the tools that we use and perform the installation, as well as manage them.

We are currently using WebInspect but it does not satisfy all of our requirements. We are continuing to research other tools from other vendors, including open-source technologies. We have not fully decided yet. Before deciding on any product or vendor, we have to look at the whole cost of procuring the product license, as well as the recurring cost.

Fortify on Demand is a product that I recommend but the suitability of this solution depends on exactly what the requirements are. Every product has a unique feature as well as limitations with respect to what it can and can not do. What it comes down to is how the application is built, as well as the technology stack. The licensing costs are also something that needs to be considered.

Overall, it is a very good tool and it works well for what it is designed for. 

I would rate this solution a seven out of ten.

We use this solution for our web applications. 

We have the option to scan web applications on demand. We have the option to do dynamic analysis. We also have an on-premise solution for static code analysis.

We have the option to test applications with or without credentials.

Overall, it's very good. They have very good support, but there is always room for improvement.

I've been using this solution for two to three years.

They are helpful, and we have a good relationship with them. I'd rate them an eight out of ten.

Positive

It was straightforward. It took us two or three months because we had to integrate with our DevOps and pipeline solutions. It took a bit of extra time.

In terms of maintenance, we need to update the version. Micro Focus releases new versions every two months or so.

We had our DevOps manager, and then we had two people from IT. We also had the support of the provider. We also worked with a partner to help us to implement faster.

I'd rate it an eight out of ten in terms of pricing.

Overall, I'd rate it a nine out of ten. We are very satisfied with it.

I mainly use Fortify on Demand for static scanning.

Fortify on Demand's best feature is that there's no need to install and configure it locally since it's on the cloud.

An improvement would be the ability to get vulnerabilities flowing automatically into another system.

I've been using Fortify on Demand for over a year.

Fortify on Demand's stability is fantastic - I've never seen slowness, and it performs consistently.

I previously used ShiftLeft, but Fortify on Demand gives me a portal, and it's much easier to get details about the issues affecting us.

The initial setup is very simple because no installation is necessary - you just need to access the application and configure it. 

We used a vendor team.

Fortify on Demand is moderately priced, but its pricing could be more flexible.

I would rate Fortify on Demand nine out of ten.

I am using Micro Focus Fortify on Demand for SAT analogies and data analysis.

The most valuable features of Micro Focus Fortify on Demand have been SAT analysis and application security.

Micro Focus Fortify on Demand can improve by having more graphs. For example,  to show the improvement of the level of security.

I have been using Micro Focus Fortify on Demand for approximately six months.

Micro Focus Fortify on Demand is stable.

The scalability of Micro Focus Fortify on Demand is good.

We have eight users using this solution. We plan to increase our usage in the future.

The technical support of Micro Focus Fortify on Demand is very good.

The initial setup of Micro Focus Fortify on Demand was simple. The deployment took approximately three or four days.

We have used a consultant for one deployment in the past. We have two people that do the deployment of the solution.

There are different costs for Micro Focus Fortify on Demand depending on the assessments you want to use. There is only a standard license needed to use the solution.

Micro Focus Fortify on Demand is a very easy-to-use solution. You don't need some technical staff. It's very easy to implement and use the application. I don't require assistance I only have my advisories that are users.

I rate Micro Focus Fortify on Demand a nine out of ten.

Fortify on Demand is primarily used in DevSecOps in a banking environment.

Fortify on Demand could be improved with support in Russia.

I've been working with Fortify on Demand for two years.

Fortify on Demand is stable.

Fortify on Demand can be scaled very easily.

Deployment takes between four to six months.

We use an in-house team.

Fortify on Demand is affordable, and its licensing comes with a year of support.

I would give Fortify on Demand a rating of nine out of ten.

Fortify is used for static scans — cold-scanning.

Fortify supports most languages. Other tools are limited to Java and other typical languages. IBM's solutions aren't flexible enough to support any language. Fortify also integrates with lots of tools because it has API support.

We have some stability issues, but they are minimal.

We've been using Fortify for two or three years

Fortify is stable. 

Fortify is scalable. 

Whenever we have any issues, Micro Focus support has been helpful. They have lots of products, and they're established in the market. When you open a ticket, you get an immediate response by phone.

The initial setup is straightforward and the second or third-tier support is available whenever we face an issue or something. Most of the components are plug-and-play, so it doesn't take much time. 

I rate Micro Focus Fortify on Demand. This is a good solution for doing static analysis. There is also a dynamic component, but we haven't used it because we are unsure how flexible it is. We are using it only for static scanning.

I use it for SAST, security analysis static code.

The features that I have found most valuable include its security scan, the vulnerability finds, and the web interface to search and review the issues.

In terms of what could be improved, we need more strategic analysis reports, not just for one specific application, but for the whole enterprise.

In the next release, we need more reports and more analytic views for all the  applications. There is no enterprise view in Fortify. I would like enterprise views and reports.

I am using Micro Focus Fortify on Demand for one year.

It is very stable.

It is scalable. Micro Focus Fortify on Demand requires a big hardware with a big processing capacity, but it is scalable.

Their customer support is very good. I sometimes need it, and I get the answer quickly. They are very helpful.

The initial setup is not so easy, but not so difficult. I would say it is medium difficulty.

On a scale of one to ten, I would give Micro Focus Fortify on Demand an eight.

We use it for normal, daily source code reviews and code analysis.

The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives.

It is easy to install, and the cost is fair.

I would like to see easier integration to CI/CD pipelines. The reporting format could be more user friendly so that it is easy to read.

I've been working with Micro Focus Fortify on Demand for three years.

There were some issues with it before, but I think they have been fixed now.

There were several limitations when I was using it before, but I am sure that they have been fixed by now.

My experience with technical support has been very good.

The initial setup is straightforward and not that complex. We had some support from IT.

The price is fair compared to that of other solutions.

If you are looking for commercial tools, Micro Focus Fortify on Demand is one of the best tools. It has all the features compared to those of its competitors. It is also within budget, if you're really focusing on security.

I would rate it at eight on a scale from one to ten.