OpenText Core Application Security Reviews

Our clients use it for scanning their applications and evaluating their application security. It is mostly for getting the application security results in, and then they push the vulnerabilities to their development team on an issue tracker such as Jira.

I usually have the latest version unless I need to support something on an older version for a client. We're not really deploying any of these solutions except for kind of testing and replicating the situations that our clients get into.

Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out.

It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available.

I have been using this solution for seven or eight months.

I've never seen any issues with stability or crashing, and it looks fine to me, but I don't run it long enough to see. If I was using it as a customer, it is always possible that I would see more issues.

Usually, I just run it against a single application. I don't know how it is if you are running it across a large enterprise.

Our clients are medium to large businesses. We have a lot of Fortune 500 companies, and scalability is very important to us. Our product is made to scale to hundreds of millions of findings from various tools. 

Most of what I've been doing with them is just getting help with being able to set up an environment and the license keys, and they've been pretty helpful. I haven't had many issues that required me to report a bug or a problem. I did deal with them maybe once for a tech problem, and they were very responsive. They seemed pretty good.

As compared to the other tools that I've worked with, it is probably in the middle range. It is definitely not the simplest one where you just run the installation, and it will be all done, but you also don't tend to run into too many problems that aren't easy to figure out during the install process. If you go from lowest to highest complexity, it would be right in the middle.

It seems like a good scanner than the other ones that we support, but there are some other products such as Prisma that seem more polished and have tighter integration with different types of scanners. Whether they've acquired different scanners or build them themselves, they do seem like a cohesive product, whereas Fortify seems a little bit more like a collection of several different products.

I would rate Micro Focus Fortify on Demand a seven out of ten.

We create technology solutions for clients and on one project we were requested to use Fortify on Demand after the client had read a good report about it. They sent us the report and recommended its use.

In this case, we were using Java to program the client's solution and so we used Fortify on Demand alongside our Java development operations, for the purpose of improving the application's security.

The work we were doing for the client involved creating a billing system that they would use to manage payments and taxes for other companies in Chile. We've only used Fortify on Demand for this one client so far. 

Because Fortify on Demand was so new to us, we decided to go with the trial version first and figure out the costing at a later stage.

Fortify on Demand has helped us more easily ensure the security of our client's application, which works with sensitive information such as payments and taxation. Without it, we would have to spend much more time finding hidden weaknesses in our code.

One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that.

Another reason I like Fortify on Demand is because our code often includes open source libraries, and it's important to know when the library is outdated or if it has any known vulnerabilities in it. This information is important to us when we're developing our solutions and Fortify on Demand informs us when it detects any vulnerable open source libraries.

During development, when our developer makes changes to their code, they typically use GitHub or GitLab to track those changes. However, proper integration between Fortify on Demand and GitHub and GitLab is not there yet. Improved integration would be very valuable to us.

Similarly, I would love to see some kind of tracing solution for use in stress testing. So when we stress the application on a certain page or on a certain platform, we would be able to see a complete stress test report which could quickly tell us about weak points or failures in the application. 

Further potential for improvement is that, when we deploy our Java WAR files for review in the QA area, we want to be able to create a report in Fortify on Demand right from within this deployment stage. So it might inspect or check the solution's Java WAR package directly and come up with a report in this crucial phase of QA. 

I have been using Fortify on Demand for about a month or so. 

Overall, we have not had any issues with stability, although we have not used it for very long.

We have had no problems with scalability in our current use case, which is only one client at the moment. As a cloud service, it has satisfied our requirements well and we haven't had any situations where scalability is an issue.

When we sent a question about the product to their support team, we had to wait a while but they did send us a response eventually. I think that they could work on reacting faster to support questions.

We have also tried SonarQube, but Fortify on Demand appealed to us more due to their source code review with emphasis on open source vulnerabilities. Fortify seems stronger in that aspect and we like to use many open source libraries in our work. 

The setup is easy and it only takes about 30 minutes to perform a basic code review in Java when dealing with WAR files.

It can get more complicated when you want to fine-tune the reporting interface to give only the details that you want to see. This is because the initial configuration depends on other variables like the scope of the review, the client's preferences, the technician's preferences, and other factors.

When it comes to launching Fortify on Demand and connecting it to our codebase, it's quite easy. Getting quick reviews done on WAR files is a relatively simple procedure.

Our company implements Fortify on Demand ourselves on behalf of our client. When the client requests any changes, we then implement it for them.

We are still using the trial version at this point but I can already see from the trial version alone that it is a good product. For others, I would say that Fortify on Demand might look expensive at the beginning, but it is very powerful and so you shouldn't be put off by the price.

In our case, we are constrained by the client's budget, but others might find that the price is not too bad. It all depends on the budget.

For us, Fortify on Demand is a good quality product that I can recommend for a few reasons, including:

• Very useful source code review and vulnerability detection.
  

• Clear and easy-to-read test results and reports.
  

• Good integration with other platforms during development.
  

I would rate Fortify on Demand a nine out of ten.

All in-house developed code or a third-party developed code on our behalf is scanned via Fortify on Demand. Any results for unsecure code, vulnerabilities, or issues are passed back to the development teams for remediation.

Secure code is an important part of our day-to-day development activities. So, having code out there gives us some reasonable assurance that it is not vulnerable or open to attack. It certainly makes our overall risk posture better.

Being able to reduce risk overall is a very valuable feature for us.

They have a release coming out, which is full of new features. Based on their roadmap, there's nothing that I would suggest for them to put in it that they haven't already suggested. However, I am a customer, so I always think the pricing is something that could be improved. I am working with them on that, and they're very flexible. They work with their customers and kind of tailor the product to the customer's needs. So far, I am very happy with what they're able to provide. Their subscriptions could use a little bit of a reworking, but that would be about it.

It is a very stable product. They are constantly updating and keeping it up to date. There are no issues.

It is extremely scalable and flexible. We scan very small applications from our in-house innovations team and all the way up to millions of lines of code from our e-commerce teams. We currently have about 50 users, but the number varies. Some development teams are fairly small, and some are fairly large.

Technical support is very good. I've never had an issue that we couldn't resolve. If we have a scan running and we need it to finish sooner, they will allocate extra resources to it if we identify. We've had very good results with their tech support.

This is the first solution that was implemented. I inherited this from somebody else. We are a government organization, so we have to do an RFP next year to renew. We'll see how it goes.

The basic scanning is not very complex. When you get into more detailed scanning such as APIs, the level of complexity is moderate. However, when you are scanning that type of application, you usually have teams available that know what to do and what the configuration needs to be. We did our first scan within two days.

It was implemented in-house. We have in-house expertise. Our strategy was basically just to stand it up and use the default settings initially with a pilot. We planned to do some pilot scans and get a good feel for the product, and then adjust accordingly on an ongoing basis.

I managed it for two years single-handedly. As we expand and add more and more applications, we are adding extra hands. If we're looking at an FTE, equivalency is probably 0.5 to 0.75 people to manage it.

Looking for a return on investment on security is a little challenging. Some CIOs might argue one way or another. Some look at it as a cost, and some look at it as cost avoidance. I'm a security professional, and I look at it as cost avoidance. So, we're avoiding breaches, people being able to manipulate the code or cause any issues, and downtime. I always look at the positives of the product. If we eliminate any of the security risks or attack factors on these products before they go live, we're doing due diligence in making sure that the product stays up and running, especially for something like e-commerce.

Their subscriptions could use a little bit of a reworking, but I am very happy with what they're able to provide.

We plan to keep using this solution. Every year, we seem to have more and more code, and they add more and more features such as third-party library assessments, etc. Open source has become a big thing as companies try and save money, but with open source comes additional risk. This solution helps us mitigate the risk of those open-source components. So, we're using this more and more as we move forward.

The important part of this is automation. There are lots of automation options for this tool. Initially, trying to do it manually was a great start, but we kind of got lost a little bit along the way of implementing it. We should have done more automation right from the beginning, made it our standard, and created the policies. Sometimes, you put the cart before the horse. The tool does a great job, and you get lost in the results. It does provide good results and good information, but I think it's very important to have those policies and procedures in place right up front with this product. It will save you a lot of time in the end.

The biggest lesson that I have learned from using this product is that even if you have the best people, there are always vulnerabilities and things that will surprise you.

I would rate Micro Focus Fortify on Demand a nine out of ten.

We use this solution for our web applications. 

We have the option to scan web applications on demand. We have the option to do dynamic analysis. We also have an on-premise solution for static code analysis.

We have the option to test applications with or without credentials.

Overall, it's very good. They have very good support, but there is always room for improvement.

I've been using this solution for two to three years.

They are helpful, and we have a good relationship with them. I'd rate them an eight out of ten.

Positive

It was straightforward. It took us two or three months because we had to integrate with our DevOps and pipeline solutions. It took a bit of extra time.

In terms of maintenance, we need to update the version. Micro Focus releases new versions every two months or so.

We had our DevOps manager, and then we had two people from IT. We also had the support of the provider. We also worked with a partner to help us to implement faster.

I'd rate it an eight out of ten in terms of pricing.

Overall, I'd rate it a nine out of ten. We are very satisfied with it.

The solution is used for web application listing, like, SaaS.

The solution is user-friendly.

I would like the solution to add AI support.

I have been using the solution for one month.

I give the stability a nine out of ten.

I give the scalability a nine out of ten.

We have three people using the solution in our organization.

I am satisfied with the technical support.

Positive

We previously used SonarQube which is an open-source solution. We switched because we needed an easy-to-understand and configure UI.

I give the initial setup a nine out of ten. The deployment took a few hours and required one person to implement.

I give the solution a nine out of ten.

I recommend the solution to others and I am totally satisfied with it.

I mainly use Fortify on Demand for static scanning.

Fortify on Demand's best feature is that there's no need to install and configure it locally since it's on the cloud.

An improvement would be the ability to get vulnerabilities flowing automatically into another system.

I've been using Fortify on Demand for over a year.

Fortify on Demand's stability is fantastic - I've never seen slowness, and it performs consistently.

I previously used ShiftLeft, but Fortify on Demand gives me a portal, and it's much easier to get details about the issues affecting us.

The initial setup is very simple because no installation is necessary - you just need to access the application and configure it. 

We used a vendor team.

Fortify on Demand is moderately priced, but its pricing could be more flexible.

I would rate Fortify on Demand nine out of ten.

I am using Micro Focus Fortify on Demand for SAT analogies and data analysis.

The most valuable features of Micro Focus Fortify on Demand have been SAT analysis and application security.

Micro Focus Fortify on Demand can improve by having more graphs. For example,  to show the improvement of the level of security.

I have been using Micro Focus Fortify on Demand for approximately six months.

Micro Focus Fortify on Demand is stable.

The scalability of Micro Focus Fortify on Demand is good.

We have eight users using this solution. We plan to increase our usage in the future.

The technical support of Micro Focus Fortify on Demand is very good.

The initial setup of Micro Focus Fortify on Demand was simple. The deployment took approximately three or four days.

We have used a consultant for one deployment in the past. We have two people that do the deployment of the solution.

There are different costs for Micro Focus Fortify on Demand depending on the assessments you want to use. There is only a standard license needed to use the solution.

Micro Focus Fortify on Demand is a very easy-to-use solution. You don't need some technical staff. It's very easy to implement and use the application. I don't require assistance I only have my advisories that are users.

I rate Micro Focus Fortify on Demand a nine out of ten.

Fortify on Demand is primarily used in DevSecOps in a banking environment.

Fortify on Demand could be improved with support in Russia.

I've been working with Fortify on Demand for two years.

Fortify on Demand is stable.

Fortify on Demand can be scaled very easily.

Deployment takes between four to six months.

We use an in-house team.

Fortify on Demand is affordable, and its licensing comes with a year of support.

I would give Fortify on Demand a rating of nine out of ten.