Information Security Engineer at a comms service provider with 501-1,000 employees
Real User
May 11, 2021
Provides a lower number of false positives and is reliable and easy to use
Pros and Cons
  • "The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives."
  • "Integration to CI/CD pipelines could be improved. The reporting format could be more user friendly so that it is easy to read."

What is our primary use case?

We use it for normal, daily source code reviews and code analysis.

What is most valuable?

The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives.

It is easy to install, and the cost is fair.

What needs improvement?

I would like to see easier integration to CI/CD pipelines. The reporting format could be more user friendly so that it is easy to read.

For how long have I used the solution?

I've been working with Micro Focus Fortify on Demand for three years.

Buyer's Guide
OpenText Core Application Security
January 2026
Learn what your peers think about OpenText Core Application Security. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,733 professionals have used our research since 2012.

What do I think about the stability of the solution?

There were some issues with it before, but I think they have been fixed now.

What do I think about the scalability of the solution?

There were several limitations when I was using it before, but I am sure that they have been fixed by now.

How are customer service and support?

My experience with technical support has been very good.

How was the initial setup?

The initial setup is straightforward and not that complex. We had some support from IT.

What's my experience with pricing, setup cost, and licensing?

The price is fair compared to that of other solutions.

What other advice do I have?

If you are looking for commercial tools, Micro Focus Fortify on Demand is one of the best tools. It has all the features compared to those of its competitors. It is also within budget, if you're really focusing on security.

I would rate it at eight on a scale from one to ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Project Manager at a tech services company with 10,001+ employees
Real User
Jan 29, 2021
Great cost benefit with good stability and reduces exposure and remediation issues
Pros and Cons
  • "The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation."
  • "There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes."

What is our primary use case?

We're implementing DevSecOps, and Fortify is only a part of the big picture. We are implementing the entire secure development lifecycle.

What is most valuable?

The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation.

What needs improvement?

There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes.

The initial setup is a bit complex.

We could have more detailed documentation. They could offer some quick start or some extra guidance regarding the implementation.

I'd like to see more interactive application security, more IDE integration, and integration with VS Code and Eclipse. I would like to see more features of this kind.

For how long have I used the solution?

I've used this solution over the last 12 months at least.

What do I think about the stability of the solution?

The solution is stable. It's reliable. It doesn't crash or freeze. There aren't bugs or glitches.

What do I think about the scalability of the solution?

We haven't tried to scale the solution just yet. As we didn't take the SaaS solution, scalability may be limited for us. I'm unsure. I can't really comment on that.

Currently, we have about 20 people on the development team.

Right now, we don't plan to increase usage.

How are customer service and technical support?

The technical support is fine, however, it would be very helpful, especially during implementation, if there was more documentation and help surrounding setup.

Which solution did I use previously and why did I switch?

We did not use a different solution previously. Before we had this solution, we were just evaluating other solutions and looking at the costs, and trying to bring in something newer, like an integrated automated secure stack, or something like that.

How was the initial setup?

We found the initial setup a bit complex. It's not exactly straightforward. For a newbie, there's a learning curve, and that can slow things down a bit.

Our deployment took about three to four months.

What about the implementation team?

We only deployed in our company and we didn't use a consultant or integrator. We handled it completely in-house.

What was our ROI?

At this time, I don't have an answer on the return of investment. As far as I can see, it's necessary. If we got exposed or had a data leak it would cost the company dearly. With that in mind, while I can see there's an ROI, I can't provide an exact number.

What's my experience with pricing, setup cost, and licensing?

We pay for licensing. We do pay an extra cost for implementing the infrastructure into the cloud. 

Which other solutions did I evaluate?

I've briefly looked at Kiuwan and compared it to this solution. We also looked at Veracode.

What other advice do I have?

We're just a customer and we offer consulting services.

We are bringing up all the infrastructure inside GCP. It's not ready yet, and we're still implementing it. We're going to bring it up next week, probably, in terms of the infrastructure. We'll perform the SSC installation, install the controller and sensors.

The most important thing a company needs to do is to pay attention to the license calculation. They need to know how many licenses are going to be used. They need to understand the Micro Focus offer. That way, you won't be charged if you have surpassed the application limit. This is very important. That's something we faced in the past that caused a lot of problems. We needed to estimate the sizing correctly of the infrastructure. Doing that will bring value to the builds and deployments. Otherwise, you're going to spend a lot of time doing the scanning, and the developers will be very mad.

I'd rate the solution ten out of ten. It's the best on the market for me.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Jason Lebrecht US, Sr. Manager 5G & MEC (Edge) Strategy at a tech services company with 10,001+ employees
Top 20, Real User

Hello Fernando, great to see that the Fortify solution continues to provide value by reducing risk. Great honest review.



Jason Lebrecht

reviewer1361028 - PeerSpot reviewer
Information Security Manager at a tech services company with 501-1,000 employees
Real User
Dec 1, 2020
Easy to set up, stable and scalable
Pros and Cons
  • "It's a stable and scalable solution."
  • "Reporting could be improved."

What is our primary use case?

We use Micro Focus Fortify on Demand to access web applications and more.

What needs improvement?

Reporting could be improved. It would be nice to export to an Excel sheet or another spreadsheet. At the moment, my only option is a PDF.

Micro Focus Fortify on Demand is tailored towards more web application APIs, and I would like to see mobile applications added to the next release.

For how long have I used the solution?

We've been using Micro Focus Fortify on Demand for almost two years.

What do I think about the stability of the solution?

Micro Focus Fortify on Demand is a stable solution.

What do I think about the scalability of the solution?

Micro Focus Fortify on Demand is a scalable solution.

How was the initial setup?

The setup and installation were straightforward. 

What other advice do I have?

On a scale from one to ten, I'll give it an eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user1345719 - PeerSpot reviewer
Project Analyst at a financial services firm with 1,001-5,000 employees
Real User
Oct 31, 2020
A cost-effective and intuitive solution for checking vulnerabilities during the development process
Pros and Cons
  • "The most valuable feature is the capacity to be able to check vulnerabilities during the development process. The development team can check whether the code they are using is vulnerable to some type of attack or there is some type of vulnerability so that they can mitigate it. It helps us in achieving a more secure approach towards internal applications. It is an intuitive solution. It gives all the information that a developer needs to remediate a vulnerability in the coding process. It also gives you some examples of how to remediate a vulnerability in different programming languages. This solution is pretty much what we were searching for."
  • "It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team."

What is our primary use case?

We use it for statistical analysis for Java applications that are used in the collection process of a bank. It is also used for an internal web page. The tellers use this web page in the branches to make money transactions, such as withdrawals, deposits, etc.

What is most valuable?

The most valuable feature is the capacity to be able to check vulnerabilities during the development process. The development team can check whether the code they are using is vulnerable to some type of attack or there is some type of vulnerability so that they can mitigate it. It helps us in achieving a more secure approach towards internal applications.

It is an intuitive solution. It gives all the information that a developer needs to remediate a vulnerability in the coding process. It also gives you some examples of how to remediate a vulnerability in different programming languages. This solution is pretty much what we were searching for.

What needs improvement?

It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. 

They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team.

For how long have I used the solution?

I have been using this solution for two or three months.

What do I think about the stability of the solution?

It has been pretty stable.

What do I think about the scalability of the solution?

It is scalable, but we haven't scaled it much. Currently, we have ten users, but it is capable of taking many more users.

How are customer service and technical support?

Their support is good, but sometimes, they take a bit longer. For high severity incidents, they should properly identify the team that has to be engaged to solve an issue. I would rate them an eight out of ten.

How was the initial setup?

The initial setup was pretty much straightforward. It was quite easy to implement. 

It is quite intuitive, and the training model that they have helps the development team in using it easily. The deployment process took only about two weeks.

In terms of the implementation strategy, it started with a kickoff meeting with the provider who offered the solution. We involved the development team, security information team, and infrastructure team from the beginning. They all knew what can be done with the solution and what role they are going to play in the implementation process, which helped a lot to achieve a pretty short implementation time.

What's my experience with pricing, setup cost, and licensing?

It is cost-effective.

What other advice do I have?

It is a great solution. It is cost-effective for a secure development process. If an enterprise wants to adopt the DevOps process, Micro Focus Fortify on Demand is a great starting point. 

I would rate Micro Focus Fortify on Demand a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Co-Founder at a tech services company with 1-10 employees
Real User
Oct 13, 2020
A feature-rich solution for simplified designing and architecting
Pros and Cons
  • "Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices. Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much."
  • "In terms of communication, they can integrate a few more third-party tools. It would be great if we can have more options for microservice communication. They can also improve the securability a bit more because security is one of the biggest aspects these days when you are using the cloud. Some more security features would be really helpful."

What is our primary use case?

We are architecting applications for e-commerce websites similar to Amazon. Everything is running on the cloud, and Micro Focus Fortify on Demand is totally integrated with our solution at this point in time.

What is most valuable?

Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices.

Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much.

What needs improvement?

In terms of communication, they can integrate a few more third-party tools. It would be great if we can have more options for microservice communication.

They can also improve the securability a bit more because security is one of the biggest aspects these days when you are using the cloud. Some more security features would be really helpful.

For how long have I used the solution?

I have been using this solution for three years.

What do I think about the stability of the solution?

We have not come across anything major. We have been using it for quite a while, and we are happy with it. 

What do I think about the scalability of the solution?

Scalability is good. Our customer bases are not that huge. Bigger enterprises may have trouble in scaling it, but for our load of work, it is working fine.

We have more than ten users. We are a very small startup, and we don't have too many people. 

How are customer service and technical support?

Till now, we have not raised any tickets. If we are stuck with something, we just google and find out. We use their documentation, which is good enough. That's why we didn't raise any technical queries or things like that.

How was the initial setup?

It was good. I don't think we struggled that much.

What about the implementation team?

We implemented it ourselves. We have two people to maintain this solution.

Which other solutions did I evaluate?

We didn't evaluate any other solution. I was trying to find out which solution should I use, and I just saw good reviews of this solution. This was the first solution that we tried out, and we liked it. We started with a trial, and it was doing good. Our necessities were met, so we didn't try to figure out any other competitive tool in the market. 

What other advice do I have?

You can choose this product for sure with a lot of confidence. It entirely depends on how you are exploring the stuff and trying to integrate it. Designing has to be good. It has all the features, but exploring the features and using it as per your need is important. It is not that features are not there. You just need to explore them and know how to use them. 

I would rate Micro Focus Fortify on Demand an eight out of ten. It is a good product. However, it needs improvements from the security aspect and from the aspect of integrations with other popular tools in the market.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1210665 - PeerSpot reviewer
Production Manager for Nearshore SWaT at a computer software company with 1,001-5,000 employees
Real User
Aug 25, 2020
Stable and shows the vulnerabilities online while checking the code, but it is quite expensive
Pros and Cons
  • "The feature that I find the most useful is being able to just see the vulnerabilities online while checking the code and then checking suggestions for fixing them."
  • "The thing that could be improved is reducing the cost of usage and including some of the most pricey features, such as dynamic analysis and that sort of functionality, which makes the difference between different types of tools."

What is our primary use case?

We use Micro Focus Fortify on Demand to check the vulnerabilities of developments that we perform.

What is most valuable?

The feature that I find the most useful is being able to just see the vulnerabilities online while checking the code and then checking suggestions for fixing them.

What needs improvement?

The thing that could be improved is reducing the cost of usage and including some of the most pricey features, such as dynamic analysis and that sort of functionality, which makes the difference between different types of tools.

For how long have I used the solution?

I have been using this product for four years. 

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

It is scalable. However, it poses a challenge in terms of pricing and licensing.

How are customer service and technical support?

I haven't contacted their support, but I know that a team was in touch with Fortify technical support because they do get to have a lot of questions about migrating the software, licensing, and other stuff. They contact the support quite often. I know that they get responses, not always the ones they would like, but they do get a response from them.

Which solution did I use previously and why did I switch?

I have used SonarQube but not at the same level. It has some functionalities that are related to security. It does not go as deep as Micro Focus Fortify on Demand. 

We have evaluated other tools that are competitors of Micro Focus Fortify on Demand, but we still decided to keep Micro Focus Fortify on Demand.

How was the initial setup?

I wasn't responsible for setting it up. 

What about the implementation team?

We have a team that works with the product. All development teams work with this team to accomplish the goals. Everything was set up by this team, and afterward, the development team just has to look at the reports and vulnerabilities so that they can run scans.

What's my experience with pricing, setup cost, and licensing?

It is quite expensive. Pricing and the licensing model could be improved. 

What other advice do I have?

Before using it, evaluate other possibilities because it's quite expensive if you don't have the need to use it. For example, replace it with SonarQube or another competitor's tool that may not do quite the same thing, but it is enough for what you want for your objectives. It could be a cheaper way to get to those goals.

I would rate Micro Focus Fortify on Demand a seven out of ten. Improvement in pricing would be the biggest thing that would improve the scoring.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Vice President - Solution Architecture at a financial services firm with 10,001+ employees
Real User
Jan 16, 2020
Easy to use and the reporting is good, but does not support dynamic application security testing
Pros and Cons
  • "Fortify on Demand is easy to use and the reporting is good."
  • "The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood."

What is our primary use case?

We are using Fortify on Demand as a static code analyzer. As it scans each application, it checks each line of code. When we are developing mobile applications there might be some kind of security vulnerability. One example is a check to see if information that is being transferred is not encrypted because this would be vulnerable to hackers who are trying to break into the system. We also look at whether we are using the network transport layer security.

Our overall goal at this time is to protect our mobile app because it is one of the ways that hackers can break into the system. 

What is most valuable?

Fortify on Demand is easy to use and the reporting is good.

As for the static code analysis functionality, it is doing the job that it is supposed to do. 

What needs improvement?

This solution cannot do dynamic application security testing. It needs to be able to simulate a situation where a hacker is trying to break into the system.

The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood. Adding more information to provide a better analysis would be an improvement.

This solution would benefit from having more customization available for the reports. 

For how long have I used the solution?

We have been evaluating Fortify on Demand for close to a year.

What do I think about the stability of the solution?

Fortify on Demand has been stable from what I have seen. We have not had any problem with the reports, and we have not seen any instability or glitches.

What do I think about the scalability of the solution?

In our trial, there are seven or eight applications that are relying on this solution. Different departments in our company have their own technology centers in different locations, and I am not aware of what the other departments are doing.

How are customer service and technical support?

I have not interacted with the Fortify on Demand technical support team directly. Our own infrastructure support is the group that would deal with them. My team only communicates with our internal support.

Which solution did I use previously and why did I switch?

We did not use another solution prior to starting our evaluation that includes Fortify on Demand. People were relying on some open-source static code analyzers. However, I don't think that it was very reliable.

How was the initial setup?

My understanding is that this is not a difficult solution to manage and maintain.

What about the implementation team?

Our server infrastructure team handles the deployment and maintenance of this solution. They update it regularly as patches or new versions are released. They look into all of the tools that we use and perform the installation, as well as manage them.

Which other solutions did I evaluate?

We are currently using WebInspect but it does not satisfy all of our requirements. We are continuing to research other tools from other vendors, including open-source technologies. We have not fully decided yet. Before deciding on any product or vendor, we have to look at the whole cost of procuring the product license, as well as the recurring cost.

What other advice do I have?

Fortify on Demand is a product that I recommend but the suitability of this solution depends on exactly what the requirements are. Every product has a unique feature as well as limitations with respect to what it can and can not do. What it comes down to is how the application is built, as well as the technology stack. The licensing costs are also something that needs to be considered.

Overall, it is a very good tool and it works well for what it is designed for. 

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1263261 - PeerSpot reviewer
Sr. Enterprise Architect at a financial services firm with 5,001-10,000 employees
Real User
Jan 15, 2020
Good development platform integration promotes a culture of Security by design
Pros and Cons
  • "The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira."
  • "This solution would be improved if the code-quality perspective were added to it, on top of the security aspect."

What is our primary use case?

I have been using this solution to gain some perspective from different architectures for the security team. I do not use it every day. I do have an overview and it is integrated with our development platform.

I do work for our governance team, so whenever a project is coming I will review products. I need to connect with the project managers for testing them, and these tests include the vulnerability assessment along with other security efforts. One of the things that I suggest is using Micro Focus Fortify on Demand.

The primary use case is core scanning for different vulnerabilities, based on standards. It begins with an architect who designs a model on a security-risk advisor platform. Then you have an idea of what the obstacles are. Once the code is scanned according to standards, you figure out where the gaps are. The team then suggests what needs to be done to the code to fix the vulnerabilities. The process repeats after the code is fixed until all of the vulnerabilities have been eliminated.

When you take all of these things together, it is Security by design.

What is most valuable?

The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira. When a vulnerability is found then it is classified as a bug and sent to IT.

What needs improvement?

This solution would be improved if the code-quality perspective were added to it, on top of the security aspect. It would rate performance and other things. This is one of the reasons that people are interested in SonarQube. This would make it a more complete and unique platform that would be a great player in the industry.

For how long have I used the solution?

We have been using Micro Focus Fortify on Demand over the past four years.

What do I think about the stability of the solution?

This is a very stable solution. Once it is deployed there are not a lot of challenges.

What do I think about the scalability of the solution?

This platform is very much scalable in terms of integrating with other solutions.

We have about 600 developers, but I think that we have between 300 and 400 who are using Fortify on Demand.

How are customer service and technical support?

I have not been in touch with technical support from the vendor.

Our technical support team is comprised of three people. Two of them help to demonstrate the product and instruct people on how it works. The other one is connected to the development team and can help with troubleshooting issues.

Which solution did I use previously and why did I switch?

We also use WebInspect, SonarQube, and other security tools in addition to this solution. The use of particular tools depends on the project and the project manager that I speak with.

Prior to working with Fortify on Demand, we worked using the code analysis capability in Microsoft Visual Studio. That is where you have things like the recommended best practices for .NET. It flags what looks like bugs.

How was the initial setup?

The initial setup was quite simple.

I performed the deployment a couple of times on different platforms and it did not take much effort to set up. I also did the integration with other platforms like Microsoft Information Server and it was quite easy. You just need to know the platform that you are integrating into.

When it came time to deploy, I just had to run through the documentation on the vendor's web site. I spent one day reading it and on the second day, I did my integration. It took about eight hours that day, and I had challenges but they came from the platform that I was integrating into, like Microsoft Information Server. There were things to be done, such as converting XML files. The next day I was able to fix the problems, so in total it took me between nine and twelve hours to integrate it.

The second time that I deployed this solution it took me not more than two or three hours to repeat all of these same steps.

What about the implementation team?

I had one person from Fortify to assist me with the deployment and integration with Microsoft Information Server. We also had some peers working with us. For example, I had the global head of security assurance working with me. Between us, we got everything working.

Which other solutions did I evaluate?

We did not evaluate other vendors beyond the solutions that we are using.

What other advice do I have?

My advice to anybody who is considering this solution is to first get buy-in from the entire organization about adopting a culture of Security by design. Fortify on Demand can scan your code, but you need to have plans in place for what needs to be done when problems are identified. It may mean that things will have to change with regards to how code is being written. It may also require integration with other platforms. You can't just start scanning without first understanding what the security architecture is. You need to understand the vulnerabilities and all of the standards, as well. Essentially, I would recommend a security design overhaul.

I would rate this solution an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user