OpenText Core Application Security Reviews

We recommend this product to our customers. We act as vendors and resellers. This is actually one of the solutions we often recommend to our customers most often. Usually, this is the best choice for banking and financial institutions. It is deployed by their development team in-house. They use it to manage and test product lifecycles.  

We actually find all of the product's features valuable. But at this point, we are trying to upsell by adding additional components like RAFT (Re-usable Automation Framework for Testing) to the test cycle.  

Strictly in terms of this product, I think it is a top-notch solution and I think the technology is still the best on the market. What might be improved is maybe just look at the pricing. It is a bit confusing compared to other products that we also sell.  

Whatever innovation they can come up with would be an excellent addition if it adds useful functionality. The only thing I can think of that they might add is something like features you can find in Codebashing that they have not yet implemented. I don't know if it has all of those features. If not, it would be useful for something like that to be added.  

We have been suggesting the product since before the merger with Hewlett Packard.  

This is a very stable product.  

This product is scalable. Most of our customers are enterprise customers. I can point out three off the top of my head. If the product can scale to the enterprise level, it makes sense that it is quite scalable.  

The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to. Micro Focus has a whole lot of solutions that are of value in our region, but it seems that they are not doing a proper job of coordination of knowledge. There is a huge knowledge gap from the Micro Focus team in the way they support businesses. We were hoping that the transition was the thing that affected the lack of better support. But by now we should be able to point to who the person is that is in charge and the person to talk to when it comes to the various products. I really don't know anybody in charge of the technical team to help us properly with issues.  

I think the initial setup for the on-demand product is straightforward. The product installed on-premises is somewhat complex. For this reason, it is better that the on-premises version is installed with the help of integrators or consultants. 

I would definitely recommend Micro Focus Fortify any day for clients who are looking for a good security solution.  

On a scale from one to ten where one is the worst and ten is the best, I would rate Micro Focus Fortify on Demand as a nine out of ten.  

What is most useful is how you can have related features upgraded on the tools. The tools themselves have details for the code as well, where the issues have been flagged, and all the vulnerabilities are there, in one place.

The solution has some problems with latency. Sometimes it takes a while to respond. This issue should be addressed.

They should improve the data path where the issue has been flagged. They can improve the flow module details. If you can understand from the data flow or data path what is happening, you can better understand what the issue is.

The solution is very stable.

The solution is okay in terms of scalability. I'm still not really familiar with the tool, and I'm still learning from it. So far, I think it has a good ability to scale.

Technical support is okay. They have a platform that you can create tickets on. Once you raise a ticket, support is quick to help you. 

If they wanted to improve technical support they could offer meetings with the developer or security team.

It's a cloud-based solution, so there was no installation involved.

We use the cloud deployment model of the solution.

Whether or not you decide to implement the solution depends on the use case. It depends on if the user has a big application or multiple lines of code which need to be scanned. New users need to do POC so they can investigate if this tool fits in their company or their enterprise before they begin implementation. Everyone should do a comparison before implementing or doing the rollout of any security tool.

I would rate the solution seven out of ten.

Our primary use case for this solution is static code analysis.

This solution has helped us to improve our security processes.

The static code analyzers are the most valuable features of this solution.

The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment. It needs a better configuration and more options for reports.

The solution is working, so I would say that its stability is fine.

We have approximately twenty users who perform code scanning. They are developers and security experts. We do plan to increase our usage of this solution in the future.

Technical support for this solution is fine.

The initial setup of this solution is straightforward.

It took approximately two hours to deploy, and because it is a cloud-based solution it does not require anybody for maintenance.

We handled the implementation in-house.

All I can say is that it is reducing security issues.

We evaluated Veracode before choosing this solution.

This solution works, so I suggest using it.

I would rate this solution an eight out of ten.

We use Fortify on Demand to test our e-commerce website. We do static codes testing before it goes live.

Before we migrate a new code to our production website, it is scanned with Fortify and all security vulnerabilities are identified. Then we try to remediate them so we don't expose ourselves.

I've been involved in deciding what's right or wrong. I've been involved in deciding on the product early on, and then if we should go on-premise or in the cloud, if we should build it into part of the software development life cycle or if we should do it on demand before we go to production. I've been involved in a lot of that. I've been involved in working with the development team to decide what is a vulnerability and what is not, and which vulnerabilities we need to take to heart, regardless if we understand what it is that we should ignore, and regardless of the fact that we think it's highly critical.

The product, in general, is meant to scan the website and identify any vulnerabilities: a known vulnerability across that script and SQL injection or other vulnerabilities from OWASP top 10, etc. That is what we're using this for.

The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it. 

Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. And they try to look at it saying, "Okay. From a pure standards perspective, this is a critical vulnerability for you." Which in reality, if you would really try to exploit it, you'd see that we actually did cross a little something around it, and the vulnerability is not there. So they would expect to have a certain type of a formatting requirement around a specific field to avoid being able to put in special characters. They would assume that because we don't have that, it's a vulnerability. But in reality, you actually do have a custom function that has been defined somewhere else in the code and these fields are subject to that function. I don't carry along with that in the same way as the application really does. That's something that we found that needs improvement.

We're actually going to transfer from them, and the main reason is that there is nobody home. We could have tickets open with them for months trying to escalate and have them remediate certain false positives as I described. We have had no success bringing this product to a level that we feel there's not too much noise. It gives you specifically what you need. You could take it at face value and run with it.

We're going to switch to Checkmarx. We're in the middle of the deployment.

Stability is good. The product works.

Scalability is irrelevant to us because it's in the cloud. For the past few years, we've been using it in the cloud, so it's a common scanner. It's not handling transactions. It's not a firewall or an antivirus that you have doing real-time transactions. It looks at the code and the volume of code we migrate. We write a lot of code every week, but it's still within reason. We're not talking about thousands of developers sending code at the same time. So I don't think that scalability was much in our conversation.

The product is being used by the e-commerce application development team, and we have senior developers who are responsible to scan and evaluate security concerns that come out of the product. We also have a lead security person and a development team who are responsible to oversee this and ensure that the issues are being addressed.

Deployment and maintenance, are not really applicable because it was somebody at DNH working with the company, setting it up. We did not put it into part of the platform of real-time migration, such that the code automatically goes there, marks it, and allows it to go to production or not. We didn't go that route, so it really didn't need too many people to be involved in the deployment.

The technical support is just not there. We have open tickets. They don't respond. Even if they respond, we don't see eye to eye. As the company got sold and bought, the support got worse.

Our website is complex, so the setup is also complex. By definition, we expected it to be complex, and Checkmarx should also be complex because of the culture, habits, and complexity of our custom-developed website. Our website is not an off-the-shelf product, so there's a lot of complexity that comes with it by nature. But that's okay.

The initial deployment goal was to scan every bit and byte of code on the production e-commerce site. That was the plan. We started rolling this out and then we started sending tests. We went back and forth on whether we should make it in-line automatic that we scan sales, in a way that it would not allow the code to move further, or if we should do it off to the side, such that the application development life cycle continues to run separately, while somebody is scanning it making sure we dissolve all the issues. So we tried both routes. There are benefits to each, and it's definitely safer to do it in-line. Again, the culture, habits, and technology's use mean that it is not always best to do it in-line because it could become too complicated and break too many things. So we actually switched that. There is a person that does that. It's not built into the migration system by default. Somebody is scanning it and then moves to the next one.

We worked with them and they helped us deploy. We tried a few different versions. We tried on-premise, and then we went to the cloud. Fortify on Demand is the cloud-based version, which we're using now.

Our experience with their developer team was good. But now, over time, the company went from a partner to a disconnected environment. Overall, the experience started out with a back and forth and an active relationship but over time, they became very disconnected.

It's a yearly contract, but I don't remember the dollar amount.

I don't remember if we evaluated anybody else. I think Fortify was recommended through a consultant. Some years ago, there were not so many vendors at a time playing in this arena. There's not so many today for static analysis, but I don't think that we really evaluated any others.

I would advise others not to use Fortify, but rather get something like Veracode or Checkmarx. The most important thing is not the functionality of the product. The most important thing is the knowledge, support, and availability of the team of security specialists as a vendor, that you have somebody to work with and talk to. Everybody's website is different, and if you try to use the product out of the box the way they built it and you have nobody to talk to to figure out how to tweak your application or the product to reduce the noise and the false positives, it becomes literally useless. So I would not advise anybody to go to Fortify based on the fact that they really don't have a very forthcoming support team and availability.

Could be the other options would provide professional services, but that's not the point. The point is that if you want to pick up the phone and send them an email, open a ticket saying that, "This is a false positive," somebody should get back to you. So I don't think that Fortify's a viable option still these days based on the fact of where they sit and how they operate.

I would rate the product a four out of ten. It works. The reason why I give it a four is because of the limitations of the product to understand the dynamics of our website and the number of things that are not working smoothly due to the fact that our website is complex.

My primary use case is to help the teams in development. It helps us scan.

First, you don't have very high requirement and we could do it quickly and efficiently. Second, it was easy for us to install the reading bot facing challenges and such, while doing that installation. Third, when we were doing the scan, it was self intuitive and we were able to scan faster while we had two challenges in the other two solutions that we were using. In terms of finding out where to configure, what are the next steps to configure what we are missing and those kind of areas.

Usually what happens, because we were part of the COE, we had to find those faster and go through old ECs and deliver the results to the short duration income. So, that's where it helped us, it helped us setting up that environment quickly on a laptop, do the scan and come back.

The features I found most valuable is that it is very configurable. The installation was also very easy. 

Yeah, some of the technologies and framework for libraries were not available at that point of time. For example, if it was in the back end, at that point in time we had to look at other tools. There were some analytical compliances so when we had more tools, it took all the technologies frameworks that Fortify was having. We required this because we were widely working with different clients for the different varieties of technology and domains. There were some regulated compliances, which were not there, but these were the factors because of which we had to use some instances of other tools as well.

I do not remember any issues with stability. Of course, it is common that if there is some misconfiguration, it can lead to crashes and the site of the code can crash. But, this is something we have learned to tweak and estimate the length of code before the site of the application. Then, we can consider which technology could be configured, what technology should be excluded, and then scan to optimize some of the related issues.

In terms of the scalability of the solution, we did not have a centralized server connecting to multiple clients. We did not have scalablility issues due to our small-scale use.

We had a good tech support experience.

It was very straightforward in comparison to other solutions that we had used in the past.

The licensing was good because the licenses have the heavy centralized server. It connects to the other PTs, or even if it connects to the old EC servers. We had to put it within an old EC, in order for the licensing to be available at all scales.Then, you had to open multiple ports in that scenario that was not possible. But, you can do it at the application level, which is faster. You can buy a license, do a scan at that level, as well as scale up. So we also had multiple requests in terms of helping a client before they start in terms of doing something easy so that you do not require a complete license to be purchased.

We were using many other tools like TechAbility, IBM AppScan and I think these were the predominant ones.

Today's security has become so complex that you cannot lean completely dependent on one tool. What I have learned is that you should have multiple tools. Now, with different areas coming into space, all of these tools have to co-exist. To make the right choice of a tool is really important. A solution must have ease-of-use. If it becomes too difficult for installing, configuring, learning the scan, then the add option becomes a challenge.

We previously used it for static and dynamic scans, but now we use it only for dynamic scans.

We have close to 85 products in-house, so we run a lot of scans.

We are using lost programming languages, because we have a lot of product development going on because we have a product-based company. Fortify helps us to stay updated with the newest languages and versions coming out. We can run our scans on a timely basis.

We can run our scans properly on it. It improves future security scans.

Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues.

We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days.

There are no stability issues. Though, we would like the scans to run faster.

We have no scaling issues.

Tech support has been a great help. They always respond to us in a timely manner.

Whenever we contact support, they assist us in running our scans.

We did not have another solution before. We tried other solutions, but they were not as good as Fortify.

I was not involved in the initial implementation.

The pricing is expensive.

Currently, Checkmarx offers us a graphically, revised run.

We use it for externally exposed applications that we want to scan before releasing them to production. As you can imagine, it's important to make sure they're secure and that we will not be exposed. For internal apps, we use other static code scanning, primarily SonarQube. But Fortify on Demand is for externally exposed applications.

Because of the kind of products we deal with, and the kind of customers we have, we have really specific security requirements and practices we need to follow, specifically applying to our SDLC. Our SDLC dictates that we have security scanning, and that improves our code quality. Thankfully, we have never had any kind of serious security flaw or any kind of deviation of the process. We can certainly account for that because of the security tools and analysis that we have prior to moving code to production.

One of the valuable features is the ability to submit your code and have it run in the background. Then, if something comes up that is more specific, you have the security analyst who can jump in and help, if needed. I think that's really useful.

It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers. That's one of the reasons we don't use it throughout the company and for all our applications, only for the ones we judge to be most important.

Also, if you have a continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time. 

And it's too expensive to afford to run it for every application all the time. That's certainly something that requires improvement.

I haven't really encountered any issues with stability.

No issues with scalability. It has been able to handle all our workload so far.

Our experience with tech support has been good. We haven't needed support that much but whatever we needed we were able to find on their website. There were a couple of things regarding the licensing and payment that we had to get some help with. But it was quick and easy.

We didn't have a previous solution. We researched a couple of the tools, but we ended up using Fortify because of the comprehensive scans they have, and mainly because they are focused on the kind of apps that we have and the kind of requirements we have. They are able to cover most of the standards and practices that we need to adhere to.

The initial setup was straightforward. We had onsite training from HPE to help set up the local environment and first scans, and that was helpful.

The subscription model, on a per-scan basis, is a bit expensive. That's another reason we are not using it for all the apps. That subscription model is probably something that needs improvement.

We looked at CheckMarkx and SonarQube Enterprise. As I said, we are currently using SonarQube for other apps, but we use the open-source version. We tried to use the Enterprise version but it didn't cover all the aspects that we needed it to cover.

Understand what you want to get out of it and be sure to fully understand what you will be paying per scan if you go for the subscription model. As I said, having to scan hundreds or thousands of apps using that subscription model and doing that several times a week, or several times a day, may increase your costs. That might be something that you need to look at.

I rate it at nine out of 10. It's not a 10 because of the cost model, it's a bit pricey, and the slowness, it could be a little bit faster. I understand the reasons why but you just need to be aware before you start using it that the local scan won't be as fast as the static code scan.

I analyzed more than 20 applications implemented in BIT Brainery University. The static analysis has to be done every release before putting it in production.

Even though it was our final choice, it has saved us a lot of time as we focus primarily on programming rather than tool operational work. We did not need third-party consultants.

We shared the easy to use dashboard with our programmers and involved outsourcers for a quick issues fix. 

It lacks of some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt.