OpenText Core Application Security Reviews

It enforces source-code scanning, finding vulnerabilities in source code.

We're able to find vulnerabilities and weaknesses actually posting to site. We can get to these issues in our staging areas for active data and for verifying user vulnerabilities. It helps the development cycle in that we don't need other people involved in the scans. We're doing pre-scans and then getting other teams involved.

There are a lot of false positives and there's not a good way to manage them. They appear after every scan, and it would be nice to have them marked out so that we don't see them.

We've had no issues with deployment.

Stability could use a little improvement as we've had some issues. It runs out of memory sometimes and uses a lot of resources. Sometimes the scans don't work.

For code scans, company size doesn't really matter so much as the size of the code. It works well with the code scans we're running. Our lines of code aren't as huge as other applications we build, and it doesn't support every type of our applications, which are primarily .NET and HPE apps.

Technical support isn't top-notch, but it's not bad. It's just average. They take a while to resolve issues.

The initial setup was pretty easy and straightforward.

Find the solution that works best for your environment, using the group concept to try them all. Then determine which is best for you.

It's one of the leaders in the application security space. I've used Fortify since 2007, and I think the most valuable feature is its ability to address the source code scanning and dynamic scanning in a known, correlated way. I think the best way to address application security is to have multiple types of scanning and a unified view for the customer.

It's forced the incorporation of security in the development process. That's really the biggest benefit for us.

It could use better integration with the incident management processor. This would allow us to understand the vulnerabilities that arise in the software and how they're linked to the incident management center.

The deployment has not had issues.

It is a quite stable solution.

It's quite scalable and addresses a huge volume.

It's good, but could be better to align with other main vendors, such as IBM.

It's not straightforward, but it's not complex either. It could also be improved.

I'm very familiar with IBM and Barracuda and others. I always know HP's competition, but I feel most comfortable with HP.

My advice would be to look not only at the software, but also at the processor and the people who will be using the software. You should buy not just the software, but also the services to train people to use it.

• It's On-Demand, and cloud-based which is well suited to occasional and price-conscious use.
• Fast turn-around allows for easy integration into the development process without any major impact on development efforts.

It has added a very quick turnaround for security code reviews which allowed us to integrate this (formerly missing) function into the overall development and testing lifecycle.

It needs to support more languages.

I've used it for three months.

No issues encountered.

No issues encountered.

No issues encountered.

Excellent – from the PoC through setup and implementation; we received timely and knowledgeable support whenever we need it.

We tried to do it by hand (which was very time consuming and error-prone) and some tools built-in to Visual Studio (which was not widely accepted by individuals).

We had some issue with logins and account setups, but received excellent support.

We implemented it ourselves with the help of HP.

Don’t know since the project got cancelled.

Take advantage of the free trial and conduct a meaningful PoC. Get a buy-in from upper management early and co-ordinate with all stakeholders (e.g. developers, testing and/or QA groups).

I was able to quickly pass compliance with HIPAA.
Correlated static and dynamic results with detailed priority guidance.
Accurate results, tailored to each application.
All results manually reviewed by application security experts .
Central testing program management for all applications.

HP Fortify on Demand provides an independent review of third-party applications, allowing organizations to test software before purchasing, and also allowing software vendors to demonstrate the security of their software. Third-party vendors can upload the source code and/or provide a URL, review the results, and then publish a report back to their customer.

This service compels commercial vendors to take action to proactively fix vulnerabilities, while allowing them to remain in control of their applications. Security professionals can demand that high-priority problems be addressed and verified during the procurement or upgrade process, prior to acceptance. HP Fortify on Demand serves as an independent third-party solution to conduct unbiased analysis of applications and provide a detailed tamper-proof report back to the security team.

You are going to like the new detailed reporting. It can correlate the results from different forms of testing and prioritize them by severity to present the truest representation of application risk.

1 year

It was very easy to install and deploy.

No.

No. Scalable infrastructure allows for fast turnaround times and it has no limitations based on lines of code, megabytes, or anything else.

Good

Good

I currently use other solutions. We gave HP Fortify on Demand a try and we are very happy with the results.

Yes. Very easy.

We tried the free version first and then we acquired the software the product website.

Keep in mind that the calculation for return on investment and, therefore the definition, can be modified to suit the situation. It all depends on what you include as returns and costs. The definition of the term in the broadest sense just attempts to measure the profitability of an investment and, as such, there is no one "right" calculation. But, I have to say the client is very satisfied.

Try the free version first.

I am already using other software. We wanted to try it and it works like a charm.

Trust me, you want to be able to do automated and manual testing on a web application that is live.