OpenText Core Application Security Reviews

It's saved us a lot of time as we focus primarily on security consultancy work rather than tool operational work.

Also, the features SAST, DAST, Dashboard/Reports, Fortify on Demand Portal and Vulnerability Tracking, have all helped with our work.

Finally, it's reduced operational costs as we minimized security incidents and ensured all vulnerabilities are remediated during the development lifecycle.

The results it provides are more than 95% accurate, helping us to focus on the right things first.

Our new software procurement process benefited as well as we use this as a central control to provide security assurance and evaluate the quality of our deliverables.

Its ease-of-use has influenced developer behavior and enabled them to follow security principles.

It would be useful if they could integrate secure design reviews, security user stories in Fortify on Demand Portal, and also look for possible options to get just one view of risks for given services (Covering Application, Infrastructure, Pen. Test, etc.).

I’ve used it since 2010.

We've had no issues with deployment.

It’s a very stable product. We've had no issues with instability.

It’s scaled for our needs. We've had no issues with un-scalability.

Customer service is excellent.

The technical support is very good.

We've used various other tools, including the Fortify on-premise solution. We chose Fortify on Demand as it is cost effective, scalable, easy to deploy, and helps us to manage our vulnerabilities centrally.

The initial setup was very easy and straightforward. We were able to roll out this service to all our business units.

We performed the installation in-house.

There is no setup cost as it is an on-demand solution. However, if there is any firewall change required for an internal application, we would need to raise that from our end.

We considered SonarQube, MSFox, and CodeInspect.

Fully utilize this product and its feature as it covers almost everything required for software security assurance.

It enforces source-code scanning, finding vulnerabilities in source code.

We're able to find vulnerabilities and weaknesses actually posting to site. We can get to these issues in our staging areas for active data and for verifying user vulnerabilities. It helps the development cycle in that we don't need other people involved in the scans. We're doing pre-scans and then getting other teams involved.

There are a lot of false positives and there's not a good way to manage them. They appear after every scan, and it would be nice to have them marked out so that we don't see them.

We've had no issues with deployment.

Stability could use a little improvement as we've had some issues. It runs out of memory sometimes and uses a lot of resources. Sometimes the scans don't work.

For code scans, company size doesn't really matter so much as the size of the code. It works well with the code scans we're running. Our lines of code aren't as huge as other applications we build, and it doesn't support every type of our applications, which are primarily .NET and HPE apps.

Technical support isn't top-notch, but it's not bad. It's just average. They take a while to resolve issues.

The initial setup was pretty easy and straightforward.

Find the solution that works best for your environment, using the group concept to try them all. Then determine which is best for you.

It's one of the leaders in the application security space. I've used Fortify since 2007, and I think the most valuable feature is its ability to address the source code scanning and dynamic scanning in a known, correlated way. I think the best way to address application security is to have multiple types of scanning and a unified view for the customer.

It's forced the incorporation of security in the development process. That's really the biggest benefit for us.

It could use better integration with the incident management processor. This would allow us to understand the vulnerabilities that arise in the software and how they're linked to the incident management center.

The deployment has not had issues.

It is a quite stable solution.

It's quite scalable and addresses a huge volume.

It's good, but could be better to align with other main vendors, such as IBM.

It's not straightforward, but it's not complex either. It could also be improved.

I'm very familiar with IBM and Barracuda and others. I always know HP's competition, but I feel most comfortable with HP.

My advice would be to look not only at the software, but also at the processor and the people who will be using the software. You should buy not just the software, but also the services to train people to use it.

• It's On-Demand, and cloud-based which is well suited to occasional and price-conscious use.
• Fast turn-around allows for easy integration into the development process without any major impact on development efforts.

It has added a very quick turnaround for security code reviews which allowed us to integrate this (formerly missing) function into the overall development and testing lifecycle.

It needs to support more languages.

I've used it for three months.

No issues encountered.

No issues encountered.

No issues encountered.

Excellent – from the PoC through setup and implementation; we received timely and knowledgeable support whenever we need it.

We tried to do it by hand (which was very time consuming and error-prone) and some tools built-in to Visual Studio (which was not widely accepted by individuals).

We had some issue with logins and account setups, but received excellent support.

We implemented it ourselves with the help of HP.

Don’t know since the project got cancelled.

Take advantage of the free trial and conduct a meaningful PoC. Get a buy-in from upper management early and co-ordinate with all stakeholders (e.g. developers, testing and/or QA groups).

I was able to quickly pass compliance with HIPAA.
Correlated static and dynamic results with detailed priority guidance.
Accurate results, tailored to each application.
All results manually reviewed by application security experts .
Central testing program management for all applications.

HP Fortify on Demand provides an independent review of third-party applications, allowing organizations to test software before purchasing, and also allowing software vendors to demonstrate the security of their software. Third-party vendors can upload the source code and/or provide a URL, review the results, and then publish a report back to their customer.

This service compels commercial vendors to take action to proactively fix vulnerabilities, while allowing them to remain in control of their applications. Security professionals can demand that high-priority problems be addressed and verified during the procurement or upgrade process, prior to acceptance. HP Fortify on Demand serves as an independent third-party solution to conduct unbiased analysis of applications and provide a detailed tamper-proof report back to the security team.

You are going to like the new detailed reporting. It can correlate the results from different forms of testing and prioritize them by severity to present the truest representation of application risk.

1 year

It was very easy to install and deploy.

No.

No. Scalable infrastructure allows for fast turnaround times and it has no limitations based on lines of code, megabytes, or anything else.

Good

Good

I currently use other solutions. We gave HP Fortify on Demand a try and we are very happy with the results.

Yes. Very easy.

We tried the free version first and then we acquired the software the product website.

Keep in mind that the calculation for return on investment and, therefore the definition, can be modified to suit the situation. It all depends on what you include as returns and costs. The definition of the term in the broadest sense just attempts to measure the profitability of an investment and, as such, there is no one "right" calculation. But, I have to say the client is very satisfied.

Try the free version first.

I am already using other software. We wanted to try it and it works like a charm.

Trust me, you want to be able to do automated and manual testing on a web application that is live.

The solution is used for web application listing, like, SaaS.

The solution is user-friendly.

I would like the solution to add AI support.

I have been using the solution for one month.

I give the stability a nine out of ten.

I give the scalability a nine out of ten.

We have three people using the solution in our organization.

I am satisfied with the technical support.

Positive

We previously used SonarQube which is an open-source solution. We switched because we needed an easy-to-understand and configure UI.

I give the initial setup a nine out of ten. The deployment took a few hours and required one person to implement.

I give the solution a nine out of ten.

I recommend the solution to others and I am totally satisfied with it.