Sonatype Lifecycle Reviews

My main use case for Sonatype Lifecycle is open-source scanning for SCA. We pair it with Fortify (our SAST/DAST platform), and together they give us a more complete security picture within the CI/CD pipeline.

A recent example: we integrated Sonatype Lifecycle with its Nexus SCA Manager into our Jenkins workflow. Our code already went through SAST/DAST, but some smaller open-source packages and sub-libraries were not primary focus —especially those with licensing or legal considerations. Lifecycle fills that gap by checking every component for vulnerabilities, version risks, and license obligations, so we’re confident the entire codebase is covered.

We also use Lifecycle’s JSON mapping to share vulnerability and application data across Jenkins, Fortify, and other tools. What used to be a bit scattered is now clean, automated, and easy to maintain. This brings better visibility on all components across applications and versions.

sonatype lifecycle has helps us get clearer visibility into open-source risk, improve compliance, and catch issues earlier in the development process. By automating checks in our CI/CD pipeline, it has reduced manual effort needed by teams to deliver secure, reliable software with more confidence.

One of the best things about Sonatype Lifecycle, in my experience, is how easy it is to set up and start using. You don’t need to be a core developer to get started with it. Anyone with basic technical knowledge can create an application, assign it to an org, connect the code, and within just a few clicks generate a CycloneDX(SBOM report) or a PDF. Even integrating it with Jenkins was straightforward, and with clear and simple instruction, we had everything up and running in just a couple of days.

Sonatype Lifecycle has also made a clear positive impact on our organization. It helps us stay streamlined with  open-source risks (security, license, quality). Customer in the financial, manufactoring, government and technology sectors appreciate and do value. The tool is easy to integrate, well-documented, and lightweight, which made adoption simple and required minimal resource overhead. Overall, it strengthened our software supply chain and gave management confidence in our open-source security process.

Sonatype Lifecycle already does a nice job, but as you use it, you can’t help but notice a few spots where it could feel even smoother. Imagine opening it and immediately seeing a clearer, friendlier dashboard that tells you exactly what deserves your attention without digging around. As you move through your workflow, it would be great if the tool connected more naturally with what you’re already using, so everything just flows. And when an issue pops up, instead of leaving you guessing, it could guide you through what to do next in a way that feels simple and supportive. 

Even having a bit more visibility into anything happening behind the scenes would make the experience feel more complete. It’s already strong, but with touches like these, it could feel even more helpful and intuitive in everyday use.

I've been using Sonatype Lifecycle for a little over two years.

Solution is fairly stable in terms of core functionality, and with minimal technical issues. Aside for minor resolves all goes well.

Sonatype Lifecycle scales really well. Whether you are using it on-prem or the SaaS version, it is pretty easy to add more resources and handle bigger workloads as you grow. It adjusts smoothly without much hassle, so you don’t really feel limited as your team or projects get larger.

Customer support has been quite responsive, usually getting back to us within a couple of hours. Teams are flexible to connect on criticality of issue and the assistance needed.

Positive

We previously tried using an open-source scanner from Fortify, but eventually shifted to Sonatype Lifecycle because it offered a more complete and dependable approach for our SCA needs. There are other options in the market like Snyk and JFrog, but Lifecycle aligned better with what we were looking for in terms of accuracy, ease of use, and overall coverage.

The initial setup was straightforward overall, and with the technical know-how and a clear understanding of the environment, the whole process moves smoothly and rather quickly.

We have specialized consultants who are fully trained on Sonatype products and available for consultation, architecture design, and integration or deployment support. They take the time to understand each customer’s environment, which allows them to deliver solutions that truly fit the need rather than just dropping in technology.

Customer have seen a clear return on investment with Sonatype Lifecycle. Compliance scores improved, vulnerabilities dropped, and the overall workload became much lighter because we now get clear visibility into everything being built. Need for fewer people to manage the process, developers get quicker feedback, and testing team has far less manual work. Cost of running infra for the same needs went down since we’re able to run things efficiently on a single VM. All of this has saved us both time and effort in a noticeable way.

From my experience, the licensing side is pretty straightforward to handle. Most of the cost and pricing considerations really come down to how the solution is deployed. Since we work with partners and other OEMs who help run Sonatype Lifecycle through their services, the final pricing details are usually best explained by the sales teams who manage pricing and licensing more directly.

I was not the deciding person on evaluating options before selecting Sonatype Lifecycle; however, the ease of adoption with sonatype to connect with existing SAST and DAST solutions was a key factor in the decision to choose Sonatype Lifecycle.

I would rate Sonatype Lifecycle a 9/10. It’s a great product, and my main advice for anyone considering it is to take the time to understand your organisation needs get most out of this offering. Once you match the features to your goals, it really strengthens and simplifies your security process.

I have used Sonatype Lifecycle for one year, primarily as a part of DevSecOps and software composition analysis initiatives focused on my application security project, which involves identifying and managing open-source dependencies risks within application environments.

For Sonatype Lifecycle, I actually use it for two purposes in application security: security composition analysis (SCA) and Static Application Security Testing (SAST), with the intention to identify code-level vulnerabilities when developers write any code, allowing me to scan the code, prioritize vulnerabilities, and fix those areas to reduce overall application risks.

Before using Sonatype Lifecycle, I used to get vulnerabilities in the deployment phase, also known as Dynamic Application Security Testing (DAST), but after implementing Sonatype Lifecycle, it adds an additional security layer by allowing me to conduct SAST and SCA scans early in the coding phase, enabling me to prioritize and remediate vulnerabilities as soon as possible, which reduces time and effort.

In my opinion, the strongest feature of Sonatype Lifecycle is its ability to provide continuous visibility and governance over open-source dependencies throughout the software development lifecycle, with the most standout aspect being its effective integration of security directly into DevSecOps workflows instead of treating security as a separate, post-development activity.

The policy-based governance and vulnerable component rejection capabilities are tremendously valuable for my team because they shifted security enforcement earlier in the lifecycle. For example, I configured policies to flag or block builds with open-source components with critical vulnerabilities, and that was impactful when Sonatype Lifecycle detected a high-severity vulnerability during a build process.

Overall, Sonatype Lifecycle has a very positive impact on the organization, particularly in improving software supply chain security and DevSecOps practices, with measurable improvements including earlier detection of vulnerabilities and faster remediation cycles.

I have definitely observed measurable operational improvements after integrating Sonatype Lifecycle into my workflows, highlighted by a noticeable reduction in vulnerable open-source components progressing to production stages, allowing me to remediate them before deployment.

While Sonatype Lifecycle provides strong value for software composition analysis and software supply chain security, one area for improvement is alert prioritization and noise reduction, especially in larger development environments.

The primary area for improvement I mentioned is alert prioritization and noise reduction, in addition to improving dashboard and reporting customization.

I have used Sonatype Lifecycle for one year.

Sonatype Lifecycle is pretty stable and works fine.

In my experience, Sonatype Lifecycle scales well for enterprise DevSecOps and software supply chain security use cases, particularly in environments with multiple development teams and a large number of applications and dependencies.

The customer support for Sonatype Lifecycle is very helpful, and they are technically sound, providing positive feedback.

Before Sonatype Lifecycle, I used a DAST solution called Qualys for application security, and this is my first tool for SAST and SCA scans.

From my point of view, once I introduce Sonatype Lifecycle with the DevSecOps pipeline, it offers automated vulnerability scanning, prioritization, and allows me to focus on risk assessment and remediation, saving me about 40% in time and effort.

If you are working in a DevSecOps or application security project and want to prioritize vulnerabilities early, implementing Sonatype Lifecycle in your project will be helpful in addressing risks before they escalate. I provided this review with a rating of 8.

Positive

I work for a service-based company where we develop solutions based on customer requirements. That server was currently put up. 

I've also worked with product-based companies, developing software products for end-user requirements. That's my background, working broadly in telecom and healthcare.

This solution is for the client, and we do have internal customers who have been using this solution too.

Sonatype Lifecycle primarily has two main products: 

1. Sonatype Nexus and 
2. Sonatype Lifecycle. 

Lifecycle is mainly used for firewall management. If any issues are detected during the build process, they will be flagged, and each port can be addressed based on firewall and code scanning reports. 

Essentially, it streamlines the process, allowing us to easily identify code snippets that need attention and then act upon those findings.

It's heavily integrated within our organization due to our adherence to HIPAA regulations, which are critical for protecting health information. We ensure regulatory compliance is incorporated into both our code and the applications we develop.

• Detailed Violation Reports: The violation reports provided by Lifecycle are key, giving specific details on the types of violations and identifying the component within the application. Even with multiple components like web, app, and database tiers, each is evaluated separately through individual pipelines, and reports are provided for each.

• Version Tracking: Another important aspect is the version details, showing which version is causing issues. We follow a standard release naming convention (major, minor, patch), so we can easily see which version is problematic.

• Dependency Management: Additionally, we can address dependency-related information at a granular level, identifying component versions causing build blockages. This is a very helpful feature.

With Sonatype, I primarily work with the Nexus Repository. I like it the most because it can store many artifacts generated after applications are built. These artifacts can be retrieved at any time. 

Another valuable aspect of Sonatype is that it combines Lifecycle with the repository. The Lifecycle component integrates into every stage of the release, starting from code checkout and throughout the build process. This integration gives us insights into the code's quality and overall health. 

Additionally, Sonatype seamlessly integrates with other tools like GitLab, providing continuous integration, delivery, and deployment capabilities. 

It offers comprehensive reports on each stage, facilitating static code analysis and improving our understanding of code quality. All these integrations help provide valuable feedback to developers and stakeholders.

Mitigates security vulnerabilities:

It primarily analyzes code and provides vulnerability check results through the IQ Server. This server takes the application configuration and details, then provides a dashboard showing the vulnerabilities as critical, low, or high.

This is based on the policies defined in Lifecycle. Besides the default policies, we have custom policies that can be defined. These features evaluate the code and present those reports in the dashboard.

While Sonatype Lifecycle effectively manages artifacts in Nexus Repository and performs code firewall checks based on rules, it has the potential to expand further.

I am looking forward to additional features similar to SonarQube, especially since licenses are often split per component. SonarType could integrate cloud-based capabilities, addressing the increasing shift towards cloud workloads. While there have been demos and discussions around this, significant progress on scanning and analyzing cloud images remains to be seen.

I am looking forward to Sonatype incorporating these enhancements, particularly in regard to cloud-based features. On-prem workloads are getting to the cloud workloads. 

• I would like to see more cloud-related insights, such as logging capabilities for the images we use and image scanning information. 
• Additionally, it would be beneficial to have insights into the stages of dependencies and ensure they comply with standards. If there are any violations in respect to CVSS reports,
• Integrating CVSS (Common Vulnerability Scoring System) report rules into the Lifecycle module to detect and report violations would be valuable. I am hoping to see these enhancements from Sonatype in the future.

On the security side, I think there's a lot of development needed. There are many security tools on the market, like open-source ones, that Sonatype doesn't integrate with.

I have experience with this product. 

The stability of the product is very normal. If we don't bump it up with minor releases, and instead use the stable releases, there are no major issues. So far, the stability is perfectly fine.

I would rate the scalability an eight out of ten. 

Earlier, licenses were specific to on-premise servers, but now, Sonatype is also available in the cloud, offering more flexibility. Now, we can bump it up if required.  We can increase the number of user licenses as needed by contacting the Sonatype team.

We regularly evaluate our license usage and adjust based on our needs. For example, we initially had 100 licenses, but after analyzing usage patterns and integrating another team, we increased it to 200.

So, scalability is not an issue.

The support was good. However, getting the right resources for specific activities is a problem. 

Once an issue is identified, we need to raise a user request, which might become a development request, leading to long wait times. This is where we experience delays and needs improvement.

Neutral

Another tool that is equivalent to Sonatype is JFrog, but it does not have Lifecycle kind of features.

But, we can compare the Sonatype Nexus repository with JFrog Artifactory. We also have other options like Azure Artifacts in the cloud.

I would rate my experience with the initial setup a nine out of ten, with ten being easy. 

The installation itself is quick, but the configuration takes longer, especially with custom policies. If you use the default policies, it's much faster. 

The configuration needs to be tailored to the specific requirements of the team or application. Installation can be completed in three to four hours, but configuration may take a couple of days.

Deployment model: It is deployed both on the cloud and on-premises. 

Deployment resources: It doesn't require many resources. One engineer and another person should be able to handle it, especially for the policies and other details. Installation and setup are not difficult. 

However, ongoing maintenance is required, so an additional person might be helpful. Is the requirement solely for Sonatype, or do you have other tools to maintain as well?

I successfully set it up from scratch for my organization, conducted training sessions for the development team and leadership, and collaborated extensively with the Sonatype team for over eight years.

Steps for the deployment process:

1. First, we get the bundle. Once we receive the bundle, we will review the installation tips and identify the server for installation. The installation server is designed based on the environment, considering CPU, RAM, storage requirements, and database choice (Oracle or PostgreSQL). After all, the database is key. 
2. We download the package bundle from the website, which includes the installation script and a configuration file. The configuration file defines the connection details to the database. This is usually handled by the admin ID.
3. The next step is to create roles for the development team and other relevant teams, assigning users to these roles. The most time-consuming part is defining the custom policies tailored to our organization's specific needs, as we have numerous applications running with different teams and product lines.
4. Once the policies are defined, we integrate Sonatype with the CI/CD pipeline. This allows us to run scans, generate reports, and start using the tool effectively.

In terms of Sonatype, it's definitely worth it. The software is valuable. However, I'm expecting more additional features and frequent releases, as major releases take a long time. I think the Sonatype development team should release updates with additional features more often.

I would rate the pricing a seven out of ten, with ten being expensive. The price is high. 

It depends on the number of licenses. The price increases based on the fact bundle you are collecting. The number of licenses depends on the organization and how many we have.

My advice:

Sonatype Lifecycle has a lot of uses based on the user base. It's licensed based on support, not per user. So, if a team has 200 developers, I would recommend starting with a smaller number of licenses, like 50 or 75, and increasing it later if needed, rather than buying 200 licenses upfront. They can always compare and adjust based on their usage.

Overall, I would rate it an eight out of ten. 

We use Sonatype Lifecycle for scanning our SCA product, software composition analysis. It is a category of product we use to scan third-party packages imported into the source code like Java, Node.js, or Python. 

It reports back as an enterprise product with UI reports and is very useful. We integrate it into our pipelines, generate reports, and our developers engage with it to fix issues and ensure the software supply chain is secure.

The solution provides a comprehensive overview of dependencies and their security status. The onboarding process is straightforward, and the UI is very clear. The integration into our CICD pipeline enables us to continuously monitor code changes and identify new vulnerabilities. This ensures we can address issues proactively. Lifecycle effectively manages dependencies and highlights unsecure packages. It does what it does better, with integration into other Sonatype products. This integrated ecosystem is advantageous for us.

It is a bit narrow, and we are expecting more features, especially with respect to SBOM and other detections. It is specific to only one category, and we would like them to add more diverse application security features. We expect products to do multiple things. It only does one thing, and we want it to expand its capabilities.

We have been working with Sonatype Lifecycle for four years.

The product is stable and works as expected. There are no performance or reliability issues.

I find the solution scalable.

The technical support is good. I would rate them as eight out of ten. They are helpful when we raise any tickets.

Positive

We did not use another solution before this one.

The initial setup is not straightforward as it includes databases, yet the documentation is good, and we did not face any issues. The support is good, and the setup went smoothly.

It is a security product, so we installed it in our automation environment without tweaking anything. We brought users in, provided an overview of how developers should use it, and integrated it into a few applications before rolling it out to all.

We have seen cost savings and efficiency improvements as we now know what happens in what was previously a black box. The ROI is around two years, however, security improvements are hard to quantify.

We didn't evaluate other options since the product aligns with our ecosystem, enabling it to work well with other solutions we use.

I recommend it because it integrates well with other Sonatype products and does its job effectively. 

Overall, I would rate Sonatype Lifecycle as seven out of ten.

We use Fortify SCA or SAST for scanning the source code, and we use Sonatype Nexus to scan libraries for any vulnerabilities. We get secure code and libraries by combining these two solutions. If we find any issues, we can fix them.

We use Fortify SAST to scan our code. It is used for the static code and not the running code. It finds vulnerabilities, and it finds bad practices. If you are using something that can be exploited in the code, it highlights that and gives you recommendations on that. It gives you ideas on how to fix that.

We have a more secure code because it is based on top security standards. Before we moved to Fortify SAST, we already had code running in production. When we moved to Fortify SAST, we had to rescan our code running in production. We got more and more vulnerabilities, which made people upset, but overall, our security was enhanced. It also enhanced the knowledge of our developers. Our developers are learning more. Many developers were frustrated in the beginning because there were many vulnerabilities, but as time went on, they liked its features. They find it straightforward now. They read about it, and they can fix their code easily. Without any back-and-forth communication, they can find the line, the recommendation, and what to do about it in one place. That is awesome.

Fortify Software Security Center gives a good overview of how the application is implemented, but it is not a 360-degree view. Sometimes we have false positives, and sometimes, it does not catch the design flows. It will mark something as vulnerable because it does not have the full picture. The highlighted code might be a part of another module, so it cannot see the full picture, but it is a very good tool. It is better than the ones we had before.

I have not yet used Fortify Software Security Center for managing and tracking risks associated with the open-source components used in our software project. We recently started to use Fortify SAST and are still exploring and discovering things. We usually do that through Sonatype Nexus, but I have seen it catching vulnerabilities. Some users have scanned the library by mistake, and I have seen it catching vulnerable code in the library. It points out why we wrote the code this way, and the code should have been that way. If there is a variable that has a sensitive name, such as a key, password, or something else, it catches that. After we have integrated it with Sonatype, we will have more exposure, but we are not yet at that stage.

I really like Fortify Software Security Center. We can scan the code and push the results. I can also see all the applications. I know the portfolio of the applications that we have. I can see all the information about the organizations, the code, and the developers in one spot. It is good for the management and also for the development teams. If their supervisors want to know the security status of their applications, they can go there straight away and check that information. It is very good in this aspect.

Fortify SAST has helped in the remediation of potential vulnerabilities by using accurate and reliable results. I like that they use standards such as OWASP Top 10 or SANS Top 25. They are very good at this. When it finds any vulnerabilities, it shows you by the rank. You can filter by so many standards. It gives you a description of the vulnerability as well as recommendations on how to fix it. It also gives you some references if you want to read more. It is very good.

Fortify SAST has helped a lot to enable developers to build secure code from the start. We have many developers. They have the development skills, but they do not have security skills. Now, there is something that tells them how to write the code properly. For instance, they use a function, and then they get the recommendation to use another function. They do not know the other function. They go ahead and use it, and the code still runs as before, but it is safer. With time, people avoid these issues. It is like a spelling checker. You get recommendations while writing the code.

Fortify and Sonatype solutions help to maintain compliance with applicable regulations. Fortify SAST is built on top of very high standards such as OWASP Top 10, SANS Top 25, PCI DSS, etc. These are very repeatable security standards. It includes over a thousand vulnerability categories. It covers a lot of vulnerabilities.

Fortify SAST helps us reduce our risk exposure on applications through the discovery of vulnerabilities and weaknesses. They have something called rulepacks that are the guidelines. There are rulepacks for different languages. They are the security standards that the code will follow. These rulepacks are updated frequently by the Fortify team themselves, and we just have to feed them into Fortify Software Security Center so that it has updated information about vulnerabilities, and it can discover more. The more you discover and fix, the more secure and resilient code you will have.

Fortify SAST provides real-time feedback on security issues. When you scan, you get the results instantly. Sometimes, for certain code languages, it takes a little more time to scan, which can be frustrating, but it provides real-time feedback. You get a small description, and you also have the details. There is one tab for recommendations, and there is also a tab for references.

We recently had this activity where we wanted to integrate the tool with a pipeline. We are using Azure DevOps, and we managed to integrate that. It was straightforward. You get a plugin or an extension, and the code is pushed and scanned, and you get the results. It is straightforward. I can see it functional for such deployments. We are ready for the cloud and automation, but we are still in the testing phase.

Fortify SAST has helped free up our staff for other projects or tasks. Because it is very informative and clear, we have a lot fewer issues for which people come back to us. They come back to us if they think it is a false positive or if they need a waiver because they cannot fix it due to some limitations, but in the majority of cases, they can control and learn, and they can do it on their own. It helped us a lot in this aspect, but I do not have the metrics. We have been using it only for a few months, and we have a shortage of people. It has saved the communication time that we were spending on emails and reporting. We now have less of that. We all go to one place. Instead of sending me an email or having a phone call, developers now go to Fortify Software Security Center and put in what they think. For example, they will say that it is a false positive because of this and that. They will send it to me, and I will go to Fortify Software Security Center. I will read it and review it, and if I find it okay, I will give the go-ahead to get rid of it. Otherwise, we would need more discussion. It improves communication big time for me.

I like Fortify Software Security Center or Fortify SSC. This tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions. I like Fortify Software Security Center. It was not the way we had before. We used to have another tool, and it did not have this feature. I also like the fact that it supports many languages. It supports more than 30 languages. It covers a lot of what we do. Its configuration is a little bit tricky, but after you configure it, it is intuitive.

I also like the integration capability. It can integrate with many IDEs, such as IntelliJ, Eclipse, VS Code, etc. It integrates with all the main ones. It also can integrate with Nexus. It can integrate with Secure Code and Azure DevOps. This is really good to have something that can work with many vendors. It gives you versatility and flexibility.

We have integrated it with Azure DevOps for the pipeline, and we have integrated it with Secure Code. It is not a major integration. We have a plan to integrate it with Sonatype. I like to have everything in one place. All the integrations happen in the IDEs. We have people using Eclipse, IntelliJ, Visual Studio, VS Code, etc. We have integrated it with all the IDEs that we have here. The integration with IDEs was straightforward. You just install the plugin, add it to the IDE, and add your configuration. For Azure DevOps, we needed to add the binary, and it took a day or two because people were not familiar with it. For Secure Code, it was straightforward again. It is not hard to integrate. Its integration is easy.

One downside to it is that it is costly. I can see it only for enterprises. I cannot see it for small businesses or for individual use.

The configuration part is a little bit tricky. There is a learning curve there because it has multiple components. If someone has used another type of scanner, they would not think of the configuration intuitively. The configuration part can be better. Installation is straightforward, but the configuration can be better. It can be improved.

There is a learning curve. Before we started using this tool, I did a lot of sessions with the vendors themselves to give an overview to the people. I also did a small documentation on how to install it because there are many components here and there. You need to understand how everything is put together. They can integrate it or make it a simpler process.

During the short experience that we have had with it, we have noticed that some of the languages such as JavaScript and TypeScript consume high resources. They take a longer time to scan. Memory consumption is also very high for those languages. We are working with Fortify to find ways to optimize the scan. I noticed this with these types of languages. By nature, they take time.

It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier.

For integration with IDEs, they have so many plugins. For example, they have something called security analysis, and they have something called remediation. As a user, I would love to have them as one. Why should we have two plugins in the same IDE? Just give me one plugin that I can hook to the tool and use it. This is one thing. Some of the features in these plugins also need more testing. They are not consistent across all the IDEs. From what I saw, there are different options in these tools. For example, if you install it with IntelliJ, it will be different from VS Code. Some options are different, or one tool has more options than others. They can invest more in making them consistent.

We are a big company. We have different organizations. For our organization, we started using this solution this year, but other organizations have been using it for two years.

From what I have seen so far, it is very stable. It is a browser-based solution. You just log in to the website and see all your applications. From your machine, you can just push, and it will be published there. You click a scan, and your results will be in Fortify Software Security Center. It is straightforward and easy to use.

It is being used at multiple locations and in multiple buildings. The security requirements are very high in our environment, so not everything will work as you expect it because not everything is open. We struggle a bit, but it is required. We have around 60 people who use Fortify SAST.

We have not tested it yet, but they have something called ScanCentral. Currently, developers scan the code on their machines, and then they push it to Fortify Software Security Center. ScanCentral is a feature that we will start to experiment with soon where we offload the scan to a server. It will not utilize developers' resources. It will just initiate a scan, and it will use another system to scan. I have heard that you can have many of them implemented. I have not experienced it yet, but it seems like a cool feature to free the resources for developers because they need to deploy, compile, and fix. If it frees up their resources, it will be good.

I am very satisfied with their support. They are very nice people, and they are very helpful. I would rate their support a ten out of ten.

Positive

We were using IBM Appscan. We switched because of limitations and support. We found that developers were able to tweak it and play with it. They could play with the results. Its support had also ended, and it supported fewer languages. There were multiple reasons, and this is why we had to switch to something else.

I needed their help with the setup. It was mainly because our environment is a little bit strict. It is not the easiest environment to work in. It is not only applicable to Fortify; it is applicable to many other vendors, but with their help and support, it was doable. We have a very restricted environment. If you read a document and follow it, it should work, but because of our environment, we need to open this or that. We had access issues at the beginning, but once we resolved them, it was fine.

It took weeks because of the access issues that we had. We had to reach out to the vendor and ask them why it is behaving this way.

In terms of maintenance, we need to update rulepacks. We need to take care of the licenses. In the beginning, we used licenses from a neighbor until we got ours. We need to take care of the routine activities related to licensing and patching. If we find any vulnerability with the tool itself, we need to do patching. It is like any other tool.

We had people from the cloud team. We had people from the administration team. We had people from the database team. Overall, we had four or five people involved but not always together. When you configure the database, you will be with the database team. When you configure the cloud, you will be with the cloud team.

It is too early to say whether we have seen an ROI, but we have had a great communication and learning experience.

Identifying vulnerabilities using Fortify SAST early in the development lifecycle saves costs versus discovering vulnerabilities later in the software development lifecycle (SDLC). If you discover a vulnerability early, it is helpful. For instance, if you are writing Java code and you know that there is a limitation or vulnerability in that version of Java, it helps to plan your journey of development earlier. You get to know that your server does not support this version of Java. It helps you make decisions earlier in the process. Time is money. The earlier you handle things, the better it is.

There is a licensing fee, and if you bring them to the company and you want them to do the installation and the implementation in the beginning, there is a separate cost. Similarly, if you want consultation or training, there is a separate cost.

I see it as suitable only for enterprises. I do not see it suitable for a small business or individual use. In the future, if they have other versions for smaller organizations or individuals who want to install it on their machines and use it, it would be good.

To someone whose company is still using manual methods to find vulnerabilities, I would say that when you automate it, you control it. You give more power to people, especially from a security point of view.

I would recommend Fortify SAST if you have money and multiple teams. It is useful for multiple teams, but for a small company with one team of two to three people, I would not recommend it. If you have a big community with many organizations and many development teams, it is worth it.

Overall, I would rate Fortify SAST an eight out of ten.

We use Fortify SCA or SAST for scanning the source code, and we use Sonatype Nexus to scan libraries for any vulnerabilities. We get secure code and libraries by combining these two solutions. If we find any issues, we can fix them.

We use Fortify SAST to scan our code. It is used for the static code and not the running code. It finds vulnerabilities, and it finds bad practices. If you are using something that can be exploited in the code, it highlights that and gives you recommendations on that. It gives you ideas on how to fix that.

We have a more secure code because it is based on top security standards. Before we moved to Fortify SAST, we already had code running in production. When we moved to Fortify SAST, we had to rescan our code running in production. We got more and more vulnerabilities, which made people upset, but overall, our security was enhanced. It also enhanced the knowledge of our developers. Our developers are learning more. Many developers were frustrated in the beginning because there were many vulnerabilities, but as time went on, they liked its features. They find it straightforward now. They read about it, and they can fix their code easily. Without any back-and-forth communication, they can find the line, the recommendation, and what to do about it in one place. That is awesome.

Fortify Software Security Center gives a good overview of how the application is implemented, but it is not a 360-degree view. Sometimes we have false positives, and sometimes, it does not catch the design flows. It will mark something as vulnerable because it does not have the full picture. The highlighted code might be a part of another module, so it cannot see the full picture, but it is a very good tool. It is better than the ones we had before.

I have not yet used Fortify Software Security Center for managing and tracking risks associated with the open-source components used in our software project. We recently started to use Fortify SAST and are still exploring and discovering things. We usually do that through Sonatype Nexus, but I have seen it catching vulnerabilities. Some users have scanned the library by mistake, and I have seen it catching vulnerable code in the library. It points out why we wrote the code this way, and the code should have been that way. If there is a variable that has a sensitive name, such as a key, password, or something else, it catches that. After we have integrated it with Sonatype, we will have more exposure, but we are not yet at that stage.

I really like Fortify Software Security Center. We can scan the code and push the results. I can also see all the applications. I know the portfolio of the applications that we have. I can see all the information about the organizations, the code, and the developers in one spot. It is good for the management and also for the development teams. If their supervisors want to know the security status of their applications, they can go there straight away and check that information. It is very good in this aspect.

Fortify SAST has helped in the remediation of potential vulnerabilities by using accurate and reliable results. I like that they use standards such as OWASP Top 10 or SANS Top 25. They are very good at this. When it finds any vulnerabilities, it shows you by the rank. You can filter by so many standards. It gives you a description of the vulnerability as well as recommendations on how to fix it. It also gives you some references if you want to read more. It is very good.

Fortify SAST has helped a lot to enable developers to build secure code from the start. We have many developers. They have the development skills, but they do not have security skills. Now, there is something that tells them how to write the code properly. For instance, they use a function, and then they get the recommendation to use another function. They do not know the other function. They go ahead and use it, and the code still runs as before, but it is safer. With time, people avoid these issues. It is like a spelling checker. You get recommendations while writing the code.

Fortify and Sonatype solutions help to maintain compliance with applicable regulations. Fortify SAST is built on top of very high standards such as OWASP Top 10, SANS Top 25, PCI DSS, etc. These are very repeatable security standards. It includes over a thousand vulnerability categories. It covers a lot of vulnerabilities.

Fortify SAST helps us reduce our risk exposure on applications through the discovery of vulnerabilities and weaknesses. They have something called rulepacks that basically are the guidelines. There are rulepacks for different languages. They are the security standards that the code will follow. These rulepacks are updated frequently by the Fortify team themselves, and we just have to feed them into Fortify Software Security Center so that it has updated information about vulnerabilities, and it can discover more. The more you discover and fix, the more secure and resilient code you will have.

Fortify SAST provides real-time feedback on security issues. When you scan, you get the results instantly. Sometimes, for certain code languages, it takes a little more time to scan, which can be frustrating, but it provides real-time feedback. You get a small description, and you also have the details. There is one tab for recommendations, and there is also a tab for references.

We recently had this activity where we wanted to integrate the tool with a pipeline. We are using Azure DevOps, and we managed to integrate that. It was straightforward. You get a plugin or an extension, and the code is pushed and scanned, and you get the results. It is straightforward. I can see it functional for such deployments. We are ready for the cloud and automation, but we are still in the testing phase.

Fortify SAST has helped free up our staff for other projects or tasks. Because it is very informative and clear, we have a lot fewer issues for which people come back to us. They come back to us if they think it is a false positive or if they need a waiver because they cannot fix it due to some limitations, but in the majority of cases, they can control and learn, and they can do it on their own. It helped us a lot in this aspect, but I do not have the metrics. We have been using it only for a few months, and we have a shortage of people. It has saved the communication time that we were spending on emails and reporting. We now have less of that. We all go to one place. Instead of sending me an email or having a phone call, developers now go to Fortify Software Security Center and put in what they think. For example, they will say that it is a false positive because of this and that. They will send it to me, and I will go to Fortify Software Security Center. I will read it and review it, and if I find it okay, I will give the go-ahead to get rid of it. Otherwise, we would need more discussion. It improves communication big time for me.

I like Fortify Software Security Center or Fortify SSC. Basically, this tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions. I like Fortify Software Security Center. It was not the way we had before. We used to have another tool, and it did not have this feature. I also like the fact that it supports many languages. It supports more than 30 languages. It covers a lot of what we do. Its configuration is a little bit tricky, but after you configure it, it is intuitive.

I also like the integration capability. It can integrate with many IDEs, such as IntelliJ, Eclipse, VS Code, etc. It integrates with all the main ones. It also can integrate with Nexus. It can integrate with Secure Code and Azure DevOps. This is really good to have something that can work with many vendors. It gives you versatility and flexibility.

We have integrated it with Azure DevOps for the pipeline, and we have integrated it with Secure Code. It is not a major integration. We have a plan to integrate it with Sonatype. I like to have everything in one place. All the integrations happen in the IDEs. We have people using Eclipse, IntelliJ, Visual Studio, VS Code, etc. We have integrated it with all the IDEs that we have here. The integration with IDEs was straightforward. You just install the plugin, add it to the IDE, and add your configuration. For Azure DevOps, we needed to add the binary, and it took a day or two because people were not familiar with it. For Secure Code, it was straightforward again. It is not hard to integrate. Its integration is easy.

One downside to it is that it is costly. I can see it only for enterprises. I cannot see it for small businesses or for individual use.

The configuration part is a little bit tricky. There is a learning curve there because it has multiple components. If someone has used another type of scanner, they would not think of the configuration intuitively. The configuration part can be better. Installation is straightforward, but the configuration can be better. It can be improved.

There is a learning curve. Before we started using this tool, I did a lot of sessions with the vendors themselves to give an overview to the people. I also did a small documentation on how to install it because there are many components here and there. You need to understand how everything is put together. They can integrate it or make it a simpler process.

During the short experience that we have had with it, we have noticed that some of the languages such as JavaScript and TypeScript consume high resources. They take a longer time to scan. Memory consumption is also very high for those languages. We are working with Fortify to find ways to optimize the scan. I noticed this with these types of languages. By nature, they take time.

It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier.

For integration with IDEs, they have so many plugins. For example, they have something called security analysis, and they have something called remediation. As a user, I would love to have them as one. Why should we have two plugins in the same IDE? Just give me one plugin that I can hook to the tool and use it. This is one thing. Some of the features in these plugins also need more testing. They are not consistent across all the IDEs. From what I saw, there are different options in these tools. For example, if you install it with IntelliJ, it will be different from VS Code. Some options are different, or one tool has more options than others. They can invest more in making them consistent.

We are a big company. We have different organizations. For our organization, we started using this solution this year, but other organizations have been using it for two years.

From what I have seen so far, it is very stable. It is a browser-based solution. You just log in to the website and see all your applications. From your machine, you can just push, and it will be published there. You click a scan, and your results will be in Fortify Software Security Center. It is straightforward and easy to use.

It is being used at multiple locations and in multiple buildings. The security requirements are very high in our environment, so not everything will work as you expect it because not everything is open. We struggle a bit, but it is required. We have around 60 people who use Fortify SAST.

We have not tested it yet, but they have something called ScanCentral. Currently, developers scan the code on their machines, and then they push it to Fortify Software Security Center. ScanCentral is a feature that we will start to experiment with soon where we offload the scan to a server. It will not utilize developers' resources. It will just initiate a scan, and it will use another system to scan. I have heard that you can have many of them implemented. I have not experienced it yet, but it seems like a cool feature to free the resources for developers because they need to deploy, compile, and fix. If it frees up their resources, it will be good.

I am very satisfied with their support. They are very nice people, and they are very helpful. I would rate their support a ten out of ten.

Positive

We were using IBM Appscan. We switched because of limitations and support. We found that developers were able to tweak it and play with it. They could play with the results. Its support had also ended, and it supported fewer languages. There were multiple reasons, and this is why we had to switch to something else.

I needed their help with the setup. It was mainly because our environment is a little bit strict. It is not the easiest environment to work in. It is not only applicable to Fortify; it is applicable to many other vendors, but with their help and support, it was doable. We have a very restricted environment. If you read a document and follow it, it should work, but because of our environment, we need to open this or that. We had access issues at the beginning, but once we resolved them, it was fine.

It took weeks because of the access issues that we had. We had to reach out to the vendor and ask them why it is behaving this way.

In terms of maintenance, we need to update rulepacks. We need to take care of the licenses. In the beginning, we used licenses from a neighbor until we got ours. We need to take care of the routine activities related to licensing and patching. If we find any vulnerability with the tool itself, we need to do patching. It is like any other tool.

We had people from the cloud team. We had people from the administration team. We had people from the database team. Overall, we had four or five people involved but not always together. When you configure the database, you will be with the database team. When you configure the cloud, you will be with the cloud team.

It is too early to say whether we have seen an ROI, but we have had a great communication and learning experience.

Identifying vulnerabilities using Fortify SAST early in the development lifecycle saves costs versus discovering vulnerabilities later in the software development lifecycle (SDLC). If you discover a vulnerability early, it is helpful. For instance, if you are writing Java code and you know that there is a limitation or vulnerability in that version of Java, it helps to plan your journey of development earlier. You get to know that your server does not support this version of Java. It helps you make decisions earlier in the process. Time is money. The earlier you handle things, the better it is.

There is a licensing fee, and if you bring them to the company and you want them to do the installation and the implementation in the beginning, there is a separate cost. Similarly, if you want consultation or training, there is a separate cost.

I see it as suitable only for enterprises. I do not see it suitable for a small business or individual use. In the future, if they have other versions for smaller organizations or individuals who want to install it on their machines and use it, it would be good.

To someone whose company is still using manual methods to find vulnerabilities, I would say that when you automate it, you control it. You give more power to people, especially from a security point of view.

I would recommend Fortify SAST if you have money and multiple teams. It is useful for multiple teams, but for a small company with one team of two to three people, I would not recommend it. If you have a big community with many organizations and many development teams, it is worth it.

Overall, I would rate Fortify SAST an eight out of ten.

Neutral

We manage the overall software development security organization, encompassing assistance to all developers across our organization worldwide. Our 10,000 developers help identify vulnerabilities in their code. We use Fortify Static Code Analyzer to explore methods to expedite vulnerability detection and remediation through a self-service pipeline.

Initially, we utilized Just Cloud, but subsequently, we developed our on-premises tools over the ensuing year. This resulted in substantial cost savings, as on-premises security solutions are generally more economical than their cloud-based counterparts.

Fortify Software Security Center, often abbreviated as SSC, offers both an on-premises and cloud-based version. The cloud-based version is called Fortify On Demand or FOD. FOD is a popular choice for organizations that want a flexible and scalable solution, while the on-premises version is preferred by organizations that require more control over their security infrastructure. OpenText, the vendor of Fortify, offers various consumption models for its solutions. Users can pay per scan or opt for an annual subscription with unlimited scans. However, annual subscriptions can be expensive, with some organizations paying millions of dollars per year. Using the on-premises tools can provide significant cost savings compared to cloud-based solutions, but it also requires a dedicated team of IT professionals to manage and maintain the infrastructure. If an organization lacks the resources to manage on-premises tools, FOD is often the most affordable and robust solution available. In comparison, competitors like Synopsys and Checkmarx typically charge even more for their cloud-based solutions.

The Fortify portal is well-suited for managing and tracking risks associated with the open-source components used in our software projects. The increasing availability of open-source options has been beneficial. OpenText's acquisition of Debricked a couple of years ago has further enhanced its capabilities in this domain. They continue to utilize Sonatype within the FOD, providing customers with a choice. For existing Sonatype customers who have been using the tool as Micro Focus' and OpenText's partner for FOD for many years, continuing with Sonatype remains a viable option. However, for new users or those seeking an alternative to Sonatype, Debricked, now OpenText's open-source security tool, is an excellent choice, seamlessly integrated into FOD.

Utilizing Fortify to identify vulnerabilities has become remarkably effortless. Based on my experience, I've observed a significant increase in user satisfaction with the tool. Over the years, we've acquired several companies that initially held negative perceptions of Fortify, stemming from its previous reputation as a cumbersome and resource-intensive tool. However, with the introduction of FOD and the enhanced capabilities of the on-premises tools, we've witnessed a dramatic shift. The availability of lightweight on-premises tools, coupled with seamless IDE plugins for Visual Studio, Eclipse, and other intelligent IDEs, alongside integrations into Azure and Jenkins pipelines, has significantly empowered users to conduct self-service vulnerability scans in minutes, a stark contrast to the time-consuming hours it previously required.

Fortify enhances our vulnerability remediation efforts by providing more reliable results. Secure Code Warrior integration plays a significant role by providing developers with access to secure coding training, which I believe positions them better to identify and resolve issues promptly. Many companies lack access to this level of guidance and often rely on standard verbiage. I appreciate that users can leverage Secure Code Warrior's guidance for their Fortify findings. This capability is not offered by any other company in the space. Additionally, they have recently partnered with MAB to offer automated code remediation solutions. Automated code remediation means that if I'm a developer and Fortify identifies a vulnerability, instead of manually fixing it, MAB, their partner, can automatically resolve the issue by providing a prebuilt fix and incorporating it into our build pipeline.

Fortify enables our developers to build secure code from the beginning. I can speak with confidence that without Fortify, we wouldn't have fixed thousands of vulnerabilities, and it is helping to streamline that process for developers, whereas Many other security teams rely on traditional PAN testers, Fortify has given our developers the confidence to be able to find, fix, and remediate issues, and a fully self-service mechanism that few other companies have.

Both Fortify and Sonatype have excellent integrations with compliance frameworks such as GDPR, PCI, and DSS, providing comprehensive reporting capabilities that help us meet regulatory requirements. These integrations enable us to stay abreast of evolving regulatory requirements and ensure that our vendor partners promptly address any changes. For example, when the OWASP categories were updated two years ago, both Fortify and Sonatype quickly released support for the updated categories, allowing us to seamlessly update our reporting without delay.

Fortify mitigates risk exposure in applications by identifying vulnerabilities and weaknesses. It pinpoints all the issues that developers need to address and provides comprehensive guidance for remediation.

It provides robust details about the issues, along with comprehensive insights into what needs to be fixed. The ability to see all of the different versions in Sonatype results has been particularly helpful as an indicator.

Fortify's expansion into shift-left security for cloud-native applications has been an exciting development. I wasn't expecting them to venture into this area, but I'm pleasantly surprised by their progress. It appears that they are well-positioned to gain significant market share.

Fortify has helped free up our staff time for other projects by improving our automation capabilities. As a result, we have been able to significantly reduce our turnaround time for remediation tasks. This has allowed our developers to focus on more strategic initiatives, such as automation and engineering, instead of being bogged down with manual remediation work. We have saved over $40 million in headcount expenses by automating these tasks. It would have taken over 100 years to fix all of these issues manually, using our previous processes. In other words, Fortify has automated millions of hours of work, equivalent to the work of hundreds of thousands of people over decades. This is one of the most significant automation projects we have ever undertaken.

Identifying vulnerabilities using Fortify early in the software development life cycle has resulted in significant cost savings compared to discovering them later on. Fortify has enabled us to detect and remediate these types of issues at the beginning of the SDLC. As a result, we can prevent potential problems from reaching the production stage.

Fortify integrates seamlessly with other solutions, which is a significant advantage in our opinion. As I mentioned earlier, Synopsys has struggled with third-party integrations. In contrast, Fortify has taken the lead in collaborating with Secure Code Warrior, reconciled, and MOB to facilitate these integrations. This has allowed us to establish an ecosystem of solutions from various providers that are at the forefront of innovation.

We have integrated Fortify with Sonatype, Secure Code Warrior, and MOB. The integrations take no more than a few hours.

The Software Security Center, which is often overlooked, stands out as the most effective feature. This on-premises portal, included with their primary SaaS offering, streamlines the process of triaging our results. With thousands of daily active users, the Software Security Center serves as a centralized platform, consolidating results from various tools, including Sonatype, WebInspect's DAST results, and Pen Test findings from our internal team. This unified view eliminates the need for developers to log into multiple portals to access code vulnerabilities, open-source issues, web app scans, and Pen Test results. Instead, they can access everything they need from a single, convenient location.

Secure Code Warrior is an invaluable integration and partnership for us. Fortify consistently collaborates with top-tier companies to deliver cutting-edge solutions. For instance, if a developer encounters a common code vulnerability, such as a path manipulation vulnerability in their Java website, and is unsure of how to resolve it, Fortify provides some guidance and standard response protocols. However, for more in-depth information and assistance, they direct us to Secure Code Warrior. Upon providing information on the vulnerability type and language, Secure Code Warrior offers tailored training courses, such as how to fix path manipulations in Java-based applications. This remediation technique, which is unmatched by any other provider, has proven to be incredibly effective.

Fortify's software security center needs a design refresh. It has maintained the same design for the entirety of our five years of use, making it feel outdated compared to its FOD portal, which receives regular bi-monthly updates. This area is a prime candidate for improvement in the future.

Fortify needs to move to a more frequent release cycle Currently, they only release two updates per year, which is considerably slower than their peers, so I would very much like to see that improve.

I have been using Fortify Static Code Analyzer for five years.

Fortify Static Code Analyzer stability has improved and I would give it a ten out of ten.

The scalability of the Fortify Static Code Analyzer is a ten out of ten.

We have a weekly call with their technical support team. Their service has improved dramatically since they allocated a dedicated premium support team to us. We now have a point person who works closely with us to address our concerns.

The support itself is very good. They are always responsive and present, and they're willing to work with us on challenges. I would give them a ten out of ten for their responsiveness and presence. However, for issues that require product enhancement, I would give them a lower score. These issues often require us to wait for someone on their product team to implement something, which can be frustrating.

Positive

We have previously used Synopsys, Coverity, and Checkmarx. Fortify stands out for its comprehensive language support, which is a major reason for our satisfaction with their product. For example, Fortify is the only tool that supports mainframes and COBOL. It's encouraging to see their turnaround in this area, and they now support over 30 languages. Checkmarx excels in the design simplicity of its open-source integration in FOD, a new feature, and its cloud-native capability. Checkmarx boasts a sleek user interface that is highly intuitive for new users, while Fortify may require some time to get accustomed to. Coverity used to be a top contender, known for its accuracy and effectiveness. However, their quality and execution speed significantly deteriorated following the Synopsys acquisition. Synopsys has shifted some of its engineers to other projects, negatively impacting the quality of its Coverity product. Despite these drawbacks, Checkmarx remains a strong competitor to Fortify in terms of quality. While Synopsys invests heavily in marketing, its product no longer meets the standards of a robust enterprise tool.

Initial deployment of the SaaS SOD solution was straightforward to get started with. However, on-premises deployment took a bit longer. It took us several months to get that piece up and running.

The initial deployment required seven people.

We did work with a third party to help us facilitate the buildout. That third party was Saltworks Security.

Through our ongoing partnership with Fortify and their commitment to working closely with us, we have experienced a significant return on investment, with benefits ranging from ten to twenty times our initial investment. Additionally, the continuous introduction of new features over the years has further reinforced our assessment of Fortify's value.

From our standpoint, we are significantly better off with Fortify due to the favorable pricing we secured five years ago. I'm unable to comment on their current pricing; however, I am aware that switching to a different vendor like Checkmarx would result in considerably higher costs. It appears that we're paying a premium for the robustness of their design rather than being able to benefit from the pricing that was previously negotiated.

I would rate Fortify Static Code Analyzer ten out of ten.

It is incumbent upon any security leader to incorporate automation and self-service into any initiative, regardless of whether it pertains to identity and access management or software development security. The goal is to simplify security and make it an enabler rather than a hindrance. Organizations should strive to provide cybersecurity controls as intuitive solutions, not as complex configurations that require extensive effort to understand and implement.

We have close to 20 people who support Fortify full-time.

I recommend doing a POC and confirming that the automated integrations work for the organization before implementation.

We use the product as a SaaS analysis tool. We review static code. It allows you to find vulnerabilities.

The value that combining Fortify and Sonatype is that we use Fortify as a SaaS analysis tool. We review static code and Sonatype allows you to find vulnerabilities.

I use it as a security center. I review it for any kind of issues, whether for proof or to deny, the source code, the findings, and then the enterprise can go back and provide their recommendation for how to fix the issue. It is used to scan the code base.

As a security analyst, I like the management view. From there, you can review the code and review findings in order to approve, deny, or recommend. Their Software Security Center, which acts as a portal, is quite useful. It's a good overview. You can really see what's happening after you've developed something.

Fortify's AppSec testing is great for application portfolio inventory and project releases. It works both at a portfolio level and also at a project level.

They also give you the capability to click train of all your vulnerabilities that happened within Apache Crossroads support. You give them a history to keep track of them, how they've been developed, how they've been saved, to give you a way of tracking your issues and how they get resolved.

It's pretty easy to find vulnerabilities. Then, you go to the source. It is very good at tracking to see where the data or the issue enters into your source code so you can track it or go back to where it started.

Fortify helps remediate potential vulnerabilities by using more accurate, reliable results. They offer recommended remediation. I can go to the website tools to resolve issues and search for remediations. This helps our developers to build more secure code from the start.

It has reduced vulnerabilities. We've never had issues when we ran our scans. We're notified, and we're able to identify most of our vulnerabilities and fix them before anything goes to production. If you're running this on your CI/CD pipeline, notifications are in real-time.

The level of detail is very informative. It provides you with recommendations on how to fix items. And they provide you with other resources available for how to address the issues. You can also see the root cause.

It works well with cloud-native applications.

Fortify helped us to free up staff time since it helps us resolve issues faster.

It's helped us save costs as, if we catch a vulnerability faster, it's easier to fix than later.

Fortify and Sonatype help maintain compliance with the applicable regulations. We mostly use Sonatype for compliance and licenses. By combining both solutions together, it enables you to solve a lot of issues that may occur in the future.

It would be nice if they had a version suitable for single developers that could be more cost-effective and maybe faster to learn.

I've been Fortify for two or more years.

I've never had an issue with the solution crashing.

I've never had issues with scaling.

I've never had to contact technical support.

I was not involved with the initial deployment.

We only integrated the product with one other solution. It was easy to do so.

There is some general maintenance needed, such as adding or removing users and projects and things of that nature.

Their licensing is expensive.

I do not use the open-source components of Fortify. However, we use other tools for open-source stuff.

I'd advise people who are still using manual methods to find vulnerabilities to adopt some sort of scanner to cut the time spent by 100%.

I'd rate the solution ten out of ten.

I would advise other potential users that you need to make sure your source code can work with Fortify.