We use it to scan the bank's applications systematically. This process aims to identify and address security vulnerabilities within the applications, ensuring the robustness of our security measures.

It stands out by generating fewer false positives which has a distinct advantage, as it translates to reduced remediation efforts, requiring less human resources and cost. The tool provides more accurate feedback to the development team, allowing them to focus their efforts on addressing genuine vulnerabilities efficiently.

I appreciate all the features, with a particular emphasis on their vulnerability scanner. For instance, in our environment where two-factor authentication is prevalent across many of our sites, the scanner efficiently identifies vulnerabilities, including those related to second-factor methods or mobile codes. What stands out to me is the user-friendliness of each feature. Given that we're a bank with multiple applications, having the flexibility to customize solutions according to the unique needs of each application is crucial.

It would be highly beneficial if Fortify on Demand incorporated runtime analysis, similar to how Contrast Security utilizes agents for proactive application security. This could enhance the solution significantly. Moreover, considering the evolving threat landscape and the inevitability of zero-day vulnerabilities, implementing mechanisms like heuristic approaches would be advantageous. By incorporating heuristic algorithms or leveraging artificial intelligence, especially in the form of behavioral analysis akin to network security practices, Fortify could evolve into a more resilient solution. This could involve heuristic analysis for source code, the introduction of AI-driven processes for enhanced security, and the identification of security hotspots.

In this company, I have been using it for three months.

When it comes to stability, I haven't observed any issues such as crashes or performance issues during the scanning process. I would rate it ten out of ten.

I would rate its scalability capabilities nine out of ten. Our approach involves a centralized team, and we conduct scans across all applications within UBS. Throughout my experience, we've successfully scanned 150 applications.

The ability to install software often depends on individual circumstances. In my case, coming from a security background, the machines provided in our company are typically set up by the network or DevOps team.

Despite being on the higher end in terms of cost, the biggest value lies in its abilities, including robust features, seamless integration, and high-quality findings.

We were considering upgrading to the enterprise level, given the need for a robust solution in the banking environment. During this evaluation, we compared Netsparker, Burp Suite, and Fortify. After conducting a proof of concept (POC) that involved testing APIs, websites, and infrastructure arrangements, we presented our analysis to management. Ultimately, Fortify was selected as the preferred choice.

With over 12 years in application security, I've consistently observed the adoption of Fortify in major organizations like Cognizant, Barclays, and Credit Suisse. Across large banks in Europe, Fortify has established a reputation for reliability and effectiveness. Drawing on my experience, I am confident that organizations with clear problem statements and no budget constraints will find Fortify to be a comprehensive solution. Its technical capabilities and features align well with the diverse needs of large organizations in the banking sector. Overall, I would rate it ten out of ten.

We use the solution to scan our software. We scan it at every build. We run the scans and read the reports.

The solution is very fast.

The products must provide better integration with build tools. In SonarQube scans, the pull requests are decorated. I don't know if it is a missing integration or a limitation, but I don't see the same feature in Fortify. The developer must be able to see whether the build has failed. I would like the pull request to be decorated like SonarQube. It's just not the same experience with Fortify.

I have a problem with the Java version because our projects now use OpenJDK 7 or 17, but the scan still requires JDK 1.8. It is a problem for me, and I don't know how to change it.

I have been using the solution for a couple of months.

The tool is stable. I have no problem with it. I rate the stability a nine out of ten.

My team has started using it recently. I rate the tool’s scalability a nine out of ten. We don't have any issues whatsoever.

My organization has been using the solution for at least four years. I don’t deal with technical support directly. I would recommend the solution to others. We are dealing with some issues with the report.

The reports might be meaningful, but they sometimes do not match the situation. We cannot really deal with them. We don't know if they are false positives or if they're simply not relevant because they concern vulnerabilities in the development cycle and not in the production operations. It is sort of a mystery. Overall, I rate the tool an eight out of ten.

We used Fortify for static code analysis, dynamic security testing, and both white box and black box testing. We applied these scanning methods to our business-critical applications such as Temenos (T-24), which was our core banking application. 

Additionally, other business-critical applications like Murex and various applications in trade finance or treasury security services also rely on Fortify.

Our CSD team used multiple tools for different scenarios. When dealing with sophisticated threats or vulnerabilities, manual analysis was necessary alongside Fortify's machine-based analysis. So, in handling complicated vulnerabilities, we couldn't rely on just one tool. Multiple tools were required. One such tool was OS Zap Proxy. We integrated Zap Proxy with Fortify, and this integration proved quite useful. Instead of relying solely on Fortify's dashboard, we integrated it with other tools, which made more sense. The security analysts, up to the level of the CSO, wouldn't rely only on a single dashboard. They used multiple tools to detect and work on vulnerabilities across various platforms and products. Fortify seamlessly integrates all these aspects.

Temenos's (T-24) info basic is a separate programming interface, and such proprietary platforms and programming interfaces were not easily supported by the out-of-the-box versions of Fortify. Although Fortify already supports around 25 programming languages, during our evaluation, we found it lacking in terms of support.

So Fortify on Demand doesn't support all programming languages. Additionally,  automating everything from the pipeline, which means the build will stop if any single vulnerability is found by their particular tool during the scan.

Fortify has been with our bank since its inception in 2008.

Fortify is very reliable and doesn't experience frequent crashes. It provides a stable and dependable tool for our needs.

It is a quite scalable product. We can start small with single instances and gradually scale up with multiple instances. This scalability aspect is similar to SonarQube as well. 

When the scan load increases, we reach a threshold where we may need to purchase additional resources or adjust our pricing brackets. For instance, if I exceed one million lines of code, there might be an extra cost or a change in the pricing bracket. 

However, the cost we see initially is different and covers up to one million lines of code. Overall, it's quite manageable to handle the loads we encounter.

Whenever required, we have reached out to the technical support team. Our architecture team thoroughly evaluated Fortify along with our stakeholders. We always prioritize leveraging our existing applications from an inventory of over 340 applications, rather than opting for new ones. 

When we onboarded Fortify in 2008, we had other choices for tools and products as well, but we didn't choose them. This decision was made by the cybersecurity defense team, who are the primary users of the product. 

They were satisfied with Fortify, and we didn't require extensive support. However, whenever needed, we can rely on the support included with the license.

I am the architecture manager, and my team evaluated and onboarded Fortify based on reviews and evaluations from GQ, Peerspot, Gartner, and even Forrester.

During the setup process, we had concerns regarding the cost. From the CSD perspective, Fortify was not very cost-friendly. The CSD has a separate budget and reports directly to the CEO and CIO. We had to consider our budget limitations because we have been leveraging Fortify since the bank's inception in 2008. Although we have utilized it extensively, the cost appeared higher compared to SonarQube. Hence, we decided to go with SonarQube. However, I must say that Fortify offered a lot of value.

It was quite manageable to maintain. We have a dedicated team that supports Fortify in production. So, it was quite manageable. 

We have a support team consisting of around five or six engineers, specifically CICD engineers from the platform support team. They handle the deployment and maintenance tasks. 

For version upgrades, the team takes care of it as and when needed. Additionally, if there are any junior members required, they assist in the maintenance process. The primary user of Fortify is the CSD team. 

We were on a subscription-based model. The subscription was expiring in December 2022, and we have decided not to renew it for this year.

We are already decommissioning Fortify and have already implemented SonarQube. We are currently using SonarQube Enterprise. 

Fortify on Demand was utilized for a considerable period. However, we have now transitioned away from Fortify on Demand. It was primarily used by our CSD team, the cybersecurity defense team at the bank. 

Initially, we performed penetration testing and vulnerability assessments within the Fortify platform. However, we have since implemented a DevSecOps pipeline in partnership with Red Hat. Currently, all testing, including penetration testing and vulnerability assessments, is automated within the pipeline. The pipeline runs on Tecton, enabled on the OpenShift site. 

Therefore, any tool we use, be it Fortify or SonarQube, must be integrated into that pipeline. This approach has addressed most of the pain points we faced previously. Consequently, we are satisfied with SonarQube's performance now.

Fortify on Demand only offers static analysis and lacks dynamic security testing capabilities. However, if it's integrated into the pipeline, we can incorporate another tool for dynamic security testing. This was not possible with Fortify alone. 

Additionally, Fortify has limited programming language support compared to SonarQube. The recent global launch of SonarQube in the GA version expanded its support for various programming platforms, such as CSM and .NET on the Java side, among others. 

In our bank, we use T24 as our core banking system, which relies on a proprietary programming language called Infobasic. SonarQube also supports this language. When we place the code into the pipeline and perform builds, including the repository, we scan the entire codebase, including Infobasic code for the banking application. In summary, SonarQube offers broader programming language support. Previously, we only scanned other business-critical applications, but now we can scan our most critical banking application, T24, using SonarQube.

Fortify has excellent support for various programming languages. Each bank may have its own core banking applications with proprietary support for different programming languages. This makes Fortify particularly relevant and advantageous in those cases. This advantage may not be present in SonarQube. 

Additionally, if a feature is not offered out of the box, Fortify allows customization, providing flexibility. Apart from dynamic security testing, Fortify is reliable for generating and distributing v-scan reports to multiple stakeholders, making it less of a hassle for the CAC team as most tasks are automated.

I would rate Fortify on Demand as an eight.