I primarily use Fortify to check for sensitive information disclosure in the source code and for identifying security vulnerabilities. These types of issues are scanned by Fortify.
Security tool identifies access token exposure while improvement needed in false positives handling
What is our primary use case?
What is most valuable?
Fortify helps me find serious issues, such as developers inadvertently leaving access tokens, including API access tokens, in the source code. Fortify is effective in identifying such oversights, making it a really helpful tool despite its problems. It is valuable in improving our overall security posture by catching significant errors.
What needs improvement?
There are frequent complaints about false positives from Fortify. One day it may pass a scan with no issues, and the next day, without any code changes, it will report vulnerabilities such as password exposure.
Additionally, it would be beneficial if Fortify could check for CVEs (Common Vulnerabilities and Exposures) in third-party libraries, which I currently use a separate dependency checker tool for. Implementing AI technologies for enhanced security testing would also be a positive development.
For how long have I used the solution?
This product has been used in my company for more than two years.
How was the initial setup?
We have a dedicated Fortify team, along with service teams with developers involved in the deployment process. It does not take longer than thirty minutes to deploy.
What other advice do I have?
Based on the experience of our company, I would recommend Fortify. It is helpful despite its problems, and I rate it as a seven out of ten.
It effectively detects serious security issues, adding to our confidence in using it as a vital tool in our processes.
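The finding class this reviewer describes (a live API access token committed as a string literal) and the false-positive complaint raised alongside it, as an added example that is not Fortify's code or the reviewer's: a minimal hardcoded-credential check that suppresses placeholder values and low-entropy strings, run over constructed source lines (the variable names, thresholds and sample values are assumptions).

```python
"""Added example: hardcoded-credential check with false-positive filtering.
Not Fortify's implementation; a small illustration of the finding class."""
import math
import re
from collections import Counter

# Variable names that suggest a credential is being assigned (assumed list).
CREDENTIAL_NAME = re.compile(
    r"(?i)(?:api[_-]?key|access[_-]?token|auth[_-]?token|secret|passw(?:or)?d|token)"
)
# A quoted string literal assigned to a name: name = "value" / name: 'value' / name => "value"
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_.\-]*)\s*(?:=|:|=>)\s*["'](?P<value>[^"']*)["']"""
)
# Dummy values and templating shapes that are clearly not live credentials.
PLACEHOLDERS = {"", "changeme", "password", "xxx", "todo", "example", "redacted"}
PLACEHOLDER_SHAPE = re.compile(r"^(?:<[^>]+>|\$\{[^}]+\}|\{\{[^}]+\}\}|%[A-Z_]+%)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score well above 4, words around 3."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    """True for dummy values and template references such as ${DB_PASSWORD}."""
    v = value.strip()
    return v.lower() in PLACEHOLDERS or bool(PLACEHOLDER_SHAPE.match(v))


def scan_source(text: str, min_len: int = 12, min_entropy: float = 3.5):
    """Return (line_no, name, reason) for each literal that looks like a real secret.

    Placeholder filtering and the entropy floor are what keep template values and
    repeated filler characters from being reported as credential exposure."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if not CREDENTIAL_NAME.search(name):
            continue  # not a credential-looking variable
        if is_placeholder(value):
            continue  # template or dummy value: not a disclosure
        if len(value) < min_len:
            continue  # too short to be an API token
        ent = shannon_entropy(value)
        if ent < min_entropy:
            continue  # filler like "aaaaaaaa": almost certainly not a live secret
        findings.append((line_no, name, f"entropy={ent:.2f}"))
    return findings


# Constructed sample source; the token value is made up, not a real credential.
SAMPLE_SOURCE = """\
# constructed sample, not real credentials
API_KEY = "kq9Zx2Lm7vRt4Wn8Pc1Yb5Hd3Jf6Gs0A"
password = "changeme"
db_password = "${DB_PASSWORD}"
access_token = "<your-token-here>"
auth_token = "aaaaaaaaaaaaaaaaaaaa"
timeout = "30"
"""

if __name__ == "__main__":
    for line_no, name, reason in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} looks like a hardcoded credential ({reason})")
```

Only the API_KEY line is reported; the four other credential-named assignments are filtered as placeholders or low-entropy filler, which is the kind of suppression the reviewer wants from the tool.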
Source code analyzer, FPR file generation, reduction of false positives and generates compliance reports, for in-depth analysis
What is our primary use case?
Fortify On Demand is a cloud-based service/software-as-a-service model. Fortify On-Prem, which I have implemented, is an on-prem service where the customer provides the server infrastructure, and then Fortify On Demand comes fully implemented out of the box.
But you're still able to connect all of your Git repositories and your build environments like Maven and Gradle and all these different build environments, even like Jenkins that customers are using. It's fully connected either whether it's on-prem or cloud, and then you can do a full scan analysis of your security posture.
SAST and DAST scanning. Dynamic application scanning as well as static application scanning. So that would be websites, and you can do an audit and crawl scan of your web-based or web-facing applications, and then also scan your source code of your static application code.
How has it helped my organization?
The source code analyzer is the actual tool. It's the engine that sits behind Fortify. And this engine or this intelligence is within your tools. So, the great thing about Fortify is that you have plugins for your build environment. So when you're building and executing that code, you can scan that code at that interval. You can shift left. The commonality is that you want to shift left. You want to find threats early in production, as early as before it actually goes into production. It saves money that way, so you don't have to recode or reinvent your entire architecture.
We also have plugins for your actual interface. We call them IDEs. It's the interface where the developer will actually code and write programs. So from there, the source analyzer will give an analysis, and the developer can fix the code.
Then the second gateway that we have is our plugins work in both environments. So when the developer has written and remediated and fixed some of the issues, in the build environment, when he's testing his code, when it's actually running the application, the Source Code Analyzer will then analyze it again, and then there can be remediation. The code can be fixed.
We even have a tool called RASP, which is a tool that works in production. So even when your code is now being published, it's now an actual application, it's a live application, we have a RASP tool also in Fortify that also further on, in real-time, will scan and do an analysis of your code to find any zero-day attacks or threats or emerging threats. And then, again, from the dashboard interface, you'll be able to remediate.
And you can also do on-demand, we build AI Audit Assistance 2.0. It's the GEM 2.0 tool that we now have in Fortify that uses artificial intelligence where you can set thresholds. You can set a score to say that if I am sure, or if the system is sure with absolute certainty, with 90% accuracy, there is, in fact, a threat or a high risk; it will find those vulnerabilities and give you a score.
So, what it does is actually reduce the time spent on false positives. When you have false positives, you have to scrutinize all of them. We've got a lot of new technologies and methods within Fortify that allow us to reduce the false-positive rate that you generally find with scanning tools because we're using artificial intelligence as well as the source code analyzer tool. All of this has been built over years and years of development and research, and it actually gives you a better rate of reducing false positives, and you can then remediate actual threats. So, the tool has a lot of value.
The reduction of false positives is in the region of 98% or more. We now have even a new tool or AI product line called Aviator. So Fortify, OpenText Fortify now harnesses the power of artificial intelligence within the architecture, which will reduce your false-positive rate and actually give you scores on actual threats that it finds. Then, the threats and the threshold scores, the threats that are not seen as a low risk or a medium risk, can still be tended to.
So, it doesn't exclude the thresholds. It will still give you a full analysis, but it will, with surety and with the correct analysis, give you the threats that do matter, the threats that you do need to tend to immediately.
By doing this, you also reduce the time to threat response because in cybersecurity, your time to threat response is very important. You need to ensure that you detect the threats early and that your response time is also very quick to reduce any business impact or downtime to a business. So, this is where Fortify really excels with all the new technology and artificial intelligence metrics that we have within our architecture.
What is most valuable?
The source code analyzer is the most effective for identifying security vulnerabilities. It is the engine or the artificial intelligence behind the scanning engine that does the actual analysis of the data, and they then create an FPR file. This FPR file can then be further analyzed and tested at ScanCentral, which is your centralized dashboard for security auditing and remediation.
So from there, once you've got the artifact or this file, which is created from scanning all of your applications, it gives you a comprehensive overview of the vulnerability scores or the bug densities of your code, and then you can further analyze and test those codes and draw reports from ScanCentral.
So, these reports are against the OWASP Top ten. So you've got different reports that will give you a detailed analysis of your scan data, and it also does it in a dashboard format. So you then get a comprehensive report, and you can also draw a developer's workbook report, which you can send to developers where they actually have a bird's eye view or code-level view of the vulnerabilities and the recommendations are made by Fortify on how you can remediate those threats or vulnerabilities.
And you can then improve your bug density and scores, and you can also do that from the dashboard interface. You can also remediate and within the dashboard, change your score. So you have the dashboard, which gives you a comprehensive overview across all the applications. Also, as you remediate and fix your code, the dashboards update your scores, and then you have a view, and you can control your bug densities across all of the applications once you've onboarded each and every application. And that's across all your DAST and SAST applications. And this is on a centralized dashboard.
Fortify is constantly improving. Their tools and their interfaces are modernized with every new feature or every new version. I constantly see improvements by OpenText. OpenText is very intuitive. They're also implementing a lot of new AI capabilities with the NerdTools, which I think is remarkable.
What needs improvement?
Not challenges with the product itself. The product is very reliable. It does have a steep learning curve. But, again, one thing that Fortify or OpenText does very well is training. There are a lot of free resources and training in the community forums, free training as well as commercial training where users can train on how to use the back-end systems and the scanning engines and how to use command-line arguments because some of the procedures or some of the tools do require a bit of a learning curve.
That's the only challenge I've really seen for customers because you have to learn how to use the tool effectively.
But Fortify has, in fact, improved its user interface and the way users engage the dashboards and the interfaces. It is intuitive. It's easy to understand.
But in some regards, the cybersecurity specialist or AppSec would need a bit of training to engage the user interface and to understand how it functions. But from the point of the reliability index and how powerful the tool is, there's no challenge there. But it's just from a learning perspective; users might need a bit more skill to use the tool. The user interface isn't that tedious. It's not that difficult to understand. When I initially learned how to use the interfaces, I was able to master it within a week and was able to use it quite effectively.
So training is required. All skills are needed to learn how to use the tool.
I would like to see more enhancements in the dashboards. Dashboards are available. They do need some configuration and settings. But I would like to see more business intelligence capabilities within the tool.
It's not particularly a cybersecurity function, but, for instance, business impact analysis or other features where you can actually use business intelligence capabilities within your security tool. That would be remarkable because not only do you have a cybersecurity tool, but you also have a tool that can give you business impact analysis and some other measurements. A bit more intelligence in terms of that from a cybersecurity perspective would be remarkable.
For how long have I used the solution?
I've been working with Fortify On Demand for two years.
What do I think about the stability of the solution?
I would rate the stability a ten out of ten. It is very stable.
What do I think about the scalability of the solution?
It is a very scalable solution. Our customers are in banking and insurance. It's currently used by some of the major US banks. So, a lot of our clients are in the banking, insurance, and services industries.
I would rate the scalability a ten out of ten. It is suitable for medium to large businesses.
How are customer service and support?
Customer support is amazing. They've got community forums, customer resources, a lot of free resources, and their premium support is very effective. So they have proper support internationally. They've been very good.
How would you rate customer service and support?
Positive
How was the initial setup?
Fortify on Demand is fully functional and fully integrated with an open-source analysis tool that's fully integrated with Fortify on Demand. So, Fortify on Demand is easy to use. It's intuitive. No implementation or training is required.
Fortify on-prem requires a bit of work, but I was able to set up, in a lab environment, the controllers, the scanners, the architecture, and all of the different servers in a virtualized environment. You could set it up quite relatively easily without requiring major training because the user guides are very easy to follow. I've set up lab environments within an hour.
So you could literally set up your entire on-prem Fortify solution within an hour because it is a very simple process to follow. The setup, installation, and configuration of the files are not that difficult to do. So you could effectively do it within an hour. You could set up the entire environment.
I would rate my experience with the initial setup an eight out of ten, where ten is easy and one is difficult.
Cloud and on-prem. So it's hybrid. There are three tiers for the deployment model. You can do Fortify on Demand, which is a fully functional system on the cloud. Fortify On Prem, which is a system where your Fortify system is installed on client servers or on-premises. And then hybrid would be a combination of both services where you have some implementation with the client and some in the cloud.
What about the implementation team?
I am the implementer.
What was our ROI?
Fortify on Demand improved the overall security posture of our customers. Fortify on Demand has reduced not only bug densities but also their attack surface quite drastically. And it's in real-time because it's got real-time dashboards, and their security teams are more proactive. It's a lot easier for them to implement their security mechanisms and gateways because Fortify allows that. I have seen a dramatic reduction in bug densities and incidents. So, a major reduction in security incidents as a result of using Fortify.
What's my experience with pricing, setup cost, and licensing?
In comparison with other tools, they're competitive. It is not more expensive than other solutions, but their pricing is competitive.
The licenses for Fortify On Demand are generally bought in units. So it's scalable in terms of pricing. It's tailored for the customer in terms of the amount of units the customer requires or the number of applications or users that the customer will onboard onto the system. So it is scalable in that regard.
What other advice do I have?
As an expert, a lot of what I've seen in the tool is to use the principle of defense in-depth. Because that is the objective of Application Security, Fortify. Customers often need to look at their current security architecture, security gateways, rules, and policies.
The best way to utilize Fortify is to shift left, to use all of the tools and plugins that Fortify has throughout the SDLC process, to use the IDE tools, including the board tools, to use all of these respective tools together. And to shift left, to start from the IDE perspective, before source code even goes into production, before it even reaches a build environment. It is to reduce bug densities by shifting left. Use Fortify to get your bug densities and your security or your attack surfaces to reduce it by shifting left from inception, before the code is even written. They can scrutinize, go into Fortify tools, analyze them, and progressively test your code using all the tools that Fortify provides.
A lot of customers already use their own tools and their own third-party tools. It's best to use one security architecture. So for instance, rather use Fortify with Brakeman and RASP, use the Fortify suite of tools as your one architecture instead of using several third-party tools. It's always good to centralize your security architecture and use one architecture for your entire security posture instead of using different tools. Fortify has all the capabilities to centralize your security attack methodology.
So, your attack surface comes from different perspectives. It comes from an open-source code perspective. So you've got open-source code. You have proprietary code. You have repositories. You have different places where your code is, even in Azure. We even have a plugin for Azure. The point is to use all of the capabilities of Fortify as your central tool instead of using disparate tools that do not integrate with Fortify, that do not work with Fortify. It's always good to have one solid architecture as opposed to multiple disjointed tools.
Overall, I would rate it a ten out of ten. I've used several technologies and tools, even open-source or free tools, over the last fifteen years. In my opinion, from the perspective of the many tools used and other competitors, I have found Fortify to be the most reliable. They kind of align with my principles and the principles of cybersecurity specialists with defense-in-depth and shifting left. Because those are very important principles to me. And also confidentiality, integrity, and availability. They align with all of those pillars and building blocks of cybersecurity.
Which deployment model are you using for this solution?
Useful for security code scans but needs to work on the false positives
What is our primary use case?
I use the solution in my company for security code scans.
What needs improvement?
The product has a lot of false positives. If the outputs can have fewer false positives, then that will be the greatest benefit the tool can offer.
For how long have I used the solution?
I have experience with Fortify on Demand. I manage the product in my company.
How are customer service and support?
The solution's technical support is okay and not outstanding.
Which other solutions did I evaluate?
It is a costly process to evaluate tools.
What other advice do I have?
I rate the tool a six out of ten.
A user-friendly solution for static code analysis
What is our primary use case?
We use the tool for static code analysis.
What is most valuable?
The solution is user-friendly. One feature I find very effective is the tool's automatic scanning capability. It scans replicas of the code developers write and automatically detects any vulnerabilities. The integration with CI/CD tools is also useful for plugins.
The tool's AI feature analyzes security threats and recommends updating the code accordingly. One major issue that AI detected for us was logging issues and hardware vulnerabilities. Fortify On Demand identified these, allowing our developers to address and fix the issues.
What needs improvement?
Fortify on Demand needs to improve its pricing.
For how long have I used the solution?
I have been working with the product for two years.
What do I think about the stability of the solution?
I rate Fortify on Demand's stability an eight out of ten.
What do I think about the scalability of the solution?
I rate the tool's scalability an eight out of ten. My company has around 25 users.
How was the initial setup?
The initial setup experience with Fortify On Demand was straightforward for us. We installed the plugin and integrated it with our existing tools and logins. There was no need for configuration or setup—it was quite simple. The deployment time varies based on the code complexity. Once vulnerabilities are identified, the support team provides the necessary fixes.
What's my experience with pricing, setup cost, and licensing?
Fortify on Demand is more expensive than Burpsuite. I rate its pricing a nine out of ten.
What other advice do I have?
We use Burpsuite for dynamic code analysis. Fortify on Demand is a good tool for static code analysis. I rate it a nine out of ten.
Which deployment model are you using for this solution?
Identifies critical vulnerabilities and offers good scanning capabilities
What is our primary use case?
I have used Fortify on Demand for security scanning, along with outsourcing to companies that scan our systems and report vulnerabilities. My work has involved securing our APIs and systems.
We use Fortify across all stages of the environment: development, test, and production. We even use it for disaster recovery.
Whenever we deploy our Jenkins pipelines, the system automatically scans our Git repository to fix security vulnerabilities. All the security vulnerabilities are then created as tasks in Jira, so we can fix them as quickly as possible.
How has it helped my organization?
We have added it to our operational toolkit to ensure it's part of our development spectrum. We added it directly into our Jenkins pipelines.
We have some products that are publicly accessible via phone or website. These products need to be extra secure because they rely on firewalls, and hackers could potentially exploit them. Fortify on Demand provided us with valuable information on how to fix a critical API vulnerability.
So, Fortify on Demand identifies critical vulnerabilities. We have two security scans. One is Fortify on Demand, and the other is for an outsourced company. For Fortify, you assign the specific branch of code you want to scan. You can scan the code you're currently deploying through Jenkins pipelines. Since it's external, you can also scan other brands if needed. Otherwise, you can specify which specific brands or smaller branches to scan within your entire codebase.
What is most valuable?
The scanning capabilities, particularly for our repositories, have been invaluable.
What needs improvement?
There is room for improvement in the integration process, especially with the pipeline system, which could be streamlined. Making changes and configuring it for different systems, like desktop environments, is challenging.
For example, Jenkins integration was hard.
Improving the ease of integration would be beneficial.
For how long have I used the solution?
I have been using it since July.
What do I think about the stability of the solution?
It has been a stable solution for me.
What do I think about the scalability of the solution?
For me, it has been scalable enough.
What was our ROI?
It provides good security. It is a backbone for our security needs. So, that's the biggest benefit for us.
What's my experience with pricing, setup cost, and licensing?
There is a licensing model in place.
What other advice do I have?
Overall, I would rate the solution an eight out of ten. I would recommend using it.
Which deployment model are you using for this solution?
Works as a comprehensive security testing tool with an easy upgradation process
What is our primary use case?
The primary use case for Fortify On Demand in our environment revolves around its critical role in sales and desk operations. It helps identify application vulnerabilities from both a source code and web perspective. It directly detects issues such as SQL injection in the source code. It conducts website scans with customizable configurations to examine potential risks and vulnerabilities, which is crucial during software development. We can avoid risks before moving to the production stage.
What is most valuable?
One of the most valuable features of Fortify On Demand is its ability to integrate seamlessly with the DevOps lifecycle, particularly in terms of security testing. Injecting security testing into the DevOps process ensures that security measures are incorporated from the development stage onwards. It aligns with the main objective of DevOps, which is to automate and streamline the software development lifecycle, from code commit to deployment. With automation tools orchestrating the pipeline, tasks such as code compilation, testing, and deployment can be carried out rapidly and efficiently. This results in faster time-to-market for features, reducing deployment times from hours to minutes. It enhances trust from customers and cybersecurity teams, as security measures are built into the software from the outset, increasing confidence in the security.
What needs improvement?
They could provide features for artificial intelligence similar to other vendors like OpenText products.
For how long have I used the solution?
We have been using Fortify on Demand for about three years.
What do I think about the stability of the solution?
I rate the platform's stability as seven out of ten.
How was the initial setup?
The initial setup is complicated. It takes around four to five hours to complete, including installation and scanning. I rate the process a seven out of ten.
What was our ROI?
Fortify On Demand is not highly expensive. It provides options for the number of scans and tests for the on-premise version. The customers utilizing hardware must install the tool for cost-effectiveness and high availability.
What's my experience with pricing, setup cost, and licensing?
The product's cost depends on the type of license. The on-premise licenses are more expensive than the cloud subscriptions. I rate the pricing a six out of ten.
What other advice do I have?
I rate the platform's accuracy for detecting vulnerabilities an eight and a half out of ten. By utilizing Fortify as a comprehensive security testing tool, financial institutions operating at high-security levels gain confidence in the security posture of their applications. It helps deploy and track changes easily as per time-to-time market upgrades.
I advise new users to learn about new features introduced in the last two years. I rate it a nine out of ten.
Great Product
Review from Micro Focus Fortify app
There is no major drawback about this tool.