OpenText Fortify Static Code Analyzer Pros and Cons

Fortify SCA is having large Technologies Stack support, It supports more then 34+ Languages for Static Analysis. And also he is having huge integration capabalities with other third party tools. Review collected by and hosted on G2.com.

It gives few False Positive, which i didnt liked, But to manage false positive, we can make use of feature called, ignore teh issues, where once it is ignored, then it wont be availabe in furthr scans. Review collected by and hosted on G2.com.

Fortify is an excellent code analyzer. Its plugins are handy as compared to other solutions. It can quickly and accurately identify errors. We can efficiently address critical errors and warnings. It can scan the code in real time. Fortify Static Code Analyzer is handy for CI/CD programs. We can resolve the issues quickly at the development level. It is efficient and time-saving also. It can be easily integrated with Android Studio, Visual Studio, IntelliJ, etc. Fortify Static Code Analyzer notifies us on time if there are any security leaks. All the features are very beneficial once you know their proper functionalities, Review collected by and hosted on G2.com.

The price of Fortify Static Code Analyzer is a bit high. Also, sometimes we can face troubleshooting issues. Other functionalities can also be improved to make it more handy and easy to use. Review collected by and hosted on G2.com.

Fortify has been the first choice for doing secure (static) code analysis for many years because

1. Languages support - it supports both legacy and modern development languages.

2. Deployment Model - on-prem, cloud, Security as a service (FOD)

3. Technical support - Fortify not only helps the new onboarded customers with detailed documentation but also provides good trainings Review collected by and hosted on G2.com.

There is a native issue of false positives with all the SCA tools. Which somehow decreases the value and increases the turn around time for finding the exact true positives Review collected by and hosted on G2.com.

Friendly and Efficient Integrations - IntelliJ, VS, Android Studio, etc. Organized Dashboard and their absolutely wonderful reporting platform. It really helped us achieve our compliance goals! Review collected by and hosted on G2.com.

Fortify should develop a DAST setup as well, this would really marginalize our input and time efficiency. Review collected by and hosted on G2.com.

Exact pinpointing of issues in code and suggestions to fix them. Review collected by and hosted on G2.com.

bit costly, also bit difficult to set up at intial. Review collected by and hosted on G2.com.

It shows how to fix the vulnerable code. Review collected by and hosted on G2.com.

i did not find the automatic way to create the projects. Review collected by and hosted on G2.com.

Ease of using, deployment in CI/CD & the custom ruleset/report creation. Review collected by and hosted on G2.com.

Heavily depends on JRE configs, which makes compiling & running slower. Review collected by and hosted on G2.com.

Wide range of programming language support, Ability to generate FPR files from CICD pipelines, Externalization of scans into another server for performance reasons. Review collected by and hosted on G2.com.

Slow at times to complete at large number of files in a heavy software. Review collected by and hosted on G2.com.

I like fortify to scan source code in deply. It will compile the code and find the vulnerabilities. No others tools compile the code scan. Most important thing is result. It will find all critical issues. Review collected by and hosted on G2.com.

Sometimes it will show more duplicate issue. Developer should work on this and resolved it. Review collected by and hosted on G2.com.

It is an on-prem solution and is compatible with most of the commonly used languages. It can get the scan results verified by an audit assistant that will further reduce the false positives. Very easy to install and can be deployed over windows or Linux machines. SSC module can be utilized for better reporting and tracking. Furthermore, it can be integrated with CI/CD pipelines for automated assessments. Review collected by and hosted on G2.com.

Reporting can be me more intelligent, and false positives are little on the higher side. Review collected by and hosted on G2.com.