Fortify on Demand

Fortify on Demand delivers robust application security solutions.

Basic information

Fortify on Demand is a cloud-based application security testing service, delivered as Software as a Service (SaaS), offered by OpenText (formerly Micro Focus). It provides a comprehensive suite of security testing tools, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Mobile Application Security Testing (MAST), and Software Composition Analysis (SCA). The service is designed to identify vulnerabilities in software applications throughout the software development lifecycle.

  • Model/Version: Continuously updated SaaS. Recent versions include 23.2 (July 2023) and 25.2 (April 2025).
  • Release Date: Continuous updates; major releases occur periodically, such as 23.2 in July 2023 and 25.2 in April 2025.
  • Minimum Requirements: Primarily client-side browser access and internet connectivity for the portal. Integration tools have their own system requirements.
  • Supported Operating Systems: For mobile application testing, it supports iOS up to version 15.7 and Android up to API level 32 (Android 12), including native architectures ARMv7 and ARM64. Client access is browser-based, supporting modern operating systems.
  • Latest Stable Version: As a SaaS, the service itself is continuously updated. The latest announced service update is 25.2 as of April 2025.
  • End of Support Date: For the SaaS offering, support is continuous. Specific underlying components or integrated on-premise tools may have defined end-of-support dates (e.g., Fortify Static Code Analyzer 23.2 committed support ends December 31, 2025).
  • End of Life Date: Not applicable for the continuous SaaS offering.
  • Auto-update Expiration Date: Not applicable; the SaaS platform receives automatic updates.
  • License Type: Subscription-based, typically purchased in "assessment units" or per application/developer, offering flexible consumption.
  • Deployment Model: Cloud-based (Software-as-a-Service). Hybrid deployments are also possible, integrating with on-premise components.

Technical Requirements

As a cloud-based service, Fortify on Demand primarily requires client-side access for users and integration capabilities for development environments. It does not have traditional server-side hardware requirements for the end-user.

  • RAM: Not specified for client access; depends on browser and operating system.
  • Processor: Not specified for client access; depends on browser and operating system.
  • Storage: Not specified for client access; depends on browser and operating system.
  • Display: Minimum 1024 x 768 resolution for web portal access; 1280 x 1024 recommended.
  • Ports: Internet connectivity is required. For dynamic application security testing (DAST), the customer application under test must be reachable by remote testers on port 80/443.
  • Operating System: Compatible with any operating system that supports modern web browsers for portal access. For mobile application testing, it supports iOS (up to 15.7) and Android (up to API level 32/Android 12) native architectures (ARMv7, ARM64).
  • Browser: All modern browsers are supported for accessing the Fortify on Demand portal.
  • Integration Requirements:
    • APIs for headless AppSec programs and custom integrations.
    • CI/CD plugins for Jenkins, Azure DevOps, and other build environments.
    • IDE integrations for Visual Studio and IntelliJ for real-time feedback to developers.
    • FoDUploader utility for uploading code from build servers.

Analysis of Technical Requirements

The technical requirements for Fortify on Demand are minimal for end-users, primarily revolving around standard internet access and modern web browser compatibility. This reflects its SaaS delivery model, which offloads infrastructure management to the provider. The more significant technical considerations lie in integrating the service into existing development and DevOps pipelines, requiring API knowledge and plugin configurations. This approach enables broad accessibility while providing deep integration capabilities for automated security testing. Mobile application testing has specific OS version and architecture support, which is standard for such specialized analysis.

Support & Compatibility

Fortify on Demand offers comprehensive support and broad compatibility through its cloud-native architecture and extensive integration ecosystem.

  • Latest Version: The service is continuously updated, with the latest announced update being 25.2 as of April 2025.
  • OS Support: Browser-agnostic for the web portal. For mobile application testing, it supports iOS up to 15.7 and Android up to API level 32 (Android 12).
  • End of Support Date: As a SaaS, the service is continuously supported. Underlying Fortify components or integrated on-premise solutions may have specific end-of-support dates, such as Fortify Static Code Analyzer 23.2, which has committed support ending December 31, 2025.
  • Localization: Support is available globally through regional contact points (Americas, Europe, Middle East & Africa, Asia Pacific).
  • Available Drivers: Not applicable for a SaaS. Integrations are managed via APIs and dedicated plugins for various development tools and CI/CD platforms.

Analysis of Overall Support & Compatibility Status

Fortify on Demand demonstrates a strong overall support and compatibility status. Its SaaS model ensures continuous updates and eliminates the need for users to manage software versions or drivers. A dedicated support team, including Technical Account Managers (TAMs), is available 24/7, complemented by self-service resources. The platform's compatibility is broad, extending to various mobile operating systems for testing and integrating seamlessly with popular CI/CD tools and IDEs via APIs and plugins. This robust ecosystem allows organizations to embed security testing throughout their Software Development Lifecycle (SDLC) regardless of their existing technology stack.

Security Status

Fortify on Demand is designed with a strong focus on application security, offering a multi-faceted approach to vulnerability detection and management.

  • Security Features:
    • Static Application Security Testing (SAST) for source, binary, or byte code.
    • Dynamic Application Security Testing (DAST) for web and API applications, mimicking real-world hacking techniques.
    • Mobile Application Security Testing (MAST) covering client, network, and backend APIs.
    • Software Composition Analysis (SCA) for identifying open-source components, vulnerabilities, and license details.
    • Expert review and manual analysis to reduce false positives and provide quality assurance for scan results.
    • Vulnerability management with detailed reports, remediation guidance, and issue tracking.
    • Continuous feedback to developers for secure code development.
    • Real-time threat intelligence updates.
  • Known Vulnerabilities: The service itself is designed to identify vulnerabilities in customer applications. Information on specific vulnerabilities within the Fortify on Demand platform is not publicly disclosed, adhering to responsible disclosure practices.
  • Blacklist Status: Not applicable.
  • Certifications:
    • FedRAMP Authorized (for the U.S. Federal sector), including JAB certification.
    • Adherence to ISO 27001 requirements for segregation of duties and authentication of Micro Focus personnel.
  • Encryption Support: Implied for a secure cloud service, which is expected to protect data in transit and at rest.
  • Authentication Methods:
    • User credentials with unique tenant IDs.
    • Single Sign-On (SSO) support.
    • Two-factor authentication (2FA) options (SMS or Email).
    • IP restrictions for tenant access.
    • API authentication via bearer tokens.
    • Role-based access control (RBAC) with default and custom roles.
  • General Recommendations: Integrate application security testing early and continuously throughout the SDLC (Shift Left), leverage expert review for accurate results, and utilize robust authentication mechanisms.

Analysis of Overall Security Rating

Fortify on Demand exhibits a high overall security rating. Its comprehensive suite of testing methodologies (SAST, DAST, MAST, SCA) provides "defense in depth" against a wide range of vulnerabilities. The inclusion of expert review significantly reduces false positives, enhancing the accuracy and actionability of findings. Certifications like FedRAMP and adherence to ISO27001 standards underscore its commitment to robust security practices, particularly for sensitive environments. Strong authentication options, including SSO, 2FA, and IP restrictions, further secure access to the platform. The continuous updates and security research by OpenText ensure the service stays ahead of evolving threats.

Performance & Benchmarks

As a SaaS offering, performance metrics for Fortify on Demand focus on the efficiency and scalability of its security testing services rather than traditional hardware benchmarks.

  • Benchmark Scores: No specific public benchmark scores (e.g., CPU, RAM performance) are available, as these are managed by the cloud provider.
  • Real-world Performance Metrics:
    • Can identify risks through static scans within minutes.
    • Reduces false positives by up to 95%.
    • Reduces repeat code vulnerabilities by up to 40%.
    • Supports one to thousands of scans per day, demonstrating high scalability.
    • Can save up to 25% in development time due to automated code scans.
  • Power Consumption: Not publicly disclosed for the cloud service.
  • Carbon Footprint: Not publicly disclosed for the cloud service.
  • Comparison with Similar Assets:
    • Users highlight robust issue tracking (scoring 9.2 on G2) and comprehensive remediation suggestions (scoring 8.2 on G2).
    • Solid API and integration capabilities (scoring 8.3 on G2).
    • Some user reviews indicate a lower detection rate (scoring 6.9 on G2) compared to competitors like Semgrep or Coverity, potentially leading to more manual intervention.
    • Frequent complaints about false positives, though the service aims to reduce them through expert review.
    • Scanning can be slow in some contexts, particularly for on-premise implementations or complex automation scenarios.
    • Excels in compliance testing (scoring 9.1 on G2).

Analysis of Overall Performance Status

Fortify on Demand's performance is characterized by its ability to deliver rapid and scalable application security testing. The service emphasizes efficiency in identifying and helping remediate vulnerabilities, with claims of significant reductions in false positives and development time. Its capacity to handle thousands of scans daily highlights its enterprise-grade scalability. While it offers strong features like issue tracking and remediation guidance, user feedback suggests that its detection rate might be perceived as lower than some competitors, and false positives can still be a concern despite expert review. Overall, it provides a powerful and efficient solution for integrating security into the development pipeline, especially for organizations prioritizing compliance and comprehensive testing types.

User Reviews & Feedback

User reviews and feedback for Fortify on Demand generally highlight its strengths in comprehensive testing and integration, while also pointing out areas for improvement, particularly regarding false positives and specific language support.

  • Strengths:
    • Comprehensive Testing: Praised for offering SAST, DAST, MAST, and SCA as a unified service.
    • User-Friendly and Intuitive: Users find the solution easy to use with automatic scanning capabilities.
    • Effective Vulnerability Detection: Good at identifying serious security issues, such as exposed access tokens in source code.
    • Integration Capabilities: Strong API and integration with CI/CD tools (e.g., Jenkins) are highly valued, allowing security to be embedded into development pipelines.
    • Remediation Guidance: Provides comprehensive remediation suggestions, helping teams address vulnerabilities quickly.
    • Issue Tracking: Features robust issue tracking for efficient vulnerability management.
    • Expert Support: The support team is noted for being quick to resolve issues and provide feedback.
    • Scalability: Designed to scale for organizations of all sizes, from small businesses to large enterprises.
  • Weaknesses:
    • False Positives: Frequent complaints about false positives, which can require significant effort to triage, despite expert review.
    • Detection Rate: Some comparisons suggest a lower detection rate compared to alternatives, potentially requiring more manual intervention.
    • Limited Language Support (for niche platforms): While supporting many languages, it may lack out-of-the-box support for some proprietary platforms or less common programming interfaces compared to competitors.
    • Documentation: Can be perceived as less user-friendly, potentially hindering new users during initial setup.
    • Automation Challenges: Some older feedback indicates that automation with Fortify on Demand can be problematic, leading to reliance on manual processes and slow support responses for debugging.
  • Recommended Use Cases:
    • Organizations looking to jumpstart or mature their application security program.
    • Identifying and prioritizing remediation efforts for vulnerabilities throughout the SDLC.
    • Integrating security testing into modern development and DevOps environments.
    • Companies requiring comprehensive SAST, DAST, MAST, and SCA capabilities.
    • Environments needing to meet industry standards and regulations (e.g., FedRAMP, PCI DSS, GDPR).

Summary

Fortify on Demand is a robust, cloud-based application security solution, delivered as Software as a Service (SaaS), that provides a comprehensive suite of tools for identifying and managing software vulnerabilities. Its core strength lies in offering Static, Dynamic, Mobile, and Software Composition Analysis as a unified, continuously updated service, backed by expert review to enhance accuracy and reduce false positives. The platform boasts high scalability, supporting numerous scans daily, and integrates seamlessly with various development environments and CI/CD pipelines through extensive APIs and plugins, facilitating a "shift-left" security approach. Strong security features, including FedRAMP certification and robust authentication methods like SSO and 2FA, underscore its commitment to protecting sensitive application data.

However, user feedback indicates some areas for improvement. While the service aims to reduce false positives, they remain a recurring concern for some users, potentially impacting efficiency. Additionally, while supporting a wide array of languages, out-of-the-box support for highly specialized or proprietary programming platforms might be less comprehensive compared to some alternatives. Older feedback also suggests that automation can sometimes be challenging, requiring manual intervention.

Overall, Fortify on Demand is an excellent choice for organizations seeking a scalable, integrated, and expert-backed application security solution, particularly those prioritizing compliance and comprehensive vulnerability management across their software portfolio. Its strengths in broad testing coverage, integration, and dedicated support make it a valuable asset for maturing AppSec programs. Organizations should be prepared to fine-tune configurations and leverage the expert review to mitigate the impact of false positives and ensure optimal performance for their specific technology stacks.
