Azure DevOps (formerly VSTS, Microsoft Visual Studio Team System) is an agile development product that is an extension of the Microsoft Visual Studio architecture. Azure DevOps includes software development, collaboration, and reporting capabilities.
$2
per GB (first 2GB free)
Fortify by OpenText
Score 9.0 out of 10
N/A
An AppSec solution formerly from Micro Focus, spanning SCA, SAST and DAST that supports the breadth and management of any application portfolio, used to secure code. Features API discovery and testing for any application, throughout the software lifecycle.
N/A
Pricing
Azure DevOps
Fortify by OpenText
Editions & Modules
Azure Artifacts
$2
per GB (first 2GB free)
Basic Plan
$6
per user per month (first 5 users free)
Azure Pipelines - Self-Hosted
$15
per extra parallel job (1 free parallel job with unlimited minutes)
Azure Pipelines - Microsoft Hosted
$40
per parallel job (1,800 minutes free with 1 free parallel job)
Azure DevOps works well when you’ve got larger delivery efforts with multiple teams and a lot of moving parts, and you need one place to plan work, track it properly, and see how everything links together. It’s especially useful when delivery and development are closely tied and you want backlog items, code and releases connected rather than spread across tools. Where it’s less of a fit is for small teams or simple pieces of work, as it can feel like more setup and process than you really need, and non-technical users often struggle with the interface. It also isn’t great if you want instant, easy programme-level views or a very visual planning experience without putting time into configuration.
It is best suited for runtime application security scanning and very useful for automation. You can seemlessly integrate with pipeline for dynamic scans. Cloud based apps can also be scanned for vulnerabilities, cross site scripting attacks. Basically all OWASP TOP 10. It is less appropriate to use if you have serverless architecture
I did mention it has good visibility in terms of linking, but sometimes items do get lost, so if there was a better way to manage that, that would be great.
The wiki is not the prettiest thing to look at, so it could have refinements there.
I don't think our organization will stray from using VSTS/TFS as we are now looking to upgrade to the 2012 version. Since our business is software development and we want to meet the requirements of CMMI to deliver consistent and high quality software, this SDLC management tool is here to stay. In addition, our company uses a lot of Microsoft products, such as Office 365, Asp.net, etc, and since VSTS/TFS has proved itself invaluable to our own processes and is within the Microsoft family of products, we will continue to use VSTS/TFS for a long, long time.
Since every firm needs to perform static code analysis on their applications, I believe Micro Focus Fortify WebInspect would work well for them (they also offer dynamic scanning, although I haven't used it myself). Different static analysis tools scan code in different ways, and Micro Focus Fortify WebInspect asks you to submit a complete build of the application along with debugging files. Depending on how your company builds its apps, this requirement may be simple or challenging.
It's a great help to get more information about new feature release and stay updated on what the dev team is working on. I like how easy it is to just login and read through the work items. Each work item has basic details: Title, Description, Assigned to, State, Area (what it belongs to), and iteration (when it’s worked on). See image above.They move through different states (New → Discovery → Ready for Prod → etc.).
It is a cloud-based platform which can provide us a very useful and unique features like Application Assessment, Scans, Vulnerability Test, Comprehensive Reporting, Monitoring, etc. Fortify by Open Text is also outstanding in various parameters for the support and integration and it is highly adaptable in various DevOps Program where you need secure app testing with all given features.
When we've had issues, both Microsoft support and the user community have been very responsive. DevOps has an active developer community and frankly, you can find most of your questions already asked and answered there. Microsoft also does a better job than most software vendors I've worked with creating detailed and frequently updated documentation.
Microsoft Planner is used by project managers and IT service managers across our organization for task tracking and running their team meetings. Azure DevOps works better than Planner for software development teams but might possibly be too complex for non-software teams or more business-focused projects. We also use ServiceNow for IT service management and this tool provides better analysis and tracking of IT incidents, as Azure DevOps is more suited to development and project work for dev teams.
Fortify Application Defender is a little more timely and upfront with a lot of their information on cyber security. we like what they provide and how they communicate with our users. I think they have a good understanding and practice in their field. they seem best suited for us and the best fit.
We have saved a ton of time not calculating metrics by hand.
We no longer spend time writing out cards during planning, it goes straight to the board.
We no longer track separate documents to track overall department goals. We were able to create customized icons at the department level that lets us track each team's progress against our dept goals.
