Lacework vs. Fortify by OpenText

Lacework is well suited for behavioral analysis. One thing to consider thought is in the early stages there will be quite a bit of noise generated by Lacework. There will be a higher volume alerts generated initially - until a good baseline is generated. Overall Lacework is good with alert handling - integration with Slack is good.

Incentivized

It is best suited for runtime application security scanning and very useful for automation. You can seemlessly integrate with pipeline for dynamic scans. Cloud based apps can also be scanned for vulnerabilities, cross site scripting attacks. Basically all OWASP TOP 10. It is less appropriate to use if you have serverless architecture

Incentivized

• Easy to set-up the agent in cloud workloads.
• Easy integration with ticketing and messaging tools.
• Detailed visibility of all our container workloads across multiple accounts.

Incentivized

• DAST Scanning
• API Scanning
• Less detection of false positive

Incentivized

• UI can be complicated and hard to know where to click to find information.
• Ability to create and manage cases or tickets from events that trigger.

• Reporting could be better
• Can be an involved setup if your organization is not using common build tools
• Users get spammed with a lot of email updates from the service

Incentivized

Since every firm needs to perform static code analysis on their applications, I believe Micro Focus Fortify WebInspect would work well for them (they also offer dynamic scanning, although I haven't used it myself). Different static analysis tools scan code in different ways, and Micro Focus Fortify WebInspect asks you to submit a complete build of the application along with debugging files. Depending on how your company builds its apps, this requirement may be simple or challenging.

Incentivized

It is a cloud-based platform which can provide us a very useful and unique features like Application Assessment, Scans, Vulnerability Test, Comprehensive Reporting, Monitoring, etc. Fortify by Open Text is also outstanding in various parameters for the support and integration and it is highly adaptable in various DevOps Program where you need secure app testing with all given features.

Incentivized

Always receive excellent support from the vendor. No issues there.

Incentivized

Compared to Sysdig Falco (the free open-source IDS), Lacework helps security teams by providing actionable alerts and a user-friendly interface that gives you an overview of all workloads being monitored, and detailed insights into these workloads if needed. Falco requires you to build your own integration and interface around it, including a mechanism to whitelist certain alerts. This made it harder for the security team to focus their time on potential intrusions.

Incentivized

Fortify Application Defender is a little more timely and upfront with a lot of their information on cyber security. we like what they provide and how they communicate with our users. I think they have a good understanding and practice in their field. they seem best suited for us and the best fit.

Incentivized

• Being a FinTech company, financial institutions who partner with us want to know that we are appropriately maintaining a Security, Risk and Compliance program that maintains a level of comfort for their vendor management. Lacework gives us the ability to monitor and maintain a level of security for our infrastructure that puts our partners at ease, reduces the revenue cycle for new partners and opens doors to the future.

• DevSecOps helped in reducing efforts
• License cost was less
• We could roll out double the count of applications with implementation of WebInspect

Incentivized