Onapsis vs. Fortify by OpenText

Onapsis is divided into 4 major components,

1. Assess
2. Comply
3. Defend
4. Control

In assess, it does a whitebox and blackbox testing of the ERP systems that have been added to the Onapsis console. It highlights relevant application issues and automates the process, also provides the solutions to implement the fix. In comply, it provides a governance on the various regulatory compliances which the firm has to follow, as well as provides a firm grip to the audit and ERP admin team. In control, it enables a workflow of 15 pre-defined parameter values within the SAP system and helps monitor, and track the changes made to those parameters. The capabilities are to either block, or request for an approval for changes made to those parameters in addition to just monitoring them. In defend, it goes through the SAP logs; and compares it with a pre-defined ruleset to alert the end-users via email or SIEM tool or both.

Incentivized

SDLC deployment is simple. simple to use The coverage is thorough and complete as a DAST product.

Incentivized

• Eliminating the manual process improves the overall accuracy of results and also frees up valuable resources to focus on other different projects.
• Onapsis provides great leverage to our technical teams in order to review in a standardized way of the landscape.
• Onapsis always matches vulnerabilities with useful context and finds possible solutions.
• Onapsis is usually implemented to continuously monitor, and alert us on any issues on the SAP systems. Not only this but implementing Onapsis also eliminates the network on the year-end and month-end audits and helps in making the overall process faster, smooth, efficient as well as accurate.

Incentivized

• Detection of vulnerabilities
• Scanning pipelines
• Integration is super easy
• Scanned cloud based applications

Incentivized

• Multiple UIs
• No proper customization of UI log-off
• Tedious setup of Control component
• No proper error messages received

Incentivized

• Reporting could be better
• Can be an involved setup if your organization is not using common build tools
• Users get spammed with a lot of email updates from the service

Incentivized

Since every firm needs to perform static code analysis on their applications, I believe Micro Focus Fortify WebInspect would work well for them (they also offer dynamic scanning, although I haven't used it myself). Different static analysis tools scan code in different ways, and Micro Focus Fortify WebInspect asks you to submit a complete build of the application along with debugging files. Depending on how your company builds its apps, this requirement may be simple or challenging.

Incentivized

Always receive excellent support from the vendor. No issues there.

Incentivized

Honestly, I havent use something like Onapsis before and currently I am not aware if there is something similiar out there. They are one of a kind and is a complete suit, so is unlikelly that someone from outside will appear with a better solution.

Incentivized

Fortify Application Defender is a little more timely and upfront with a lot of their information on cyber security. we like what they provide and how they communicate with our users. I think they have a good understanding and practice in their field. they seem best suited for us and the best fit.

Incentivized

• It offers very reasonable packages.
• The customer support of Onapsis is reliable and efficient.
• It is a great platform as it shows a unified and easy-to-read different and complex topics in a simpler way.

Incentivized

• DevSecOps helped in reducing efforts
• License cost was less
• We could roll out double the count of applications with implementation of WebInspect

Incentivized