WebInspect for static scanning
June 16, 2022

Score 9 out of 10
Vetted Review
Verified User
Overall Satisfaction with Micro Focus Fortify WebInspect
We use Micro Focus Fortify WebInspect for its static analysis on our codebase of web applications. Using the reports generated for found vulnerabilities, we can work with our developers to target the high- or critically-ranked findings and reduce risk on our external- and internal-facing web apps and mobile apps.
Pros
- Static code analysis
- Organization of found vulnerabilities
- Usually provides clear feedback on how to correct vulnerable code
Cons
- Reporting could be better
- Can be an involved setup if your organization is not using common build tools
- Users get spammed with a lot of email updates from the service
- Static analysis
- Vulnerability reporting
- Automation
- A cheaper option than some other SAST tools
- Automation of code scanning
- Reduction of high and critical vulnerabilities
- Veracode is the product I've used that is most similar to Fortify WebInspect. They both do a good job at reporting code vulnerabilities and both allow for good automation.
- SonarQube can be a free tool, but does a much better job at finding bugs that aren't necessarily vulnerabilities.
- Contrast Assess takes a different approach to finding vulnerabilities. Instead of doing a code scan, it observes the running program to find vulnerabilities. In our experience this was harder to automate, since it required developers and QA to exercise the application.
Do you think Fortify by OpenText delivers good value for the price?
Yes
Are you happy with Fortify by OpenText's feature set?
Yes
Did Fortify by OpenText live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Fortify by OpenText go as expected?
Yes
Would you buy Fortify by OpenText again?
Yes