WebInspect for static scanning
June 16, 2022

WebInspect for static scanning

Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Overall Satisfaction with Micro Focus Fortify WebInspect

We use Micro Focus Fortify WebInspect for it's static analysis on our codebase of web applications. Using the reports generated for found vulnerabilities, we can work with our developers to target the high or critically ranked findings and reduce risk on our external and internally facing web apps and mobile apps.
  • Static code analysis
  • Organization of found vulnerabilities
  • Usually provides clear feedback on how to correct vulnerable code
  • Reporting could be better
  • Can be an involved setup if your organization is not using common build tools
  • Users get spammed with a lot of email updates from the service
  • Static analysis
  • Vulnerability reporting
  • Automation
  • A cheaper option than some other SAST tools
  • Automation of code scanning
  • Reduction of high and critical vulnerabilities
  • Veracode is the product I've used that is most similar to Fortify WebInspect. They both do a good job at reporting code vulnerabilities and both allow for good automation.
  • SonarQube can be a free tool, but does a much better job at finding bugs that aren't necessarily vulnerabilities.
  • Contract Assess takes a different approach for finding vulnerabilities. Instead of doing a code scan, it observes the running program to find vulnerabilities. In our experience this was harder to automate since it required developers and QA to exercise the application.

Do you think Fortify by OpenText delivers good value for the price?


Are you happy with Fortify by OpenText's feature set?


Did Fortify by OpenText live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Fortify by OpenText go as expected?


Would you buy Fortify by OpenText again?


I think Micro Focus Fortify WebInspect could fit really any organization well that needs to perform static code analysis on their applications (they do have dynamic scanning but I don't have any experience using it). Different static analysis tools scan code differently, Micro Focus Fortify WebInspect requires you to provide a full build of the application to be submitted with debugging files which could be easy or hard depending on how your organization is building it's apps.