4 out of 5.0, Reviewed Aug 18, 2016
Software works relatively well; however, it does take some time to learn and get up to speed in order to optimize and customize for your environment.
No one tool does it all, but this is pretty robust. Consider this as a part of your toolbox.
Ability to provide insight into potential weaknesses in your software and recommendations as to how to address them.
Significant false positive rate, especially if you don't know how to tune it to your environment.
Improved APIs to assist in integrating with other software as part of a holistic assurance program.
More training of users up front.
4 out of 5.0, Reviewed Jun 16, 2016
Required incremental upgrades from our older versions of WebInspect/AMP to be able to continue to view/use legacy scan database.
Shop the market, this tool does not scan very many types of source code and does not scan or report on open source libraries that may be included in your code.
Provides great advice on how developers can fix the bugs discovered.
Limitation on the types of code it scans.
Provided support/visibility into open source libraries and integrated into Jenkins.
May look at some smaller, start-up vendors to save cost.
Good for what it does.
4 out of 5.0, Reviewed Jun 15, 2016
HP WebInspect is a useful web application security scanning tool. It complements IBM AppScan, and most of the findings are not false positives. The tool is very efficient and accurate in finding vulnerabilities such as SQL Injection.
Fewer false positives.
The Pricing. Pricing is very expensive when compared to other tools.
3 out of 5.0, Reviewed Jun 14, 2016
What has worked - identifying vulnerabilities in applications (boon). What has not worked - building the skill set and retaining them to operate the tool (curse).
Try cloud services in this area.
The ability to identify vulnerabilities in application code.
Cost: procurement and operations.
Help with providing resources for running the tool in times we didn't have any.
We would identify resources who could be trained from the ground up with a goal to retain them for at least 2 to 3 years. Go towards cloud services that provide the same services as HP WebInspect.
Doing what we want.
5 out of 5.0, Reviewed May 12, 2016
HP Fortify identified critical security needs which were not identified by other vendors in our trials.
We are taking an incremental approach, beginning with our most key applications. This is providing valuable time to understand the outcomes and develop our approach to resolving identified issues.
Adaptability to be used during application development.
Would like higher integration in continuous builds.
3 out of 5.0, Reviewed May 11, 2016
Produces lots of false positives
Compare results with some of the latest tools in this area.
Very sophisticated tool - may be one of the very few in this space.
Not a whole lot of API support. Need modernization of the technology stack.
Better UI and better API support.
I would validate the results. This tool can produce a lot of false positives.
4 out of 5.0, Reviewed May 11, 2016
The HP reps. We have worked with the vendor and they have been very responsive to our questions and needs.
Make sure you consider all the scenarios you want to cover with these tools. Make sure you consider automation where possible.
Once set up, it works really well.
There are some complexities in getting the product set up and some learning curve when it comes to "false positives".
Focus more on the cloud-based offerings up front rather than tack them onto the end.
Does exactly what we need it to do, and then some.
Our HP representatives have been very responsive.
A bit of a learning curve but not really a surprise.
3 out of 5.0, Reviewed Dec 7, 2015
Product has good functionality. However, the vendor changed the licensing model, and the new model and support are not as good as they used to be.
Look for pro-active measures of scanning code during development and not after the code is ready to cutover to production.
Product functionality is good and goes through known exposure evaluations.
New licensing model and vendor support.
Reduce the time they take to get back the scan results or discussion on false positives.
Look for other static code review products that can scan the code during development stages.