We performed a comparison between OWASP Zap and Micro Focus Fortify on Demand based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, OWASP Zap comes out ahead of Micro Focus Fortify on Demand. Although both products have valuable features and ROI, our reviewers found that Micro Focus Fortify on Demand has a more complex installation process and slower support response times.
"It is an extremely robust, scalable, and stable solution."
"It's a stable and scalable solution."
"The SAST feature is the most valuable."
"We have the option to test applications with or without credentials."
"Fortify on Demand is easy to use and the reporting is good."
"The licensing was good."
"The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it."
"The scanning capabilities, particularly for our repositories, have been invaluable."
"The product discovers more vulnerabilities compared to other tools."
"It can be used effectively for internal auditing."
"The community edition updates services regularly. They add new vulnerabilities into the scanning list."
"They offer free access to some other tools."
"The stability of the solution is very good."
"The most valuable feature is scanning the URL to drill down all the different sites."
"The product helps users to scan and fix vulnerabilities in the pipeline."
"Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."
"It would be highly beneficial if Fortify on Demand incorporated runtime analysis, similar to how Contrast Security utilizes agents for proactive application security."
"The biggest deficiency is the integration with bug tracker systems. It might be better if the configuration screen presented for accessing the bug tracking systems could provide some flexibility."
"Micro Focus Fortify on Demand could improve the user interface by making it more user-friendly."
"It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team."
"I would like the solution to add AI support."
"Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. In addition, the technical support is just not there. We have open tickets. They don't respond. Even if they respond, we're not seeing eye to eye. As the company got sold and bought, the support got worse."
"It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available."
"The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there."
"If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."
"The product reporting could be improved."
"It doesn't run on absolutely every operating system."
"The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."
"OWASP Zap needs to extend to mobile application testing."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"Deployment is somewhat complicated."
"There isn't too much information about it online."
Fortify on Demand is ranked 9th in Static Application Security Testing (SAST) with 56 reviews while OWASP Zap is ranked 7th in Static Application Security Testing (SAST) with 37 reviews. Fortify on Demand is rated 8.0, while OWASP Zap is rated 7.6. The top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes ". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". Fortify on Demand is most compared with SonarQube, Veracode, Checkmarx One, Coverity and HCL AppScan, whereas OWASP Zap is most compared with SonarQube, Acunetix, Qualys Web Application Scanning, PortSwigger Burp Suite Professional and SonarCloud. See our Fortify on Demand vs. OWASP Zap report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.