We compared Fortify on Demand and SonarQube based on our user's reviews in several parameters.
In summary, Fortify on Demand is praised for its robust security, comprehensive scanning capabilities, and prompt vulnerability reporting, with positive feedback on customer service and pricing. SonarQube stands out for its support for multiple languages, seamless integration, and comprehensive features, with exceptional customer service and positive feedback on pricing and ROI. Areas for improvement include enhancing performance and usability for Fortify on Demand, while SonarQube could focus on analysis speed, UI navigation, setup instructions, documentation, performance, and integration options.
Features: Fortify on Demand is highly appreciated for its robust security, comprehensive scanning capabilities, user-friendly interface, and timely vulnerability reporting. SonarQube stands out with its support for multiple languages, simplified design, integration with DevOps pipelines, and ability to detect vulnerabilities and code smells. Additionally, SonarQube offers configurability, flexibility, and a user-friendly interface.
Pricing and ROI: Fortify on Demand's users have found the setup costs to be manageable and appreciate the flexible licensing options. On the other hand, SonarQube's pricing is considered reasonable and competitive, and its setup cost is straightforward and easy. SonarQube also offers flexible licensing options to cater to different needs., Fortify on Demand users expressed satisfaction with the platform's effectiveness and value for their investment. SonarQube helped improve code quality, detect vulnerabilities, and ensure code compliance, resulting in cost savings and increased productivity.
Room for Improvement: Fortify on Demand could benefit from enhancements in performance, scanning capabilities, customization options, reporting features, and user interface. SonarQube should focus on improving analysis speed, user interface, setup instructions, documentation, performance, and integration options.
Deployment and customer support: The user reviews for Fortify on Demand and SonarQube show that the duration required to establish a new tech solution can vary between users. While both products have similar timeframes mentioned by users, Fortify on Demand has a wider range of deployment and setup durations compared to SonarQube., Fortify on Demand's customer service is praised for its prompt and helpful assistance. Users appreciate the attentiveness and expertise of the support team. SonarQube also receives praise for its exceptional customer service and support, with users acknowledging the prompt and knowledgeable assistance provided. The support team is commended for their responsiveness and willingness to go above and beyond.
The summary above is based on 51 interviews we conducted recently with Fortify on Demand and SonarQube users. To access the review's full transcripts, download our report.
"The SAST feature is the most valuable."
"Provides good depth of scanning and we get good results."
"It helps deploy and track changes easily as per time-to-time market upgrades."
"It is an extremely robust, scalable, and stable solution."
"I do not remember any issues with stability."
"The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives."
"The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation."
"Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out."
"The most valuable features are the dashboard reports and the ease of integrating it with Jenkins."
"It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis."
"SonarQube is useful for controlling all of our Azure task tracking and scanning."
"SonarQube is one of the more popular solutions because it supports 29 languages."
"Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors."
"Can tweak rules and feed them into our build pipelines."
"When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis."
"It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed."
"There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes."
".NET code scanning is still dependent on building the code base before running any scan. Also, it's dependent on an IDE such as Visual Studio."
"It lacks of some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt."
"New technologies and DevOps could be improved. Fortify on Demand can be slow (slower than other vendors) to support new technologies or new software versions."
"Temenos's (T-24) info basic is a separate programming interface, and such proprietary platforms and programming interfaces were not easily supported by the out-of-the-box versions of Fortify."
"They have very good support, but there is always room for improvement."
"Integration to CI/CD pipelines could be improved. The reporting format could be more user friendly so that it is easy to read."
"In terms of what could be improved, we need more strategic analysis reports, not just for one specific application, but for the whole enterprise. In the next release, we need more reports and more analytic views for all the applications. There is no enterprise view in Fortify. I would like enterprise views and reports."
"We had some issues where the Quality Gate check sometimes gets stuck and it is unclear."
"If you don't have any experience with the configuration or how to configure the files, it can be complicated."
"It would be better if SonarQube provided a good UI for external configuration."
"Currently requires multiple tools, lacking one overall tool."
"A little bit more emphasis on security and a bit more security scanning features would be nice."
"If there was an official Docker image of SonarQube that could easily integrate into the pipeline would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update but it would be very helpful."
"I am not very pleased with the technical debt computation."
"The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."
Fortify on Demand is ranked 10th in Application Security Tools with 56 reviews while SonarQube is ranked 1st in Application Security Tools with 110 reviews. Fortify on Demand is rated 8.0, while SonarQube is rated 8.0. The top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes ". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Fortify on Demand is most compared with Veracode, Checkmarx One, Coverity, Fortify WebInspect and Snyk, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Mend.io. See our Fortify on Demand vs. SonarQube report.
See our list of best Application Security Tools vendors and best Static Application Security Testing (SAST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.