
Compare Micro Focus Fortify on Demand vs. SonarQube

Veracode: 61,411 views | 33,718 comparisons
SonarQube: 89,055 views | 73,138 comparisons
Find out what your peers are saying about Micro Focus Fortify on Demand vs. SonarQube and other solutions. Updated: November 2021.
554,873 professionals have used our research since 2012.
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

Veracode:
"The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up."
"It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail."
"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."
"The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful."
"Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced... in the e-learning you can check into best practices for developing code and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool."
"Good static analysis and dynamic analysis."
"The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end."
"The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."

Micro Focus Fortify on Demand:
"Fortify on Demand is easy to use and the reporting is good."
"This product is a top-notch solution and the technology is the best on the market."
"The UL is easy to use compared to that of other tools, and it is highly reliable. The findings provide a lower number of false positives."
"Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices. Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much."
"Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning."
"It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support."
"It's a stable and scalable solution."
"The most valuable feature is the capacity to be able to check vulnerabilities during the development process. The development team can check whether the code they are using is vulnerable to some type of attack or there is some type of vulnerability so that they can mitigate it. It helps us in achieving a more secure approach towards internal applications. It is an intuitive solution. It gives all the information that a developer needs to remediate a vulnerability in the coding process. It also gives you some examples of how to remediate a vulnerability in different programming languages. This solution is pretty much what we were searching for."

SonarQube:
"Before you even compile, it can catch known vulnerability issues or patterns."
"The product itself has a friendly UI."
"The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper."
"Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."
"The most valuable features are the segregation containment and the suspension of product services."
"The static code analysis is very good."
"My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
"We have worked with the support from SonarQube and we have had good experiences."

Cons

Veracode:
"Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had."
"The solution could improve the Dynamic Analysis Security Testing (DAST)."
"The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
"I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help."
"It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects."
"One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."
"When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications."

Micro Focus Fortify on Demand:
"During development, when our developer makes changes to their code, they typically use GitHub or GitLab to track those changes. However, proper integration between Fortify on Demand and GitHub and GitLab is not there yet. Improved integration would be very valuable to us."
"Reporting could be improved."
"We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access."
"The vulnerability analysis does not always provide guidelines for what the developer should do in order to correct the problem, which means that the code has to be manually inspected and understood."
"Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we have to use Windows Agent. This is something they could improve."
"We typically do our bulk uploads of our scans with some automation at the end of the development cycle but the scanning can take a lot of time. If you were doing all of it at regular intervals it would still consume a lot of time. This procedure could improve."
"They have a release coming out, which is full of new features. Based on their roadmap, there's nothing that I would suggest for them to put in it that they haven't already suggested. However, I am a customer, so I always think the pricing is something that could be improved. I am working with them on that, and they're very flexible. They work with their customers and kind of tailor the product to the customer's needs. So far, I am very happy with what they're able to provide. Their subscriptions could use a little bit of a reworking, but that would be about it."
"It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team."

SonarQube:
"The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."
"We have tens of millions of code to be analyzed and processed. There can be some performance degradation if we are applying Sonar Link to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues but this process should be improved."
"The reporting can be improved."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
"You may need to purchase add-ons to get the usability you desire."
"The documentation is not clear and it needs to be updated."
"Technical support and the price could be better."
"The solution could improve by providing more advanced technologies."

Pricing and Cost Advice

Veracode:
"We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
"Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward."
"For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."
"Veracode's price is high. I would like them to better optimize their pricing."
"From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."
"It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."
"The pricing is really fair compared to a lot of other tools on the market."
"Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."

Micro Focus Fortify on Demand:
"It is cost-effective."
"We make an annual purchase of the licenses we need."
"Their subscriptions could use a little bit of a reworking, but I am very happy with what they're able to provide."
"The pricing can be improved because it is complex when compared to the competition."
"The solution is a little expensive."
"We are still using the trial version at this point but I can already see from the trial version alone that it is a good product. For others, I would say that Fortify on Demand might look expensive at the beginning, but it is very powerful and so you shouldn't be put off by the price."
"The price is fair compared to that of other solutions."
"It is quite expensive. Pricing and the licensing model could be improved."

SonarQube:
"The developer edition is based on cost per lines of code."
"It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries."
"This solution is free."
"The development license cost is reasonable, and we've had no concerns about SonarQube when it comes to cost."
"There is both a free and licensed version. The free version has limitations on development languages and support."
"I am satisfied with the pricing."
"We are using the community version of the solution and we plan on purchasing licenses for the upgraded version soon. There is a limitation on how many lines of code can be scanned and this is why we are going to purchase a license for an increased amount."
"I use the full trial version of SonarQube."

Questions from the Community
Top Answer: SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis…
Top Answer: There is a single area on the dashboard where you can get a full view of all of the tests and the results from…
Top Answer: I was impressed with the pricing we got from Veracode. I was able to make it work very well within our budget.
Top Answer: Once we have our project created with our application pipeline connected to the test scanning, it only takes two…
Top Answer: Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we…
Top Answer: I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which…
Top Answer: We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security…
Top Answer: Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to…
Also Known As
Micro Focus Fortify on Demand: Fortify on Demand
SonarQube: Sonar
Overview

Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

Micro Focus Fortify on Demand’s application security-as-a-service is the easy and flexible way to identify vulnerabilities in your applications without additional investment in software or personnel. Allow our global team to work for you, providing support and technical expertise 24/7.

SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

Sample Customers
Veracode: State of Missouri, Rekner
Micro Focus Fortify on Demand: SAP, Aaron's, British Gas, FICO, Cox Automotive, Callcredit Information Group, Vital and more.
SonarQube: Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
Top Industries

Veracode
Reviewers: Financial Services Firm 30%, Computer Software Company 12%, Insurance Company 9%, Healthcare Company 7%
Visitors reading reviews: Computer Software Company 30%, Comms Service Provider 16%, Financial Services Firm 10%, Manufacturing Company 6%

Micro Focus Fortify on Demand
Reviewers: Financial Services Firm 30%, Retailer 15%, Manufacturing Company 10%, Computer Software Company 10%
Visitors reading reviews: Computer Software Company 31%, Comms Service Provider 15%, Financial Services Firm 12%, Government 7%

SonarQube
Reviewers: Computer Software Company 24%, Financial Services Firm 20%, Comms Service Provider 10%, Insurance Company 8%
Visitors reading reviews: Computer Software Company 28%, Comms Service Provider 17%, Financial Services Firm 12%, Manufacturing Company 7%

Company Size

Veracode
Reviewers: Small Business 24%, Midsize Enterprise 25%, Large Enterprise 51%
Visitors reading reviews: Small Business 24%, Midsize Enterprise 31%, Large Enterprise 45%

Micro Focus Fortify on Demand
Reviewers: Small Business 24%, Midsize Enterprise 14%, Large Enterprise 62%
Visitors reading reviews: Small Business 18%, Midsize Enterprise 13%, Large Enterprise 69%

SonarQube
Reviewers: Small Business 28%, Midsize Enterprise 18%, Large Enterprise 53%
Visitors reading reviews: Small Business 29%, Midsize Enterprise 20%, Large Enterprise 52%

Micro Focus Fortify on Demand is ranked 7th in Application Security with 15 reviews while SonarQube is ranked 1st in Application Security with 47 reviews. Micro Focus Fortify on Demand is rated 8.0, while SonarQube is rated 8.0. The top reviewer of Micro Focus Fortify on Demand writes "Makes it easy to discover hidden vulnerabilities in our open source libraries". On the other hand, the top reviewer of SonarQube writes "This is a very capable analysis tool for development projects but the free version has limitations". Micro Focus Fortify on Demand is most compared with Checkmarx, Coverity, Fortify WebInspect, HCL AppScan and Sonatype Nexus Lifecycle, whereas SonarQube is most compared with Checkmarx, Coverity, Sonatype Nexus Lifecycle, WhiteSource and Snyk. See our Micro Focus Fortify on Demand vs. SonarQube report.


We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.