Micro Focus Fortify on Demand vs SonarQube
SonarQube, from SonarSource, and Micro Focus Fortify on Demand are application security tools. SonarQube provides a free and open source Community Edition and focuses on static code analysis. Micro Focus Fortify on Demand is commercially available and provides the functionality of multiple Micro Focus security tools delivered as a service: Fortify Static Code Analyzer, Fortify WebInspect, and Fortify Application Defender. Together the service encompasses DAST, SAST, RASP, IAST, Software Composition Analysis (SCA), and real-time security assistance that provides guidance while developers are working in their preferred IDE. Its Software Composition Analysis is powered by Micro Focus’s partnership with SCA specialist Sonatype. SonarQube is a narrower option, focused on code quality and SAST.
Both products are commonly deployed at larger enterprises, while SonarQube also appears among cost-conscious smaller companies that favor free and open source tools. Although the two overlap in features, nothing prevents developers from deploying Fortify on Demand and SonarQube together, which may be an attractive best-of-both-worlds (code quality plus security) solution for some projects.
Features
Developers turn to Micro Focus and SonarQube for a variety of reasons.
SonarQube excels as a SAST tool. It allows users to set their own coding standards, enforce them, and ensure best practice. Users describe an excellent code checking process, and detailed issue and bug tracking with commenting and issue highlighting. SonarQube integrates well into a CI/CD pipeline and will work beside Fortify on Demand; in fact, a SonarQube plugin exists in the Micro Focus marketplace for doing just that.
Micro Focus is a large, multifaceted and trusted provider of developer tools for those with the budget to use them. Fortify on Demand is among a small class of products that provide SAST, DAST, software composition analysis, and real-time security assessment delivered together in a single service. The few similarly broad options include Synopsys’ managed application testing, Checkmarx, and Veracode; very few other AppSec suites match the sheer breadth of Micro Focus Fortify on Demand from a similarly respected vendor. Reviewers appreciate its ease of use and deployment versus on-premise testing tools and suites, the automated delivery of features, and the centralization of test result review and management.
Limitations
There are a few reasons some businesses choose to pass on including Fortify on Demand or SonarQube in a CI/CD pipeline for AppSec.
While SonarQube is praised for enforcing coding standards, it is not as well-regarded as a security tool. Users also point to unreliability in some of its integrations (such as Jira), and an open source community that is less active than those of other, more widely adopted tools. SonarQube also provides SAST only, so it cannot be the single, comprehensive solution some might desire.
While Fortify on Demand is a comprehensive solution, reviewers note a few issues: scans with a high rate of false positives along with less than helpful remediation guidance, feeble (relative to SonarQube) code quality assistance, and byzantine pricing with uncertainty about which features will be included going forward (as opposed to being gated off as an “add-on” available for an additional fee). This makes it difficult to determine the ROI versus on-prem solutions that might include open source tools at little or no cost.
Pricing
Users can get started with SonarQube for free via the open source Community Edition. Paid plans are priced per instance per year, starting with the Developer Edition, which adds Branch Analysis and other vulnerability detection features, for $150; the Enterprise Edition, which adds advanced reporting and portfolio management, for $20,000; and the Data Center Edition for $130,000.
Delivered as a service, Fortify on Demand offers a cloud-based subscription with a 15-day free trial. Pricing is not published by Micro Focus; however, through VARs a Fortify on Demand subscription license for one assessment unit is available for about $990 for a year-long subscription.