We performed a comparison between Black Duck and Fortify Static Code Analyzer based on real PeerSpot user reviews.
Find out what your peers are saying about Synopsys, Veracode, Snyk and others in Software Composition Analysis (SCA)."The cloud option of the product is always available and a positive aspect of the solution."
"It is able to drill down to the source level."
"The most valuable feature is the vulnerability scanning, and that it's easy to use."
"The UI is the solution's most valuable feature since it allows for easy pipeline integration."
"The installation is very easy."
"The stability is okay."
"The most valuable feature of Black Duck is the seamless integration to scan our Docker binary files, it provides us all open vulnerabilities, and it ensures a reference point from where it finds the vulnerability is up to date. For example, if there is any new vulnerability found, they are immediately available in the Black Duck. There is no delay in finding the vulnerabilities, they are called out in our code immediately."
"The knowledge base and the management system are the most valuable features of Black Duck Hub. It has a very helpful management environment. They offer an editor where we can check the discovered license, which is retrieved from their knowledge base. They have a huge knowledge base build over the years. It gives you some possibilities, such as this license with possibility A could cause a vulnerability issue or a potential breach."
"We write software, and therefore, the most valuable aspect for us is basically the code analysis part."
"You can really see what's happening after you've developed something."
"The most valuable features include its ability to detect vulnerabilities accurately and its integration with our CI/CD pipeline."
"The reference provided for each issue is extremely helpful."
"Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it's notifying us and does not allow us to pass the DevOps pipeline. If it is finds everything's perfect, as per our given guidelines, then it is allowing us to go ahead and start it, and we are able to deploy it."
"I like the Fortify taxonomy as it provides us with a list of all of the vulnerabilities found. Fortify release updated rule packs quarterly, with accompanying documentation, that lets us know what new features are being released."
"The integration Subset core integration, using Jenkins is one of the good features."
"It's helped us free up staff time."
"We're not too sure about the extension of the firewall. It never shows up in the Hub."
"I would like to see more integration with other solutions, such as IntelliJ IDEA."
"It needs to be more user-friendly for developers and in general, to ensure compliance."
"It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code. It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports."
"They are giving a lot of APIs and Python scripts for certain functionalities, but instead of using APIs and Python scripts, they should provide these functionalities through the UI. Users should be able to customize and add more fields through the UI. Users should be able to add more fields and generate reports. Currently, they are not giving flexibility in the UI. They're providing a script that simply generates an Excel file or CSV file. There is no flexibility."
"The product's pricing is higher compared to other competitor products."
"The initial setup could be simplified. It was somewhat complex."
"It can be cumbersome to use or invalidate open source software because there is a hold time to check requirements or common regulations to ensure compliance."
"Fortify Static Code Analyzer is a good solution, but sometimes we receive false positives. If they could reduce the number of false positives it would be good."
"The pricing is a bit high."
"Streamlining the upgrade process and enhancing compatibility would make it easier for us to keep our security tools up-to-date."
"Fortify's software security center needs a design refresh."
"The price can be improved."
"Not all languages are supported in Fortify."
"The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit."
"The generation of false positives should be reduced."
Black Duck is ranked 1st in Software Composition Analysis (SCA) with 19 reviews while Fortify Static Code Analyzer is ranked 3rd in Static Code Analysis with 14 reviews. Black Duck is rated 7.8, while Fortify Static Code Analyzer is rated 8.4. The top reviewer of Black Duck writes "Enables applications to be secure, but it must provide more open APIs". On the other hand, the top reviewer of Fortify Static Code Analyzer writes "Seamless to integrate and identify vulnerabilities and frees up staff time". Black Duck is most compared with Snyk, JFrog Xray, Mend.io, FOSSA and Sonatype Lifecycle, whereas Fortify Static Code Analyzer is most compared with Snyk, Veracode, Sonatype Lifecycle, GitLab and Mend.io.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.