We performed a comparison between Black Duck and Veracode based on real PeerSpot user reviews.
Find out in this report how the two Software Composition Analysis (SCA) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."We didn't have a central inventory to quickly identify issues or determine how many products were affected. Now under Black Duck, it's all consolidated. You search for a component and immediately see which products use it."
"We accidentally use third-party library APIs, which may not be secure. Our technical team may not have the end time or expertise to figure it out. Black Duck helps us with that and saves us time."
"It is able to drill down to the source level."
"Policy management is a valuable feature."
"The most valuable feature is the vulnerability scanning, and that it's easy to use."
"The UI is the solution's most valuable feature since it allows for easy pipeline integration."
"The solution is very good at scanning and evaluating open source software."
"Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it."
"The most valuable feature is the SAST capability and its integration into the Veracode pipelines."
"To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors."
"We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes."
"What we found most valuable in Veracode is the ability to do automatic scans of our software. We've incorporated the solution into our SDLC process, so we take our builds before they get released and put them through scans to ensure any new vulnerabilities haven't occurred."
"Veracode is a cloud-based platform, where they manage all the back-end, and they do a lot of analysis during the scans, and they do a lot of post-scan reconciliation."
"Veracode does not require any maintenance."
"It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that."
"The most valuable feature is detecting security vulnerabilities in the project."
"It can be cumbersome to use or invalidate open source software because there is a hold time to check requirements or common regulations to ensure compliance."
"The solution must provide more open APIs."
"Due to the fact that, with our software developer life cycle, we don't need to scan our source code every day or every week. For that reason, we find the cost is too high. We might only actually use it five to ten times a year, which makes it expensive."
"The documentation is quite scattered."
"We're not too sure about the extension of the firewall. It never shows up in the Hub."
"The scanner client is limited by the size of software it can handle."
"It needs to be more user-friendly for developers and in general, to ensure compliance."
"The product's pricing is higher compared to other competitor products."
"Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code."
"An area for improvement I found in Veracode is the connectivity because currently, my company uses a plugin for the dev-ops cloud-based connectivity. A pretty helpful feature would be if Veracode gives a direct code for connecting to the Oracle server directly and authenticating it via a unique server."
"Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
"It's taking too much time to do a quality scan."
"The scanning process for records could be faster and there is room for improvement in Veracode's performance."
"It's problematic if you want to integrate it with your pipelines because the documentation is not so well written and it's full of typos. It is not presented in a structured way. It does not say, "If you want to achieve this particular thing, you have to do steps 1, 2, and 3." Instead, it contains bits of information in different parts, and you have to read everything and then understand the big picture."
"It should include more informational, low level, vulnerability summaries and groupings. Large related groups of low level vulnerabilities may amount to a design flaw or another avenue for attack."
"We would like the consolidation of all the different modules. This would help, so then we would be able to see analytics and results on one screen, like a single pane of glass."
Black Duck is ranked 1st in Software Composition Analysis (SCA) with 19 reviews while Veracode is ranked 3rd in Software Composition Analysis (SCA) with 194 reviews. Black Duck is rated 7.8, while Veracode is rated 8.2. The top reviewer of Black Duck writes "Enables applications to be secure, but it must provide more open APIs". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". Black Duck is most compared with Snyk, Fortify Static Code Analyzer, JFrog Xray, Mend.io and Polaris Software Integrity Platform, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and Mend.io. See our Black Duck vs. Veracode report.
See our list of best Software Composition Analysis (SCA) vendors.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.