What is our primary use case?
We have been using this solution for between two and three years.
We frequently use this solution for software composition analysis. We also use it for vulnerability assessment and operational risk assessment. This is usually for customers who want to do one-off assessments, trying to check open source components they are using in their build.
How has it helped my organization?
This solution helps our customers to understand what really lies in their application. In terms of the open source components, it can show the dependencies that other components are relying on, which you don't see. For example, if your application is packaged with other stuff, it would help to pull up all of the dependencies. It will list all of the open source dependencies in the entire library and show details about what they are using. It highlights what the developers have done, and it shows the impact from an intellectual property point of view.
This can also impact them from a security perspective. For example, it can tell you about the health of an application. What we often see is that developers are using an older version of an open source component, and they don't change it because it works. In cases where a newer version is available, we are able to show them what old components they are using, and the age of those components. This gives them a measure of health for their application in terms of operational risk. If an application were to break tomorrow, the chances that it can be quickly fixed may be dependent on the age of the component.
Largely, this is the kind of value we use Black Duck to provide to customers in this part of the world.
What needs improvement?
I would like to see more integration with other solutions, such as IntelliJ IDEA.
What do I think about the stability of the solution?
This solution is stable. Maybe, depending on the browser that you use, you might have delays in response. If you are using Chrome, for example, and you click refresh on the web GUI, you get delays sometimes. I think that this is normal with most applications.
What do I think about the scalability of the solution?
In terms of scalability, we are a small team so we have never tried with too many users. We only have one user and have used this for two or three customers in South Africa. I think that it is pretty scalable, but the limitation comes from the pricing and licensing agreement.
Beyond the licensing, you might be limited by your hardware capacity. I think that it starts off with 16GB RAM and four cores minimum, but if there are more people on it then you might need to expand the resources.
How are customer service and technical support?
Like with any product, the technical support can be better. They have a feedback system where you raise a ticket, and it usually takes twenty-four hours before they respond. If there is something very urgent then you can escalate it, and I think that the delay is reduced to six hours.
How was the initial setup?
The initial setup for this solution is straightforward. It is Dockerized, and very easy if you use Linux. If you have a server on Azure then you can just go to the Azure marketplace and spin it up straight from there.
If you are using an instance on Google Cloud, for example, we've done deployments where you simply spin up the application and it deploys by itself in about four minutes. If you have to deploy by yourself, you have to wait for Linux to completely finish, etc. But if you're using a cloud service provider then it is automatic. You put in your license and you integrate it with whatever you want to do.
Once it is deployed, it is again straightforward. You can easily take your build, use the Hub Detect to scan it and get a JSON file, then upload it to the server. It will do the analysis and it is usually fast, except sometimes when you want to check code snippets.
It does not require more than one person for deployment and maintenance.
What about the implementation team?
We handle the deployment ourselves.
What was our ROI?
It is difficult to determine ROI when it comes to security because it depends on many things. For example, it may tell you how much knowledge your developers have about licensing, or security, which may ultimately reduce the cost of training.
On the other hand, it may increase the rate at which you find bugs or problems with specific components. This, again, may contribute to the ROI. However, it is difficult to say without a set of predefined metrics.
What's my experience with pricing, setup cost, and licensing?
The pricing works either by the number of users or by code size. In the case of code size, they give you unlimited users. For example, if you have two thousand developers but you want a code size of 20GB, then that is what you get. If, however, you have forty developers and a lot of projects then you can say "We'll use forty developers and then we can scan unlimited applications, even if our applications are going to be 3,000GB."
Depending on the use case, the cost could range from $10,000 USD to $70,000 USD. It depends on what you are doing. There are no costs in addition to the standard licensing fees, including the academy. If you buy the license then they give you access to their academy, where you can get trained. The integrations are free, and the plug-ins are free.
What other advice do I have?
This is a good solution. My advice to anybody interesting in implementing it is to be clear in their mind whether they want to go on a user-based model, or they want to do a code-based model. It can get tricky if your development team is growing rapidly.
Maybe you started off with five developers and then the next year you are growing to ten. Then, in another year, there are fourteen or twenty. As you grow, a user-based model may not work for you so you might consider going with the code-based model.
However, if you are working on multiple projects then you may consider the user-based model, as long as your headcount is relatively stable.
Overall, the deployment is straightforward, uploading code is straightforward, analysis is straightforward, but with integration then it may be slightly lacking.
I would rate this solution a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.