We performed a comparison between Black Duck and Veracode based on real PeerSpot user reviews.
Find out in this report how the two Software Composition Analysis (SCA) solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"The solution works well on Mac products."
"It highlights what the developers have done, and it shows the impact from an intellectual property point of view."
"It is able to drill down to the source level."
"The solution is very good at scanning and evaluating open source software."
"I like the fact that the product auto analyzes components."
"The most valuable feature is the vulnerability scanning, and that it's easy to use."
"The product enables other applications to be secure."
"Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it."
"What I found most valuable in Veracode Static Analysis is that it categorizes security vulnerabilities."
"From a developer's perspective, Veracode's greenlight feature on the IDE is helpful. It helps the developer to be more proactive in secure coding standards. Apart from that, static analysis scanning is definitely one of the top features of Veracode."
"The capability to identify vulnerable code is the most valuable feature of Veracode."
"Veracode supports a broad range of code technologies, and it can analyze large applications. Fortify takes a long time and may not be able to generate the report for larger applications. We don't have these constraints with Veracode."
"The article scanning is excellent."
"Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered."
"The most valuable feature is the security and vulnerability parts of the solution. It shows medium to high vulnerabilities so we can find them, then upgrade our model before it is too late. It is useful because it automates security. Also, it makes things more efficient. So, there is no need for the security team to scan every time. The application team can update it whenever possible in development."
"It allows us to prove our security levels to vendors, and additionally helps us with our HIPAA security policies."
"They are giving a lot of APIs and Python scripts for certain functionalities, but instead of using APIs and Python scripts, they should provide these functionalities through the UI. Users should be able to customize and add more fields through the UI. Users should be able to add more fields and generate reports. Currently, they are not giving flexibility in the UI. They're providing a script that simply generates an Excel file or CSV file. There is no flexibility."
"The solution must provide more open APIs."
"The scanner client is limited by the size of software it can handle."
"It needs to be more user-friendly for developers and in general, to ensure compliance."
"The documentation is quite scattered."
"We're not too sure about the extension of the firewall. It never shows up in the Hub."
"The tool needs to improve its pricing. Its configuration is complex and can be improved."
"It can be cumbersome to use or invalidate open source software because there is a hold time to check requirements or common regulations to ensure compliance."
"The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but it sometimes causes more work on our end."
"In the future, I would like to see the RASP capability built-in."
"The UI is not user-friendly and can be improved."
"The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: Occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well."
"They could improve how they fix vulnerabilities. They could have more support in place to help the developers."
"We connected with Veracode's support a couple of times, and we got a different answer each time."
"From the usability perspective, it is not up to date with the latest trends. It looks very old. Tools such as Datadog, New Relic, or infrastructure security tools, such as AWS Cloud, seem very user-friendly. They are completely web-based, and you can navigate through them pretty quickly, whereas Veracode is very rigid. It is like an old-school enterprise application. It does the job, but they need to invest a little more on the usability front."
"The sandbox could use some improvement; when creating a sandbox, it requires us to put the application name in twice, which seems unnecessary."
Black Duck is ranked 1st in Software Composition Analysis (SCA) with 16 reviews while Veracode is ranked 3rd in Software Composition Analysis (SCA) with 194 reviews. Black Duck is rated 7.8, while Veracode is rated 8.2. The top reviewer of Black Duck writes "Enables applications to be secure, but it must provide more open APIs". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". Black Duck is most compared with Snyk, Fortify Static Code Analyzer, JFrog Xray, Mend.io and Polaris Software Integrity Platform, whereas Veracode is most compared with SonarQube, Checkmarx One, Snyk, Fortify on Demand and HCL AppScan. See our Black Duck vs. Veracode report.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.