We just raised a $30M Series A: Read our story

Compare Black Duck vs. Veracode Software Composition Analysis

You must select at least 2 products to compare!
Featured Review
Find out what your peers are saying about Black Duck vs. Veracode Software Composition Analysis and other solutions. Updated: November 2021.
554,873 professionals have used our research since 2012.
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

"Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it.""I like the fact that the product auto analyzes components.""The knowledge base and the management system are the most valuable features of Black Duck Hub. It has a very helpful management environment. They offer an editor where we can check the discovered license, which is retrieved from their knowledge base. They have a huge knowledge base build over the years. It gives you some possibilities, such as this license with possibility A could cause a vulnerability issue or a potential breach.""The most valuable feature is the vulnerability scanning, and that it's easy to use.""The solution works well on Mac products.""The stability is okay.""The installation is very easy."

More Black Duck Pros »

"There have been a lot of benefits gained from Veracode. Compared to other tools, Veracode has good flexibility with an easy way to run a scan. We get in-depth details on how to fix things and go through the process. They provide good process documents, community, and consultation for any issues that occur during the use of Veracode.""Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code.""This is a great tool for learning about potential vulnerabilities in code.""The most valuable feature is the efficiency of the tool in finding vulnerabilities.""For use cases where our company buys a product with the source code, but only the final executables or the binaries, only Veracode is able to work on that type of tool.""The solution is stable. we've never had any issues surrounding its stability.""The most valuable feature is the dynamic application security testing.""The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having something like Veracode allows us to have confidence when we're speaking to people about our product that we can back up what we're doing with a certification, with a reputable platform, and say, "This is what we're using to scan an application. Here's the number of vulnerabilities that are on an application. And here's the risk that we're accepting.""

More Veracode Software Composition Analysis Pros »

"It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code. It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports.""The scanner client is limited by the size of software it can handle.""We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck.""Due to the fact that, with our software developer life cycle, we don't need to scan our source code every day or every week. For that reason, we find the cost is too high. We might only actually use it five to ten times a year, which makes it expensive.""We're not too sure about the extension of the firewall. It never shows up in the Hub.""It needs to be more user-friendly for developers and in general, to ensure compliance.""The initial setup could be simplified. It was somewhat complex."

More Black Duck Cons »

"The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified.""The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way.""In the future, I would like to see the RASP capability built-in.""There were some additional manual steps or work involved that we should not have needed to do.""Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of the false positive, it would be highly desirable if the false positive don't show up again on the UI, instead still showing up for any subsequent scan as a false positive. There is a little bit of cluttering that could be avoided.""The scanning could be improved, because some scans take a bit of time.""The documentation is poor and the technical support isn't helpful.""A high number of false positives are reported and this should be reduced."

More Veracode Software Composition Analysis Cons »

Pricing and Cost Advice
"The price is quite high because the behavior of the software during the scan is similar to competing products.""The price is low. It's not an expensive solution.""Black Duck is more suitable if you require a lot of licensing compliance. For smaller organizations, WhiteSource is better because its pricing policies are not really suitable for huge organizations."

More Black Duck Pricing and Cost Advice »

"Compared to other similar products, the licensing and pricing are definitely competitive. If you see Checkmarx as the market leader, then we are talking about Veracode being a fraction of the cost. You also have to consider your hidden costs: you need a team to maintain it, a server, and resources. From that point of view, Veracode is great because the cost is really a fraction of many competitors.""The Veracode price model is based on application profiles, which is how you package your components for scanning.""It's too expensive for the European market. That is why, in a big bank with 400 applications, we are able to use it only for 10 of them. But the other solutions are also expensive, so it wasn't a differentiator.""Without getting too specific, I'd say the average yearly cost is around $50,000. The costs include licensing and maintenance support."

More Veracode Software Composition Analysis Pricing and Cost Advice »

Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
554,873 professionals have used our research since 2012.
Questions from the Community
Top Answer: We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license… more »
Top Answer: Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it.
Top Answer: We are not the primary team to procure this solution. My counterparts in Paris are the only ones who are aware of the pricing. We are only using a few of the licenses because they had acquired several… more »
Top Answer: There have been a lot of benefits gained from Veracode. Compared to other tools, Veracode has good flexibility with an easy way to run a scan. We get in-depth details on how to fix things and go… more »
Top Answer: Checkmarx is a very good solution and probably a better solution than Veracode, but it costs four times as much as Veracode. You need an entire team to maintain Checkmarx. You also need on-premise… more »
Top Answer: The scanning could be improved, because some scans take a bit of time. Many developers have commented on the packaging. It is quite different compared to other tools, so the packaging of codes could… more »
Average Words per Review
Average Words per Review
Also Known As
Blackduck Hub, Black Duck Protex, Black Duck Security Checker
Veracode SCA, SourceClear
Learn More

Black Duck is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers. Named a leader in software composition analysis (SCA) by Forrester, Black Duck gives you unmatched visibility into third-party code, enabling you to control it across your software supply chain and throughout the application life cycle.

Veracode Software Composition detects open source vulnerabilities in the software development process with higher accuracy. Veracode SCA reduces false positives by prioritizing vulnerabilities in the execution path of the application. Its proprietary database contains significantly more vulnerabilities than the NVD because it datamines pull requests, bug reports, and release notes. It also looks for vulnerabilities in dependencies several layers deep. Veracode SCA is part of a comprehensive DevSecOps solution that covers multiple assessment types, enables developers, and helps organizations achieve AppSec governance.

Learn more about Black Duck
Learn more about Veracode Software Composition Analysis
Sample Customers
Samsung, Siemens, ScienceLogic, Noser Engineering AG, ClickFox, Dynatrace, CopperLeaf
Blue Prism, Advantasure, Automation Anywhere, Cox Automotive
Top Industries
Computer Software Company35%
Comms Service Provider15%
Financial Services Firm10%
Manufacturing Company9%
Computer Software Company34%
Comms Service Provider12%
Financial Services Firm11%
Insurance Company5%
Company Size
Small Business38%
Large Enterprise63%
Small Business16%
Midsize Enterprise12%
Large Enterprise72%
Small Business50%
Midsize Enterprise17%
Large Enterprise33%
Small Business50%
Midsize Enterprise12%
Large Enterprise38%
Find out what your peers are saying about Black Duck vs. Veracode Software Composition Analysis and other solutions. Updated: November 2021.
554,873 professionals have used our research since 2012.

Black Duck is ranked 6th in Software Composition Analysis (SCA) with 7 reviews while Veracode Software Composition Analysis is ranked 7th in Software Composition Analysis (SCA) with 11 reviews. Black Duck is rated 7.6, while Veracode Software Composition Analysis is rated 8.2. The top reviewer of Black Duck writes "Auto analyzes components and supports a range of scales". On the other hand, the top reviewer of Veracode Software Composition Analysis writes "The scanning process helps to significantly improve our standards and best practices". Black Duck is most compared with WhiteSource, Snyk, Fortify Static Code Analyzer, Sonatype Nexus Lifecycle and Checkmarx Software Composition Analysis, whereas Veracode Software Composition Analysis is most compared with Snyk, JFrog Xray, WhiteSource, Sonatype Nexus Lifecycle and FOSSA. See our Black Duck vs. Veracode Software Composition Analysis report.

See our list of best Software Composition Analysis (SCA) vendors.

We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.