We performed a comparison between Black Duck and Veracode based on real PeerSpot user reviews.
Find out in this report how the two Software Composition Analysis (SCA) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The solution is stable."
"The solution works well on Mac products."
"We accidentally use third-party library APIs, which may not be secure. Our technical team may not have the end time or expertise to figure it out. Black Duck helps us with that and saves us time."
"Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it."
"It is able to drill down to the source level."
"The most valuable feature of Black Duck is the seamless integration to scan our Docker binary files, it provides us all open vulnerabilities, and it ensures a reference point from where it finds the vulnerability is up to date. For example, if there is any new vulnerability found, they are immediately available in the Black Duck. There is no delay in finding the vulnerabilities, they are called out in our code immediately."
"The installation is very easy."
"Policy management is a valuable feature."
"The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
"Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers."
"For our rapid, secure DevOps cycle, we have integration of the Vericode API into our build tool, and Greenlight into our IDE."
"It's comprehensive from a feature standpoint."
"I liked that I could easily find out where my errors were. Instead of going through the whole code and the scripts, it showed me where the errors were and gave me an idea of how to fix them."
"The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code."
"I can have quick results by just uploading compiled components."
"The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."
"The solution's pricing model and documentation areas of concern where improvement is needed."
"We're not too sure about the extension of the firewall. It never shows up in the Hub."
"I would like to see more integration with other solutions, such as IntelliJ IDEA."
"It can be cumbersome to use or invalidate open source software because there is a hold time to check requirements or common regulations to ensure compliance."
"It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code. It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports."
"They are giving a lot of APIs and Python scripts for certain functionalities, but instead of using APIs and Python scripts, they should provide these functionalities through the UI. Users should be able to customize and add more fields through the UI. Users should be able to add more fields and generate reports. Currently, they are not giving flexibility in the UI. They're providing a script that simply generates an Excel file or CSV file. There is no flexibility."
"The tool needs to improve its pricing. Its configuration is complex and can be improved."
"We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck."
"The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but it sometimes causes more work on our end."
"Veracode Static Analysis lacks penetration testing, so that's a concern. The tool is also unable to scan when it's a C or C++ model, so that's another area for improvement."
"It takes a lot of time to scan the applications. They can make them faster and provide an option to scan a specific portion of the app. Such a feature would be very helpful."
"Sometimes, the scans halt or drop for some reason, and we need to get help from Veracode to fix it."
"Another thing I need is continued support for the new languages today that are popular. Most of them are scripting languages more so than real, fourth-generation, commercial grade stuff; we're evolving. Most applications are using so much open-source that, quite frankly, it would be great to see Veracode, or anybody else, extend their platform to where they are able to help secure open-source platforms or repositories."
"I would like to see more AI features. It's a current subject because with ChatGPT and other solutions being developed all the time, IT attacks will increase... To defend against those it's very important that the good guys use AI in ways that are good instead of bad."
"We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it."
"There are certain shortcomings in Veracode's static analysis engine. I would improve Veracode's static analysis engine to make it capable of identifying vulnerabilities with low false positives."
Black Duck is ranked 1st in Software Composition Analysis (SCA) with 16 reviews while Veracode is ranked 3rd in Software Composition Analysis (SCA) with 194 reviews. Black Duck is rated 7.8, while Veracode is rated 8.2. The top reviewer of Black Duck writes "Enables applications to be secure, but it must provide more open APIs". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". Black Duck is most compared with Snyk, Fortify Static Code Analyzer, JFrog Xray, Mend.io and Polaris Software Integrity Platform, whereas Veracode is most compared with SonarQube, Checkmarx One, Snyk, Fortify on Demand and HCL AppScan. See our Black Duck vs. Veracode report.
See our list of best Software Composition Analysis (SCA) vendors.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.