Veracode and Black Duck SCA are prominent players in the software security market, excelling in different aspects of application security analysis. Veracode appears to have the advantage due to its robust dynamic analysis and API support.
Features: Veracode offers static and dynamic analysis, integration with development IDEs, and strong API support. Black Duck SCA provides comprehensive software composition analysis, focusing on open source license compliance and dependency tracking.
Room for Improvement: Veracode needs to reduce false positives, enhance reporting capabilities, and improve dynamic scan functions. Black Duck SCA should work on improving scanning accuracy, reducing the false positive rate, and enhancing the user experience with clearer documentation and better UI design.
Ease of Deployment and Customer Service: Veracode mainly operates in the cloud, simplifying deployment and offering a robust support structure, although quicker response times are desired by some. Black Duck SCA offers both on-premises and cloud deployments, providing flexibility but potentially complicating setup, with mixed customer service reviews.
Pricing and ROI: Veracode is viewed as high-priced but offers value through comprehensive features and support, suiting various organizational needs with its app profiles-based pricing model. Black Duck SCA is noted for high licensing costs, requiring careful evaluation against enterprise requirements for ROI. Exact pricing details are variable based on enterprise requirements.
If you're using it on critical external programs where there is regulatory compliance on ensuring that the source code is clean from open-source, there's substantial ROI.
The scanners of Veracode bring status of the weaknesses in the current infrastructure. It scans and provides reports regarding the servers, the network, and the applications running on those servers.
Regarding price, the evaluation should focus on how efficiently they will recover their investment, considering the time saved through the use of Veracode Fix, for example, and the ability to fix code at dev time compared to the problems faced when fixing after the product is already deployed.
There are some pain points with the response time and first-level support quality.
Access to the engineering team is crucial for faster feedback on the product fix process.
I have communicated with the technical support of Veracode a couple of times, and this was a really great experience because these professionals know their material.
They share detailed information via email, including screenshots or further clarification about the issue.
I would rate the scalability of Black Duck 8 or 9.
Cloud solutions are easier to scale than on-premise solutions.
It has a good capacity to scale effectively.
Implementing these features into our normal CI/CD was good, so I can say that scalability is really good.
If the Veracode server is down, we experience many issues during the scan.
It's not that easy to onboard, but once they have been onboarded on the platform, and the pipeline configured alongside the product configured, it works effectively.
It can improve on the security side of it, specifically vulnerabilities identification.
There are areas for improvement such as false positives and the scanning of containers.
Black Duck does not have the SBOM management part.
If it could be integrated directly with code repositories such as Bitbucket or GitHub, without the need to create a pipeline to upload and decode code, it would simplify the code scan process significantly.
We had issues with scanning large applications. Scanning took a lot of time, so we kept it outside the DevOps pipeline to avoid delaying deployments.
A nice addition would be if it could be extended for scenarios with custom cleansers.
It's not the most expensive solution.
Overall, Veracode's pricing is lower and more scalable than many alternatives in the market.
If there's a security gap, you'll never know the cost or effect.
The most valuable feature of Black Duck is the composition analysis feature, which is effective for security risk management.
Black Duck's ability to identify dependencies very accurately has been most valuable in identifying and mitigating risks.
The software composition analysis is most effective for security risk management.
It offers confidence by preventing exposure to vulnerabilities and helps ensure that we are not deploying vulnerable code into production.
The best features in Veracode include static analysis and the early detection of vulnerable libraries; it integrates with tools such as Jenkins.
It fixes issues directly in the IDE while you're doing it.
| Product | Market Share (%) |
|---|---|
| Black Duck SCA | 15.7% |
| Veracode | 8.5% |
| Other | 75.8% |
| Company Size | Count |
|---|---|
| Small Business | 6 |
| Large Enterprise | 16 |
| Company Size | Count |
|---|---|
| Small Business | 69 |
| Midsize Enterprise | 43 |
| Large Enterprise | 112 |
Black Duck is an essential tool for software composition analysis and license compliance. It identifies vulnerabilities effectively and supports security management in DevOps environments, offering integration, performance stability, and community support.
Organizations rely on Black Duck for seamless integration in CI/CD pipelines, thorough scanning of source and binary codes, and management of operational risks associated with open-source and commercial licenses. It plays a crucial role in security risk management and delivers a robust policy management framework. Users value its ease of use and reliable community support while benefiting from its comprehensive dependency visualization capabilities. Despite its strengths, there is room for enhancement in integration with other tools, UI friendliness, and reporting features.
What are Black Duck's key features?
What should users look for in ROI?
Enterprise environments use Black Duck extensively for security, compliance, and risk management, ensuring software meets regulatory standards and mitigates vulnerabilities. Its implementation in specific industries aids in controlled and secure software development processes, underlining its role in maintaining rigorous security standards while delivering dependable performance.
Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.
Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.
What are the key features of Veracode?
What benefits should users consider in Veracode reviews?
Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.
Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
