Black Duck vs Fortify Static Code Analyzer comparison


Comparison Buyer's Guide

Executive Summary

Categories and Ranking

Black Duck
Average Rating
Number of Reviews
Ranking in other categories
Software Composition Analysis (SCA) (1st)
Fortify Static Code Analyzer
Average Rating
Number of Reviews
Ranking in other categories
Static Code Analysis (3rd)

Mindshare comparison

As of June 2024, in the Software Composition Analysis (SCA) category, the mindshare of Black Duck is 29.6%, up from 27.1% compared to the previous year. The mindshare of Fortify Static Code Analyzer is 18.8%, down from 20.9% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Software Composition Analysis (SCA)
Unique Categories:
No other categories found
Static Code Analysis

Featured Reviews

Sagar Mody - PeerSpot reviewer
Apr 12, 2024
Effectively flags operational vulnerabilities and recommendations for fixes are very helpful
It's still a bit inconsistent. For example, sometimes a scan might reveal components or vulnerabilities, and the next day they might not show up. There's a lack of consistency at times. Of course, this could sometimes be due to new vulnerabilities being identified in the public domain after a scan. So, consistent inputs and more streamlined dependency management are needed. It doesn’t clearly show whether vulnerabilities are from direct or transitive dependencies. A clear classification between direct and indirect vulnerabilities is crucial. If I'm looking to improve my product, I need to know out of 'x' vulnerabilities, how many are direct dependencies. With direct dependencies, I can take action, like replacing a component. But with transitive dependencies, we are helpless at times. Often, we have to raise exceptions and work around them. A clear classification between direct and indirect dependencies is something I'd like to see improved.
Oct 17, 2023
Integrates easily with many IDEs, and enables development and security teams to work together
One downside to it is that it is costly. I can see it only for enterprises. I cannot see it for small businesses or for individual use. The configuration part is a little bit tricky. There is a learning curve there because it has multiple components. If someone has used another type of scanner, they would not think of the configuration intuitively. The configuration part can be better. Installation is straightforward, but the configuration can be better. It can be improved. There is a learning curve. Before we started using this tool, I did a lot of sessions with the vendors themselves to give an overview to the people. I also did a small documentation on how to install it because there are many components here and there. You need to understand how everything is put together. They can integrate it or make it a simpler process. During the short experience that we have had with it, we have noticed that some of the languages such as JavaScript and TypeScript consume high resources. They take a longer time to scan. Memory consumption is also very high for those languages. We are working with Fortify to find ways to optimize the scan. I noticed this with these types of languages. By nature, they take time. It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier. For integration with IDEs, they have so many plugins. For example, they have something called security analysis, and they have something called remediation. As a user, I would love to have them as one. Why should we have two plugins in the same IDE? Just give me one plugin that I can hook to the tool and use it. This is one thing. Some of the features in these plugins also need more testing. They are not consistent across all the IDEs. From what I saw, there are different options in these tools. For example, if you install it with IntelliJ, it will be different from VS Code. Some options are different, or one tool has more options than others. They can invest more in making them consistent.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:


"It highlights what the developers have done, and it shows the impact from an intellectual property point of view."
"The most valuable feature is the vulnerability scanning, and that it's easy to use."
"The solution works well on Mac products."
"I like the fact that the product auto analyzes components."
"The cloud option of the product is always available and a positive aspect of the solution."
"It is able to drill down to the source level."
"The installation is very easy."
"The UI is the solution's most valuable feature since it allows for easy pipeline integration."
"We've found the documentation to be very good."
"The most valuable features include its ability to detect vulnerabilities accurately and its integration with our CI/CD pipeline."
"I like Fortify Software Security Center or Fortify SSC. This tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions."
"We write software, and therefore, the most valuable aspect for us is basically the code analysis part."
"I like the Fortify taxonomy as it provides us with a list of all of the vulnerabilities found. Fortify release updated rule packs quarterly, with accompanying documentation, that lets us know what new features are being released."
"The reference provided for each issue is extremely helpful."
"You can really see what's happening after you've developed something."
"Automating the Jenkins plugins and the build title is a big plus."


"I would like to see more integration with other solutions, such as IntelliJ IDEA."
"It needs to be more user-friendly for developers and in general, to ensure compliance."
"The solution must provide more open APIs."
"I would like to see improvements in Black Duck's reporting capabilities."
"The tool needs to improve its pricing. Its configuration is complex and can be improved."
"The initial setup could be simplified. It was somewhat complex."
"The documentation is quite scattered."
"The tool's documentation and support are areas of concern where improvements are required."
"The price can be improved."
"The generation of false positives should be reduced."
"Fortify's software security center needs a design refresh."
"Not all languages are supported in Fortify."
"It comes with a hefty licensing fee."
"The generation of false positives should be reduced."
"Streamlining the upgrade process and enhancing compatibility would make it easier for us to keep our security tools up-to-date."
"Their licensing is expensive."

Pricing and Cost Advice

"Depending on the use case, the cost could range from $10,000 USD to $70,000 USD."
"The price is quite high because the behavior of the software during the scan is similar to competing products."
"It is expensive."
"I rate the product's price one on a scale of one to ten, where one is a high price, and ten is a low price."
"Black Duck is more suitable if you require a lot of licensing compliance. For smaller organizations, WhiteSource is better because its pricing policies are not really suitable for huge organizations."
"The price charged by Black Duck is exorbitant."
"The price is low. It's not an expensive solution."
"The pricing is a little high."
"It has a couple of license models. The one that we use most frequently is called their flexible deployment. We use this one because it is flexible and based on the number of code-contributing developers in the organization. It includes almost everything in the Fortify suite for one developer price. It gives access to not just the secure code analyzer (SCA) but also to FSC, the secure code. It gives us accessibility to scan central, which is the decentralized scanning farm. It also gives us access to the software security center, which is the vulnerability management platform."
"There is a licensing fee, and if you bring them to the company and you want them to do the installation and the implementation in the beginning, there is a separate cost. Similarly, if you want consultation or training, there is a separate cost. I see it as suitable only for enterprises. I do not see it suitable for a small business or individual use."
"Although I am not responsible for the budget, Fortify SAST is expensive."
"The price of Fortify Static Code Analyzer could be reduced."
"The setup costs and pricing for Fortify may vary depending on the organization's needs and requirements."
"From our standpoint, we are significantly better off with Fortify due to the favorable pricing we secured five years ago."
"The licensing is expensive and is in the 50K range."
Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
787,817 professionals have used our research since 2012.

Top Industries

By visitors reading reviews
Financial Services Firm
Manufacturing Company
Computer Software Company
Healthcare Company
Financial Services Firm
Computer Software Company
Manufacturing Company

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business

Questions from the Community

How does WhiteSource compare with Black Duck?
We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license compl...
What do you like most about Black Duck?
The cloud option of the product is always available and a positive aspect of the solution.
What is your experience regarding pricing and costs for Black Duck?
The price charged by Black Duck is exorbitant. For the features provided by the product, I would not want to pay a high price. There are many other products in the market that offer better features...
What do you like most about Fortify Static Code Analyzer?
Integrating the Fortify Static Code Analyzer into our software development lifecycle was straightforward. It highlights important information beyond just syntax errors. It identifies issues like pa...
What needs improvement with Fortify Static Code Analyzer?
The product shows false positives for Python applications.

Also Known As

Blackduck Hub, Black Duck Protex, Black Duck Security Checker
Fortify Static Code Analysis SAST

Learn More




Sample Customers

Samsung, Siemens, ScienceLogic, Noser Engineering AG, ClickFox, Dynatrace, CopperLeaf
Information Not Available
Find out what your peers are saying about Synopsys, Veracode, Snyk and others in Software Composition Analysis (SCA). Updated: May 2024.
787,817 professionals have used our research since 2012.