Veracode and Black Duck are leading products in application security testing. Veracode stands out by providing a well-integrated solution with developer tools and a flexible deployment model. Black Duck excels in open-source vulnerability detection and offers extensive compliance and license management capabilities.
Features: Veracode offers static, dynamic, and manual scanning capabilities and provides APIs for DevOps integration, excellent scalability, and a low false positive rate. Black Duck specializes in open-source software scanning and includes rigorous license management along with potent vulnerability detection for third-party components, supporting various programming languages.
Room for Improvement: Veracode users often report issues with false positives, slower scanning speeds, and complex API integrations. They also express a need for improved UI consistency and reporting enhancements. Black Duck is noted for its high cost and requires better integration with Coverity, along with expanding support for dynamic testing. Both platforms need UI enhancements.
Ease of Deployment and Customer Service: Veracode is adept with public, private, and hybrid cloud deployment, though its feature richness may complicate setup. Its customer service is praised for expertise, albeit occasionally slow. Black Duck supports on-premises and private cloud setups, often deemed complex, with customer service perceived as less responsive and documentation lacking in user-friendliness.
Pricing and ROI: Veracode is perceived as expensive, with a pricing model tailored to specific needs, offering ROI through enhanced security compliance and reduced penetration testing costs. Black Duck's cost is higher, which can outweigh its benefits for some, but its thorough open-source scanning provides value through compliance management, perceived as beneficial despite its high price.
If you're using it on critical external programs where there is regulatory compliance on ensuring that the source code is clean from open-source, there's substantial ROI.
The scanners of Veracode bring status of the weaknesses in the current infrastructure. It scans and provides reports regarding the servers, the network, and the applications running on those servers.
Regarding price, the evaluation should focus on how efficiently they will recover their investment, considering the time saved through the use of Veracode Fix, for example, and the ability to fix code at dev time compared to the problems faced when fixing after the product is already deployed.
There are some pain points with the response time and first-level support quality.
Access to the engineering team is crucial for faster feedback on the product fix process.
They are very responsive and quick to help with queries within our scope.
They respond very quickly since security is something critical.
I would rate the scalability of Black Duck 8 or 9.
Cloud solutions are easier to scale than on-premise solutions.
It has a good capacity to scale effectively.
If the Veracode server is down, we experience many issues during the scan.
It's not that easy to onboard, but once they have been onboarded on the platform, and the pipeline configured alongside the product configured, it works effectively.
It can improve on the security side of it, specifically vulnerabilities identification.
There are areas for improvement such as false positives and the scanning of containers.
Black Duck does not have the SBOM management part.
If it could be integrated directly with code repositories such as Bitbucket or GitHub, without the need to create a pipeline to upload and decode code, it would simplify the code scan process significantly.
We had issues with scanning large applications. Scanning took a lot of time, so we kept it outside the DevOps pipeline to avoid delaying deployments.
A nice addition would be if it could be extended for scenarios with custom cleansers.
It's not the most expensive solution.
If there's a security gap, you'll never know the cost or effect.
Pricing-wise, I find it a bit expensive because it's based on the number of users requesting access to Veracode.
The most valuable feature of Black Duck is the composition analysis feature, which is effective for security risk management.
Black Duck's ability to identify dependencies very accurately has been most valuable in identifying and mitigating risks.
The software composition analysis is most effective for security risk management.
It offers confidence by preventing exposure to vulnerabilities and helps ensure that we are not deploying vulnerable code into production.
The best features in Veracode include static analysis and the early detection of vulnerable libraries; it integrates with tools such as Jenkins.
It fixes issues directly in the IDE while you're doing it.
Organizations use Black Duck for compliance, internal audits, license management, and security, scanning software to identify vulnerabilities, non-compliant code, and dependencies in open-source projects.
Black Duck integrates into CI/CD pipelines and DevSecOps processes, helping multiple industries detect and handle risks associated with open-source usage. Users leverage it for source and binary analysis to ensure security and compliance before software release. Automatic component analysis, effective vulnerability scanning, and a comprehensive knowledge base are some of its valuable features. Despite needing improvements in scanning speed, UI, and documentation, Black Duck remains crucial for ensuring open-source security and compliance.
What are Black Duck's most important features?
What benefits or ROI should users look for in reviews?
Black Duck is implemented by industries ranging from finance to healthcare, addressing security and compliance in open-source usage. Financial institutions employ it to manage license risks and ensure audit readiness. Healthcare organizations use it to comply with stringent data protection regulations, ensuring patient data security and privacy. Tech companies integrate Black Duck within CI/CD pipelines to maintain the security and compliance of software products before release. Its deployment varies, tailored to meet the specific risk management and compliance needs dictated by each sector's regulatory environment.
Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.
Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.
What are the key features of Veracode?
What benefits should users consider in Veracode reviews?
Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.
Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
