Black Duck vs Veracode comparison

Cancel
You must select at least 2 products to compare!
Mend.io Logo
10,373 views|6,573 comparisons
Synopsys Logo
15,682 views|11,297 comparisons
Veracode Logo
7,492 views|5,021 comparisons
Comparison Buyer's Guide
Executive Summary

We performed a comparison between Black Duck and Veracode based on real PeerSpot user reviews.

Find out what your peers are saying about Snyk, Synopsys, Veracode and others in Software Composition Analysis (SCA).
To learn more, read our detailed Software Composition Analysis (SCA) Report (Updated: November 2023).
744,865 professionals have used our research since 2012.
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"The dashboard view and the management view are most valuable.""What is very nice is that the product is very easy to set up. When you want to implement Mend.io, it just takes a few minutes to create your organization, create your products, and scan them. It's really convenient to have Mend scanning your products in less than one hour.""I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow.""We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently.""Mend has reduced our open-source software vulnerabilities and helped us remediate issues quickly. My company's policy is to ensure that vulnerabilities are fixed before it gets to production.""WhiteSource is unique in the scanning of open-source licenses. Additionally, the vulnerabilities aspect of the solution is a benefit. We don't use WhiteSource in the whole organization, but we use it for some projects. There we receive a sense of the vulnerabilities of the open-source components, which improves our security work. The reports are automated which is useful.""There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it.""WhiteSource helped reduce our mean time to resolution since the adoption of the product."

More Mend.io Pros →

"The solution is very good at scanning and evaluating open source software.""The solution is stable.""The most valuable feature of Black Duck is the seamless integration to scan our Docker binary files, it provides us all open vulnerabilities, and it ensures a reference point from where it finds the vulnerability is up to date. For example, if there is any new vulnerability found, they are immediately available in the Black Duck. There is no delay in finding the vulnerabilities, they are called out in our code immediately.""Policy management is a valuable feature.""It is able to drill down to the source level.""We accidentally use third-party library APIs, which may not be secure. Our technical team may not have the end time or expertise to figure it out. Black Duck helps us with that and saves us time.""The UI is the solution's most valuable feature since it allows for easy pipeline integration."

More Black Duck Pros →

"Veracode Fix is a new feature that functions similarly to auto-remediation for low or medium flaw codes.""Stable and scalable, with good reporting features. Helps in detecting and managing vulnerabilities and risks.""The solution can scan old databases and old code written 20 years back.""I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc.""What I found most valuable in Veracode Static Analysis is that it categorizes security vulnerabilities.""The source composition analysis had very good reporting.""Regarding Software Composition Analysis, an exceptional feature is that during a SAST scan, SCA is seamlessly conducted in the background.""It is a good product for creating secure software. The static code analysis is pretty good and useful."

More Veracode Pros →

Cons
"The only thing that I don't find support for on Mend Prioritize is C++.""At times, the latency of getting items out of the findings after they're remediated is higher than it should be.""WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance.""I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022.""It should support multiple SBOM formats to be able to integrate with old industry standards.""Mend lets you create custom policies. They're not too complicated to set up, but it would be helpful if they had some preconfigured policies to match what we have in Azure DevOps. That would save us a lot of time. It's tedious to configure the policies manually, and I lack the capacity to do it right now. Other products have preconfigured packs and templates, and Mend doesn't.""The turnaround time for upgrading databases for this tool as well as the accuracy could be improved.""They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application."

More Mend.io Cons →

"The tool needs to improve its pricing. Its configuration is complex and can be improved.""The product's pricing is higher compared to other competitor products.""The documentation is quite scattered.""Black Duck can improve the time it takes for a scan. Most of the time it's not ideal when integrated with the live DevSecOps pipeline. We have to create a separate job to scan the library because it takes a couple of hours to scan all those libraries. The scanning could be faster.""The solution's pricing model and documentation areas of concern where improvement is needed.""They are giving a lot of APIs and Python scripts for certain functionalities, but instead of using APIs and Python scripts, they should provide these functionalities through the UI. Users should be able to customize and add more fields through the UI. Users should be able to add more fields and generate reports. Currently, they are not giving flexibility in the UI. They're providing a script that simply generates an Excel file or CSV file. There is no flexibility.""It can be cumbersome to use or invalidate open source software because there is a hold time to check requirements or common regulations to ensure compliance."

More Black Duck Cons →

"If you schedule two parallel scans under the same project, one of them will be a failure.""It would be ideal if it was able to demonstrate higher levels of cybersecurity certifications like becoming FedRAMP compliant or working in those areas.""It could have better integration with our pipeline. If we could have better integration with our application pipeline, e.g., Jira, Bamboo, or Azure DevOps, then that will be very helpful. Right now, it is quite hard to integrate the solution into our existing pipeline.""It's taking too much time to do a quality scan.""One area for improvement is the navigation in the UI. For junior developers or newcomers to the team, it can be confusing. The UI doesn't clearly bundle together certain elements associated with a scan. While running a scan, there are various aspects linked to it, but in the UI, they appear separate. It would be beneficial if they could redesign the UI to make it more intuitive for users.""Veracode can be improved in terms of software composition analysis and related vulnerabilities.""The interface is too complex.""Veracode's SAST, DAST, and SCA are pretty good with respect to industry standards, but with regard to container security, they are in either beta or alpha testing. They need to get that particular feature up and running so that they take care of the container security part."

More Veracode Cons →

Pricing and Cost Advice
  • "This is an expensive solution."
  • "When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."
  • "Its pricing model is per developer. It depends on the number of developers in the company. The license is for a minimum of 20 developers. So, even if you are a small startup with less than 10 developers, you have to buy a license for 20 developers on a yearly subscription, which makes it quite expensive for startup customers. I provide consultation to startup accelerators. They're small at the beginning, and only once they grow to 20 developers, they can afford this tool. As a result, WhiteSource is missing this target audience. Their licensing is not flexible."
  • "We always negotiate for the best price possible, and as far as I know, Mend has done an excellent job with their pricing. Our management is happy with the pricing, which has led to renewals."
  • "Pricing and licensing are comparable to other tools. When we started, it was less than our existing solution. I can't go into specifics, but it isn't cheap."
  • "Mend is costly but not overly expensive. The license was quite expensive this year, but we managed to negotiate the price down to the same as last year. At the same time, it's a good value. We're getting what we're paying for and still not using all the features. We could probably get more out of the tool and make it more valuable. At the moment, we don't have the capacity to do that."
  • "Over the last two years, they have tried to add more and more features to their license packages, but the price is a little bit high, comparatively."
  • "It is fairly priced."
  • More Mend.io Pricing and Cost Advice →

  • "It is expensive."
  • "I rate the product's price one on a scale of one to ten, where one is a high price, and ten is a low price."
  • More Black Duck Pricing and Cost Advice →

  • "Users in some forums mentioned that pricing for this solution can be quite high."
  • "The price of Veracode Static Analysis is on the higher side."
  • "It has good, fair licensing. If the price could depend on the scope of its scanning or the languages supported, then that would be better."
  • "Compared to the typical software composition analysis solutions, Veracode is not so costly, although the static analysis part of it is a little costlier."
  • "The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us."
  • "For our company, the price is reasonable for the benefits that we get."
  • "It is quite good. If you adapt it for the whole organization, it is quite affordable. The pricing plans are good as compared to the other competitors, and any small, medium, or big company can easily adopt Veracode. Its cost includes deployment, training, and support for one year."
  • "The price of Veracode Static Analysis is expensive. There is an annual fee to use the solution and the company is upfront with the pricing model and fees."
  • More Veracode Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
    744,865 professionals have used our research since 2012.
    Questions from the Community
    Top Answer:Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This… more »
    Top Answer:We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is… more »
    Top Answer:The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe… more »
    Top Answer:The UI is the solution's most valuable feature since it allows for easy pipeline integration.
    Top Answer:I rate the product's price one on a scale of one to ten, where one is a high price, and ten is a low price.
    Top Answer:The only thing I don't like about the product is that it is quite expensive and it is not very feasible as an… more »
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis… more »
    Top Answer:The SAST and DAST modules are great.
    Top Answer:The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and… more »
    Comparisons
    Also Known As
    WhiteSource, Mend SCA
    Blackduck Hub, Black Duck Protex, Black Duck Security Checker
    Crashtest Security , Veracode Detect
    Learn More
    Overview

    Mend.io is a software composition analysis tool that secures what developers create. The solution provides an automated reduction of the software attack surface, reduces developer burdens, and accelerates app delivery. Mend.io provides open-source analysis with its in-house and other multiple sources of software vulnerabilities. In addition, the solution offers license and policy violation alerts, has great pipeline integration, and, since it is a SaaS (software as a service), it doesn’t require you to physically maintain servers or data centers for any implementation. Not only does Mend.io reduce enterprise application security risk, it also helps developers meet deadlines faster.

    Mend.io Features

    Mend.io has many valuable key features. Some of the most useful ones include:

    • Vulnerability analysis
    • Automated remediation
    • Seamless integration
    • Business prioritization
    • Limitless scalability
    • Intuitive interface
    • Language support
    • Integration
    • Continuous monitoring
    • Remediation suggestions
    • Customization

    Mend.io Benefits

    There are many benefits to implementing Mend.io. Some of the biggest advantages the solution offers include:

    • Easy to use: The Mend.io platform is very user-friendly and easy to set up.
    • Third-party libraries: The solution eases the process of keeping track of all the used third-party dependencies within a product. It not only scans for the pure occurrence (also transitively) but also takes care of licenses and vulnerabilities.
    • Static code analysis: With Mend.io’s static code analysis, you can quickly identify security weaknesses in custom code across desktop, web, and mobile applications.
    • Broad support: Mend.io provides 27 different programming languages and various programming frameworks.
    • Easy integration: Mend.io makes integration very easy with existing DevOps environments and CI/CD pipelines so developers don’t need to manually configure or trigger the scan.
    • Ultra-fast scanning engine: The solution’s scanning engine generates results up to ten times faster than legacy SAST solutions.
    • Unified developer experience: Mend.io has a unified developer experience inside the code repository that shows side-by-side security alerts and remediation suggestions for custom code and open-source code.

    Reviews from Real Users

    Below are some reviews and helpful feedback written by PeerSpot users currently using the Mend.io solution.

    Jeffrey H., System Manager of Cloud Engineering at Common Spirit, says, “Finding vulnerabilities is pretty easy. Mend.io (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Mend.io does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.”

    PeerSpot reviewer Ben D., Head of Software Engineering at a legal firm, mentions, “The way WhiteSource scans the code is great. It’s easy to identify and remediate open source vulnerabilities using this solution. WhiteSource helped reduce our mean time to resolution since we adopted the product. In terms of integration, it's pretty easy.”

    An IT Service Manager at a wholesaler/distributor comments, “Mend.io provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support.”

    Another reviewer, Kevin D., Intramural OfficialIntramural at Northeastern University, states, "The vulnerability analysis is the best aspect of the solution."

    Black Duck is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers. Named a leader in software composition analysis (SCA) by Forrester, Black Duck gives you unmatched visibility into third-party code, enabling you to control it across your software supply chain and throughout the application life cycle.

    Veracode is a leading application security platform that helps organizations to develop and deliver secure software. Veracode's solution provides comprehensive capabilities for static analysis, dynamic analysis, software composition analysis, and manual penetration testing.

    Veracode's static analysis solution scans source code for various security vulnerabilities, including common web application attack vectors, injection flaws, cross-site scripting, and insecure direct object references. Veracode's dynamic analysis solution simulates real-world attacks to identify vulnerabilities that may not be detectable by static analysis alone. Veracode's software composition analysis solution scans open-source and third-party components for known vulnerabilities. Veracode's manual penetration testing service is performed by experienced security professionals who use a variety of techniques to identify vulnerabilities in software applications.

    Many organizations, including Fortune 500 companies, government agencies, and startups, use Veracode's solution. Veracode's customers rely on Veracode to help them to improve the security of their software applications and to reduce the risk of data breaches and other security incidents.

    Here are some of the benefits of using Veracode:

    • Veracode provides capabilities for static analysis, dynamic analysis, software composition analysis, and manual penetration testing to help organizations identify and fix security vulnerabilities in their software applications early in the development process.
    • Veracode helps organizations reduce the risk of data breaches and other security incidents by identifying and fixing security vulnerabilities in their software application. 
    • Veracode helps organizations to comply with industry regulations. Many industries have regulations that require organizations to implement security measures to protect their customers' data. Veracode's solution can help organizations to comply with these regulations by providing them with the tools and resources they need to identify and fix security vulnerabilities in their software applications.
    Offer
    Learn more about Mend.io
    Learn more about Black Duck
    Keep your software secure

    Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.

    Sample Customers
    Microsoft, Autodesk, NCR, Target, IBM, vodafone, Siemens, GE digital, KPMG, LivePerson, Jack Henry and Associates
    Samsung, Siemens, ScienceLogic, Noser Engineering AG, ClickFox, Dynatrace, CopperLeaf
    Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
    Top Industries
    REVIEWERS
    Computer Software Company33%
    Financial Services Firm11%
    Energy/Utilities Company6%
    Consumer Goods Company6%
    VISITORS READING REVIEWS
    Computer Software Company17%
    Financial Services Firm16%
    Manufacturing Company9%
    Insurance Company5%
    REVIEWERS
    Manufacturing Company67%
    Financial Services Firm22%
    Computer Software Company11%
    VISITORS READING REVIEWS
    Financial Services Firm22%
    Computer Software Company16%
    Manufacturing Company14%
    Healthcare Company5%
    REVIEWERS
    Financial Services Firm24%
    Computer Software Company24%
    Insurance Company9%
    Comms Service Provider7%
    VISITORS READING REVIEWS
    Financial Services Firm18%
    Computer Software Company15%
    Manufacturing Company8%
    Government7%
    Company Size
    REVIEWERS
    Small Business36%
    Midsize Enterprise7%
    Large Enterprise57%
    VISITORS READING REVIEWS
    Small Business20%
    Midsize Enterprise14%
    Large Enterprise66%
    REVIEWERS
    Small Business33%
    Large Enterprise67%
    VISITORS READING REVIEWS
    Small Business15%
    Midsize Enterprise10%
    Large Enterprise75%
    REVIEWERS
    Small Business29%
    Midsize Enterprise19%
    Large Enterprise51%
    VISITORS READING REVIEWS
    Small Business17%
    Midsize Enterprise12%
    Large Enterprise70%
    Buyer's Guide
    Software Composition Analysis (SCA)
    November 2023
    Find out what your peers are saying about Snyk, Synopsys, Veracode and others in Software Composition Analysis (SCA). Updated: November 2023.
    744,865 professionals have used our research since 2012.

    Black Duck is ranked 2nd in Software Composition Analysis (SCA) with 7 reviews while Veracode is ranked 3rd in Software Composition Analysis (SCA) with 97 reviews. Black Duck is rated 8.2, while Veracode is rated 8.0. The top reviewer of Black Duck writes "A scalable and customizable solution that has a very strong knowledge base ". On the other hand, the top reviewer of Veracode writes "Great SAST, good DAST, and helps save a significant amount of time". Black Duck is most compared with Snyk, Fortify Static Code Analyzer, JFrog Security Essentials, FOSSA and GitLab, whereas Veracode is most compared with SonarQube, Checkmarx, Snyk, Fortify on Demand and Coverity.

    See our list of best Software Composition Analysis (SCA) vendors.

    We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.