Black Duck Reviews

We use the solution for open-source security management. The product connects the entire customer entity into DevOps and DevSecOps. Solutions like Black Duck and Code Dx enable application testing and onboarding of different applications from entities for security. All the users in different entities have access to the product. They run it by themselves and come to us with their findings. Our security team helps them take action.

The product enables other applications to be secure. We use it to onboard 400 to 500 applications into the DevOps platform, protect them, and have a secure environment. The tool integrates well with different technologies, application stacks, and databases. The APIs are available. We can read the blogs in the community for open-source compliance and security. The community feeds are important. Black Duck is a leader in Gartner. It is a reliable solution.

I recommend Black Duck for teams that need to identify their software components. It provides visibility for software components, their security risks, operational risks, and license compliance.

The automated code scanning feature and Black Duck's integration with our development tools have enhanced our software compliance process and overall audit readiness.

I use Black Duck to detect vulnerabilities in open-source software before integrating it into my project.

The most valuable feature for me in Black Duck is its ability to scan binary files effectively. Many other tools on the market struggle with this, either unable to verify properly or providing inadequate results. With Black Duck, I can compare the data accurately.

As a DevOps engineer, I am supposed to integrate Black Duck in my CI/CD integration and deployment pipeline. The product teams in my company do a vulnerability scan of our products before we make them available in the market. From the product team's perspective, they check the vulnerability according to the scanning process done from pipelines. My company has a YAML script with which we add the stage, and from there, it gets integrated.

The UI is the solution's most valuable feature since it allows for easy pipeline integration.

For scanning purposes, we use Synopsys Black Duck.

Primarily, we use it to ensure all our projects go through Black Duck scans. We do this sometimes via source code analysis and sometimes via binary analysis/Docker analysis. It figures out third-party components, any security vulnerabilities, and more. 

Our primary focus is security – it also flags operational vulnerabilities, like outdated software versions or lack of active maintainers, but we generally don't give those as much weight.

We use Black Duck for open-source compliance in our software projects.

We didn't have a central inventory to quickly identify issues or determine how many products were affected. Now under Black Duck, it's all consolidated. You search for a component and immediately see which products use it.

For example, one product might use the latest version and be unaffected, while another uses a deprecated version with vulnerabilities. We can then address these vulnerabilities within our SDLC. A rescan confirms the fixes, ensuring we're protected.

Black Duck also tracks historical data, showing which product versions have specific dependencies. If a newer version is released without those dependencies, the history reflects that. This provides a view of vulnerabilities across versions.

Moreover, the integration with our development is pretty straightforward. Since we use more of a SaaS tool, all we need to do is get the right token, and use the detect tools for our initial implementation. 

Black Duck handles all dependency downloads automatically, and you just have to run your script. They provide changes in plugins and everything, so it's really easy to integrate it into our pipeline.

We use Black Duck Hub to discover commercial and open-source licenses and the licensed software used by a company. Whenever a company enters the M&A process, a preliminary step called due diligence is done. A part of it is the technical discovery that includes finding out what software the company is using and whether the software is linked with any open-source software or commercial product for which you have to pay a license.

Our main use case is to discover the license and find out if there is an obligation for the paid license. We also check the exposure of the software to open-source libraries. Open source is great, and it is a preferred solution for many companies. Around 90% of the software is now open source, but it is also exposed to vulnerabilities. So, through the dependencies that we were discovering, we were also working on the security exposure of the software product. For this purpose, we use Black Duck Hub.

The knowledge base and the management system are the most valuable features of Black Duck Hub. It has a very helpful management environment. They offer an editor where we can check the discovered license, which is retrieved from their knowledge base. They have a huge knowledge base build over the years. It gives you some possibilities, such as this license with possibility A could cause a vulnerability issue or a potential breach. 

In terms of advantages, Black Duck offers a big database.

From a customer satisfaction point of view, I am not satisfied with the product. I am also not satisfied with the documentation part of the product. If you want to use the tool, you will have to indulge in self-learning. In terms of customer interaction, I read the product three out of ten.

If you provide a feature in a product, either you should provide training to customers or provide clear documentation with an example of how to use it. The aforementioned aspect is not covered by the solution. You get no response from Black Duck's end if you ask for support to help you deal with the features provided by the product, which doesn't work even though the documentation claims that its functionalities work. The tool's team provides a reason that doesn't even closely relate to the problems faced by the user. In general, certain features in the product don't work. The tool's documentation and support are areas of concern where improvements are required.

We use the solution to detect non-compliance in third-party applications.

I really like the fact that we can define policies at a group level. Based on the foundation we create on the baseline, we can apply specific policies for specific teams. We can apply the same policy to the entire organization and tailor the policies for different teams. Policy management is a valuable feature.

I also enjoy using the license management feature in which we can add or review the terms of the licenses. The component management feature is also good. Black Duck is quite powerful. It has been in the industry for quite a lot of time, for around 30 years.