Black Duck Reviews

Name: Black Duck
Brand: Black Duck
Rating: 3.8 (20 reviews)

Vendor: Black Duck

3.8 out of 5

20 reviews
83% willing to recommend

783 followers

Post review

What is Black Duck?

Organizations use Black Duck for compliance, internal audits, license management, and security, scanning software to identify vulnerabilities, non-compliant code, and dependencies in open-source projects.

Get the Black Duck Buyer's Guide and find out what your peers are saying about Black Duck, Veracode, GitLab and more!

Black Duck is the #1 ranked solution in top Software Composition Analysis (SCA) solutions. PeerSpot users give Black Duck an average rating of 7.6 out of 10. Based on the analysis of the 20 most recent Black Duck reviews, the overall sentiment is positive, with a sentiment score of 7.2. (Among the highest in the category). Black Duck is most commonly compared to Veracode: Black Duck vs Veracode. Black Duck is popular among the large enterprise segment, accounting for 75% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 21% of all views.

Helped 815,690 peers since 2012

Featured reviews

Saravanan_Radhakrishnan

Senior Manager at Happiest Minds Technologies

We use the solution for open-source security management. The product connects the entire customer entity into DevOps and DevSecOps. Solutions like Black Duck and Code Dx enable application testing and onboarding of different applications from entities for security. All the users in different…

Read full review

Sagar Mody

Solutions Architect at a tech services company with 10,001+ employees

It's still a bit inconsistent. For example, sometimes a scan might reveal components or vulnerabilities, and the next day they might not show up. There's a lack of consistency at times. Of course, this could sometimes be due to new vulnerabilities being identified in the public domain after a scan. So, consistent inputs and more streamlined dependency management are needed. It doesn’t clearly show whether vulnerabilities are from direct or transitive dependencies. A clear classification between direct and indirect vulnerabilities is crucial. If I'm looking to improve my product, I need to know out of 'x' vulnerabilities, how many are direct dependencies. With direct dependencies, I can take action, like replacing a component. But with transitive dependencies, we are helpless at times. Often, we have to raise exceptions and work around them. A clear classification between direct and indirect dependencies is something I'd like to see improved.

Read full review

Aaron P

DevOps Engineer at a manufacturing company with 1,001-5,000 employees

The only thing I don't like about the product is that it is quite expensive and it is not very feasible as an open-source platform. One of the other things that I hate about the product stems from my dislike of contacting the support team of Black Duck to know if there are some issues since debugging some issues can be quite difficult. I don't find reliable or feasible documents to help me debug all those issues. The solution's pricing model and documentation areas of concern where improvement is needed. In our company, we get some issues or errors when we run a pipeline, and debugging those errors can be tedious and time-consuming. To minimize the time for debugging errors, I feel that Black Duck needs to add some documentation or something that will make it easy for users to debug the errors instead of seeking help from Black Duck's support team every time. Black Duck can add features, like viewing the vulnerability, to help users figure out the next step if they detect some vulnerability while also providing them some steps to help them follow some remedial steps, along with an explanation of measures to mitigate such issues. Black Duck's UI or server doesn't provide functionality to help users view the vulnerability, which is a process that needs to be automated. The solution's scalability is an area that needs to improve.

Read full review

Black Duck mindshare

As of November 2024, the mindshare of Black Duck in the Software Composition Analysis (SCA) category stands at 23.0%, down from 23.3% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Software Composition Analysis (SCA)

Key learnings from peers

Last updated Nov 12, 2024

Valuable Features

Black Duck excels in vulnerability scanning with seamless Docker integration. Users appreciate its automatic component analysis, extensive knowledge base, effective binary file scanning, and open-source compliance checking. Its user-friendly interface facilitates easy pipeline integration, while policy and license management enhance its functionality. Dependency tree visualization aids in pinpointing issues. The platform supports strong security, stability, and integration across technologies and application stacks, boasting a comprehensive database for managing security and compliance risks.

"The automated code scanning feature and Black Duck's integration with our development tools have enhanced our software compliance process and overall audit readiness."
"The software composition analysis is most effective for security risk management."
"We didn't have a central inventory to quickly identify issues or determine how many products were affected. Now under Black Duck, it's all consolidated. You search for a component and immediately see which products use it."

Room for Improvement

Black Duck needs enhanced integration with more tools like IntelliJ IDEA. Users experience issues with large scans, reporting, and user interface limitations. The setup process is complex, documentation is scattered, and pricing is seen as high. Flexibility in the user interface, improved scanning efficiency, reporting clarity, and consistency in identifying vulnerabilities are also needed. Users desire on-premise options, better API access, and streamlined dependency management for improved usability and effectiveness.

"There are areas for improvement such as false positives and the scanning of containers."
"There are areas for improvement such as false positives and the scanning of containers."
"It's still a bit inconsistent. For example, if I scan today, it might not show the same results tomorrow."

ROI

Users report that Black Duck significantly improves their software management by identifying vulnerabilities early, ultimately leading to cost savings. They highlight its effectiveness in ensuring license compliance, which prevents potential legal costs and issues. Black Duck also offers a quick integration with existing workflows, further boosting productivity. Its comprehensive reporting capabilities facilitate better decision-making and risk management. Its robust security features and user-friendly interface contribute to increased efficiency and reduced operational risks.

Pricing

Enterprise buyers evaluating Black Duck find varied pricing models, ranging from $10,000 to $70,000 based on users or code size. Many find the solution expensive, suggesting knowing code size for optimal negotiation. Licensing includes access to the academy with free integrations. Some features carry extra costs, yet high capacity needs elevate overall expenses. While many commend the product’s licensing compliance, some consider alternatives like WhiteSource for smaller organizations due to pricing concerns.

"The price charged by Black Duck is exorbitant."
"The pricing is a little high."
"I rate the product's price one on a scale of one to ten, where one is a high price, and ten is a low price."

Popular Use Cases

Organizations primarily use Black Duck for software composition analysis, vulnerability and operational risk assessment, and license compliance in development and audit processes. It aids in scanning source code, detecting compliance issues, and identifying vulnerabilities in open-source and commercial software components. Common integrations include CI/CD pipelines and DevSecOps environments. Teams leverage it during due diligence in M&A, scanning open-source software, and ensuring security management across multiple sectors such as banking, retail, and energy.

Service and Support

Customers express mixed experiences with Black Duck's customer service. Some find the technical support professional and responsive, while others note significant delays. The response time is generally seen as quick, but some users face challenges due to a complex process. The support team is praised for resolving issues effectively, though overlapping work weeks and priority handling could improve. Training videos and unique features are appreciated, although deeper technical issues might require more expertise.

Deployment

Black Duck's initial setup is generally straightforward, especially on cloud platforms like Azure and Google Cloud. Deployment complexity varies by scale, requiring either on-premises setup or SaaS solutions. Users find it easy to install on the cloud, but on-premises may involve challenges with documentation and integration. Setup times vary from minutes to weeks, and deployment often requires minimal personnel. Users note simplicity if using the cloud but highlight manual efforts for on-premises configurations.

Scalability

Black Duck offers good scalability for both small and large organizations, although its capacity may be influenced by licensing and hardware limitations. Users mention it handles varying user numbers across departments and integrates well with CI/CD tools. Cloud deployment supports flexibility, while pricing policies can pose challenges for temporary resource expansion. Generally, Black Duck adapts well to enterprise needs, but scalability might require additional resource allocation as user numbers increase.

Stability

Black Duck is regarded as stable by many users, showing reliability without crashes, freezes, or significant bugs. While response delays may occur depending on the browser, these are deemed typical for applications. Users suggest consistent performance with effective administrative practices like cleanup and archiving. Transitioning from different tools may present bugs, yet users rate stability highly, often above seven on a scale of ten, reinforcing trust in Black Duck's performance.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Black Duck Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Financial Services Firm

21%

Manufacturing Company

16%

Computer Software Company

14%

Healthcare Company

Insurance Company

Retailer

Real Estate/Law Firm

Government

Educational Organization

Energy/Utilities Company

University

Comms Service Provider

Construction Company

Media Company

Non Profit

Transportation Company

Logistics Company

Legal Firm

Wholesaler/Distributor

Consumer Goods Company

Outsourcing Company

Recreational Facilities/Services Company

Hospitality Company

Marketing Services Firm

Aerospace/Defense Firm

Performing Arts

Pharma/Biotech Company

Compare Black Duck with alternative products

Learn more about Black Duck

Black Duck integrates into CI/CD pipelines and DevSecOps processes, helping multiple industries detect and handle risks associated with open-source usage. Users leverage it for source and binary analysis to ensure security and compliance before software release. Automatic component analysis, effective vulnerability scanning, and a comprehensive knowledge base are some of its valuable features. Despite needing improvements in scanning speed, UI, and documentation, Black Duck remains crucial for ensuring open-source security and compliance.

What are Black Duck's most important features?

Automatic Component Analysis: Provides automatic identification and analysis of open-source components.
Effective Vulnerability Scanning: Scans for vulnerabilities in both source code and binary files.
Comprehensive Knowledge Base: Offers expansive information on open-source components.
Policy Management: Enables the creation and enforcement of security and compliance policies.
Binary File Scanning: Capable of scanning binary files for in-depth security checks.
Ease of Use: Demonstrates ease of use, particularly on Mac products.
Stability: Known for its stable performance.
Docker Integration: Smooth integration with Docker for enhanced deployment.
Open-source Evaluation: Excellent evaluation capabilities for open-source software.
License Management: Manages open-source licenses effectively.
Easy Installation: Simple installation process.
Secure Onboarding: Ensures secure application onboarding.
API Availability: Provides APIs for custom integrations.
Community Support: Backed by an active community.
Dependency Tree Visualization: Visualizes dependencies for better management.

What benefits or ROI should users look for in reviews?

Improved Compliance: Helps maintain compliance with legal and regulatory requirements.
Risk Mitigation: Reduces risks associated with open-source vulnerabilities.
Enhanced Security: Strengthens software security by identifying and addressing potential issues early.
Time-saving: Automates many aspects of vulnerability scanning and analysis, saving valuable time.
Cost Efficiency: Detects issues early, potentially saving costs related to compliance breaches and security incidents.
Integration Ease: Seamlessly integrates with existing CI/CD pipelines and DevSecOps practices.
Knowledge Resource: Access to comprehensive information aiding better decision-making.

Black Duck is implemented by industries ranging from finance to healthcare, addressing security and compliance in open-source usage. Financial institutions employ it to manage license risks and ensure audit readiness. Healthcare organizations use it to comply with stringent data protection regulations, ensuring patient data security and privacy. Tech companies integrate Black Duck within CI/CD pipelines to maintain the security and compliance of software products before release. Its deployment varies, tailored to meet the specific risk management and compliance needs dictated by each sector's regulatory environment.

Black Duck was previously known as Blackduck Hub, Black Duck Protex, Black Duck Security Checker.