Group IT Vendor Management Director at Twoday
A scalable and customizable solution that has a very strong knowledge base
Pros and Cons
- "Policy management is a valuable feature."
- "The documentation is quite scattered."
What is our primary use case?
We use the solution to detect non-compliance in third-party applications.
What is most valuable?
I really like the fact that we can define policies at a group level. Based on the foundation we create on the baseline, we can apply specific policies for specific teams. We can apply the same policy to the entire organization and tailor the policies for different teams. Policy management is a valuable feature.
I also enjoy using the license management feature in which we can add or review the terms of the licenses. The component management feature is also good. Black Duck is quite powerful. It has been in the industry for quite a lot of time, for around 30 years.
What needs improvement?
The documentation is quite scattered. It's really difficult to identify the documentation we need for a specific need. When I was working for an organization, I had to create my own documentation to establish the service for the group. The solution must make it easy for the users to understand what to do when they are getting started.
For how long have I used the solution?
I have been familiar with the solution for a year, including the demo period.
Buyer's Guide
Black Duck
November 2024
Learn what your peers think about Black Duck. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
814,763 professionals have used our research since 2012.
What do I think about the stability of the solution?
The solution was pretty stable. We had some issues here and there.
What do I think about the scalability of the solution?
The product is pretty scalable. It depends on the licensing model. We had negotiated a license model that was fit for our needs. Then, we added more applications as we grew. The tool provides both the on-premise and the cloud solution. We chose the cloud solution. We wanted the tool for internal use within our organization. We had more than 250 business units.
How are customer service and support?
We have had a chance to benefit from expert hours with proper engineers who were able to respond to some questions. Some of them were more competent than the others. I'm satisfied with support on average.
How would you rate customer service and support?
Neutral
How was the initial setup?
The initial setup is moderately hard because the documentation is not available. If someone is gathering the documentation and creating custom documentation for the organization, explaining how to connect to the CI/CD pipeline and create an account and everything in between, then it's not difficult. The initial investment in developing the documentation is quite tedious.
We provide an initial onboarding period of two weeks to the deployment team. The team can deploy the solution at its own pace, provided it follows the documentation. The team also has early life support throughout these two to three weeks, in which the team members also get trained and understand how to make the best of the tool’s features.
The deployment time depends on the organization’s application architecture, where they keep their projects, and how they are organized. These variables can extend or decrease the timeline for implementation. We need one or two technical resources to deploy the product.
What's my experience with pricing, setup cost, and licensing?
We paid for the license on a yearly basis.
Which other solutions did I evaluate?
I have evaluated several other solutions, including FOSSA, but we didn't go forward with them. We chose Black Duck because it has a very strong knowledge base with a lot of customization around license management, component management, and policy management.
What other advice do I have?
Organizations that enter a contract with Synopsys must be very careful about the expert hours. We would need support even if we do not have a premium contract. The expert hours are quite pricey. Whoever enters a contract with Synopsys should secure some expert hours because they will need them, at least initially, when they establish the system.
It wasn't that easy for us to onboard. It was a very steep learning curve. I was expecting more support from the vendor during the onboarding. I expected they would drive the onboarding since it was my first time using the solution. Instead, we had to discover a lot on our own as a customer. They provided some onboarding materials and training, but we were not hand-held through the process.
Overall, I rate the tool a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cloud Solution Architect at IBM
Responsive support, useful vulnerabilities discovery, and high availability
Pros and Cons
- "The most valuable feature of Black Duck is the seamless integration to scan our Docker binary files. It provides us with all open vulnerabilities, and it ensures that the reference point from which it finds the vulnerabilities is up to date. For example, if any new vulnerability is found, it is immediately available in Black Duck. There is no delay in finding the vulnerabilities; they are called out in our code immediately."
- "Black Duck can improve the time it takes for a scan. Most of the time it's not ideal when integrated with the live DevSecOps pipeline. We have to create a separate job to scan the library because it takes a couple of hours to scan all those libraries. The scanning could be faster."
What is our primary use case?
We use Black Duck mainly for the DevSecOps pipeline. For the microservices-based application, we have to deploy Black Duck into the Kubernetes environment.
I have worked for multiple clients across the world, such as the US and Europe in the banking, retail, and energy sectors.
What is most valuable?
The most valuable feature of Black Duck is the seamless integration to scan our Docker binary files. It provides us with all open vulnerabilities, and it ensures that the reference point from which it finds the vulnerabilities is up to date. For example, if any new vulnerability is found, it is immediately available in Black Duck. There is no delay in finding the vulnerabilities; they are called out in our code immediately.
What needs improvement?
Black Duck can improve the time it takes for a scan. Most of the time it's not ideal when integrated with the live DevSecOps pipeline. We have to create a separate job to scan the library because it takes a couple of hours to scan all those libraries. The scanning could be faster.
For how long have I used the solution?
I have been using Black Duck for a few years.
What do I think about the stability of the solution?
The stability of Black Duck is very good.
What do I think about the scalability of the solution?
Black Duck is scalable.
How are customer service and support?
The technical support from Black Duck is very good.
How was the initial setup?
Black Duck is easy to install. The full implementation took a couple of hours.
What about the implementation team?
I do the implementation of the solution.
What was our ROI?
We have seen a very high return on investment using Black Duck.
What other advice do I have?
I rate Black Duck a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
CTO at a computer software company with 11-50 employees
Good knowledge base and management system and helpful for discovering commercial and open-source licenses
Pros and Cons
- "The knowledge base and the management system are the most valuable features of Black Duck Hub. It has a very helpful management environment. They offer an editor where we can check the discovered license, which is retrieved from their knowledge base. They have a huge knowledge base built over the years. It gives you some possibilities, such as that this license with possibility A could cause a vulnerability issue or a potential breach."
- "It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code. It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports."
What is our primary use case?
We use Black Duck Hub to discover commercial and open-source licenses and the licensed software used by a company. Whenever a company enters the M&A process, a preliminary step called due diligence is done. A part of it is the technical discovery that includes finding out what software the company is using and whether the software is linked with any open-source software or commercial product for which you have to pay a license.
Our main use case is to discover the license and find out if there is an obligation for the paid license. We also check the exposure of the software to open-source libraries. Open source is great, and it is a preferred solution for many companies. Around 90% of the software is now open source, but it is also exposed to vulnerabilities. So, through the dependencies that we were discovering, we were also working on the security exposure of the software product. For this purpose, we use Black Duck Hub.
What is most valuable?
The knowledge base and the management system are the most valuable features of Black Duck Hub. It has a very helpful management environment. They offer an editor where we can check the discovered license, which is retrieved from their knowledge base. They have a huge knowledge base built over the years. It gives you some possibilities, such as that this license with possibility A could cause a vulnerability issue or a potential breach.
What needs improvement?
It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code.
It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports.
For how long have I used the solution?
I have been using this solution for two and a half years. I was serving as vice president of engineering and integration in a company in Austin, Texas. I was assigned to acquisitions of companies, more specifically to the technical due diligence that takes place during acquisition. So, we used Black Duck Hub very extensively. We had the biggest ever contract with Synopsys for almost $1 million per year, and we used Black Duck Hub to scan the license for each acquired company. We had a very aggressive acquisition plan of almost one acquisition every 15 days. So, I have accumulated quite a big experience with the Black Duck Hub tool.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
From the company side, it's super scalable, but from the client's side, it's not that scalable. The issue with scalability is that if you have reserved 100 megabytes on Black Duck Hub, and eventually, you like to use 200 or 300 megabytes, the pricing policy requires extending your product permanently. This is really painful because you just need instant access to the higher, bigger space, but you don't want to buy it permanently. They should give the possibility to extend instantly by 50% or 80% more for a week or two weeks. This is quite common, and I have seen many cloud providers that let you pay instantly for a limited time, and you have the possibility to use a little bit more.
I have a team of six users who use Black Duck for the discovery, but the results are forwarded to many more things.
How are customer service and technical support?
In some cases, we have faced delays. We had reported issues, and we got the reply in 15 days or 20 days. Being a big organization, their support is rather slow. They prioritize these issues based on some logic unknown to me. If we have a big problem, we should get priority.
How was the initial setup?
The initial setup is super simple for the user because it is set up on the cloud. You just get an account and upload the code. You don't have to install it. There is no deployment. You just access the service from the cloud.
What's my experience with pricing, setup cost, and licensing?
Black Duck is more suitable if you require a lot of licensing compliance. For smaller organizations, WhiteSource is better because its pricing policies are not really suitable for huge organizations.
Which other solutions did I evaluate?
I'm also currently testing WhiteSource, Black Duck Hub, FOSSA, Snyk, and a few more solutions. My assignment is to provide an evaluation for a blockchain platform.
What other advice do I have?
I would advise others to be careful with the provisioning of the space that you need. Black Duck has been the key player in the market for many years. It is totally in conjunction with Coverity and forms a suite of security and quality. It is frequently used in M&A or mergers and acquisition cases. It is the top product in the market.
I would rate Black Duck a nine out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Project Lead at a manufacturing company with 10,001+ employees
Is able to drill down to the source level, but instead of providing scripts, they should provide functionalities through the UI
Pros and Cons
- "It is able to drill down to the source level."
- "They are giving a lot of APIs and Python scripts for certain functionalities, but instead of using APIs and Python scripts, they should provide these functionalities through the UI. Users should be able to customize and add more fields through the UI. Users should be able to add more fields and generate reports. Currently, they are not giving flexibility in the UI. They're providing a script that simply generates an Excel file or CSV file. There is no flexibility."
What is most valuable?
It is able to drill down to the source level.
What needs improvement?
We expect a lot more features. They have to improve it a lot in terms of the way they do the analysis. At the analysis level, more depth is required.
They are giving a lot of APIs and Python scripts for certain functionalities, but instead of using APIs and Python scripts, they should provide these functionalities through the UI. Users should be able to customize and add more fields through the UI. Users should be able to add more fields and generate reports. Currently, they are not giving flexibility in the UI. They're providing a script that simply generates an Excel file or CSV file. There is no flexibility.
For how long have I used the solution?
We have been using this solution for a year. We are using its latest version.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
Because it is on the cloud, it is scalable. We have quite a significant number of users. Our users might be in the hundreds.
How are customer service and support?
Their support is not so strong. It is fine. It is not bad. If we go a little bit deeper on the technical side, they might not know about it.
How was the initial setup?
We didn't do the setup. They did the setup. My guess is that it is not so easy because it's done in the Docker environment. For its maintenance, we need two people.
What's my experience with pricing, setup cost, and licensing?
It is expensive.
What other advice do I have?
I would rate it a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head: Open Source Program Office at a financial services firm with 10,001+ employees
Feature-rich, with good security compliance
Pros and Cons
- "Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it."
- "We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck."
What is our primary use case?
I am not working with Black Duck. I manage a team that works with Black Duck.
What is most valuable?
We are happy with this solution.
We have not yet explored all of the functionalities of Black Duck.
Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it.
What needs improvement?
We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck. I feel that it is just a matter of time and it should be fine.
For how long have I used the solution?
We have been working with Black Duck for a little more than one year.
What do I think about the scalability of the solution?
It is a very small group of people who are using this solution in our organization.
My team is the open-source program office and we have three people who are using Black Duck and the other teams would be in the range of fewer than 20 people.
How are customer service and technical support?
We contacted technical support as we were not able to fix this issue ourselves. We are not the primary contact who has procured the product, they are based out of Paris. We are using the license but we have to go through them to contact Black Duck to get their help.
I am not able to share an opinion on the support because we raised the issue only a few weeks back, and this being the summer vacation period, a lot of people were unavailable. I don't know whether that delay is being caused by our counterparts in Paris or if it is really caused by Black Duck.
Which solution did I use previously and why did I switch?
We have been using other tools, but our IT division acquired Black Duck and we wanted to use it across the organization.
As far as security is concerned, it has always been a priority in our organization. We had different tools that we were using for security, but when it comes to operational risk and compliance and licensing, we didn't have any specific approach before Black Duck.
What's my experience with pricing, setup cost, and licensing?
We are not the primary team to procure this solution. My counterparts in Paris are the only ones who are aware of the pricing.
We are only using a few of the licenses because they had acquired several licenses, but I'm not involved in the pricing and the contract negotiations.
What other advice do I have?
I would rate Black Duck an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Project Lead at a manufacturing company with 10,001+ employees
Stable, but the process is very manual and the price should be reduced
Pros and Cons
- "The stability is okay."
- "It needs to be more user-friendly for developers and in general, to ensure compliance."
What is our primary use case?
We use Black Duck to examine our source code for compliance issues.
What needs improvement?
The older version that we are using is very primitive. You have to do every step, right from setting up an application to the user. The code has to sit in a particular folder and all of the open-source dependencies have to be there. With everything in one folder, it starts to scan. As we are using Code Center, we need to ensure that all of the components are there. However, there are thousands of components and for each submission, the components have to be there. There are no bulk submissions or bulk transfers. Essentially, you need to write your own scripts with the APIs to do it more efficiently.
It needs to be more user-friendly for developers and in general, to ensure compliance. The scanning should be quick and easy to use, rather than complex.
The pricing for this solution should definitely be lower.
For how long have I used the solution?
We have been using Black Duck for between five and six years.
What do I think about the stability of the solution?
The stability is okay. We need to keep cleaning up and archiving, which is the standard care by an administrator.
What do I think about the scalability of the solution?
The number of people we have using Black Duck at any time is on a project-by-project basis. We probably have around 500 users, although they do not use it on a continuous basis. The usage is based on the number of requests. For some projects, it will be used just one time, and that's it.
How are customer service and technical support?
We have just started to contact technical support, so it is too early to evaluate them.
Which solution did I use previously and why did I switch?
We did not use another similar solution prior to Black Duck.
How was the initial setup?
The initial setup is complex. It is installed and configured on a Linux-based system, and the on-premises database needs to be updated.
Upgrading our version of Black Duck to the most recent is a tedious process. It is very step-by-step and very manual.
What's my experience with pricing, setup cost, and licensing?
The price is quite high because the behavior of the software during the scan is similar to competing products.
Which other solutions did I evaluate?
We are currently evaluating whether we should continue to work with Black Duck, upgrading to the most recent version, or change to another solution. We are looking at several tools that also include WhiteSource and Checkmarx Composition Software Analysis. Ideally, we want to find a solution that suits our everyday needs.
One thing that we have found is that the price of Black Duck is quite high, compared to other products.
What other advice do I have?
As we are using an older version, and have not yet completed a PoC with the most recent one, I am not sure whether there are newer features that we need or will use. Things that we would like to see may have already been implemented.
I would rate this solution a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Technical Architect at IGT Solutions
Helps to scan Java code and save time
Pros and Cons
- "We accidentally use third-party library APIs, which may not be secure. Our technical team may not have the end time or expertise to figure it out. Black Duck helps us with that and saves us time."
- "The tool needs to improve its pricing. Its configuration is complex and can be improved."
What is our primary use case?
We use the solution to scan Java code.
What is most valuable?
We accidentally use third-party library APIs, which may not be secure. Our technical team may not have the end time or expertise to figure it out. Black Duck helps us with that and saves us time.
What needs improvement?
The tool needs to improve its pricing. Its configuration is complex and can be improved.
For how long have I used the solution?
I have been using the tool for five years.
What do I think about the stability of the solution?
Black Duck is stable.
How was the initial setup?
I rate the tool's deployment a seven out of ten.
What other advice do I have?
I rate the product an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Engineer at a manufacturing company with 10,001+ employees
Easy to use with a simple installation process and good stability
Pros and Cons
- "The installation is very easy."
- "With our software development life cycle, we don't need to scan our source code every day or every week. For that reason, we find the cost too high. We might only actually use it five to ten times a year, which makes it expensive."
What is most valuable?
It's a well-recognized tool in our industry. We have a lot of requests for the product from clients.
The solution is very easy to use.
The stability has been good over the years.
The installation is very easy.
What needs improvement?
With our software development life cycle, we don't need to scan our source code every day or every week. For that reason, we find the cost too high. We might only actually use it five to ten times a year, which makes it expensive.
For how long have I used the solution?
We've used the solution for about three or four years at this point.
What do I think about the stability of the solution?
The stability is very good. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.
What do I think about the scalability of the solution?
Not everyone uses the solution at our company. Mainly, just developers use it, and we have about 60 people on it.
Which solution did I use previously and why did I switch?
Right now, we are considering changing to WhiteSource, however, we still might just keep Black Duck.
How was the initial setup?
The initial setup isn't too difficult. It's a pretty straightforward, simple process. We have only installed it once, and I cannot recall how long the deployment actually took. It was a long time ago.
What's my experience with pricing, setup cost, and licensing?
The cost of the solution is very high. We'd prefer if the product offered a monthly subscription.
What other advice do I have?
We are a customer and an end-user.
We are using Black Duck Hub.
I'd rate the solution at an eight out of ten. We're mostly quite happy with the capabilities.
Black Duck is a good, but not inexpensive, tool. If others want stability or a well-respected tool, I would recommend it.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Black Duck can be installed in-house. It only communicates with their servers to fetch updates to its Knowledge Base, which is used to identify open source components and vulnerabilities. We sometimes send the scan results to Synopsys/Black Duck support, but those do not contain any of our code, just the analysis of the scanned files, which we judged not to be a security risk for us.