What is our primary use case?
The product teams use them under supervision from the security department.
I'm not extremely familiar with the details on how the product teams are using it, but I think they have integrated it into their development life cycle.
This is governed and managed from a technical and operational perspective by the security department.
Opinions are split: some people find it useful, but it's also pretty complex. That's why we're contemplating moving towards Snyk; it's more developer-oriented than Black Duck, which is a tad more complex to integrate and to use. This is some of the feedback I have heard.
What is most valuable?
We have detected security vulnerabilities, which is absolutely one big benefit. It's pretty accurate, as far as I remember. First and foremost, it does its job of identifying security vulnerabilities.
I wouldn't know the exact numbers or explain what kind of potential security issues we have avoided by using the tool. This would be a conversation that would be more appropriate with the security team that's overseeing the tool.
What needs improvement?
I wouldn't recommend it for small and medium customers, both in terms of its complexity and in terms of the organizational and operational processes around it. I wouldn't go with Black Duck.
It's not as straightforward as more developer-oriented, plug-and-play options, so it requires a bit of knowledge and documentation to set it up.
On the support side, in the past we had some issues regarding the availability of information on the knowledge portal. That was particularly because, when they integrated different kinds of documentation into their knowledge hub or knowledge portal, they did not adapt the text. There were circular references in the documentation that were misleading and confused our people rather than helping them.
For how long have I used the solution?
How are customer service and support?
On the support side, we had issues regarding the availability of information on the knowledge portal. That was particularly because, when they integrated different kinds of documentation into their knowledge hub or knowledge portal, they did not adapt the text. There were circular references in the documentation that were misleading and confused our people rather than helping them. When it comes to the actual support, I don't know what kind of experience my colleagues had.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We're actually still working with Black Duck as of now, but we're in the process of moving away from Black Duck, potentially towards Snyk. We work with the Polaris Platform, Coverity and the SCA component.
What was our ROI?
That's one of the aspects that we need to take into consideration when we're talking about the maturity of an organization. If you don't have processes that allow you to monitor usage and to quantify the return on investment, then it's pretty difficult to say. We are not there. It was not my decision to go with this tool. I would have recommended something different, because our organization is young, dating back only three years.
What's my experience with pricing, setup cost, and licensing?
In my opinion, it's a very good product for mature companies. It is quite expensive compared with competitors, with other providers of similar application security management services. It actually requires very good processes and good governance in order to grasp the full benefits and all the features of the product.
It's been quite a while since I performed a comparison between vendors. The last time I did it was in 2022. Things could have changed, but considering that we have had a three-year agreement and we're stepping into the last year now, I would consider it pretty expensive: we're talking about an overall contract value close to 1 million euros for three years.
Which other solutions did I evaluate?
That's one of the aspects that we need to take into consideration when we're talking about the maturity of an organization. If you don't have processes that allow you to monitor usage and to quantify the return on investment, then it's pretty difficult to say. We are not there. It was not my decision to go with this tool. I would have recommended something different, because our organization is young, dating back only three years. We were established as a group in October 2022.
What other advice do I have?
The products that we have are Coverity, Black Duck Pro Edition, subscription services and on-site support for Black Duck Binary Integrated, which is hosted. For the Polaris Platform, we have the SaaS package with the SCA subscription. We had Premier Onboarding for Coverity and for Black Duck, and a Success Package.
It's very hard to quantify, because I can only speak from what I have learned from my colleagues and from my own experience of the commercial aspects.
I rate this solution an 8 out of 10.