Black Duck Software provides application security testing solutions to help organizations manage the security, quality, and compliance risks associated with their software. The company’s mission is to enable customers to build trust in their software, which empowers them to innovate and transform their businesses with new technologies like AI. Black Duck aims to provide a comprehensive and powerful portfolio of application security products and services that allow for the safe and secure adoption of open-source technology.
As the former Synopsys Software Integrity Group, Black Duck is recognized as a market leader in the application security industry. Its flagship software composition analysis (SCA) solution is a key part of its reputation, helping thousands of organizations manage open-source technology securely for nearly two decades. The company’s portfolio has been consistently recognized as a Leader in the Gartner® Magic Quadrant™ for Application Security Testing.
Offerings, Capabilities, and Integrations
Black Duck Software provides a comprehensive suite of application security (AppSec) solutions designed to help organizations manage the security, quality, and compliance risks associated with open source and third-party code. Its core capability is Software Composition Analysis (SCA), which identifies open source components in applications and containers, detects known security vulnerabilities, and manages license compliance. Black Duck gives organizations visibility into their software supply chain, allowing them to control third-party code throughout the application lifecycle. The company’s competitive edge lies in its multi-factor detection technology, which produces a more accurate and complete software bill of materials (SBOM) by combining several kinds of evidence: components declared in package manifests, file signatures, resolved dependencies, and matched code snippets. Because file-signature and snippet matching do not depend on a manifest, this approach, combined with deep binary inspection, also surfaces components that were vendored, copied into first-party source, or compiled into binaries and therefore never declared. Black Duck integrates with a wide range of development tools, CI/CD pipelines, and vulnerability management solutions to automate security testing and policy enforcement without hindering development speed.
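The multi-factor idea described above, as an added example that is not Black Duck's code: a toy Python SCA scanner that runs three detection factors (declared dependencies from a manifest and lockfile, whole-file signatures, and hashed code-snippet windows) over a constructed in-memory project and merges the findings into one SBOM. The component table, the project files, the advisory identifiers (`EXAMPLE-ADV-…`) and the "zlib"/"lodash" stand-in contents are all constructed for the demo, and the window-hashing matcher is a deliberately simplified stand-in for real fingerprinting; the point is to show which components a manifest-only scan misses.

```python
"""Illustrative multi-factor SCA (added example; not Black Duck's algorithm or code).

Three detection factors over an in-memory project:
  1. declared dependencies (manifest + lockfile, which also yields transitive deps),
  2. whole-file signatures (hash of a vendored file matched against a known-component table),
  3. code-snippet signatures (hashes of short normalized line windows, so a pasted
     function is found even inside a file that is otherwise first-party code).
All data below (project files, signature tables, advisory IDs) is constructed for the demo.
"""
import hashlib
import json
import re
from collections import defaultdict

WINDOW = 3  # lines per snippet window; real tools use far more robust fingerprinting


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize_lines(text: str) -> list:
    """Collapse whitespace and drop blank lines so reformatting does not defeat a match."""
    out = []
    for line in text.splitlines():
        line = re.sub(r"\s+", " ", line).strip()
        if line:
            out.append(line)
    return out


def snippet_hashes(text: str) -> set:
    """Hash every WINDOW-line window of the normalized text."""
    lines = normalize_lines(text)
    return {sha256("\n".join(lines[i:i + WINDOW]).encode())
            for i in range(len(lines) - WINDOW + 1)}


# --- constructed knowledge base (stand-in for a vendor's component database) ---
VENDORED_LODASH = b"/*! lodash 4.17.15 (constructed stand-in, not the real file) */\nfunction chunk(a,n){return a}\n"
KNOWN_FILE_SIGNATURES = {sha256(VENDORED_LODASH): ("lodash", "4.17.15")}

ADLER_SNIPPET = """
unsigned long adler32_update(unsigned long adler, const unsigned char *buf, size_t len) {
    unsigned long s1 = adler & 0xffff;
    unsigned long s2 = (adler >> 16) & 0xffff;
    for (size_t i = 0; i < len; i++) {
        s1 = (s1 + buf[i]) % 65521;
        s2 = (s2 + s1) % 65521;
    }
    return (s2 << 16) | s1;
}
"""  # constructed stand-in attributed to "zlib" for the demo; not real zlib source
KNOWN_SNIPPET_SIGNATURES = {h: ("zlib", "1.2.11") for h in snippet_hashes(ADLER_SNIPPET)}

ADVISORIES = {  # constructed advisory identifiers, not real CVEs
    ("lodash", "4.17.15"): ["EXAMPLE-ADV-0001"],
    ("qs", "6.11.0"): ["EXAMPLE-ADV-0002"],
}

# --- constructed project tree: path -> file bytes ---
PROJECT = {
    "package.json": json.dumps({"name": "demo-app", "dependencies": {"express": "^4.18.0"}}).encode(),
    "package-lock.json": json.dumps({
        "lockfileVersion": 1,
        "dependencies": {
            "express": {"version": "4.18.2", "requires": {"qs": "6.11.0"}},
            "qs": {"version": "6.11.0"},
        },
    }).encode(),
    "vendor/lodash.min.js": VENDORED_LODASH,  # copied in by hand; appears in no manifest
    "src/checksum.c": """
#include <stddef.h>
/* local helper */
static int clamp(int v) { return v < 0 ? 0 : v; }
unsigned long adler32_update(unsigned long adler, const unsigned char *buf, size_t len)
{
  unsigned long s1 = adler & 0xffff;
  unsigned long s2 = (adler >> 16) & 0xffff;
  for (size_t i = 0; i < len; i++) {
      s1 = (s1 + buf[i]) % 65521;
      s2 = (s2 + s1) % 65521;
  }
  return (s2 << 16) | s1;
}
""".encode(),  # first-party file with a pasted, re-indented third-party function inside
}


def detect_declared(files):
    """Factor 1: what the package manager says is installed (direct + transitive)."""
    direct = set(json.loads(files.get("package.json", b"{}")).get("dependencies", {}))
    lock = json.loads(files.get("package-lock.json", b"{}")).get("dependencies", {})
    return [{"name": n, "version": i["version"], "location": "package-lock.json",
             "evidence": "declared:" + ("direct" if n in direct else "transitive")}
            for n, i in lock.items()]


def detect_file_signatures(files):
    """Factor 2: exact whole-file hash match against the known-component table."""
    found = []
    for path, data in files.items():
        hit = KNOWN_FILE_SIGNATURES.get(sha256(data))
        if hit:
            found.append({"name": hit[0], "version": hit[1],
                          "evidence": "file-signature", "location": path})
    return found


def detect_snippets(files):
    """Factor 3: partial match of line windows inside a file; reports matched-window count."""
    found = []
    for path, data in files.items():
        hits = defaultdict(int)
        for h in snippet_hashes(data.decode("utf-8", errors="ignore")):
            if h in KNOWN_SNIPPET_SIGNATURES:
                hits[KNOWN_SNIPPET_SIGNATURES[h]] += 1
        for (name, version), n in hits.items():
            found.append({"name": name, "version": version,
                          "evidence": f"snippet:{n}-windows", "location": path})
    return found


ALL_FACTORS = (detect_declared, detect_file_signatures, detect_snippets)


def build_sbom(files, factors=ALL_FACTORS):
    """Merge findings from the chosen factors into one CycloneDX-style component list.
    Simplified layout: a real CycloneDX document carries purls and a separate
    top-level vulnerabilities array rather than per-component lists."""
    merged = {}
    for factor in factors:
        for f in factor(files):
            key = (f["name"], f["version"])
            comp = merged.setdefault(key, {"type": "library", "name": f["name"],
                                           "version": f["version"], "evidence": [],
                                           "vulnerabilities": list(ADVISORIES.get(key, []))})
            comp["evidence"].append(f"{f['evidence']}@{f['location']}")
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": sorted(merged.values(), key=lambda c: c["name"])}


def component_names(sbom):
    return {c["name"] for c in sbom["components"]}


if __name__ == "__main__":
    manifest_only = build_sbom(PROJECT, (detect_declared,))
    full = build_sbom(PROJECT)
    print("manifest-only :", sorted(component_names(manifest_only)))
    print("multi-factor  :", sorted(component_names(full)))
    print("missed by manifest-only:", sorted(component_names(full) - component_names(manifest_only)))
    print(json.dumps(full, indent=2))
```

Run stand-alone, the manifest-only pass reports only express and its transitive qs, while the three-factor pass adds lodash (found purely by file signature in `vendor/`) and the pasted adler32 routine (found by six matching snippet windows inside `src/checksum.c`, despite different indentation and an extra local helper around it). That gap, components that exist in the tree but in no manifest, is exactly what a signature- and snippet-backed SBOM closes, and each component carries its evidence so a reviewer can see why it was attributed.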
Products and Services
Black Duck’s offerings are centered around managing the risks of open source software. Its flagship product is Black Duck Software Composition Analysis (SCA), which helps teams manage security, quality, and license compliance risks. A newer offering is the Black Duck Supply Chain Edition, which expands on the core SCA capabilities to provide a more comprehensive view of software supply chain risks, including those from open source, third-party, and AI-generated code. Key products and services in the Black Duck portfolio include:
- Black Duck SCA: Identifies open source in code, binaries, and containers, maps vulnerabilities, and ensures license compliance. It uses multiple scanning techniques to create a comprehensive software bill of materials (SBOM).
- Black Duck Supply Chain Edition: An enhanced offering that includes automated third-party SBOM analysis and malware detection to mitigate upstream risks in the software supply chain.
- Polaris SaaS Platform: A cloud-hosted application security testing platform that runs Black Duck’s scanners as a service and automates security testing across the development lifecycle.
- Coverity Static Analysis: A static application security testing (SAST) tool that identifies defects and security vulnerabilities in proprietary source code.
- WhiteHat Continuous Dynamic Analysis: Provides continuous dynamic application security testing (DAST) of running web applications.
- Seeker Interactive Analysis: An interactive application security testing (IAST) tool that instruments the running application to detect vulnerabilities during functional testing.
- Defensics Protocol Fuzzing: A protocol fuzzer that feeds malformed and unexpected inputs to protocol implementations to uncover previously unknown vulnerabilities.
- Security Testing, Consulting, and Audit Services: Offers expert services to help organizations with their application security programs, including for mergers and acquisitions.
Target Customers
Black Duck Software targets a broad range of customers, from development and security teams to legal and procurement departments within various industries. Its solutions are particularly beneficial for organizations that develop and use software extensively, including those in the public sector, heavy industry, manufacturing, and technology sectors. The primary users are development, security, and operations (DevSecOps) teams who need to build secure, high-quality software quickly. These customers benefit from Black Duck’s ability to find and fix security vulnerabilities early in the development lifecycle, ensure compliance with open source licenses to avoid legal issues, and improve overall code quality. By integrating with existing development tools and automating security processes, Black Duck helps these organizations to manage risk without sacrificing development speed and productivity.
Cloud Integrations and Marketplaces
Black Duck Software provides multiple cloud integrations and maintains a presence on major cloud marketplaces, enabling deployment and integration of its application security testing solutions within cloud environments. The company’s products can be deployed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform.
- Amazon Web Services (AWS): Black Duck Software is available on the AWS Marketplace. Offerings include “Black Duck Application Security Testing (AST) for AWS” and “Cloud Security Services”. The primary offering, Black Duck SCA, is provided as an Amazon Machine Image (AMI) under a “bring-your-own-license” (BYOL) model. This allows customers with existing licenses to deploy Black Duck on AWS infrastructure. Black Duck’s solutions integrate with AWS Developer Tools, such as AWS CodeBuild and CodePipeline, to incorporate security testing into the CI/CD pipeline.
- Microsoft Azure: Black Duck Software offers integrations for Microsoft Azure, primarily through the Visual Studio Marketplace. The “Black Duck Security Scan” extension for Azure DevOps allows for the integration of Black Duck’s security testing capabilities directly into Azure pipelines. This extension utilizes the Bridge CLI to run scans for various Black Duck products. There are multiple deployment options for Black Duck within Azure, including through the Azure Marketplace, on Azure Kubernetes Service (AKS), and from the deployment resources and container images Black Duck publishes on GitHub and Docker Hub.
- Google Cloud Platform (GCP): Black Duck Software can be deployed on the Google Cloud Platform through the GCP Marketplace. Similar to its AWS offering, Black Duck is available as a “bring-your-own-license” (BYOL) deployment into a Compute Engine Virtual Machine. For more scalable deployments, Black Duck can also be deployed to the Google Kubernetes Engine (GKE). Additionally, Black Duck supports Single Sign-On (SSO) integration with Google Cloud credentials via SAML.
Key People
- Chief Executive Officer: Jason Schmitt.
- Chief Financial Officer: Rafe Brown.
- Chief Product & Technology Officer: Dipto Chakravarty.
- Chief Revenue Officer: Sean Forkan.
- Chief Marketing Officer: Jim Ivers.
- Chief Customer Officer: Girish Janardhanudu.
- Chief Human Resources Officer and General Counsel: Joy Meier.
- Global Chief Information Officer: Ishpreet Singh.
- Chief Information Security Officer: Bruce Jenkins.
- Vice President, Engineering: Jeff Delaney.
- Vice President of SaaS R&D: Chris Leffel.
Key Facts
- Headquarters Location: Burlington, Massachusetts.
- Number of Employees: Approximately 400.
- Annual Revenue: Over $500 million.
- Parent Company: Clearlake Capital Group and Francisco Partners.
- Subsidiary Companies: None.
- Publicly Listed: No.
Analyst Recognition
Analyst groups recognize Black Duck Software, formerly the Synopsys Software Integrity Group, in the application security testing space. The company has been acknowledged for its capabilities in both software composition analysis (SCA) and static application security testing (SAST).
- Gartner has named Black Duck a Leader in its Magic Quadrant for Application Security Testing. This recognition was for seven consecutive years as of 2023. In the 2023 report, Gartner positioned Synopsys, which included Black Duck at the time, highest for its “Ability to Execute” and furthest for its “Completeness of Vision”.
- Forrester has identified Black Duck as a Leader in The Forrester Wave™ for Software Composition Analysis (SCA). This recognition occurred most recently in the fourth quarter of 2024. Forrester has also named Black Duck a Leader in The Forrester Wave™ for Static Application Security Testing (SAST) in the third quarter of 2023.