Black Duck Software Composition Analysis (SCA) vs. CAST Highlight

If you are using a lot of open-source libraries, which is most likely, this is a must-have to ensure no known vulnerabilities slip into production

Incentivized

I think CAST is a great tool to give insight into your applications. The tool can be met with resistance from team members as the tool is going to expose defects that should be addressed. Out of the box, it may need some tailoring to focus on certain areas so that you are not overwhelmed with defects the first time you scan your code. But ultimately, you will want to eliminate all defects in the code and have all violations turned on.

Incentivized

• Quick inventory scan: Black Duck helps us scan the code repositories in no time. And quickly list the components and I now really know what is in my code.
• Security and License risk management: Black Duck being rich in its knowledge base about the vulnerabilities and license issues of open source components, quickly compares the identified inventory to the Black Duck knowledge base and lists all the vulnerabilities and license issues in the code.
• Integration for automatic scanning: Black Duck is part of devops which provides us automatic scanning. Black Duck is not just for devops but also SecOps.

Incentivized

• Identifies common coding vulnerabilities.
• Compares code to industry best practices.
• Assesses the code for data privacy compliance.

Incentivized

• License model based on usage is costly.
• Documentation is extensive, but often confusing.
• Black Duck Hub could use some feature improvements for more robust governance capabilities

Incentivized

• Code scans could be faster. A large application may need to be broken down into smaller sub-applications in order to facilitate faster code scans.
• We spent a lot of time trying to figure out how to best structure our code base in the application for ultimate performance.

Incentivized

If you don’t know how to scan for the language, it isn’t entirely user friendly

Incentivized

Support seems very responsive.

Incentivized

Tech support and pro services are top-notch.

Incentivized

Black Duck is an obvious choice, with its versatility, integration, best enterprise support and on top of the list the knowledge base Black Duck has. Vega or Grabber also scans the application and tells about vulnerabilities. But it can never be compared with the feature set of Black Duck. Black Duck can also generate reports.

Incentivized

These other tools only do a part of what CAST does. CAST gives a comprehensive view into the code looking at all aspects, code quality, security, maintainability, vulnerability, privacy, reuse, etc. These other tools only focus on one or two dimensions.

Incentivized

• It is hard to measure ROI since Black Duck Hub saves us from costly legal battles that have thankfully never had to happen.

Incentivized

• I believe once we had the tool working for our code base, we immediately saw positive ROI.
• We spent some time getting to where our code code be scanned efficiently but some of that was trying to do things ourselves instead of fully utilizing Cast Professional Services. I highly recommend to do an engagement with CAST to have them help setup the tool in your environment or to run it in the cloud for you.

Incentivized