Backed by 20+ years of human-curated intelligence

4,000+ organizations choose Black Duck for unmatched software risk insight.

Address the new era of software development

95% of organizations use AI tools for software development.

Secure your AI transformation

Build secure code at AI speed

When innovation moves fast, your security must move faster. Accelerate modern software development with agentic AI AppSec that secures every line of code with no friction or delay.

65% of organizations reported experiencing a software supply chain attack in the past year.

Secure Software Supply Chain

Strengthen software supply chain security

When every component matters, compromise isn't an option. Get total visibility and compliance, and eliminate risk across your software supply chain.

24% of organizations perform comprehensive IP, license, security, and quality evaluations.

Deliver code quality and compliance

For safety-critical systems, flawless code is non-negotiable. Deliver products that customers trust with zero defects, zero compromises, and total visibility.

The recognized leader in software security

A Magic Quadrant™ Leader for the Eighth Consecutive Time

In the 2025 Gartner® Magic Quadrant™ for Application Security Testing, Black Duck placed highest for Ability to Execute.

True Scale Application Security

Black Duck has the only AppSec portfolio that unifies SAST, SCA, and AI-powered analysis into a SaaS platform. Polaris delivers real-world intelligence to detect issues across mission-critical software.

Insights from 20+ years shaping the future of AppSec

FAQ

  • What does Black Duck do?

    Black Duck is the leader in application security testing, offering True Scale Application Security that empowers organizations to build trust in their software. We provide a comprehensive suite of automated application security solutions, including agentic AI AppSec, static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), and software composition analysis (SCA), to identify, manage, and remediate security vulnerabilities, license compliance risks, and code quality issues across the entire software development life cycle.

    By integrating seamlessly into developer workflows and CI/CD pipelines, Black Duck solutions enable teams to secure proprietary and open source components as well as AI-generated code, accelerate secure software delivery, and ensure compliance with industry regulations. Black Duck provides the visibility, automation, and expert guidance necessary to manage software security risks at the speed modern businesses demand.

  • How does Black Duck secure the software supply chain?

    Black Duck offers comprehensive software composition analysis (SCA) tools that provide complete visibility into every open source and third-party component in your applications. Our advanced detection methods can also generate and manage accurate Software Bills of Materials (SBOMs), meticulously tracking components and their versions, licenses, and security status to ensure transparency and compliance with supply chain regulations. Black Duck continuously monitors these components against vulnerability databases, including our proprietary KnowledgeBase™, and automatically alerts your teams to new threats without requiring new scans. By integrating directly into CI/CD pipelines, Black Duck solutions prevent vulnerable or noncompliant code from advancing, ensuring ongoing supply chain security and enabling rapid response to emerging threats and attacks.

  • What application security testing types does Black Duck offer?

    Black Duck provides a comprehensive and complementary portfolio of application security testing (AST) solutions designed to secure both proprietary code and third-party components, including AI-generated code, across the entire software development life cycle. Our offerings include:

    • Agentic AI application security. Black Duck Signal combines 20+ years of software security expertise and intellectual property with LLM-powered software analysis to autonomously detect and remediate vulnerabilities in business-critical applications.
    • Static application security testing (SAST). Black Duck SAST tools provide fast, scalable, and comprehensive static code analysis in the cloud (Polaris fAST Static), on premises (Coverity® Static Analysis), and at the developer desktop (Code Sight™ IDE Plug-in).
    • Software composition analysis (SCA). Black Duck SCA tools provide visibility into your software and give you the information you need to fix issues fast. They also provide complete visibility into all dependencies in your source code, containers, and binaries.
    • Dynamic application security testing (DAST). Black Duck DAST tools identify vulnerabilities in APIs and web applications before and after deployment, so you can find security issues before hackers do. Polaris fAST Dynamic allows you to run quick, self-serve scans with minimal setup. Black Duck® Continuous Dynamic automatically scans new functionalities and runs deeper on-demand tests when you need them.
    • Interactive application security testing (IAST). Seeker® Interactive Analysis provides unparalleled visibility into your web application security posture and identifies vulnerability trends against compliance standards.

  • What deployment options does Black Duck offer for its application security solutions?

    Black Duck delivers unparalleled flexibility in deploying our market-leading application security solutions, so our customers can secure their software wherever it resides and however they operate. We understand that infrastructure and compliance needs are unique, which is why we support a full spectrum of deployment models.

    • Cloud-native SaaS. Black Duck Polaris™ Platform is a robust, scalable software-as-a-service (SaaS) solution. Polaris’s cloud-native deployment provides immediate access, continuous updates, elastic scalability, and reduced operational overhead. Customers benefit from rapid deployment, minimal maintenance, and the ability to scale their application security programs effortlessly without managing underlying infrastructure, making it ideal for agile and distributed teams.
    • On premises. For customers with stringent data residency requirements, highly sensitive intellectual property, or specific regulatory mandates, Black Duck provides comprehensive on-premises deployment options. This model gives customers complete control over their security data and infrastructure, allowing for deep integration within their private data centers and security ecosystems.
    • Hybrid environments. Recognizing that many enterprises operate in complex hybrid environments, Black Duck solutions are designed to seamlessly integrate across both on-premises systems and cloud-based applications. This hybrid approach enables customers to standardize their application security testing while optimizing for performance, cost, and compliance across their diverse IT landscapes.
    • Developer-integrated. Beyond core platform deployments, Black Duck Code Sight™ IDE Plug-in integrates directly into developers’ local environments, regardless of where the central platform is hosted. This provides real-time security feedback, empowering developers to identify and fix vulnerabilities as they write code, irrespective of the broader deployment strategy.

    Black Duck is committed to providing customers with the deployment model that best fits their operational strategy, ensuring our solutions integrate effortlessly into existing DevSecOps pipelines and security architectures. We empower you to choose the approach that maximizes efficiency, maintains compliance, and accelerates secure software delivery, without compromise.

  • What is Black Duck Polaris Platform and how does it unify application security?

    Black Duck Polaris™ Platform is our cutting-edge, cloud-native, unified application security platform designed to transform and accelerate secure software delivery across your enterprise. Polaris consolidates industry-leading static application security testing (SAST), software composition analysis (SCA), and dynamic application security testing (DAST) into a single, cohesive SaaS solution.

    By centralizing application security testing, policy enforcement, and vulnerability management, Polaris gives teams a unified view of issues and overall risk posture, increasing efficiency and decreasing overhead. This comprehensive platform integrates seamlessly into existing developer workflows and CI/CD pipelines, and it provides unparalleled scalability and actionable insights to developers for faster, more efficient remediation. Polaris is a developer-first platform that significantly reduces application security complexity, lowers operational costs, and helps Black Duck customers deliver consistently high-quality, secure software with confidence and speed.

  • What types of vulnerabilities can Black Duck detect in software applications?

    Black Duck detects a comprehensive range of security vulnerabilities and code quality defects across both proprietary and third-party components, including AI-generated code. Our solutions identify critical flaws such as:

    • Injection vulnerabilities including SQL injection, cross-site scripting, and command injection
    • Authentication and authorization issues such as weak password policies, broken authentication mechanisms, and authorization bypasses
    • Insecure cryptographic implementations like weak algorithms or improper certificate validation
    • Memory safety errors like buffer overflows and use-after-free conditions
    • Runtime vulnerabilities discovered in applications, including cross-site request forgery and security misconfigurations
    • Known CVEs in open source components such as Log4Shell, as well as license compliance risks, outdated components, and malicious packages that threaten your software supply chain

    Black Duck assigns industry-standard severity scores, maps findings to frameworks like OWASP Top 10 and CWE Top 25, and provides actionable remediation guidance, enabling you to efficiently prioritize and resolve the most critical threats.

  • What industry compliance standards does Black Duck support?

    Black Duck helps organizations meet an extensive range of critical regulatory requirements and industry compliance frameworks across diverse sectors. We provide robust support for:

    • Information security standards including ISO 27001/27002 and NIST frameworks (e.g., SP 800-53, CSF)
    • Data protection regulations such as GDPR and HIPAA, by identifying vulnerabilities that could expose sensitive personal and health information
    • Financial and service industry mandates like PCI DSS for credit card data and SOC 2 for secure customer data management
    • Government and supply chain security that aligns with U.S. Executive Order 14028 (including SBOM generation), the EU Cyber Resilience Act, and FedRAMP for federal cloud systems
    • Secure development best practices by detecting OWASP Top 10 vulnerabilities and enforcing secure coding guidelines

    Additionally, Black Duck supports sector-specific regulations across aerospace, defense, automotive (ISO/SAE 21434), manufacturing, financial services, and critical infrastructure. Black Duck Polaris™ Platform provides automated policy enforcement, customizable compliance reporting, and audit-ready documentation to demonstrate adherence to each framework’s specific controls and requirements, ensuring your software is not only secure but compliant.

  • How does Black Duck integrate into existing DevSecOps pipelines?

    Black Duck integrates seamlessly into existing DevSecOps pipelines, enabling automated security across your entire software development life cycle. We leverage native plug-ins, command-line tools, REST APIs, and webhooks to connect with popular CI/CD platforms like Jenkins, Azure DevOps, GitHub Actions, and GitLab CI.

    Integration typically begins with Black Duck Detect or Black Duck Bridge CLI, which can be configured to automatically trigger comprehensive SAST, DAST, IAST, or SCA scans on code commits, pull requests, or scheduled builds.

    Black Duck Code Sight™ IDE Plug-in brings real-time security analysis directly into developer workflows (e.g., Visual Studio, IntelliJ IDEA, VS Code), embodying a true “shift left” approach.

    Black Duck Polaris™ Platform integrates directly with SCMs (including GitHub, GitLab, Bitbucket, and Azure DevOps) to enable event-driven automation for intelligent onboarding of projects, continuous discovery of new branches and repos, and natural workflow integrations. It can automatically trigger scans, so developers can integrate security seamlessly and at speed and scale.

    Black Duck’s API-first architecture facilitates custom integrations with issue-tracking systems like Jira, container registries, and infrastructure-as-code platforms, creating a cohesive security ecosystem. This ensures continuous monitoring, portfolio-wide visibility, and adaptive security testing that scales with your organization while maintaining the velocity and automation that is essential for modern DevOps teams.

  • What is the relationship between Black Duck and Synopsys?

    Black Duck was formerly a Synopsys business unit called the Synopsys Software Integrity Group (SIG). Formed in 2015, SIG quickly emerged as the market leader in application security testing solutions. In October 2024, Synopsys sold SIG to two private equity firms, Clearlake Capital Group and Francisco Partners. This transaction established Black Duck as an independent company.

    Black Duck retains the full suite of market-leading application security testing solutions previously offered by SIG. As an independent entity, Black Duck is exclusively dedicated to application security, enabling faster innovation (such as the development of our transformational agentic AI solution, Signal), enhanced customer service, and the agility to drive secure software development for our customers with greater focus. We continue to serve the same global customer base, honor existing contracts, and deliver the robust capabilities that define our legacy.

  • How does Black Duck secure AI-generated code?

    Black Duck is uniquely equipped to secure AI-generated code and address the inherent security risks it introduces. Our approach integrates specialized capabilities to protect applications developed with tools such as GitHub Copilot, Amazon CodeWhisperer, and ChatGPT.

    Key to this is Black Duck Assist™, an AI-powered application security assistant integrated directly into Code Sight™ IDE Plug-in. Assist provides an issue summary and an analysis of the code, so developers can see what went wrong and apply a suggested fix. It flags vulnerabilities, potential IP infringements, license compliance issues, and insecure coding patterns before they are committed. This enables immediate remediation within the developer’s environment, preventing AI-introduced flaws from entering the codebase.

    Our AI Model Risk Insights feature within Black Duck® SCA identifies and analyzes AI models embedded within applications, providing crucial visibility into their versions, licenses, and associated security risks, even when obfuscated. We also ensure that comprehensive Software Bills of Materials include AI models.

    Black Duck Signal™ goes beyond traditional scanning by leveraging advanced AI to proactively identify, analyze, and mitigate complex vulnerabilities and compliance risks specifically pertinent to AI-generated code. Signal provides deeper contextual awareness and intelligent enforcement, ensuring end-to-end security and maintaining compliance standards in the new era of AI-driven software development.

    By combining these tools, Black Duck enables our customers to realize the productivity benefits of AI-assisted software development while maintaining the highest security, quality, and compliance standards.

  • How does Black Duck help ensure code quality?

    Coverity® Static Analysis, our market-leading SAST solution, performs deep source code examination across more than 20 programming languages and 70+ frameworks. Coverity is designed to detect a wide range of critical quality defects that impact software reliability, maintainability, and performance.

    Coverity identifies issues such as:

    • Memory safety problems like buffer overflows and memory leaks
    • Resource management defects such as file handle and database connection leaks
    • Null pointer dereferences and uninitialized variables
    • Concurrency issues including race conditions and deadlocks
    • Error handling defects and code complexity issues

    Coverity provides built-in rule sets aligned with industry coding standards like MISRA, CERT, OWASP, and CWE, enabling Black Duck customers to enforce strict quality and security policies. With detailed, actionable reports, Coverity offers developers clear explanations and prioritized remediation guidance.