Unlocking the full potential of application security: Key findings from the Black Duck customer value study

Jason Schmitt

Jul 24, 2025 / 4 min read

As we continue to navigate the complex landscape of application security (AppSec), it’s clear that everyone faces a critical challenge: how to implement effective AppSec practices without hindering development velocity. Black Duck works tirelessly with our customers to overcome this challenge every day.

A recent customer value study, conducted by UserEvidence, provides valuable insights into how Black Duck’s solutions help our customers around the world bridge the gap between development and security teams.

AppSec’s big challenge

It’s no secret that development teams are under relentless pressure to release code faster than ever, but manual or poorly integrated AppSec practices create significant roadblocks. The study highlighted that many organizations have traditionally performed AppSec processes at the end of the software development life cycle (SDLC), leading to long-term inefficiency, resource waste, and risk exposure. This is where "shifting AppSec everywhere" comes into play—embedding testing and security processes not just earlier but throughout the SDLC.

Black Duck offers a better way: Test early and test often

The study surveyed over 100 Black Duck customers across various industries, including software companies, hardware manufacturers, and government agencies. I’m extremely proud to report that the results are quantifiable and transformative.

  • Integrating AppSec throughout the SDLC helps organizations improve productivity by reducing the time developers spend on manual tasks and triage.
  • Earlier and more frequent testing enables more complete security coverage, decreasing overall software risk.
  • Black Duck's solutions help decrease costs by ensuring software releases are on time, secure, and high-quality.

The survey focused on three core areas: productivity, risk, and cost. By understanding how Black Duck impacts these areas, we can better appreciate the value our solutions bring to customers.

Black Duck drives development productivity

Developers overwhelmingly want security tools to transparently integrate into their existing tools. Black Duck solutions integrate seamlessly with code repos, integrated development environments (IDEs), build servers, and defect repositories, reducing friction and making it easier for developers to work efficiently at scale. This improves development productivity in three crucial ways.

Black Duck reduces manual work by 42%

Thanks to Black Duck’s automated scans and integrated results, developers spend less time manually starting security processes or triaging issues that come from outside their normal tools. The study found that Black Duck users spend 42% less time per week on manual reviews after implementation.

Black Duck decreases remediation times by 66%

While waiting until the end of the SDLC to perform security tests may satisfy the need for development velocity, it stalls delivery of applications when a pile of defects is uncovered.

To bridge this gap, Black Duck solutions integrate with every step of the SDLC and provide remediation guidance to expedite developers’ efforts. This abbreviates risk investigation and triage, accelerates fixes, and reduces the opportunity for an attack or a missed deadline.

The study found that these efficiency gains weren’t just anecdotal. Black Duck customers enjoyed a 66% decrease in remediation times after implementing our solutions.

Black Duck increases time spent on revenue-generating work by 22%

Developers’ primary focus is on writing new code, but they don’t have time to do that if they must also triage issues, scramble to perform late-stage fixes, and undertake costly security audits. Black Duck gives them that time back.

Black Duck solutions eliminate manual tasks, automate time-consuming rework, suggest quick fixes, and reduce the need to backtrack patch releases. The result is an extra 4.23 hours per week per developer that they can spend writing new code. That equates to 22% more time on revenue-generating work instead of reproducing defects, rewriting code, or investigating issues in code they’ve moved on from.

Black Duck decreases software risk

The study also shed light on how Black Duck helps organizations mitigate software risk. By seamlessly integrating AppSec throughout the SDLC, organizations can significantly reduce their risk exposure without introducing friction. Earlier testing enables more complete security coverage, ensuring that potential vulnerabilities are identified and addressed before they become major issues. This proactive approach to AppSec is crucial in today's fast-paced development environment, where security threats are constantly evolving.

The study highlighted three key findings that show how Black Duck lowers risk for our customers.

Black Duck increases security coverage by 40%

Black Duck continuously scans across all major AppSec testing categories throughout the SDLC, allowing customers to find and fix security, quality, and IP issues quickly. We also facilitate comprehensive Software Bill of Materials (SBOM) generation for complete and continued software visibility.

Black Duck minimizes high-severity defects in production by 48%

Not only did fewer high-severity security defects make it into production, but Black Duck customers saw a 24% reduction in overall security defects on average.

Black Duck streamlines risk reporting by 75%

Before implementing Black Duck solutions, the average time it took our customers to prepare risk reports or perform security audits was five days. After implementing Black Duck solutions, that number dropped to just 1.24 days—a 75% decrease. When multiplied across dozens of audits and teams, the potential time savings compounds significantly.

Black Duck reduces costs

By focusing on true positives and optimizing risk triage, our solutions not only improve developer productivity but also make a tangible impact on our customers’ bottom lines. Nearly 40% of customers in the study reported that the average cost of a delayed release for major projects exceeded $100,000. Almost a quarter of those reported losses greater than $500,000.

One of our large software customers estimated that before implementing Black Duck, more than 75% of its software releases were delayed due to security. Each delay cost the company more than $500,000. Since implementing Black Duck solutions, only 10%–25% of releases are delayed, saving the company millions of dollars each year.

Black Duck delivers AppSec without compromise

Development speed and security don’t have to be mutually exclusive. Security, velocity, and delivery don’t have to compete. The highest-performing teams check all three boxes—but not by cutting corners.

Black Duck’s seamless integration and automation of AppSec solutions throughout the SDLC empowers our customers to

  • Accelerate time to market
  • Avoid costly release delays
  • Increase developer capacity for revenue-generating projects
  • Reduce risk exposure
  • Improve overall risk posture

I’m extremely proud of the transformative impact Black Duck has on our customers’ businesses and this quantifiable validation of the value our customers receive. Ninety-five percent of them report a decrease in overall software risk since implementing our solutions.

I look forward to working together to create a more secure future for software development.
