After Cybersecurity Shift, Black Duck Is Growing Fast & Eyeing Deals

Transforming a well-established company is a tricky feat. It looks like Black Duck Software has figured out how to pull it off.

Xconomy recently checked in with the Burlington, MA-based company, which has been around since 2003. Under founding CEO Doug Levin, Black Duck made a name for itself by providing tools to help software developers vet all of the open-source code they’re using and make sure they comply with licenses. Later, under the leadership of Tim Yeaton, Black Duck recast itself as a resource for developers seeking open-source components that could speed up their projects. The company says it has accumulated one of the most comprehensive databases of open-source assets.

By its 10th anniversary, Black Duck saw the need for another leadership change and new direction. The company was losing money at the time, says Brian Carter, Black Duck’s director of strategic communications. In late 2013, Lou Shipley was brought in to replace Yeaton, who had held the CEO position for nearly five years. Shipley previously led VMTurbo (now known as Turbonomic), and he was a vice president at Citrix Systems before that.

Shipley opted to expand Black Duck’s offerings and focus more on cybersecurity—helping companies find and fix vulnerabilities in the open-source components they use. Black Duck’s open-source licensing compliance products remain “valuable” for a lot of customers, Shipley says. But as the use of open-source code in companies’ software products has grown, so too has the risk of cyber breaches. The company saw an opportunity there, he says.

The cybersecurity shift seems to be paying off. Black Duck projects it will generate around $75 million in annual revenue in 2017, up from about $58 million last year and $25 million in 2013, according to figures shared with Xconomy by the privately held company. Black Duck has been cash-flow positive for the past two years, Shipley says. (It launched its first cybersecurity product in early 2015.)

“Now the company’s really growing nicely,” Shipley says.

When Shipley joined the company, he saw the need to give Black Duck a jolt—despite it having a “dominant” and “well-known” brand, especially in license compliance, he says. “I think it’s easy for companies to get complacent,” he adds.

So, over the first year or so of his tenure, Shipley says, he replaced nearly the entire senior management team, revamped the company’s approach to selling its products, took steps to “revive” its office culture, and prepared to roll out the new security tools.

“2014 was sort of our rebuilding year,” he says.

Black Duck has raised $74 million from investors, Shipley says. He says the company intends to raise a new round of venture capital to fund acquisitions in areas like cloud security and “DevOps”—the tools and services for software development and IT operations.

Meanwhile, he says, Black Duck is investing in research and development of technologies such as natural language processing and machine learning (of course). The company’s competitors include Sonatype and Flexera, Shipley says, both of which offer tools for open-source software development and security.

Black Duck has grown to more than 350 employees worldwide, up from 281 people in January, according to an August press release.

Now that Black Duck has its head above water, it seems like a good time to ask about exit plans. Shipley says the company could go public or try to get acquired, although in the latter case it would have to be “a really good deal” for Black Duck to pull the trigger, he says.

“There isn’t a specific end game,” Shipley says. “It’s taken a long time to get here. But a lot of companies take a long time to get to the size and scale that we’re at now.”
