We performed a comparison between Mend and Veracode based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison results: Based on the parameters we compared, Mend comes out ahead of Veracode. While both solutions offer fast vulnerability resolutions, Veracode’s higher licensing costs and delayed tech support leave room for improvement.
"The dashboard view and the management view are most valuable."
"WhiteSource helped reduce our mean time to resolution since the adoption of the product."
"Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses copyright and component usage disclosures in our software."
"The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine."
"We can take some measures to improve things, replace a library, or update a library which was too old or showed severe bugs."
"There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it."
"The solution is scalable."
"The most valuable features are the reporting, customizing libraries 'In-house, White list, license selection', comparing the products/projects, and License & Copyright resolution."
"It is scalable and quick to deploy into the site and the pipelines. The reports and analytics are good, and the false positive rate is low. It gives true results."
"The security team can track the remediation and risk acceptance statistics."
"The most valuable feature is the dynamic application security testing."
"The SAST and DAST modules are great."
"The article scanning is excellent."
"Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers."
"It changes the DevSecOps process because we find flaws much earlier in the development life cycle, and we also spot third-party software that we don't allow on developers' machines."
"The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs."
"It should support multiple SBOM formats to be able to integrate with old industry standards."
"The solution lacks the code snippet part."
"On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization."
"I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant."
"I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022."
"At times, the latency of getting items out of the findings after they're remediated is higher than it should be."
"Mend supports most of the common package managers, but it doesn't support some that we use. I would appreciate it if they can quickly make these changes to add new package managers when necessary."
"It would be nice to have a better way to realize its full potential and translate it within the UI or during onboarding."
"Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in."
"The current version of the application does not support testing for API."
"The number of false positives could be reduced a lot. For each good result, we are getting somewhere around 15 to 20 false positives."
"When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications."
"Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year."
"The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way."
"The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified."
"The technical support service has room for improvement."
Mend.io is ranked 5th in Application Security Tools with 29 reviews while Veracode is ranked 2nd in Application Security Tools with 194 reviews. Mend.io is rated 8.4, while Veracode is rated 8.2. The top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". Mend.io is most compared with SonarQube, Black Duck, Snyk, Checkmarx One and JFrog Xray, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and HCL AppScan. See our Mend.io vs. Veracode report.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.