Try our new research platform with insights from 80,000+ expert users

Black Duck vs Mend.io vs Veracode comparison

Black Duck and Mend.io are both solutions in the Software Composition Analysis (SCA) category. Black Duck is ranked #1 with an average rating of 7.5, while Mend.io is ranked #7 with an average rating of 9.3. Black Duck holds a 19.7% mindshare in SCA, compared to Mend.io’s 8.0% mindshare. Additionally, 84% of Black Duck users are willing to recommend the solution, compared to 96% of Mend.io users who would recommend it.
Black Duck
Read 21 Black Duck reviews
  • 11,362 Views
  • 7,170 Comparison Views
84% willing to recommend
Mend.io
Read 30 Mend.io reviews
  • 4,218 Views
  • 2,795 Comparison Views
96% willing to recommend
Veracode
Read 197 Veracode reviews
  • 4,884 Views
  • 3,368 Comparison Views
90% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive Summary
We performed a comparison between Black Duck, Mend.io, and Veracode based on real PeerSpot user reviews.

Find out what your peers are saying about Black Duck, Veracode, Snyk and others in Software Composition Analysis (SCA).

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed Software Composition Analysis (SCA) Report (Updated: March 2025).
Buyer's Guide
Software Composition Analysis (SCA)
March 2025
Download the complete report
Helped 848,989 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Mindshare comparison

As of April 2025, in the Software Composition Analysis (SCA) category, the mindshare of Black Duck is 19.7%, down from 22.6% compared to the previous year. The mindshare of Mend.io is 8.0%, down from 8.9% compared to the previous year. The mindshare of Veracode is 9.8%, down from 10.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Software Composition Analysis (SCA)
 

Featured Reviews

Saravanan_Radhakrishnan - PeerSpot reviewer
Enables applications to be secure, but it must provide more open APIs
The product enables other applications to be secure. We use it to onboard 400 to 500 applications into the DevOps platform, protect them, and have a secure environment. The tool integrates well with different technologies, application stacks, and databases. The APIs are available. We can read the blogs in the community for open-source compliance and security. The community feeds are important. Black Duck is a leader in Gartner. It is a reliable solution.
Read full review
meetharoon - PeerSpot reviewer
Enables smooth management of vulnerabilities and promotes a shift towards a culture of security
We have witnessed Mend.io for its high stability, consistently living up to our expectations in terms of performance and reliability. Our developers have reported very few issues and almost minimal to zero downtime, which is a critical factor for our organization to rely on Mend SCA to secure our applications. We didn't experience any major issues in the stability of the product. This level of dependability is crucial for our hundreds of development teams that need to maintain continuous integration and deployment processes without interruptions. We realize the solution's architecture is designed to support a wide range of use cases, making it suitable for organizations of varying sizes and complexities. As a SaaS (Software as a Service) offering, Mend.io eliminates the need for physical server management, which further contributes to its stability. Users can access the platform without worrying about hardware failures or maintenance issues that can affect on-premises solutions. Moreover, Mend.io's integration capabilities with existing workflows—including IDEs, repositories, and CI/CD pipelines—enhance its stability by providing a seamless user experience. This integration allows teams to incorporate security scanning into their development processes without significant disruptions, which is often a challenge with less stable solutions. Feedback from our developers and architects highlights the tool's effectiveness in reducing open-source software vulnerabilities while maintaining a streamlined development lifecycle. Our organization have experienced improved code quality and faster incident response times as a result of using Mend.io. The platform's intuitive dashboard and management views are also praised by our developers for their usability, contributing to a positive user experience. In short, Mend.io stands out as a dependable and reliable solution in the realm of software composition analysis. Its high stability, combined with robust integration capabilities and user-friendly features, makes it an excellent choice for organizations seeking to enhance their security posture while minimizing operational disruptions.
Read full review
AkashKhurana - PeerSpot reviewer
Easy to configure, stable, and good vulnerability detection
Veracode's ability to prevent vulnerable code from being deployed into production is crucial. Typically, if a dependency we use has security issues or concerns, Veracode suggests upgrading to a more secure version. For example, if we're using a PayPal dependency with version 1.3 and it has a security bug, Veracode suggests upgrading to version 1.4 which fixes the issue. We usually make our project compatible with version 1.4, but sometimes Veracode recommends removing the dependent code altogether and adding the updated dependency from another repository. Veracode provides suggestions for resolving security issues and we implement them in our code after resolving any conflicts. We run the Veracode scan again and if it fails, we do not deploy the code to production. This is critical as it ensures that security issues such as bugs and fixes are addressed. Veracode consistently assists us in identifying security issues in third-party dependencies, while also ensuring the maintenance of code quality. Preventing security bugs and threats in our code improves the overall code quality of our company, which is essential given the significant concerns surrounding security today. Veracode's policy reporting is helpful for ensuring compliance with industry standards and regulations. Veracode's solution plays a major role in achieving compliance, including HIPAA compliance. Without Veracode scans, identifying security threats and third-party dependencies would be a tedious task for DevOps professionals. Veracode provides visibility into the status of our application during every phase of development, including continuous integration and continuous development CI/CD pipeline stages. This includes builds, package creation for deployment, and various enrollment stages such as develop, queue, stage, above, and production enrollment. Prior to each stage, a Veracode scan is run. This can be accessed through Jenkins or the CI/CD pipeline by clicking on the Veracode scan option, which provides a detailed report highlighting any security issues and concerns. Veracode performs statistical analysis, dynamic analysis, software composition analysis, and manual penetration tests throughout our software development life cycle. Veracode scans not only for third-party security issues but also for possible issues in our own code. This occurs in every phase of development, including the SDLC. For example, if we use an encryption algorithm with a private or public key that is easy to decode, Veracode will identify this as an error or warning in the report and suggest using multiple layers of encryption for the keys. The entire CI/CD process is part of DevOps. Therefore, the responsibility of configuring the Veracode tool usually falls on the DevOps professional. It is essential to integrate Veracode with the CI/CD pipeline within the project to ensure it is always incorporated. Whenever there is a priority or mandatory check required before deployment, Veracode should run beforehand. This integration is carried out by our DevSecOps team. Veracode's false positive rate is good, as it helps us identify possible security concerns in our code. In my opinion, it is advisable to run a Veracode scan on all codes. I have worked in the IT industry for five years, and I have observed that Veracode has been implemented in every project I have worked on. If a tool is improving our code quality and providing us with insights into potential security issues, it is always beneficial to use it. The false positive rate boosts our developers' confidence in Veracode when addressing vulnerabilities. Veracode also provides suggestions when there is a security issue with a dependency in version 1.7, prompting us to consider using version 1.8, which does not have security issues. This process involves the developers, and it leaves a positive impression on our managers and clients, demonstrating our commitment to security. We can show them that we were previously using version 1.7 but updated to version 1.8 after identifying the security issue with Veracode's help. Unfortunately, there is no centralized platform to check for network issues or problems with dependencies and versions. Veracode provides a centralized solution where we can scan our project and receive results. Veracode has helped our organization address flaws in our software and automation processes. Its positive impact has been reflected in our ROI, which increased when we started using Veracode. Without Veracode, we would be susceptible to security issues and potential hacking. However, after implementing Veracode scans, we have not encountered any such problems. It is critical for us to use Veracode because we capture sensitive data such as pharmacy information for real-time users, including patient prescriptions and refill schedules. This sensitive data could pose a significant problem if our code or software has security vulnerabilities. Fortunately, Veracode scans allow us to prevent such issues. Veracode has helped our developers save time by providing a solution that eliminates the need to manually check for dependencies or search the internet for information on which dependencies have issues. Instead, Veracode provides a detailed report that identifies the issues and recommends the appropriate version to use. Using Veracode ensures the quality of our code and also saves time for our developers. In my career of five years, Veracode has helped me resolve code issues eight times. Veracode has reduced our SecOps costs by identifying security vulnerabilities in our code. Without Veracode, if we were to go live with these issues, it could result in a breach of our encrypted data, potentially causing significant harm to our organization. This would require significant time and cost to resolve the issue and restore the data. Veracode has improved the quality of our code and reduced the risk of such incidents occurring, thereby minimizing their impact on our organization.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The solution works well on Mac products."
"The automated code scanning feature and Black Duck's integration with our development tools have enhanced our software compliance process and overall audit readiness."
"It is able to drill down to the source level."
"It highlights what the developers have done, and it shows the impact from an intellectual property point of view."
"The solution is stable."
"Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it."
"Policy management is a valuable feature."
"The most valuable feature of Black Duck is the composition analysis feature, which is effective for security risk management."
More Black Duck pros
"Mend has reduced our open-source software vulnerabilities and helped us remediate issues quickly. My company's policy is to ensure that vulnerabilities are fixed before it gets to production."
"The results and the dashboard they provide are good."
"There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it."
"The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate."
"What is very nice is that the product is very easy to set up. When you want to implement Mend.io, it just takes a few minutes to create your organization, create your products, and scan them. It's really convenient to have Mend scanning your products in less than one hour."
"For us, the most valuable tool was open-source licensing analysis."
"Enables scanning/collecting third-party libraries and classifying license types. In this way we ensure our third-party software policy is followed."
"Our dev team uses the fix suggestions feature to quickly find the best path for remediation."
More Mend.io pros
"From a developer's perspective, Veracode's greenlight feature on the IDE is helpful. It helps the developer to be more proactive in secure coding standards. Apart from that, static analysis scanning is definitely one of the top features of Veracode."
"One thing that I like about Veracode is that it is quite a good tool for dynamic application testing."
"What we found most valuable in Veracode is the ability to do automatic scans of our software. We've incorporated the solution into our SDLC process, so we take our builds before they get released and put them through scans to ensure any new vulnerabilities haven't occurred."
"I believe the static analysis is Veracode's best and most valuable feature. Software composition analysis is a feature that most people don't use, and we don't use SCA for most of our applications. However, this is an essential feature because it provides insight into the third-party libraries we use."
"It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that."
"It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security."
"The most valuable feature is the seamless automation of Veracode via the pipeline, in comparison to other solutions like Fortify SSC, which are complex to integrate through the pipeline."
"The most valuable feature is the efficiency of the tool in finding vulnerabilities."
More Veracode pros
 

Cons

"We're not too sure about the extension of the firewall. It never shows up in the Hub."
"There are areas for improvement such as false positives and the scanning of containers."
"The documentation is quite scattered."
"Black Duck does not have the SBOM management part. I would like to see this feature added in the future."
"The product's pricing is higher compared to other competitor products."
"There are areas for improvement such as false positives and the scanning of containers."
"They are giving a lot of APIs and Python scripts for certain functionalities, but instead of using APIs and Python scripts, they should provide these functionalities through the UI. Users should be able to customize and add more fields through the UI. Users should be able to add more fields and generate reports. Currently, they are not giving flexibility in the UI. They're providing a script that simply generates an Excel file or CSV file. There is no flexibility."
"The tool needs to improve its pricing. Its configuration is complex and can be improved."
More Black Duck cons
"WhiteSource Prioritize should be expanded to cover more than Java and JavaScript."
"They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application."
"The initial setup could be simplified."
"We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running."
"WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance."
"Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting."
"WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers."
"It should support multiple SBOM formats to be able to integrate with old industry standards."
More Mend.io cons
"The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users."
"Straightforward to set up, but the configuration of the rules engine is difficult and complicated."
"The solution should include monthly guidelines, a calendar, or a newsletter highlighting the top vulnerabilities and how to resolve them using Veracode. Its policies should be up-to-date with NIST standards and OWASP policies."
"I would love to be able to do a dynamic sandbox scan. I think that that would allow us to really get a lot more buy-in from the software development teams."
"The solution does not support Dynamic Application Security Testing."
"It can have more APIs and capabilities to handle other things well. We were doing a trial for it. There were two things that I looked at: one was uploading some Java-related content and the other was uploading database SQL files and having the review done on the quarterback. The Java portion of it worked fine, and it was pretty seamless, but the database portion was not. We uploaded some files to use for vulnerabilities, and the tell-all portion of it was pretty easy. We uploaded a war file and Java files, and we got the reports back on these. They were pretty clear to understand. We did the same thing for the database portion for the most part. However, the content wasn't getting uploaded in a predictable fashion, and it was slow and hard to get done. We had to do it over and over. After it indicated that the content was uploaded, there were no results. There were zero search findings. It was possibly a user error, something that we didn't do correctly, but they had acknowledged that it was something they were currently enhancing. This is something that could be made easier if they haven't already done that. I don't know how many releases they've had in that timeframe. I haven't looked at it since then. It was a trial period."
"It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo."
"It is not as fast as Snyk."
More Veracode cons
 

Pricing and Cost Advice

"It is expensive."
"Depending on the use case, the cost could range from $10,000 USD to $70,000 USD."
"The price is quite high because the behavior of the software during the scan is similar to competing products."
"I rate the product's price one on a scale of one to ten, where one is a high price, and ten is a low price."
"The price is low. It's not an expensive solution."
"Black Duck is more suitable if you require a lot of licensing compliance. For smaller organizations, WhiteSource is better because its pricing policies are not really suitable for huge organizations."
"The pricing is a little high."
"The price charged by Black Duck is exorbitant."
"WhiteSource is much more affordable than Veracode."
"Pricing and licensing are comparable to other tools. When we started, it was less than our existing solution. I can't go into specifics, but it isn't cheap."
"We always negotiate for the best price possible, and as far as I know, Mend has done an excellent job with their pricing. Our management is happy with the pricing, which has led to renewals."
"When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."
"The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps."
"It is fairly priced."
"We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price. ​"
"Mend is costly but not overly expensive. The license was quite expensive this year, but we managed to negotiate the price down to the same as last year. At the same time, it's a good value. We're getting what we're paying for and still not using all the features. We could probably get more out of the tool and make it more valuable. At the moment, we don't have the capacity to do that."
More Mend.io pricing and cost advice
"The pricing is a bit high."
"For our company, the price is reasonable for the benefits that we get."
"The pricing depends on the functionality each client desires."
"The licensing is fair, it is time-limited (e.g. one year) but there is a size cap for every app. If your applications are big (due third-party libraries, for example) you should discuss this beforehand and explore suitable agreements."
"The worst part about the product is that it does not scale at all. Also, microservices apps will cost you a fortune."
"Pricing-wise, I find it a bit expensive because it's based on the number of users requesting access to Veracode."
"The pricing is pretty high."
"Licensing is pretty flexible. It's a little bit weird, it's by the size of the binary, which is a strange way to license a product. So far they've been pretty flexible about it."
More Veracode pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
See recommendations
848,989 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
20%
Manufacturing Company
16%
Computer Software Company
14%
Healthcare Company
4%
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
12%
Energy/Utilities Company
5%
Computer Software Company
17%
Financial Services Firm
17%
Manufacturing Company
8%
Insurance Company
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

How does WhiteSource compare with Black Duck?
We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource ...
See all answers
What do you like most about Black Duck?
The cloud option of the product is always available and a positive aspect of the solution.
See all answers
What is your experience regarding pricing and costs for Black Duck?
The price charged by Black Duck is exorbitant. For the features provided by the product, I would not want to pay a hi...
See all answers
How does WhiteSource compare with SonarQube?
Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This ...
See all answers
What do you like most about Mend.io?
The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they obs...
See all answers
What is your experience regarding pricing and costs for Mend.io?
Mend.io SCA offers a competitive pricing structure that is relatively affordable compared to similar solutions in the...
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...
See all answers
What do you like most about Veracode?
The SAST and DAST modules are great.
See all answers
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and da...
See all answers
 

Comparisons

Fortify Static Code Analyzer vs Black Duck Logo
Fortify Static Code Analyzer vs Black Duck
Compared 19% of the time
Snyk vs Black Duck Logo
Snyk vs Black Duck
Compared 16% of the time
JFrog Xray vs Black Duck Logo
JFrog Xray vs Black Duck
Compared 15% of the time
FOSSA vs Black Duck Logo
FOSSA vs Black Duck
Compared 6% of the time
Sonatype Lifecycle vs Black Duck Logo
Sonatype Lifecycle vs Black Duck
Compared 6% of the time
More Black Duck Competitors
SonarQube Server (formerly SonarQube) vs Mend.io Logo
SonarQube Server (formerly SonarQube) vs Mend.io
Compared 25% of the time
Snyk vs Mend.io Logo
Snyk vs Mend.io
Compared 9% of the time
GitHub Dependabot vs Mend.io Logo
GitHub Dependabot vs Mend.io
Compared 7% of the time
JFrog Xray vs Mend.io Logo
JFrog Xray vs Mend.io
Compared 6% of the time
GitHub Advanced Security vs Mend.io Logo
GitHub Advanced Security vs Mend.io
Compared 4% of the time
More Mend.io Competitors
SonarQube Server (formerly SonarQube) vs Veracode Logo
SonarQube Server (formerly SonarQube) vs Veracode
Compared 20% of the time
Checkmarx One vs Veracode Logo
Checkmarx One vs Veracode
Compared 10% of the time
GitHub Advanced Security vs Veracode Logo
GitHub Advanced Security vs Veracode
Compared 6% of the time
Fortify on Demand vs Veracode Logo
Fortify on Demand vs Veracode
Compared 5% of the time
HCL AppScan vs Veracode Logo
HCL AppScan vs Veracode
Compared 2% of the time
More Veracode Competitors
 

Product Reports

Buyer's Guide
Black Duck
April 2025
Black Duck reportDownload Black Duck product report
Buyer's Guide
Mend.io
April 2025
Mend.io reportDownload Mend.io product report
Buyer's Guide
Veracode
March 2025
Veracode reportDownload Veracode product report
 

Also Known As

Blackduck Hub, Black Duck Protex, Black Duck Security Checker
WhiteSource, Mend SCA, Mend.io Supply Chain Defender, Mend SAST
Crashtest Security , Veracode Detect
 

Overview

Organizations use Black Duck for compliance, internal audits, license management, and security, scanning software to identify vulnerabilities, non-compliant code, and dependencies in open-source projects.

Black Duck integrates into CI/CD pipelines and DevSecOps processes, helping multiple industries detect and handle risks associated with open-source usage. Users leverage it for source and binary analysis to ensure security and compliance before software release. Automatic component analysis, effective vulnerability scanning, and a comprehensive knowledge base are some of its valuable features. Despite needing improvements in scanning speed, UI, and documentation, Black Duck remains crucial for ensuring open-source security and compliance.

What are Black Duck's most important features?

  • Automatic Component Analysis: Provides automatic identification and analysis of open-source components.
  • Effective Vulnerability Scanning: Scans for vulnerabilities in both source code and binary files.
  • Comprehensive Knowledge Base: Offers expansive information on open-source components.
  • Policy Management: Enables the creation and enforcement of security and compliance policies.
  • Binary File Scanning: Capable of scanning binary files for in-depth security checks.
  • Ease of Use: Demonstrates ease of use, particularly on Mac products.
  • Stability: Known for its stable performance.
  • Docker Integration: Smooth integration with Docker for enhanced deployment.
  • Open-source Evaluation: Excellent evaluation capabilities for open-source software.
  • License Management: Manages open-source licenses effectively.
  • Easy Installation: Simple installation process.
  • Secure Onboarding: Ensures secure application onboarding.
  • API Availability: Provides APIs for custom integrations.
  • Community Support: Backed by an active community.
  • Dependency Tree Visualization: Visualizes dependencies for better management.

What benefits or ROI should users look for in reviews?

  • Improved Compliance: Helps maintain compliance with legal and regulatory requirements.
  • Risk Mitigation: Reduces risks associated with open-source vulnerabilities.
  • Enhanced Security: Strengthens software security by identifying and addressing potential issues early.
  • Time-saving: Automates many aspects of vulnerability scanning and analysis, saving valuable time.
  • Cost Efficiency: Detects issues early, potentially saving costs related to compliance breaches and security incidents.
  • Integration Ease: Seamlessly integrates with existing CI/CD pipelines and DevSecOps practices.
  • Knowledge Resource: Access to comprehensive information aiding better decision-making.

Black Duck is implemented by industries ranging from finance to healthcare, addressing security and compliance in open-source usage. Financial institutions employ it to manage license risks and ensure audit readiness. Healthcare organizations use it to comply with stringent data protection regulations, ensuring patient data security and privacy. Tech companies integrate Black Duck within CI/CD pipelines to maintain the security and compliance of software products before release. Its deployment varies, tailored to meet the specific risk management and compliance needs dictated by each sector's regulatory environment.

Black Duck

Mend.io is a software composition analysis tool that secures what developers create. The solution provides an automated reduction of the software attack surface, reduces developer burdens, and accelerates app delivery. Mend.io provides open-source analysis with its in-house and other multiple sources of software vulnerabilities. In addition, the solution offers license and policy violation alerts, has great pipeline integration, and, since it is a SaaS (software as a service), it doesn’t require you to physically maintain servers or data centers for any implementation. Not only does Mend.io reduce enterprise application security risk, it also helps developers meet deadlines faster.

Mend.io Features

Mend.io has many valuable key features. Some of the most useful ones include:

  • Vulnerability analysis
  • Automated remediation
  • Seamless integration
  • Business prioritization
  • Limitless scalability
  • Intuitive interface
  • Language support
  • Integration
  • Continuous monitoring
  • Remediation suggestions
  • Customization

Mend.io Benefits

There are many benefits to implementing Mend.io. Some of the biggest advantages the solution offers include:

  • Easy to use: The Mend.io platform is very user-friendly and easy to set up.
  • Third-party libraries: The solution eases the process of keeping track of all the used third-party dependencies within a product. It not only scans for the pure occurrence (also transitively) but also takes care of licenses and vulnerabilities.
  • Static code analysis: With Mend.io’s static code analysis, you can quickly identify security weaknesses in custom code across desktop, web, and mobile applications.
  • Broad support: Mend.io provides 27 different programming languages and various programming frameworks.
  • Easy integration: Mend.io makes integration very easy with existing DevOps environments and CI/CD pipelines so developers don’t need to manually configure or trigger the scan.
  • Ultra-fast scanning engine: The solution’s scanning engine generates results up to ten times faster than legacy SAST solutions.
  • Unified developer experience: Mend.io has a unified developer experience inside the code repository that shows side-by-side security alerts and remediation suggestions for custom code and open-source code.

Reviews from Real Users

Below are some reviews and helpful feedback written by PeerSpot users currently using the Mend.io solution.

Jeffrey H., System Manager of Cloud Engineering at Common Spirit, says, “Finding vulnerabilities is pretty easy. Mend.io (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Mend.io does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.”

PeerSpot reviewer Ben D., Head of Software Engineering at a legal firm, mentions, “The way WhiteSource scans the code is great. It’s easy to identify and remediate open source vulnerabilities using this solution. WhiteSource helped reduce our mean time to resolution since we adopted the product. In terms of integration, it's pretty easy.”

An IT Service Manager at a wholesaler/distributor comments, “Mend.io provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support.”

Another reviewer, Kevin D., Intramural OfficialIntramural at Northeastern University, states, "The vulnerability analysis is the best aspect of the solution."

Mend.io

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

  • Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
  • Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
  • Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
  • Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
  • Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

  • Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
  • Scalability - Supports organizations with large-scale application portfolios.
  • Compliance support - Ensures applications meet various security standards and regulations.
  • Developer training - Provides tools for educating developers on secure coding practices.
  • Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.


Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Veracode
 

Sample Customers

Samsung, Siemens, ScienceLogic, BryterCX, Dynatrace
Microsoft, Autodesk, NCR, Target, IBM, vodafone, Siemens, GE digital, KPMG, LivePerson, Jack Henry and Associates
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Buyer's Guide
Software Composition Analysis (SCA)
March 2025
Download Free Report
Find out what your peers are saying about Black Duck, Veracode, Snyk and others in Software Composition Analysis (SCA). Updated: March 2025.
DOWNLOAD NOW
848,989 professionals have used our research since 2012.