Mend.io Reviews

We have started the trial version of WhiteSource last week. We concluded the trial this week and we are beginning to use the full licensed solution later on in the week.

We use WhiteSource for automating open-source vulnerability, by finding the open-source libraries that were used and fixing them. Additionally, we set up policies to disallow some of the risky open sources to be used in our solutions by developers. We are able to scan and fix vulnerabilities in our containers, to ensure that if there are any licenses that violate the open source usage or put our product at risk, we make sure that either we remove or remediate the open sources with risky licenses. Those are the main three use cases.

We did not have much security compliance implemented in our solutions. Whatever we did, we had to use the AWS built-in OWASP scanning, and we had to manually find out the versions of the open sources that fixed the issues of vulnerability. We then had to make sure that that updated version is sent in and code merged for a test. We found sometimes it took a lot of research to make sure that the version that we are upgrading to did fix the issue, et cetera. However, this is all manual research and is dependent on the knowledge of the developer or the engineer who did this work. It took time and did not ensure a high percentage of security compliance. With WhiteSource in place, we are going to be able to do the whole process automatically and it will be confident that we removed the vulnerabilities and license violations.

We are saving time that we spent on resources because we no longer have to do it manually. We will now have confidence that there are not many errors made.  We are able to do much more vulnerability fixing than we did manually, there are cost-savings, and less work involved.

We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently.

I have been using WhiteSource for approximately one week.

We have not used the solution very long to give us a full picture of the stability. However, from what we have seen from the trials it is impressive.

The solution only required a few hours of work from one DevOps engineer in a week.

WhiteSource's scalability is extremely good. We can add more repositories, projects, and people as we need. There's no problem with the scalability. We did not find any slowness, performance stress, or load-related issues when we did the trials. WhiteSource can handle up to a few thousand concurrent users without any issues.

Once we have the solution fully licensed we will have approximately 50 people using it.

Ou usage of WhiteSource will increase as we add more people, but it's going to be the same code base. The number of users will increase, but the scope of the solution usage in terms of the number of solutions will remain the same.

Their pricing is different for many of the solutions we have tried. In Sonatype, especially, the agents are extremely technically knowledgeable. The sales team and the sales engineering we spoke to are extremely knowledgeable. They had 100 percent of all the answers to the questions that we asked. In the case of Snyk, their support had to go and come back to us and their support pricing is very expensive. Even with the trials that we did, we did not try the paid version of their software that included dedicated customer support.

WhiteSource agents are knowledgeable. In a couple of cases, they had to go back and work with the engineering for a resolution. However, the support that is included in the plan that we bought is good. In the other two options, the pricing did not include the ongoing SLA-based support. With WhiteSource, they include SLA-based support, 24/7, in their enterprise plan, which is comparable to the plans with Sonatype and Snyk where they don't include the support.

I rate the support of WhiteSource a seven out of ten.

I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022.

We use trials of many solutions, such as Snyk and Sonatype.

WhiteSource's initial setup is very straightforward. In all three use cases, it was very straightforward. With Sonatype, we used the on-premise version, but with Snyk and WhiteSource, we used their cloud version. It did take a little time to set up Sonatype, but it was straightforward. We had people helping and guiding us on a Zoom call in all three use cases. It did not take long or was it complicated in either of the use cases. Overall all it took was under an hour.

We did the implementation ourselves with the sales engineers.

We haven't calculated our return on investment in terms of resource savings. While we were doing everything manually, but still we were not able to do everything. Now we have a solution, we can save the human resources that are being paid for. Our return on investment, in terms of our ability to showcase our solutions as secure and sell them, is going to be multifold. I'm expecting, at least, the return on investment of new sales and cross-sales will be at least six times higher.

When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually.

We evaluated many solutions, such as Snyk, Sonatype, SonarQube, Checkmarx, and a couple of others.

When people start looking at solutions that are available for open source, static code analysis, container scanning, and infrastructure as a code, there are many solutions. Many companies have productized these different services into different solutions, but when they sell them they combine everything into one platform. This can be extremely expensive and confusing. In the beginning, it all starts looking like they're all interdependent and buy and use all of them to be able to make them work, which is not the case. Finalize your use cases, what exactly you need a solution for, before even starting your evaluation. For example, our primary use case was open source and open source alone. When we started looking at the solutions, the companies threw at us things that we did not need, and we were confused at some stages. We did not give up and continued our POCs and went into more detail on the solutions that the vendors are offering.

In some cases, we didn't have the ability to evaluate some of the solutions they were providing, because we did not want them. We did not have the solution's codebases. For example, to evaluate some of the features, it's extremely important to discuss internally and make sure your use cases are before starting the evaluation of the solution. During the evaluation, stick to only the solutions or part of the solution that the vendors are providing that satisfies your use cases. Do not go beyond it and pay for something that you will not use once you buy them. It's confusing once you start the trials unless you have not done the background work or homework, you may end up buying things that you don't need at expensive prices.

I rate WhiteSource an eight out of ten.

We have two primary use cases. One use case is to find the vulnerabilities related to the open-source libraries that are included in multiple products in our company.

The second use case is to find out whether the licenses associated are for general use or not, or whether there are any license-related restrictions. Sometimes, when you use open-source components, depending on the type of licenses, they may be applicable only for internal use. We use it to check whether we are violating any licensing or not.

Using Mend SCA, it is easy to identify open-source vulnerabilities, but it is not easy to remediate because there are multiple moving components or moving parts in a build frame or a small library, so the impact of one component can be different on different products. To identify open-source vulnerabilities, you just run a scan in your pipeline, but to fix them, you need to do multiple regression tests and check whether your application or product is getting affected by that upgrade or not.

Mend SCA has helped reduce our mean time to resolution (MTTR). Knowing a risk does not necessarily help us in remediating or fixing that vulnerability, but it helps at least in deploying certain compensatory controls so that we can take on the upgrade part later on. Our protection is deployed at the parameter level, at the system level, or at the network level. It has reduced our MTTR roughly by 20%.

Mend SCA has definitely helped us reduce the number of open-source software vulnerabilities running in our production at any given point in time. We have now started to break the build in case there are any high-level or critical vulnerabilities. Certain teams, not all, are now forced to fix them, which is why the vulnerability count is going down. There is about a 20% reduction in vulnerabilities.

The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions.

I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant.

I have been using Mend SCA for more than three years, and we started with Mend SAST this year in January.

It is stable.

It is a SaaS solution, so scalability is something that their teams need to handle on their side. Scalability is in their control, and we are just sending those results over there.

We have about 450 users. We only use the portal. We scan via a unified agent or a CLI component, and we have two extra components. We have the Chrome plug-in and the IDE plug-in. The best thing is that on the CI/CD pipeline that we are using, we only need to call a unified agent that does the scan and then posts the results on the dashboard or the portal. It is deployed at multiple locations and at multiple levels of our pipeline. We are using Gitlab Cloud, Bitbucket and Jenkins. We are using many different tools at different locations.

All levels of their support have very good technical knowledge. They know their tool better than us, so when we cannot find a solution, they give us that in 15 minutes. I would rate them a 10 out of 10.

Positive

I did not use any other solution previously.

It is a SaaS solution. I was not involved in its deployment. It was already in the company for six months when I got my hands on it.

In terms of maintenance, we just need to check which users have left the organization so that we can maintain the number of users under the license that we have purchased. That is a small thing required on our side even though we have SSO integrated.

We have seen an ROI. We were able to find vulnerabilities. If our products were not attacked by an external entity, we consider that as an ROI, but it is difficult to put a dollar value on that.

It is fairly priced.

Mend SCA is better than Mend SAST. They are a market leader in SCA. The adoption of Mend SCA and the scanning of Mend SCA are pretty good. It is one of the best solutions for SCA. It was already deployed for at least six months before I got this tool. At one point, I saw WhiteSource's name on the Microsoft website as a critical solution for open-source scanning, which made me think that this solution must be good if Microsoft mentioned it on its website.

Its adoption was very slow in the beginning. Three years ago, there was no awareness of using this solution, so we had to tell the team about what the solution is for, what are its advantages, how it impacts their product, and so on. The adoption is good now, and people know exactly what it is being used for. They know the types of vulnerabilities that are there. They know the types of features that are there. Earlier, they used to go through me for any support program, but now they are directly raising tickets depending on the priority of the ticket and then directly communicating with my support representative to fix them. The initial one and a half years were difficult. 

We are also using Mend SAST. They have a variety of different application security solutions in addition to SCA. These solutions are complementary. When you use solutions from different vendors, more diversity can lead to problems. When you have a Mend solution for SCA and a Mend solution for SAST, they are complementary, so the results of those scans would be far more helpful than having different vendors at each and every level. Diversification is good to a certain extent, but if you diversify too much, you might get a lot of false positives.

Overall, I would rate Mend SCA a 10 out of 10. It is definitely one of the best ones in the market.

It is used to manage open-source associated risks. I'm a consultant, and I provide consultancy and management services in the domain of open-source risk management. I use this product as a part of the services to my customers. I'm not using it in my company because my company is not developing anything.

Its deployment is hybrid where scans are on-premise and the knowledge base is on the cloud.

It saves a lot of money with early fixing. If you can figure out an open-source bug earlier, rather than in production, it can save a lot of, almost 100 times, cost.

It also helps with post-production management because it gives alerts on new vulnerabilities.

The dashboard view and the management view are most valuable.

The pricing model needs some changes. It is being offered in bulks of a minimum of 20 developers, which means that small startups with less than 20 developers cannot afford to buy the minimum bulk. There is no flexible pricing model to choose a plan with partial functionality and for less than 20.

The GUI should support the export of multiple SBOM formats, today this is the transparency expected by federal agencies from companies that write software. 
There is no one standard yet in the industry for SBOM, so leading tools like WhiteSource should be able to support multiple formats.

I have been using this solution for years.

It is very stable.

There are hundreds of users who use this solution.

I have used their support, and they were excellent.

I use multiple solutions, such as Snyk, Black Duck, and Sonatype.

It is quite simple. Its implementation takes days, and its implementation strategy is a part of our management plan.

I'm a consultant, and I help with its implementation. It requires very few people.

There is definitely an ROI.

Its pricing model is per developer. It depends on the number of developers in the company. The license is for a minimum of 20 developers. So, even if you are a small startup with less than 10 developers, you have to buy a license for 20 developers on a yearly subscription, which makes it quite expensive for startup customers. I provide consultation to startup accelerators. They're small at the beginning, and only once they grow to 20 developers, they can afford this tool. As a result, WhiteSource is missing this target audience. Their licensing is not flexible.

I evaluated other options, but some of those, such as Protecode, do not exist today. They used to be tools based on the actual reading of the content. They were snippet-based.

My advice would be to get ready for implementation by preparing the right structure. Before implementing this tool, you should define the company policy and processes and get accurate training. This creates trust between the developer and the newly-implemented tool. For instance, when there is a violation of a policy, you need to understand why it happened. You should not try to bypass that just because it would fail the build. Developers' trust is the most important thing. So, you should plan ahead with a clear management program for open-source involving all key holders. Implementation of such a tool requires collaboration. It is not the job of just the development team or the head of security. It is supposed to be a joint effort of the entire development group in a company.

I would rate WhiteSource a nine out of ten.

The integration with Azure DevOps was good.

The results and the dashboard they provide are good.

It was pretty straightforward for me.

I would like to see the static analysis included with the open-source version. That would be good.

I used the trial version of WhiteSource for a month. We chose to work with Veracode instead.

It's was pretty stable. I don't have any complaints about the stability of WhiteSource.

I did not have any contact with the technical support. I did not have any issues in the time that I used this solution.

It was approximately $2,000 per year or per month, I don't recall exactly.

When compared with Veracode, Veracode was very very expensive. It was approximately $200,000.00 per year for the whole Suite.

WhiteSource is much more affordable than Veracode.

We are evaluating Veracode.

It was pretty good. I would rate WhiteSource an eight out of ten.

Our primary use for WhiteSource is security and license risk detection in open-source, third-party libraries and components. We run scans from multiple source control and build systems (TFS, ADO, Jenkins, ...). Some of our scans are automated, while others are done manually with the unified file agent in offline mode scan, and then the resulting "wsjson" file is uploaded to the WS SaaS portal.

We moved from Black Duck to WhiteSource as it was a more modern and scalable solution, with better integration support to various build and source environments. The ease of running scans and getting results quickly enables our developers to address issues quicker. 

The most valuable features of this solution are:

1. The vulnerability and license alerts are the main purposes of us utilizing this tool. We don't want to ship software and mistakenly include a GPL component. Similarly, we want to stay up to date on all vulnerabilities in third-party libraries so we can take action if our software solutions are impacted.
2. Implementing policies is helpful because it's great when certain "no-nos" can be codified as policies and auto-rejected.
3. Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses copyright and component usage disclosures in our software.

Places in need of improvement are:

1. Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting.
2. Manual uploads of "wsjson" files can only be done by a global admin. Product administrators should be given this right for uploading files to their products/projects.
   
3. Better support for proxies is needed when running the unified file agent behind a proxy. It can be made to work, but the Java proxy config and cert trust for MitM traffic inspection are very painful to set up.

We have been using WhiteSource for two years.

In our two years of usage, there has been a negligible amount of downtime. We have, however, experienced occasional issues with certain features of the offer that created some friction and grumblings from our devs using the portal, but those have typically been resolved fairly quickly. 

This is a SaaS offering that has so far taken everything we have thrown at it (150+ products, with multiple projects in each). Certain reports that aggregate data globally could take a while to churn, but well within acceptable time-frames.

Responses are quick; TS works hard to resolve issues quickly. 

Prior to this solution, we used Black Duck. As of two years ago, when we made the switch, WhiteSource's UI was more modern, the SaaS solution more scalable, and the integration capabilities far superior. The detection accuracy between the two was quite similar. 

Setting up the tool for automated usage is very straightforward. Follow the documentation carefully and you will likely be fully up and running in between 15 and 60 mins.

We implemented this solution using our in-house team.

Pricing is competitive.

We also use NPM Audit and Snyk, but as an augmentation; not as competitors. 

We use WhiteSource for scanning open source libraries called SCA and both the vulnerabilities and open source licenses. We deployed WhiteSource with Azure DevOps.

WhiteSource is unique in the scanning of open-source licenses. Additionally, the vulnerabilities aspect of the solution is a benefit. We don't use WhiteSource in the whole organization, but we use it for some projects. There we receive a sense of the vulnerabilities of the open-source components, which improves our security work. The reports are automated which is useful.

WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance.

I have been using WhiteSource for a few years.

WhiteSource is a stable solution.

We have approximately 20 people using this solution in my organization.

I have not used technical support.

I have previously used other solutions, such as OWASP Dependency-Check, Snyk open-source, and CheckMark

The initial setup of WhiteSource is straightforward.

We did the deployment of the solution ourselves. We used one person for the deployment.

We have received a return on investment.

WhiteSource is a free solution to use.

We evaluated other solutions before choosing WhiteSource. We ended up choosing WhiteSource because of some of its unique features.

I rate WhiteSource a seven out of ten.

We needed a tool to ensure that we are not using vulnerable libraries or open-source libraries with a copyleft license. We integrated WhiteSource with our repositories and CI server and set up automated policies to reject copyleft licensed libraries because our legal department doesn't allow them. We also have it open Jira issues automatically when a vulnerable library is detected and assign it to an engineer so we can shorten our response time to vulnerabilities detected in our applications. It integrates nicely with our existing workflow.

The best thing is that it changed the mindset of our developers. They are now more aware and proactive when it comes to the security risks in open source vulnerabilities and the need to update packages from time to time.

It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions.

The WhiteSource prioritization feature provides us with the greatest value as it has cut down the number of security alerts by about 90%. It is only relevant for Java and JS for now, but we understand more is yet to come. This has saved us a lot of time.

WhiteSource is very accurate and covers all of our languages (including C++).

WhiteSource Prioritize is amazing. If we are using a vulnerable library, it shows us if we are actually using the vulnerable method or not. This saves us a lot of time that we can instead invest in other projects.

It also does a great job of automating many activities we used to do manually. Now the system does it for us and it generates a great security dashboard that shows us whether our remediation velocity is improving or not.

WhiteSource Prioritize should be expanded to cover more than Java and JavaScript.
We are currently using WhiteSource Prioritize for Java and it cuts our vulnerability alerts by almost 90%. However, Prioritize doesn't cover python or other languages at this point and our developers are required to deal with many open source security alerts. The problem is that now our developers are aware that most open source security alerts are not impacting the security of their applications and it's harder to get their cooperation. We are waiting for WhiteSource to announce support ifor Python and other languages.

We have been using WhiteSource for almost a year.

From my experience, WhiteSource is pretty solid.

We had a problem with a new library that their engine didn't process. I wrote them an email and got a response within an hour. Two days later they added it to their system.

They provide accurate results and our customer success manager is great.

No complaints so far.

We tested Black Duck as well but detected quite a lot of false positives.

The good thing is that their product just keeps getting better. They are very attentive to their customers.

All in all, if you care about security, this product is a must. We all love open source, but I was always afraid of the headache in handling all the licensing/updates/vulnerabilities. The peace of mind we have now is a total game-changer.

Our primary use is to find all the third-party libraries and open source libraries which are hidden in the software, such that no third-party libraries are forgotten.

1. To get an overview of all these third-party components.
2. To get some information from WhiteSource about which licenses are behind the third-party tool, and what implications these might have for us.

We find licenses together with WhiteSource which are associated with a certain library, then we get a classification of the license. This is with respect to criticality and vulnerability, so we could take action and improve some things, or replace a third-party library which seems to be too risky for us to use on legal grounds. Then, we can take some measures to improve things, replace a library, or update a library which was too old or showed severe bugs, etc.

Several dashboards. The licenses dashboard, which gives me an overview of all the licenses used in our software. For example, right at the moment, there are several hundreds of licenses used. The licenses dashboard and release management dashboard along with reports (like risk, vulnerabilities, high severity, bug alerts, etc.).

Every product has room for improvement, including WhiteSource. The stability of the product is web-based. We are obliged to use the Internet Explorer, and from time-to-time I get messages which tells me that I do not have the rights to use WhiteSource, which is obviously wrong. I also suggested it to WhiteSource, and they told me that WhiteSource only works reliably for Firefox and Chrome. This has some room for improvement for me. Make the product available in a very stable way for other web browsers. 

From time to time, the dashboards don't display the full content that I expect. It seems that licenses are not shown nor are products are shown in full detail. I am just missing things at times. This might be due to the Internet Explorer issue, and if I am not using the right web browser, then maybe it does not work correctly. 

From time-to-time, it seems in Internet Explorer, which we use here in our company, the product is not stable in all cases. I get wrong error messages, and it seems that WhiteSource does not display all the contents that should be there. 

It is good enough. We can live with it in this situation. Though maybe it would be much better if we used Chrome or Firefox.

The picture that I have of it is that it is not yet a fully 100% stable software. This is the impression that I have. It is not 100% stable and reliable, but it is good enough that we can work with it.

We have only six software projects included right now. Altogether, we have several hundred third-party open source components. With this amount of objects displayed in the dashboards, it is working pretty well. I cannot say anything which goes beyond that amount. 

From time-to-time, I have the impression that if it is a long list (e.g., if I have several hundreds of entries in a list), that this list might somehow get a little bit difficult to handle with the scroll bar in finding things. This could be improved, in regards to handling a lot of data. It seems a little bit limited.

We have tech calls with WhiteSource on a regular basis, about every four weeks. 

The customer success manager, who is responsible for us, works with us pretty well. Every several weeks, we have a phone call, then we try to move one step forward to improve things, and so on. 

The overall support that we receive is pretty good. 

We did not use anything before WhiteSource. 

It was not that easy, but easy enough to go ahead. 

From time-to-time, we get some hints from the support on how to work with it. The dashboard is pretty good, so one can easily find things that they are looking for. However, the topic search, it is very complex and complicated to get a qualified picture of all these licenses. I know that there are online resources for us which we can take into account, but taking everything together, it still remains quite complicated for us to work with it.

Up until now, we were convinced that the return of investment was not really the case. However, we will see if maybe we get enough benefit out of the tool that we can argue internally that it is really worth using it.

When using WhiteSource, you cannot really be sure what the ROI is. It is an indication, a hint, that maybe you should look at these licenses or those licenses. However, maybe it has not found everything. Nobody can guarantee that we now have the complete picture. It is maybe an improved picture on all this third-party open-source stuff, but maybe it is also not the complete picture.

We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price. 

We did evaluate another tool along with WhiteSource, but we decided to take WhiteSource. There was this other tool, Black Duck, but we decided to work with WhiteSource.

However, we have not fully evaluated this tool. It seemed too complicated for us, so at a certain point, we just decided to work with WhiteSource further on.

I recommend using WhiteSource to other companies if they are in a similar situation that we are. If they are having real problems in dealing with all these open source licenses, then it is a good approach to use WhiteSource and get a handle of the whole topic. 

I do recommend it.