What is our primary use case?
We have started the trial version of WhiteSource last week. We concluded the trial this week and we are beginning to use the full licensed solution later on in the week.
We use WhiteSource for automating open-source vulnerability management, by finding the open-source libraries that were used and fixing them. Additionally, we set up policies to disallow some of the risky open sources from being used in our solutions by developers. We are able to scan and fix vulnerabilities in our containers, to ensure that if there are any licenses that violate the open-source usage or put our product at risk, we make sure that we either remove or remediate the open sources with risky licenses. Those are the three main use cases.
How has it helped my organization?
We did not have much security compliance implemented in our solutions. Whatever we did, we had to use the AWS built-in OWASP scanning, and we had to manually find out the versions of the open sources that fixed the vulnerability issues. We then had to make sure that that updated version was sent in and the code merged for a test. We found it sometimes took a lot of research to make sure that the version we were upgrading to did fix the issue, et cetera. However, this was all manual research and was dependent on the knowledge of the developer or the engineer who did this work. It took time and did not ensure a high percentage of security compliance. With WhiteSource in place, we are going to be able to do the whole process automatically, and we will be confident that we removed the vulnerabilities and license violations.
We are saving the time that we spent on resources because we no longer have to do it manually. We will now have confidence that there are not many errors made. We are able to do much more vulnerability fixing than we did manually; there are cost savings and less work involved.
What is most valuable?
We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses; some are risky and some are not. All three of our use cases are equally important to us, and we found WhiteSource handles them decently.
For how long have I used the solution?
I have been using WhiteSource for approximately one week.
What do I think about the stability of the solution?
We have not used the solution very long, so we do not have a full picture of the stability. However, from what we have seen in the trials, it is impressive.
The solution only required a few hours of work from one DevOps engineer in a week.
What do I think about the scalability of the solution?
WhiteSource's scalability is extremely good. We can add more repositories, projects, and people as we need. There's no problem with the scalability. We did not find any slowness, performance stress, or load-related issues when we did the trials. WhiteSource can handle up to a few thousand concurrent users without any issues.
Once we have the solution fully licensed we will have approximately 50 people using it.
Our usage of WhiteSource will increase as we add more people, but it's going to be the same code base. The number of users will increase, but the scope of the solution usage in terms of the number of solutions will remain the same.
How are customer service and support?
Their pricing is different for many of the solutions we have tried. In Sonatype, especially, the agents are extremely technically knowledgeable. The sales team and the sales engineers we spoke to are extremely knowledgeable. They had 100 percent of the answers to the questions that we asked. In the case of Snyk, their support had to go away and come back to us, and their support pricing is very expensive. Even with the trials that we did, we did not try the paid version of their software that included dedicated customer support.
WhiteSource agents are knowledgeable. In a couple of cases, they had to go back and work with the engineering for a resolution. However, the support that is included in the plan that we bought is good. In the other two options, the pricing did not include the ongoing SLA-based support. With WhiteSource, they include SLA-based support, 24/7, in their enterprise plan, which is comparable to the plans with Sonatype and Snyk where they don't include the support.
I rate the support of WhiteSource a seven out of ten.
I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022.
Which solution did I use previously and why did I switch?
We used trials of many solutions, such as Snyk and Sonatype.
How was the initial setup?
WhiteSource's initial setup is very straightforward. In all three use cases, it was very straightforward. With Sonatype, we used the on-premise version, but with Snyk and WhiteSource, we used their cloud versions. It did take a little time to set up Sonatype, but it was straightforward. We had people helping and guiding us on a Zoom call in all three use cases. It did not take long, nor was it complicated, in any of the use cases. Overall, all it took was under an hour.
What about the implementation team?
We did the implementation ourselves with the sales engineers.
What was our ROI?
We haven't calculated our return on investment in terms of resource savings. While we were doing everything manually, we were still not able to do everything. Now that we have a solution, we can save the human resources that are being paid for. Our return on investment, in terms of our ability to showcase our solutions as secure and sell them, is going to be multifold. I'm expecting that the return on investment from new sales and cross-sales will be at least six times higher.
What's my experience with pricing, setup cost, and licensing?
When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually.
Which other solutions did I evaluate?
We evaluated many solutions, such as Snyk, Sonatype, SonarQube, Checkmarx, and a couple of others.
What other advice do I have?
When people start looking at solutions that are available for open source, static code analysis, container scanning, and infrastructure as code, there are many solutions. Many companies have productized these different services into different solutions, but when they sell them they combine everything into one platform. This can be extremely expensive and confusing. In the beginning, it all starts looking like they're all interdependent and you have to buy and use all of them to make them work, which is not the case. Finalize your use cases, what exactly you need a solution for, before even starting your evaluation. For example, our primary use case was open source and open source alone. When we started looking at the solutions, the companies threw things at us that we did not need, and we were confused at some stages. We did not give up; we continued our POCs and went into more detail on the solutions that the vendors were offering.
In some cases, we didn't have the ability to evaluate some of the solutions they were providing, because we did not want them. We did not have the solution's codebases. For example, to evaluate some of the features, it's extremely important to discuss internally and make sure of your use cases before starting the evaluation of the solution. During the evaluation, stick to only the solutions, or the parts of the solution, that the vendors are providing that satisfy your use cases. Do not go beyond that and pay for something that you will not use once you buy it. It's confusing once you start the trials; if you have not done the background work or homework, you may end up buying things that you don't need at expensive prices.
I rate WhiteSource an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.