We performed a comparison between Mend and Veracode based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison results: Based on the parameters we compared, Mend comes out ahead of Veracode. While both solutions offer fast vulnerability resolutions, Veracode’s higher licensing costs and delayed tech support leave room for improvement.
"It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
"We can take some measures to improve things, replace a library, or update a library which was too old or showed severe bugs."
"The most valuable features are the reporting, customizing libraries 'In-house, White list, license selection', comparing the products/projects, and License & Copyright resolution."
"With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions."
"The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions."
"The vulnerability analysis is the best aspect of the solution."
"I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow."
"WhiteSource is unique in the scanning of open-source licenses. Additionally, the vulnerabilities aspect of the solution is a benefit. We don't use WhiteSource in the whole organization, but we use it for some projects. There we receive a sense of the vulnerabilities of the open-source components, which improves our security work. The reports are automated which is useful."
"I appreciate the integration provided by Veracode that seamlessly integrates with our CI/CD tools and allows us to integrate with IPA as well."
"Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
"The capability to identify vulnerable code is the most valuable feature of Veracode."
"The source composition analysis component is great because it gives our developers some comfort in using new libraries."
"I like the way the flaws are reported in the system."
"The most valuable feature is the static scan that checks for security issues."
"It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that."
"The time savings has been tremendous. We saw ROI in the first six months."
"If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation."
"The solution lacks the code snippet part."
"WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers."
"They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application."
"The turnaround time for upgrading databases for this tool as well as the accuracy could be improved."
"The dashboard UI and UX are problematic."
"I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant."
"WhiteSource Prioritize should be expanded to cover more than Java and JavaScript."
"Veracode should include the feature to run multiple scales at a time."
"Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them."
"It does nearly everything, but penetration testing."
"False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side."
"It would be ideal if it was able to demonstrate higher levels of cybersecurity certifications like becoming FedRAMP compliant or working in those areas."
"The Greenlight product that integrates into the IDE is not available for PHP, which is our primary language."
"I'd like to see more development tools and platforms integrated together with Veracode to amplify the solution's effectiveness."
"The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but it sometimes causes more work on our end."
Mend.io is ranked 5th in Application Security Tools with 29 reviews, while Veracode is ranked 2nd in Application Security Tools with 194 reviews. Mend.io is rated 8.4, while Veracode is rated 8.2. The top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". Mend.io is most compared with SonarQube, Black Duck, Snyk, Checkmarx One and JFrog Xray, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and HCL AppScan.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.