Checkmarx vs Mend Comparison 2023

Read 27 Veracode reviews

41,100 views|24,342 comparisons

Checkmarx

Read 21 Checkmarx reviews

42,190 views|30,811 comparisons

Mend

Read 13 Mend reviews

19,920 views|14,073 comparisons

Comparison Buyer's Guide

Download the complete report

Buyer's Guide

Checkmarx vs. Mend

March 2023

Executive Summary

We performed a comparison between Checkmarx and Mend based on real PeerSpot user reviews.

Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI.

To learn more, read our detailed Checkmarx vs. Mend Report (Updated: March 2023).

Download the complete report

685,707 professionals have used our research since 2012.

Featured Review

Anonymous User

IT security architect at a consumer goods company

Researched Checkmarx but chose Veracode: Effective static analysis, plenty of tools, but needs better support for languages

Rahul Mane

Head of DevOps at Tpconnects technologies

Checkmarx has helped us deliver more secure products. We are able to do static code analysis with the tool before shipping our code to production.... Read more →

Kevin Dsouza

Intramural OfficialIntramural at Northeastern University

Easy to set up with vulnerability analysis and is reliable

Quotes From Members

We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:

Pros

"Veracode Security Labs are fantastic. My team loves getting the hands-on experience of putting in a flaw and fixing it. It's interactive. We've gotten decent support from the sales and software engineers, so the initial support was excellent. They scheduled a consultation call to dive deep and discuss why we see these findings and codes. That was incredibly helpful.""The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly.""Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered.""It has the ability to statically scan your source code before it goes to production. It can be scanned within your testing or development environment, and that is very useful. And good explanations of all the vulnerabilities in your source code help take care of those issues in future code implementation as well.""Good static analysis and dynamic analysis.""Veracode's integration with our continuous integration solution is what I've found to be the most valuable feature. It is easy to connect the two and to run scans in an automated way without needing as much manual intervention.""Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode.""The user interface is excellent, the code review process is quick and provides great analytics to understand our code better, and the SAST scan is high-speed."

More Veracode Pros →

"One of the most valuable features is it is flexible.""The solution is scalable, but other solutions are better.""The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera.""The best thing about Checkmarx is the amount of vulnerabilities that it can find compared to other free tools.""I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy.""It's not an obstacle for developers. They can easily write their code and make it more secure with Checkmarx.""The solution has good performance, it is able to compute in 10 to 15 minutes.""It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security."

More Checkmarx Pros →

"The dashboard view and the management view are most valuable.""The inventory management as well as the ability to identify security vulnerabilities has been the most valuable for our business.""There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it.""I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow.""The results and the dashboard they provide are good.""WhiteSource is unique in the scanning of open-source licenses. Additionally, the vulnerabilities aspect of the solution is a benefit. We don't use WhiteSource in the whole organization, but we use it for some projects. There we receive a sense of the vulnerabilities of the open-source components, which improves our security work. The reports are automated which is useful.""The solution is scalable.""The vulnerability analysis is the best aspect of the solution."

More Mend Pros →

Cons

"One of the most important areas that need improvement for Veracode is its DaaS. Veracode's DAST engines are primitive.""There are many times when their product goes to check my code and it dies, and I don't know why. I've contacted support and they're not really helpful with this particular problem. I go to the logs and I look at what I can but I can't tell why the check process has essentially just died in the middle of checking.""The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it.""Veracode's ease of use could be improved. I would also like to see more online videos and tutorials that could help us understand the product better. It would also be helpful if Veracode created a certification program for DevSecOps staff to learn about their product and get certified. This kind of training would raise the company's profile within the industry.""I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use.""Searching for applications in Veracode is a little bit difficult. We have to minimize the length of an application's name to 47 characters. It would be good if this limit could be increased so that an application's name can be properly reflected in Veracode.""I would like to see more AI features. It's a current subject because with ChatGPT and other solutions being developed all the time, IT attacks will increase... To defend against those it's very important that the good guys use AI in ways that are good instead of bad.""The solution could improve the Dynamic Analysis Security Testing(DAST)."

More Veracode Cons →

"Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities.""Checkmarx could improve the REST APIs by including automation.""Its user interface could be improved and made more friendly.""The solution sometimes reports a false auditable code or false positive.""We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level.""Checkmarx could improve by reducing the price.""As the solution becomes more complex and feature rich, it takes more time to debug and resolve problems. Feature-wise, we have no complaints, but Checkmarx becomes harder to maintain as the product becomes more complex. When I talk to support, it takes them longer to fix the problem than it used to.""I would like to see the tool’s pricing improved."

More Checkmarx Cons →

"Mend lets you create custom policies. They're not too complicated to set up, but it would be helpful if they had some preconfigured policies to match what we have in Azure DevOps. That would save us a lot of time. It's tedious to configure the policies manually, and I lack the capacity to do it right now. Other products have preconfigured packs and templates, and Mend doesn't.""At times, the latency of getting items out of the findings after they're remediated is higher than it should be.""I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022.""The turnaround time for upgrading databases for this tool as well as the accuracy could be improved.""They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application.""We have been looking at how we could improve the automation to human involvement ratio from 60:40 to 70:30, or even potentially 80:20, as there is room for improvement here. We are discussing this internally and with Mend; they are very accommodating to us. We think they openly receive our feedback and do their best to implement our thoughts into the roadmap.""The initial setup could be simplified.""WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance."

More Mend Cons →

Pricing and Cost Advice

"From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."

"The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us."

"It is quite good. If you adapt it for the whole organization, it is quite affordable. The pricing plans are good as compared to the other competitors, and any small, medium, or big company can easily adopt Veracode. Its cost includes deployment, training, and support for one year."

"The cost has been a barrier to wider use here. I think my team is the only one at the university. Other folks might like to use it, but it's pretty pricey. You could see what else is in the market, but I hear that's the price for most solutions. You might not find a better deal in the market, or it might be an incomplete solution. I mean, for the level of interaction we get with Veracode staff, it's been pretty good."

"There is a fee to scale up the solution which I consider expensive."

"I know that Veracode is a semi-pricey solution. If you are serious about security, I would recommend that you use an open-source option to learn how the scanning process works and then look into Veracode if you want to really step up your game and have an all-in-one solution."

"I wouldn't really recommend Veracode for a small firm, because it might be a little pricey for them. But for a large organization, with more than 1,000 applications in the enterprise, there are tiered levels of pricing."

"There are no setup or implementation charges. They offer a free trial and free consulting services... The price depends on your requirements, your source code sizes, and how complicated your source code is."

More Veracode Pricing and Cost Advice →

"It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."

"Most of my customers opted for a perpetual license. They prefer to pay the highest amount up front for the perpetual license and then pay for additional support annually."

"We have purchased an annual license to use this solution. The price is reasonable."

"We're using a commercial version of Checkmarx, and we paid for the solution for one year. The price is high and could be reduced."

"The price of Checkmarx could be reduced to match their competitors, it is expensive."

"The average deal size was usually anywhere between $120K to $175K on an annual basis, which could be divided across 12 months."

"If you want more, you have to pay more. You have to pay for additional modules or functionalities."

"Checkmarx is comparatively costlier than other products, which is why some of the customers feel reluctant to go for it, though performance-wise, Checkmarx can compete with other products."

More Checkmarx Pricing and Cost Advice →

"The solution involves a yearly licensing fee."

"As we were using an SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."

"WhiteSource is much more affordable than Veracode."

"This is an expensive solution."

"When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."

"Its pricing model is per developer. It depends on the number of developers in the company. The license is for a minimum of 20 developers. So, even if you are a small startup with less than 10 developers, you have to buy a license for 20 developers on a yearly subscription, which makes it quite expensive for startup customers. I provide consultation to startup accelerators. They're small at the beginning, and only once they grow to 20 developers, they can afford this tool. As a result, WhiteSource is missing this target audience. Their licensing is not flexible."

"We always negotiate for the best price possible, and as far as I know, Mend has done an excellent job with their pricing. Our management is happy with the pricing, which has led to renewals."

"Pricing and licensing are comparable to other tools. When we started, it was less than our existing solution. I can't go into specifics, but it isn't cheap."

More Mend Pricing and Cost Advice →

See Which Vendors Are Best For You

Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.

See Recommendations

685,707 professionals have used our research since 2012.

Questions from the Community

Which gives you more for your money - SonarQube or Veracode?

Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis… more »

Read all 6 answers →

What do you like most about Veracode?

Top Answer:The user interface is excellent, the code review process is quick and provides great analytics to understand our code… more »

Read all 72 answers →

What is your experience regarding pricing and costs for Veracode?

Top Answer:It is quite good. If you adapt it for the whole organization, it is quite affordable. The pricing plans are good as… more »

Read all 42 answers →

What alternatives are there for Fortify WebInspect and Fortify SCA?

Top Answer:I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as… more »

Read all 4 answers →

What is the biggest difference between Veracode and Checkmarx?

Top Answer:JaeLee, check out our comparison page hereof Veracode vs Checkmarx: https://www.itcentralstation.c... Checkmarx is… more »

Read all 6 answers →

What is the biggest difference between Checkmarx and SonarQube?

Top Answer:SonarQube historically was focused on Code Quality and Best Practices. Recently the enterprise and data center versions… more »

Read all 3 answers →

How does WhiteSource compare with SonarQube?

Top Answer:Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This… more »

How does WhiteSource compare with Black Duck?

Top Answer:We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is… more »

What do you like most about WhiteSource?

Top Answer:The license management of WhiteSource was at a good level. As compared to other tools that I have used, its… more »

Read all 11 answers →

Comparisons

SonarQube vs. Veracode

Compared 37% of the time.

Micro Focus Fortify on Demand vs. Veracode

Compared 7% of the time.

OWASP Zap vs. Veracode

Compared 5% of the time.

SonarCloud vs. Veracode

Compared 5% of the time.

HCL AppScan vs. Veracode

Compared 4% of the time.

More Veracode Competitors →

+ Add more products to compare

SonarQube vs. Checkmarx

Compared 54% of the time.

Snyk vs. Checkmarx

Compared 6% of the time.

Micro Focus Fortify on Demand vs. Checkmarx

Compared 6% of the time.

Coverity vs. Checkmarx

Compared 3% of the time.

SonarCloud vs. Checkmarx

Compared 2% of the time.

More Checkmarx Competitors →

+ Add more products to compare

SonarQube vs. Mend

Compared 20% of the time.

Black Duck vs. Mend

Compared 19% of the time.

Snyk vs. Mend

Compared 16% of the time.

Sonatype Nexus Lifecycle vs. Mend

Compared 5% of the time.

JFrog Xray vs. Mend

Compared 4% of the time.

More Mend Competitors →

+ Add more products to compare

Also Known As

WhiteSource

Learn More

Veracode

Checkmarx

Mend

Overview

Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

Checkmarx is a highly accurate and flexible static code analysis product that allows organizations to automatically scan uncompiled code and identify hundreds of security vulnerabilities in all major coding languages and software frameworks. Checkmarx is available as a standalone product and can be effectively integrated into the software development lifecycle (SDLC) to streamline vulnerability detection and remediation. Checkmarx is trusted by leading organizations such as SAP, Samsung, and Salesforce.com.

Checkmarx is a global leader in software security solutions for modern software development. Checkmarx delivers a comprehensive software security platform that unites with DevOps by scanning uncompiled source code for security vulnerabilities early in the development life cycle to reduce and remediate risk from software vulnerabilities. Using Checkmarx, teams avoid software security vulnerabilities managed via a single and unified dashboard without slowing down their delivery schedule.

Checkmarx balances the needs of the entire organization, delivering seamless security from the start and throughout the entire software development life cycle. Checkmarx can be deployed on-premises in a private data center or hosted via a public cloud.

Checkmarx Features

Some of Checkmarx’s features include:

Source code scanning: Detect and repair more vulnerabilities before you release your code.
Open-source scanning: Find and eliminate the risks in your open-source code.
Interactive code scanning: Scan for vulnerabilities and runtime threats.
Open-source security for infrastructure as code: Identify and fix insecure IaC configurations that put your application at risk.

Reviews from Real Users

Checkmarx stands out among its competitors for a number of reasons. Two major ones are its ability to enable developers to secure their code with a single management dashboard and its high-speed scanning abilities.

PeerSpot users note the effectiveness of these features. A CEO at a tech services company writes, “The most valuable features are the easy-to-understand interface, and it’s very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan. We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project. The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.”

A director at a tech services company notes, “The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important.”

A senior manager at a manufacturing company writes, “The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."

Mend is a software composition analysis tool that secures what developers create. The solution provides automated reduction of software attack surface, reduces developer burdens, and accelerates app delivery. Mend provides open-source analysis with its in-house and other multiple sources of software vulnerabilities. In addition, the solution offers license and policy violations alerts, has great pipeline integration, and, since it is a SaaS (software as a service), it doesn’t require you to physically maintain servers or data centers for any implementation. Not only does Mend reduce enterprise application security risk, it also helps developers meet deadlines faster.

Mend Features

Mend has many valuable key features. Some of the most useful ones include:

Vulnerability analysis
Automated remediation
Seamless integration
Business prioritization
Limitless scalability
Intuitive interface
Language support
Integration
Continuous monitoring
Remediation suggestions
Customization

Mend Benefits

There are many benefits to implementing Mend. Some of the biggest advantages the solution offers include:

Easy to use: The Mend platform is very user friendly and easy to set up.

Third-party libraries: The solution eases the process of keeping track of all the used third-party dependencies within a product. It not only scans for the pure occurrence (also transitively) but also takes care of licenses and vulnerabilities.

Static code analysis: With Mend’s static code analysis, you can quickly identify security weaknesses in custom code across desktop, web, and mobile applications.

Broad support: Mend provides 27 different programming languages and various programming frameworks.

Easy integration: Mend makes integration very easy with existing DevOps environments and CI/CD pipelines so developers don’t need to manually configure or trigger the scan.

Ultra-fast scanning engine: The solution’s scanning engine generates results up to ten times faster than legacy SAST solutions.

Unified developer experience: Mend has a unified developer experience inside the code repository that shows side-by-side security alerts and remediation suggestions for custom code and open-source code.

Reviews from Real Users

Below are some reviews and helpful feedback written by PeerSpot users currently using the Mend solution.

Jeffrey H., System Manager of Cloud Engineering at Common Spirit, says, “Finding vulnerabilities is pretty easy. Mend (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Mend does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.”

PeerSpot reviewer Ben D., Head of Software Engineering at a legal firm, mentions, “The way WhiteSource scans the code is great. It’s easy to identify and remediate open source vulnerabilities using this solution. WhiteSource helped reduce our mean time to resolution since we adopted the product. In terms of integration, it's pretty easy.”

An IT Service Manager at a wholesaler/distributor comments, “Mend provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support.”

Another reviewer, Kevin D., Intramural OfficialIntramural at Northeastern University, states, "The vulnerability analysis is the best aspect of the solution."

Offer

Keep your software secure

Find out more

Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.

Learn more about Checkmarx

Learn More

Learn more about Mend

Learn More

Sample Customers

State of Missouri, Rekner

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC

Microsoft, Autodesk, NCR, Forgerock, The Home Depot, Bosch, IBM, GE digital, KPMG, LivePerson, Jack Henry and Associates

Top Industries

REVIEWERS

Financial Services Firm31%

Computer Software Company11%

Insurance Company9%

Comms Service Provider6%

VISITORS READING REVIEWS

Computer Software Company19%

Financial Services Firm16%

Comms Service Provider8%

Manufacturing Company7%

REVIEWERS

Computer Software Company35%

Financial Services Firm23%

Manufacturing Company12%

Pharma/Biotech Company8%

VISITORS READING REVIEWS

Financial Services Firm22%

Computer Software Company18%

Manufacturing Company7%

Insurance Company6%

REVIEWERS

Computer Software Company33%

Financial Services Firm11%

Wholesaler/Distributor6%

University6%

VISITORS READING REVIEWS

Computer Software Company22%

Financial Services Firm13%

Comms Service Provider8%

Manufacturing Company7%

Company Size

REVIEWERS

Small Business25%

Midsize Enterprise22%

Large Enterprise52%

VISITORS READING REVIEWS

Small Business17%

Midsize Enterprise12%

Large Enterprise71%

REVIEWERS

Small Business36%

Midsize Enterprise16%

Large Enterprise48%

VISITORS READING REVIEWS

Small Business14%

Midsize Enterprise11%

Large Enterprise75%

REVIEWERS

Small Business35%

Midsize Enterprise8%

Large Enterprise58%

VISITORS READING REVIEWS

Small Business19%

Midsize Enterprise13%

Large Enterprise68%

Buyer's Guide

Checkmarx vs. Mend

March 2023

Free Report: Checkmarx vs. Mend

Find out what your peers are saying about Checkmarx vs. Mend and other solutions. Updated: March 2023.

DOWNLOAD NOW

685,707 professionals have used our research since 2012.

Checkmarx is ranked 9th in Application Security Tools with 21 reviews while Mend is ranked 4th in Application Security Tools with 13 reviews. Checkmarx is rated 7.6, while Mend is rated 8.2. The top reviewer of Checkmarx writes "Supports different languages, has excellent support, and easily expands". On the other hand, the top reviewer of Mend writes "Easy to use, great for finding vulnerabilities, and simple to set up". Checkmarx is most compared with SonarQube, Snyk, Micro Focus Fortify on Demand, Coverity and SonarCloud, whereas Mend is most compared with SonarQube, Black Duck, Snyk, Sonatype Nexus Lifecycle and JFrog Xray. See our Checkmarx vs. Mend report.

See our list of best Application Security Tools vendors.

We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.

Checkmarx vs Mend comparison

Veracode

Checkmarx

Mend