We performed a comparison between Mend and Qualys Web Application Scanning based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."In pipeline scanning, there is a configuration that can be set with respect to the security level of the flaw. If there is a high or a critical issue, there's a way the build can be failed and blocked before going into production."
"It has the ability to statically scan your source code before it goes to production. It can be scanned within your testing or development environment, and that is very useful. And good explanations of all the vulnerabilities in your source code help take care of those issues in future code implementation as well."
"I like the sandbox, the ability to upload compiled code, and how easy it is."
"The most valuable feature is the static scan that checks for security issues."
"Veracode Security Labs are fantastic. My team loves getting the hands-on experience of putting in a flaw and fixing it. It's interactive. We've gotten decent support from the sales and software engineers, so the initial support was excellent. They scheduled a consultation call to dive deep and discuss why we see these findings and codes. That was incredibly helpful."
"It has improved the quality of code being delivered for test and its vulnerability resolutions timeline has improved."
"The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
"You can easily integrate it with Azure DevOps. This is an added value because we work with Azure DevOps. Veracode is natively supported and we don't have to work with APIs."
"We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently."
"The results and the dashboard they provide are good."
"Mend has reduced our open-source software vulnerabilities and helped us remediate issues quickly. My company's policy is to ensure that vulnerabilities are fixed before it gets to production."
"I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow."
"There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it."
"The inventory management as well as the ability to identify security vulnerabilities has been the most valuable for our business."
"The solution is scalable."
"The dashboard view and the management view are most valuable."
"Qualys' process of updating signatures is something we really appreciate, and it's way ahead of its industry peers."
"I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews."
"It works with many different products."
"Qualys WAS' most valuable features are the navigation flow of the UI and the option for a different layer of security (identification and operation through email and mobile)."
"The most valuable feature of Qualys Web Application Scanning is the effective scanning that can be done."
"The product has issues with scanning."
"Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in."
"The zip file scanning has room for improvement."
"Veracode's SAST, DAST, and SCA are pretty good with respect to industry standards, but with regard to container security, they are in either beta or alpha testing. They need to get that particular feature up and running so that they take care of the container security part."
"One of the most important areas that need improvement for Veracode is its DaaS. Veracode's DAST engines are primitive."
"I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results."
"We are testing Veracode's software composition analysis, but we're having trouble integrating it with SVN. It works out of the box when you use Git but doesn't work as well with other tools like SVN. It's more geared toward Git"
"Sometimes we get a lot of false positives even after configuring our policies, so that could be improved."
"The solution lacks the code snippet part."
"The turnaround time for upgrading databases for this tool as well as the accuracy could be improved."
"They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application."
"The only thing that I don't find support for on Mend Prioritize is C++."
"I would like to see the static analysis included with the open-source version."
"The initial setup could be simplified."
"It should support multiple SBOM formats to be able to integrate with old industry standards."
"WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance."
"We procured around 110 licenses for Web Application Scanning, but we have issues running concurrent scans. I don't currently have the option to trigger scans for all 100-plus websites. The default limit is around 10 conference scans. It's not very scalable, to be honest, because of the limitation that they put on concurrent scans."
"Sometimes the response time is low because the handshake fails, and then you have to re-login and start again."
"There could be better management and faster scanning."
"We receive false positives sometimes when using a solution that could be improved. However, the technical team provides us with the exact explanation why it was giving us that kind of error."
"When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem."
More Qualys Web Application Scanning Pricing and Cost Advice →
Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.
Mend is ranked 4th in Application Security Tools with 13 reviews while Qualys Web Application Scanning is ranked 22nd in Application Security Tools with 5 reviews. Mend is rated 8.2, while Qualys Web Application Scanning is rated 7.6. The top reviewer of Mend writes "Easy to use, great for finding vulnerabilities, and simple to set up". On the other hand, the top reviewer of Qualys Web Application Scanning writes "We like its process of updating signatures, and it's way ahead of its industry peers. ". Mend is most compared with SonarQube, Black Duck, Snyk, Checkmarx and FOSSA, whereas Qualys Web Application Scanning is most compared with OWASP Zap, Tenable.io Web Application Scanning, SonarQube, Fortify WebInspect and GitLab. See our Mend vs. Qualys Web Application Scanning report.
See our list of best Application Security Tools vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
