We performed a comparison between Mend and Veracode based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison results: Based on the parameters we compared, Mend comes out ahead of Veracode. While both solutions offer fast vulnerability resolution, Veracode’s higher licensing cost and slower technical support leave room for improvement.
"The vulnerability analysis is the best aspect of the solution."
"The solution is scalable."
"The most valuable features are the reporting, customizing libraries ('In-house', 'White list', license selection), comparing the products/projects, and License & Copyright resolution."
"WhiteSource helped reduce our mean time to resolution since the adoption of the product."
"Mend has reduced our open-source software vulnerabilities and helped us remediate issues quickly. My company's policy is to ensure that vulnerabilities are fixed before it gets to production."
"Our dev team uses the fix suggestions feature to quickly find the best path for remediation."
"With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions."
"There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it."
"What I found most valuable in Veracode is that it gives me a part-by-part report of the entire EAR file and lets me set up the application for a limited time. Once that expires, Veracode allows you to automatically renew it, which is one of the features I find remarkable in Veracode."
"We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle."
"Veracode has good support for microservices, and I also like the sandbox environment. For example, when introducing a new component, we can scan it in a sandbox environment. It will not impact the main environment. When our team fixes it, they can push it to the production environment when the results are acceptable."
"It gives me an idea about the most important vulnerabilities and fast remediation tips."
"It's not "one policy fits all." I really like that Veracode allows me to set up specific policies that I can apply to applications."
"I can have quick results by just uploading compiled components."
"It eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code bundle over to Veracode, which automatically kicks off the static analysis. It sends an email when it's done, and we look at the report."
"The findings of their security analysis are wonderful. You can easily go through all the analyses done by Veracode. You can see what are the flaws and what could be the best possible resolution to minimize those flaws in the application. When an application is being used by the public, security is a challenge. Veracode helps us to analyze all the security flaws, discrepancies, and vulnerabilities inside the application. It provides good reports."
"If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation."
"It should support multiple SBOM formats to be able to integrate with old industry standards."
"The dashboard UI and UX are problematic."
"The UI is not that friendly and you need to learn how to navigate easily."
"We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. We should be able to integrate it with ID and Shift Left so that the developers are able to see the scan results without waiting for the build to fail."
"At times, the latency of getting items out of the findings after they're remediated is higher than it should be."
"They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application."
"It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools. Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process."
"I'd like to see more development tools and platforms integrated together with Veracode to amplify the solution's effectiveness."
"The user interface could be more sleek. Some scanning requirements aren't flexible. Some features take some time for new users to understand (like what exactly "modules" are)."
"I would like Veracode to also have the ability to fix these flaws in a future release."
"Maybe the pipeline scanning doesn't support enough languages. It might only support Java and Python only, so that could be improved."
"I would like to see these features: entering comments for internal tracking; entering a priority; reports that show the above."
"The pricing for qualified startups such as Neo4j could be improved."
"Veracode Static Analysis lacks penetration testing, so that's a concern. The tool is also unable to scan when it's a C or C++ model, so that's another area for improvement."
"I would like to see more technical support for some of the connectors, some more detailed diagrams or run-books on how to install some of the stuff; more hand-holding in the sense of understanding our environment."
Mend.io is ranked 5th in Application Security Tools with 29 reviews while Veracode is ranked 2nd in Application Security Tools with 194 reviews. Mend.io is rated 8.4, while Veracode is rated 8.2. The top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". Mend.io is most compared with SonarQube, Black Duck, Snyk, Checkmarx One and JFrog Xray, whereas Veracode is most compared with SonarQube, Checkmarx One, Snyk, Fortify on Demand and GitLab.