IT Central Station is now PeerSpot: Here's why

Mend vs Veracode Software Composition Analysis comparison

Cancel
You must select at least 2 products to compare!
Featured Review
Buyer's Guide
Mend vs. Veracode Software Composition Analysis
July 2022
Find out what your peers are saying about Mend vs. Veracode Software Composition Analysis and other solutions. Updated: July 2022.
622,063 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"WhiteSource is unique in the scanning of open-source licenses. Additionally, the vulnerabilities aspect of the solution is a benefit. We don't use WhiteSource in the whole organization, but we use it for some projects. There we receive a sense of the vulnerabilities of the open-source components, which improves our security work. The reports are automated which is useful.""I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow.""WhiteSource helped reduce our mean time to resolution since the adoption of the product.""We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently.""The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine.""Its ease of use and good results are the most valuable.""The solution boasts a broad range of features and covers much of what an ideal SCA tool should.""The dashboard view and the management view are most valuable."

More Mend Pros →

"Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code.""Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us.""For use cases where our company buys a product with the source code, but only the final executables or the binaries, only Veracode is able to work on that type of tool.""We have to look at it from the perspectives of how important it is to fix something and when it should be prioritized for fixing. The JSON output from the agent-based scans gives us the CVS core, and that makes things much easier.""It has given our management a view into issues with all of our product lines. We have three products and all of them were scanned. As a result, the project lead for each product has taken measures to improve things.""It is a good product for creating secure software. The static code analysis is pretty good and useful.""There have been a lot of benefits gained from Veracode. Compared to other tools, Veracode has good flexibility with an easy way to run a scan. We get in-depth details on how to fix things and go through the process. They provide good process documents, community, and consultation for any issues that occur during the use of Veracode.""The most valuable feature is the security and vulnerability parts of the solution. It shows medium to high vulnerabilities so we can find them, then upgrade our model before it is too late. It is useful because it automates security. Also, it makes things more efficient. So, there is no need for the security team to scan every time. The application team can update it whenever possible in development."

More Veracode Software Composition Analysis Pros →

Cons
"The initial setup could be simplified.""The turnaround time for upgrading databases for this tool as well as the accuracy could be improved.""WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance.""It should support multiple SBOM formats to be able to integrate with old industry standards.""The solution lacks the code snippet part.""The only thing that I don't find support for on Mend Prioritize is C++.""I would like to see the static analysis included with the open-source version.""They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application."

More Mend Cons →

"The scanning could be improved, because some scans take a bit of time.""Veracode doesn't really help you so much when it comes to fixing things. It is able to find our vulnerabilities but the remediation activities it does provide are not a straight out-of-the-box kind of model. We need to work on remediation and not completely rely on Veracode.""It's problematic if you want to integrate it with your pipelines because the documentation is not so well written and it's full of typos. It is not presented in a structured way. It does not say, "If you want to achieve this particular thing, you have to do steps 1, 2, and 3." Instead, it contains bits of information in different parts, and you have to read everything and then understand the big picture.""From the usability perspective, it is not up to date with the latest trends. It looks very old. Tools such as Datadog, New Relic, or infrastructure security tools, such as AWS Cloud, seem very user-friendly. They are completely web-based, and you can navigate through them pretty quickly, whereas Veracode is very rigid. It is like an old-school enterprise application. It does the job, but they need to invest a little more on the usability front.""The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way.""Improving sorting through findings reports to filter by only what is critically relevant will help developers focus on issues.""The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it.""There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow... Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it."

More Veracode Software Composition Analysis Cons →

Pricing and Cost Advice
  • "The solution involves a yearly licensing fee."
  • "As we were using an SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."
  • "WhiteSource is much more affordable than Veracode."
  • "This is an expensive solution."
  • "When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."
  • "Its pricing model is per developer. It depends on the number of developers in the company. The license is for a minimum of 20 developers. So, even if you are a small startup with less than 10 developers, you have to buy a license for 20 developers on a yearly subscription, which makes it quite expensive for startup customers. I provide consultation to startup accelerators. They're small at the beginning, and only once they grow to 20 developers, they can afford this tool. As a result, WhiteSource is missing this target audience. Their licensing is not flexible."
  • "We always negotiate for the best price possible, and as far as I know, Mend has done an excellent job with their pricing. Our management is happy with the pricing, which has led to renewals."
  • More Mend Pricing and Cost Advice →

  • "The Veracode price model is based on application profiles, which is how you package your components for scanning."
  • "Compared to other similar products, the licensing and pricing are definitely competitive. If you see Checkmarx as the market leader, then we are talking about Veracode being a fraction of the cost. You also have to consider your hidden costs: you need a team to maintain it, a server, and resources. From that point of view, Veracode is great because the cost is really a fraction of many competitors."
  • "It's too expensive for the European market. That is why, in a big bank with 400 applications, we are able to use it only for 10 of them. But the other solutions are also expensive, so it wasn't a differentiator."
  • "It has good, fair licensing. If the price could depend on the scope of its scanning or the languages supported, then that would be better."
  • "Compared to the typical software composition analysis solutions, Veracode is not so costly, although the static analysis part of it is a little costlier."
  • "For enterprises, Veracode has done a fairly good job, but its pricing is not suitable for startups. The microservice distributed architecture for a startup is very small. I had to do a lot of discussions on the pricing initially. I previously worked in an enterprise organization where I used Veracode, and that's how I got to know about Veracode, but that was a big organization with more than a thousand employees. So, the cost is very different for them because the size of the application is different. Its pricing makes sense there, but when we try to onboard this solution for the startup ecosystem, pricing is not friendly. Because I knew the product and I knew its value, I onboarded it, but I don't think any other startup at our scale will onboard it."
  • "For our company, the price is reasonable for the benefits that we get."
  • More Veracode Software Composition Analysis Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
    622,063 professionals have used our research since 2012.
    Questions from the Community
    Top Answer:Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, easy… more »
    Top Answer:We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license… more »
    Top Answer:The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine.
    Top Answer:There have been a lot of benefits gained from Veracode. Compared to other tools, Veracode has good flexibility with an easy way to run a scan. We get in-depth details on how to fix things and go… more »
    Top Answer:Checkmarx is a very good solution and probably a better solution than Veracode, but it costs four times as much as Veracode. You need an entire team to maintain Checkmarx. You also need on-premise… more »
    Top Answer:The scanning could be improved, because some scans take a bit of time. Many developers have commented on the packaging. It is quite different compared to other tools, so the packaging of codes could… more »
    Ranking
    Views
    19,714
    Comparisons
    15,728
    Reviews
    12
    Average Words per Review
    820
    Rating
    7.8
    Views
    4,185
    Comparisons
    2,943
    Reviews
    10
    Average Words per Review
    1,563
    Rating
    8.2
    Comparisons
    Also Known As
    WhiteSource
    Veracode SCA, SourceClear
    Learn More
    Overview

    Mend, formerly known as WhiteSource, effortlessly secures what developers create. Mend uniquely removes the burden of application security, allowing development teams to deliver quality, secure code faster. With a proven track record of successfully meeting complex and large-scale application security needs, the world’s most demanding software developers rely on Mend. The company has more than 1,000 customers, including 25 percent of the Fortune 100, and manages Renovate, the open source automated dependency update project. For more information, visit www.mend.io.

    Veracode Software Composition detects open source vulnerabilities in the software development process with higher accuracy. Veracode SCA reduces false positives by prioritizing vulnerabilities in the execution path of the application. Its proprietary database contains significantly more vulnerabilities than the NVD because it datamines pull requests, bug reports, and release notes. It also looks for vulnerabilities in dependencies several layers deep. Veracode SCA is part of a comprehensive DevSecOps solution that covers multiple assessment types, enables developers, and helps organizations achieve AppSec governance.

    Offer
    Learn more about Mend
    Learn more about Veracode Software Composition Analysis
    Sample Customers
    Microsoft, Autodesk, NCR, Forgerock, The Home Depot, Bosch, IBM, GE digital, KPMG, LivePerson, Jack Henry and Associates
    Blue Prism, Advantasure, Automation Anywhere, Cox Automotive
    Top Industries
    REVIEWERS
    Computer Software Company29%
    Financial Services Firm12%
    Energy/Utilities Company6%
    Wholesaler/Distributor6%
    VISITORS READING REVIEWS
    Computer Software Company31%
    Comms Service Provider15%
    Financial Services Firm8%
    Manufacturing Company6%
    REVIEWERS
    Computer Software Company40%
    Comms Service Provider10%
    Non Profit10%
    Financial Services Firm10%
    VISITORS READING REVIEWS
    Computer Software Company30%
    Financial Services Firm13%
    Comms Service Provider10%
    Insurance Company6%
    Company Size
    REVIEWERS
    Small Business29%
    Midsize Enterprise8%
    Large Enterprise63%
    VISITORS READING REVIEWS
    Small Business18%
    Midsize Enterprise15%
    Large Enterprise66%
    REVIEWERS
    Small Business44%
    Midsize Enterprise19%
    Large Enterprise38%
    VISITORS READING REVIEWS
    Small Business16%
    Midsize Enterprise17%
    Large Enterprise67%
    Buyer's Guide
    Mend vs. Veracode Software Composition Analysis
    July 2022
    Find out what your peers are saying about Mend vs. Veracode Software Composition Analysis and other solutions. Updated: July 2022.
    622,063 professionals have used our research since 2012.

    Mend is ranked 3rd in Software Composition Analysis (SCA) with 13 reviews while Veracode Software Composition Analysis is ranked 5th in Software Composition Analysis (SCA) with 10 reviews. Mend is rated 8.0, while Veracode Software Composition Analysis is rated 8.2. The top reviewer of Mend writes "Easy to use, great for finding vulnerabilities, and simple to set up". On the other hand, the top reviewer of Veracode Software Composition Analysis writes "The scanning process helps to significantly improve our standards and best practices". Mend is most compared with SonarQube, Black Duck, Snyk, Veracode and Micro Focus Fortify on Demand, whereas Veracode Software Composition Analysis is most compared with Black Duck, Snyk, JFrog Xray, Sonatype Nexus Lifecycle and Fortify Static Code Analyzer. See our Mend vs. Veracode Software Composition Analysis report.

    See our list of best Software Composition Analysis (SCA) vendors.

    We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.