What is our primary use case?
WhiteSource stood out mainly for the way it approached scanning code. Some of these solutions often send the code somewhere else to be scanned, whereas WhiteSource allows us to scan wherever our tenant is. The reason we chose this solution was to look at the security analysis of these third-party libraries.
What is most valuable?
The way WhiteSource scans the code is great. Being a legal firm, we're a bit more sensitive around our data, and we didn't want that going to different regions. With WhiteSource we can keep our data in the same data sovereignty as it was. That is a big deal for us. In terms of the analysis it can do, it is really useful. This was new to us as an organization, as not only can we find vulnerabilities, but we can also look at the license distribution.
We can understand the open-source licenses, which come with some constraints. That's something we wanted to avoid. Recently, there was a log4j vulnerability that was very prominent in the security community, and we were quickly able to see if we were using it and where. That's the inventory side. It was really useful in that respect.
It’s easy to identify and remediate open source vulnerabilities using this solution. There were a couple of times when something was reported as a vulnerability. When we looked into it a bit more and we talked with the WhiteSource support staff, we found that it was caused by something else. That's pretty rare. Most of the time, it's fairly clear. It says you need to go from one version of the library to another version of the library. It's pretty plain and works well. There have been just a couple of occasions where we needed to dig a little deeper.
Tech support has been very swift and helps us understand false vulnerabilities and they make sure that they don’t happen again in the future. They've got a good support system.
We can detect the vulnerabilities in the SaaS tool itself. We can go to our particular project and see them, or we can see them when we run the code. We can run the tool locally. Even before we scan the code, we can perform a local scan and that's been pretty useful for our developers. It is certainly useful that the vulnerability is displayed both in the WhiteSource platform and our CI/CD tool of choice. We use it as DevOps, and we can see the results with that tool as well. This means that we don't have to use another tool.
WhiteSource helped reduce our mean time to resolution since we adopted the product. More than anything else, it's just shining a light on the work we need to do. We had a lot of legacy code that no one had really explored the software composition analysis on it. The main value is that it showed us what we needed to fix, and with the dashboard security trends feature, we can see over time if we made progress. We had a way to report upward and show our progress. From that respect, it's been very valuable.
The product has helped reduce the number of open-source software vulnerabilities running in our production. It would probably be quite a high number as we didn't really have anything before. I would probably say that we're about 70% through remediating all of the vulnerabilities. This is a good number since nothing existed before.
We've introduced policies as well. If we just rely on good intentions, often people don't follow through. If we have a policy set that makes developers have to stop and fix something, it breaks their workflow in a positive way as it's saying that these are high vulnerabilities. It allows us to set up quite nuanced policies. That has been really useful. Without that, it'd be less effective as a tool.
WhiteSource's portability to integrate with our developers' existing workflows including their IDE, repository, and CI/CD pipelines, is good. It's improving all the time. In terms of integration, it's pretty easy.
What needs improvement?
If I had to choose one area of improvement, it would be to have the support system in one place. At the moment, all matters regarding support run through Salesforce SaaS solutions.
I'm sure there are more improvements that can happen with WhiteSource’s IDE tool, however, it's still useful. We still have an open ticket regarding some slow scans since we have some fairly complex projects that take a long time to scan. That's been the only slightly negative experience with the tool and we work hard to try to fix it.
WhiteSource is working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application. Although we are used to it, when filtering lists, we feel like we are using an application from the 1990s. It's my understanding that they have some improvements coming and I hope to take part in a trial for that.
I've also recently looked at their SaaS tool. I've done a trial with it and at the moment it’s a separate product. I'd like to see all of the products merged into one, so that there would be one place to go for everything and all of the support, FaaS, SCA, and more.
For how long have I used the solution?
We had a trial and then bought the product around 18 months ago.
What do I think about the stability of the solution?
There was a little hiccup with the Azure DevOps extension. Three or four months ago there was a release that caused a problem, and since then they fixed it. At the time, there was a week or so where we had some issues regarding not being able to scan properly, however, that was fixed reasonably swiftly.
What do I think about the scalability of the solution?
Once, we had a very large codebase that took very long to scan, so much so that it climbed out completely. In addition, we have a codebase that we can't scan effectively as it's either too large or there are some subtle mishaps around it. This is an ongoing investigation with the WhiteSource team.
That ticket has been around for quite a while due to the combination of us being a bit slow and the problem being complex. The problem is still not close to being fixed.
We have forty contributing developers. They do not necessarily interact with the product every day, however, that's the licensing we have, and they are a mixture of internal teams and third-party contractors.
How are customer service and support?
Technical support is good. They're very friendly and want to solve your problems. When they don't know enough information, they'll go and find some more technical information from their engineering teams.
The knowledge-based articles are useful. Occasionally, they answer questions that you were going to ask anyway, and that saves some time. Overall, their service is good. They're knowledgeable, friendly, and timely.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
This solution is the first of its kind for us.
As part of our security certification 27001, we looked at going to ISO 27017, and that had a few more constraints around software security analysis, mainly the secure development life cycle. We recognized that it was high time. That was the first catalyst, and then we went through an inspection of various products on the market, and that's what led us to WhiteSource. The fact that Microsoft is a big investor and speaks highly of them made a difference.
How was the initial setup?
I was involved in the initial setup of the solution. I worked with the customer success manager and we got it set up pretty quickly. Then, we had a number of follow-up calls where we asked "Is this set up right?" That was six months down the line. The customer success manager had a few points that he pointed out to us and they were useful.
The SSO integration is normally something that can be tricky, however, it was okay. It worked pretty quickly. Everything went okay.
Once we got the administration set up, we introduced it to the various engineering leads in the company, and then they introduced it to their team. That was a fairly painless process. Everyone was on board with wanting to introduce this product and wanted to reap the benefits.
What's my experience with pricing, setup cost, and licensing?
The pricing is good. One of the differentiators between them and their competitors is how they priced the product. Some companies price per run and some price per developer or per language. One thing that was nice about WhiteSource is that they didn't have that. They have a fixed cost for contributing developers, but the number of languages is irrelevant. The number of runs is irrelevant, and that's great. That way, you've got a fixed cost and you know it's not going to get any bigger if you start doing more work unless you add more developers. The pricing is clear and useful.
Which other solutions did I evaluate?
We didn't do any trials with other products. We mainly researched and understood how the different solutions work.
What other advice do I have?
We do not use the Merge Confidence feature. We also don't use WhiteSource Smart Fix. We might use it in the future, however, it depends on how our teams are doing their co-branching as I would need to give it a try first to see if it works in all scenarios. It's similar to GitHub's Dependabot and it would be interesting to explore.
In terms of using WhiteSource products in conjunction with their SCA product, we've just signed an order on their FaaS one. That will add forty contributing developers. I did a trial with it and I'm looking forward to using that. The FaaS is very timely. We used a tool that Microsoft deprecated, and we were without a SaaS solution, and even the solution we had with Microsoft wasn't really the best one. It was great that this came along at the right time. While we could have gone to another manufacturer for that, it made sense to stick with WhiteSource due to the promise of that integration with SCA and SaaS.
I have not looked at the IAC, or the infrastructure as a code. I suspect it may not cover our use case. We use Bicep, so we do not use Terraform or anything similar. From what I've seen on the market, very few support Bicep at the moment, and Bicep is Microsoft's more elaborate version of their arm templates. It's fairly new. That's why there are not many products on the market. However, if this was something they were to support, I’d be interested.
I'd rate the solution seven out of ten. I know there are more improvements coming, however, there are more improvements needed in terms of the usability of the product. Even items like a mobile-friendly version of it. At the moment it's a fairly old-fashioned website that doesn't work well on other devices and it's generally a bit clunky to use. That said, in terms of reporting vulnerabilities, it's very good.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.