Mend.io Reviews

Name: Mend.io
Brand: Mend.io
Rating: 4 (29 reviews)

Vendor: Mend.io

4.2 out of 5

29 reviews
96% willing to recommend

769 followers

Post review

What is Mend.io?

Mend.io is a software composition analysis tool that secures what developers create. The solution provides an automated reduction of the software attack surface, reduces developer burdens, and accelerates app delivery. Mend.io provides open-source analysis with its in-house and other multiple sources of software vulnerabilities. In addition, the solution offers license and policy violation alerts, has great pipeline integration, and, since it is a SaaS (software as a service), it doesn’t require you to physically maintain servers or data centers for any implementation. Not only does Mend.io reduce enterprise application security risk, it also helps developers meet deadlines faster.

Get the Mend.io Buyer's Guide and find out what your peers are saying about Mend.io, SonarQube, Veracode and more!

Mend.io is the #1 ranked solution in top Software Supply Chain Security solutions, #4 ranked solution in top Software Composition Analysis (SCA) solutions, #4 ranked solution in top Static Code Analysis solutions, and #13 ranked solution in application security solutions. PeerSpot users give Mend.io an average rating of 8.4 out of 10. Mend.io is most commonly compared to SonarQube: Mend.io vs SonarQube. Mend.io is popular among the large enterprise segment, accounting for 68% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 18% of all views.

Helped 793,295 peers since 2012

Featured reviews

Jeffrey Harker

System Manager of Cloud Engineering at Common Spirit

Finding vulnerabilities is pretty easy. Mend (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Governance up until that time had been manual and when we tried to do manual governance of a large codebase, our chances of success were pretty minimal. Mend (formerly WhiteSource) does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release. We use Mend (formerly WhiteSource) Smart Fix. I’d say pretty much everything in Mend (formerly WhiteSource) is easy to use. We really don't have too much difficulty using the product at all. I've implemented other scanners and tools and had much more trouble with those products than we've ever had with Mend (formerly WhiteSource). That’s extremely important. It's hard to sell to some of these teams to put any level of overhead on top of their product development efforts and the fact that Mend (formerly WhiteSource) is as easy as it is to use is a critical aspect of adoption here. It scores very highly on that scale. Mend (formerly WhiteSource) Smart Fix helps our developers fix vulnerable transitive dependencies. It's all very helpful to our development community. First of all, we're able to find that there are issues. Second of all, we're able to figure out very quickly what needs to be done to remediate the issues. Mend (formerly WhiteSource) helped reduce our mean time to resolution since adopting it. A lot of it is process improvement and technical aspects that can tell us how to go about remediating the issues. We get that out of Mend (formerly WhiteSource). Making the developers aware that these issues are there and insisting they be corrected and making the effort to do that visibly is very valuable to us. Overall, Mend (formerly WhiteSource) helped dramatically reduce the number of open-source software vulnerabilities running in our production at any given point in time. I won't give metrics, however, it's fair to say that our state before and after Mend (formerly WhiteSource) is dramatically different and moved in a positive direction. Mend's ability to integrate our developer's existing workflows, including their IDE repository and CI is good. Azure DevOps is really important. That's what the pipelines are. That's a very important piece of the entire puzzle. If this was just an external scanner where periodically we'd go through and scan our repos and give them a report, we’d do that with pen testing products, for example, for security testing. The problem is, by the time they get those reports, they've already shipped the code to multiple environments and it's too late to stop the train. With these features being baked into the pipelines like this, they know immediately. As a result, we're able to quickly take action to remediate findings.

Read full review

Kevin Dsouza

Intramural OfficialIntramural at Northeastern University

All applications in the world that are created have room for improvement. Within Mend itself, there’s Mend Prioritize, which prioritizes the vulnerability automatically by itself with relevance to our application. Mend Prioritize has support for five or six languages right now, including JavaScript, C, and C#. The only thing that I don't find support for on Mend Prioritize is C++, which they'll be working on since the product is under development. Once that's done, we can also add it into Mend Prioritize for our weekly scans, which will help us with our analysis and efforts for remediation. It's everything we need right now. There's nothing as such that’s out of the world that they should do. We use it just for one thing and focus on that. Therefore, they should not do anything else. We're fine with it as it is.

Read full review

Shashidhar Gowda

Program and Portfolio Management at Acceldata

We did not have much security compliance implemented in our solutions. Whatever we did, we had to use the AWS built-in OWASP scanning, and we had to manually find out the versions of the open sources that fixed the issues of vulnerability. We then had to make sure that that updated version is sent in and code merged for a test. We found sometimes it took a lot of research to make sure that the version that we are upgrading to did fix the issue, et cetera. However, this is all manual research and is dependent on the knowledge of the developer or the engineer who did this work. It took time and did not ensure a high percentage of security compliance. With WhiteSource in place, we are going to be able to do the whole process automatically and it will be confident that we removed the vulnerabilities and license violations. We are saving time that we spent on resources because we no longer have to do it manually. We will now have confidence that there are not many errors made. We are able to do much more vulnerability fixing than we did manually, there are cost-savings, and less work involved.

Read full review

Mend.io mindshare

Product category:

As of July 2024, the mindshare of Mend.io in the Software Composition Analysis (SCA) category stands at 7.1%, down from 9.9% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Software Composition Analysis (SCA)

Key learnings from peers

Valuable Features

M.io is valued for its ease of setup and integration with Git providers and IDEs. Its command line tool and plug-ins automate scans and allow for continuous integration. Mend.io's ability to identify and remediate open-source vulnerabilities and its integration with developer workflows are highly appreciated. Mend.io's UI and scanning for security threats fit well into workflows, making it valuable to Intellectual Property Councils. Its vulnerability analysis and license distribution analysis are useful features for legal firms. Mend.io's Smart Fix helps developers fix vulnerable transitive dependencies and reduces mean time to resolution. Its ability to integrate with existing workflows, including IDEs, repositories, and CI/CD pipelines, is good. The dashboard view and the management view are also highly valued. Overall, Mend.io helps reduce the number of open-source software vulnerabilities running in production and streamlines around 60% of the software development life cycle via automation, while the remaining 40% requires human intervention.

"The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions."
"What is very nice is that the product is very easy to set up. When you want to implement Mend.io, it just takes a few minutes to create your organization, create your products, and scan them. It's really convenient to have Mend scanning your products in less than one hour."
"There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it."

Room for Improvement

Improvements needed on Mend.io include better reporting with customizable reports, implementing a version number between product and projects, improving the UI, adding preconfigured policies, reducing visibility on the dashboard, supporting more package managers, improving automation to human involvement ratio, improving user management, adding support for C++ in Mend Prioritize, having a central support system, improving latency for remediated findings, changing the pricing model, supporting multiple SBOM formats, having builds fail if important vulnerabilities are found, improving database upgrading turnaround time and accuracy, including static analysis in the open-source version, providing on-premises service, simplifying the initial setup, and adding a code snippet part.

"I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant."
"On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization."
"Mend lets you create custom policies. They're not too complicated to set up, but it would be helpful if they had some preconfigured policies to match what we have in Azure DevOps. That would save us a lot of time. It's tedious to configure the policies manually, and I lack the capacity to do it right now. Other products have preconfigured packs and templates, and Mend doesn't."

ROI

Mend.io has resulted in various returns on investment for different companies. One company is saving 15 percent of their time and achieving a big financial gain, while also delivering safer products for their customers. Another company has seen an improvement in code quality and incident reaction. Some companies have seen a terrific ROI and rate the solution highly. However, there are also competitors in the space, and pricing may become a problem for Mend.io in the future. Additionally, the tool helps remove manual processes, which speeds up delivery and reduces costs in terms of compliance and risk avoidance. Overall, companies have seen a return on investment and expect to see it increase in the future through new sales and cross-sales.

Pricing

Mend.io's pricing is seen as high by some, but others find it comparable to other tools or negotiable. Some customers feel that they are getting good value for what they pay, while others feel that the pricing could be improved. The licensing model for Mend.io requires a minimum of 20 developers.

"It is fairly priced."
"Over the last two years, they have tried to add more and more features to their license packages, but the price is a little bit high, comparatively."
"Mend is costly but not overly expensive. The license was quite expensive this year, but we managed to negotiate the price down to the same as last year. At the same time, it's a good value. We're getting what we're paying for and still not using all the features. We could probably get more out of the tool and make it more valuable. At the moment, we don't have the capacity to do that."

Popular Use Cases

Mend is primarily used for detecting and fixing vulnerabilities in products and delivering security reports during product releases. It covers license usage, license type, and CVE vulnerabilities. Mend is deployed on the AWS cloud and has multi-region enabled. It is used to automate software composition analysis, particularly for third-party and open-source software. Mend is also used for code analysis and management of open-source associated risks. It allows for scanning open-source libraries and checking for vulnerabilities and open-source licenses. Policies can be set to disallow risky open sources from being used in solutions. Mend's deployment is hybrid, with scans on-premise and the knowledge base on the cloud.

Service and Support

Customers generally have positive feedback about Mend's customer service and support. They highlight the efficiency, responsiveness, and knowledgeability of the support team. Some customers also appreciate the option of having a dedicated customer support manager. However, some customers note that there may be room for improvement in terms of customer-friendliness and pricing compared to other solutions. Overall, customers rate Mend's support between seven and nine out of ten.

Deployment

The initial setup for Mend.io was generally straightforward and easy, with some minor configuration needed to meet specific company requirements. Deployment and maintenance are low, with only a few key staff involved in the process. Implementation takes a few days, with minimal maintenance needed afterward. Overall, it was considered a simple and efficient process.

Scalability

The Mend.io solution is highly scalable, with users from multiple departments and locations, and the ability to handle increased usage without performance issues. One user had some difficulties with a large codebase but is working with the vendor to resolve the issue. The solution is used by a range of organizations, from those with only a few users to those with hundreds. Scalability is crucial for this type of software and is a prerequisite for a SaaS-based solution.

Stability

Overall, Mend.io is considered to be a highly stable solution with very few reported issues or downtime. While there have been a few minor hiccups in the past, these were swiftly resolved and did not impact the overall stability of the product. Users rate the stability of Mend.io very highly and consider it to be a dependable and reliable solution. Additionally, the solution is also scalable, meaning it can adapt to meet the changing needs of users over time.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Mend.io Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Financial Services Firm

18%

Computer Software Company

17%

Manufacturing Company

11%

Insurance Company

Energy/Utilities Company

Healthcare Company

Educational Organization

Retailer

Government

Comms Service Provider

Real Estate/Law Firm

Construction Company

University

Media Company

Legal Firm

Non Profit

Wholesaler/Distributor

Transportation Company

Recreational Facilities/Services Company

Pharma/Biotech Company

Outsourcing Company

Consumer Goods Company

Hospitality Company

Logistics Company

Engineering Company

Performing Arts

Aerospace/Defense Firm

Compare Mend.io with alternative products

Learn more about Mend.io

Mend.io Features

Mend.io has many valuable key features. Some of the most useful ones include:

Vulnerability analysis
Automated remediation
Seamless integration
Business prioritization
Limitless scalability
Intuitive interface
Language support
Integration
Continuous monitoring
Remediation suggestions
Customization

Mend.io Benefits

There are many benefits to implementing Mend.io. Some of the biggest advantages the solution offers include:

Easy to use: The Mend.io platform is very user-friendly and easy to set up.

Third-party libraries: The solution eases the process of keeping track of all the used third-party dependencies within a product. It not only scans for the pure occurrence (also transitively) but also takes care of licenses and vulnerabilities.

Static code analysis: With Mend.io’s static code analysis, you can quickly identify security weaknesses in custom code across desktop, web, and mobile applications.

Broad support: Mend.io provides 27 different programming languages and various programming frameworks.

Easy integration: Mend.io makes integration very easy with existing DevOps environments and CI/CD pipelines so developers don’t need to manually configure or trigger the scan.

Ultra-fast scanning engine: The solution’s scanning engine generates results up to ten times faster than legacy SAST solutions.

Unified developer experience: Mend.io has a unified developer experience inside the code repository that shows side-by-side security alerts and remediation suggestions for custom code and open-source code.

Reviews from Real Users

Below are some reviews and helpful feedback written by PeerSpot users currently using the Mend.io solution.

Jeffrey H., System Manager of Cloud Engineering at Common Spirit, says, “Finding vulnerabilities is pretty easy. Mend.io (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Mend.io does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.”

PeerSpot reviewer Ben D., Head of Software Engineering at a legal firm, mentions, “The way WhiteSource scans the code is great. It’s easy to identify and remediate open source vulnerabilities using this solution. WhiteSource helped reduce our mean time to resolution since we adopted the product. In terms of integration, it's pretty easy.”

An IT Service Manager at a wholesaler/distributor comments, “Mend.io provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support.”

Another reviewer, Kevin D., Intramural OfficialIntramural at Northeastern University, states, "The vulnerability analysis is the best aspect of the solution."

Mend.io was previously known as WhiteSource, Mend SCA, Mend.io Supply Chain Defender, Mend SAST.