What is our primary use case?
We have quite a bit of open-source in our various products and what we went to Mend (formerly WhiteSource) for was to help us with OSS visibility and OSS governance. First, it's able to discover with a very good degree of accuracy what OSS we have in our products. Second, if any of the versions of that OSS are either out of date or have open security CVEs against them, the product will surface that and it will enable us to do remediation and track trends over time.
How has it helped my organization?
A lot of these functions are development muscles that need to be baked into the actual SDLC process. We can put this on our pipelines and ensure that all builds go through it. If anything is introduced, the central team is aware and we can go back to the product teams and hold them accountable to make sure they remove it. If there are areas that they're not considering in their plan and we see multiple releases go out and the numbers don't move in terms of potential vulnerabilities, we can go back to them and strongly encourage them to adjust their roadmaps and take security more seriously. It helps our organization improve as it makes those issues transparent.
What is most valuable?
Finding vulnerabilities is pretty easy. Mend (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Governance up until that time had been manual and when we tried to do manual governance of a large codebase, our chances of success were pretty minimal. Mend (formerly WhiteSource) does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical, high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release. We use Mend (formerly WhiteSource) Smart Fix. I'd say pretty much everything in Mend (formerly WhiteSource) is easy to use. We really don't have too much difficulty using the product at all. I've implemented other scanners and tools and had much more trouble with those products than we've ever had with Mend (formerly WhiteSource). That's extremely important. It's hard to sell to some of these teams to put any level of overhead on top of their product development efforts and the fact that Mend (formerly WhiteSource) is as easy as it is to use is a critical aspect of adoption here. It scores very highly on that scale. Mend (formerly WhiteSource) Smart Fix helps our developers fix vulnerable transitive dependencies. It's all very helpful to our development community. First of all, we're able to find that there are issues. Second of all, we're able to figure out very quickly what needs to be done to remediate the issues. Mend (formerly WhiteSource) helped reduce our mean time to resolution since adopting it. A lot of it is process improvement and technical aspects that can tell us how to go about remediating the issues. We get that out of Mend (formerly WhiteSource). Making the developers aware that these issues are there and insisting they be corrected and making the effort to do that visibly is very valuable to us.
Overall, Mend (formerly WhiteSource) helped dramatically reduce the number of open-source software vulnerabilities running in our production at any given point in time. I won't give metrics, however, it's fair to say that our state before and after Mend (formerly WhiteSource) is dramatically different and moved in a positive direction. Mend's ability to integrate with our developers' existing workflows, including their IDE, repository, and CI, is good. Azure DevOps is really important. That's what the pipelines are. That's a very important piece of the entire puzzle. If this was just an external scanner where periodically we'd go through and scan our repos and give them a report, we'd do that with pen testing products, for example, for security testing. The problem is, by the time they get those reports, they've already shipped the code to multiple environments and it's too late to stop the train. With these features being baked into the pipelines like this, they know immediately. As a result, we're able to quickly take action to remediate findings.
What needs improvement?
At times, the latency of getting items out of the findings after they're remediated is higher than it should be.
For how long have I used the solution?
I've been using the solution for about four years.
What do I think about the stability of the solution?
It's been completely stable since we put it in place. I really have never had a problem with them in terms of throughput and I'm not getting complaints from other teams.
What do I think about the scalability of the solution?
With the exception of license capacity, which arguably is a point of negotiation, it's scalable. It's very scalable performance-wise. I don't know how many lines of code we had when we started, however, we easily have three times the code in this division than we had when we put this in place. I haven't had a meaningful amount of slowdown even given all that increase in capacity.
How are customer service and support?
Technical support is absolutely stellar. They meet with us regularly. I do get complaints about some of my other scanning tools, but I don't get complaints about Mend (formerly WhiteSource) most of the time. When there are complaints, we go back to technical support and we discover that usually, it's our fault in one way or the other. They're pretty good at telling us what we did. There have been a few times that we asked questions and had a little bit of latency, however, their technical support is very good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
When we bought Mend (formerly WhiteSource), we did a POC of several competing products. We compared Mend (formerly WhiteSource), Black Duck, and a few other solutions that weren't nearly as good as those two products. Those two are the main competitors in this space. We felt Mend (formerly WhiteSource) was easier to use and we also felt that Black Duck found a few issues that Mend (formerly WhiteSource) wouldn't. Overall, it was much harder to use and we found more false positives in Black Duck. Mend (formerly WhiteSource) is more accurate and it also is easier to use. The status reporting in it is really solid. Particularly, there's some legal guidance here in terms of what licenses we can use and what we can't and Mend (formerly WhiteSource) is really good at finding license types we don't want.
How was the initial setup?
We set the solution up and enabled it. We had everything running pretty quickly. This is not a difficult product to implement. Some of the competing products are harder to implement. I was involved in the selection of the solution and I supervised the people who installed it. I didn't personally sit down at the keyboard and do it myself. That said, it was simple to set up. A single person set it up. The contractor who did it worked for me and I was in very close contact with him the entire time, both through the POC effort and the actual turning it on after we had a license. At no time did we struggle enough that we needed to delay the project. It went very well. There are more people than that involved in using the solution. I have a security hardening program and this is one of their core tools. The technical program manager who runs that for me uses the dashboards out of Mend (formerly WhiteSource) and a few other tools as his core information collection system. We have all the technical team leads and each is responsible for their own code. We don't go in there independently and update their code. We hold them to account for the metrics that come out of their code. That's what my team does. We've actually brought it in to support mobile development. Open-source is fundamental in mobile and we had a lot of it. That was where we were initially trying to get everything going as well as they needed to. We also have a bunch of web application development here. Our ecosystem is both web and mobile. We also have backend web services that are written in. I have teams running in .NET. Most of our teams are .NET, however, we also have code in Java and we're scanning all of that with Mend (formerly WhiteSource) to find OSS components and evaluate security. The solution recently required maintenance. They did an upgrade which changed our numbers a little bit as they changed the way they do evaluations. 
With that one exception, which was more or less transparent, they got most of the projects the first time through. The assisted migration they did on the back end didn't work correctly and we had to go back to them and have them do some additional work. With that one exception, we haven't had to do any serious maintenance on it in quite a long time. The maintenance we did was related to an internal change they made inside the product and we had to upgrade some items.
What was our ROI?
The return on investment is there. They need to realize that there are other competitors in the space. GitHub now has GitHub Advanced Security, for example. They don't yet have parity with Mend (formerly WhiteSource), however, they're getting close. Within six months to a year, they'll be there. Their pricing is also quite a bit less. At some point, Mend (formerly WhiteSource) is going to have a pricing problem. We've seen ROI in terms of the removal of manual processes and accelerated delivery. We were spending a lot of time having to try and track OSS libraries manually. That was frankly a hopeless exercise. In that sense, removing that bureaucracy removed costs from our organization and sped up delivery. There's also a risk avoidance aspect to Mend (formerly WhiteSource). If there are CVEs against any of these components that we don't know about, it's very hard with manual records to go back and guarantee that all these components are clean. We needed a powerful tool to do it and so the risk avoidance definitely does reduce our costs simply in terms of compliance.
What's my experience with pricing, setup cost, and licensing?
In terms of pricing, I'm not so happy. First of all, some of it is our fault. We were scanning more than our license allowed for and we had to true up. However, the pricing was a little bit aggressive, and to have something like that come out of the sky, admittedly, was our fault as we went over the number of lines of code we were scanning. That said, pricing could be improved. Honestly, it's a SaaS. I understand they need to make money, however, there's a point beyond which they're taking quite a bite out of my development budget.
What other advice do I have?
We use their Cloud SaaS version. We do not use the Merge Confidence feature. That's not how we interact with the product. We also do not use other Mend (formerly WhiteSource) products in conjunction with SCA products. We only use the OSS scanning capabilities. I'd rate the solution a nine out of ten. I would advise others to look at the industry and try competing products. All of them were very willing to let us do a POC. We had five that we evaluated, three of them immediately fell off and it really was down to a horse race between Black Duck and Mend (formerly WhiteSource). At that time, GitHub Advanced Security was not available. If it had been available, we would've put that in the evaluation also. If I did the same evaluation today, I still think Mend (formerly WhiteSource) would win. However, it might be a tough call. If any organization is doing serious development or is trying to do OSS governance manually and does not have a tool like this, they're being very foolish, and at some point in time will be exposed to both security problems and potentially licensing problems depending on their retail model. I feel very strongly that automated OSS governance is absolutely necessary. I consider automated OSS governance absolutely essential in a serious dev shop. At some point, teams trying to do this manually will be exposed to security and compliance problems if they don't have a tool like this. I consider Mend (formerly WhiteSource) to be one of the very best and a strong competitor, really for any shop.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.