Mend Overview

Mend is the #3 ranked solution in top Software Composition Analysis (SCA) tools and the #6 ranked solution in application security solutions. PeerSpot users give Mend an average rating of 7.8 out of 10. Mend is most commonly compared to SonarQube: Mend vs SonarQube. Mend is popular among the large enterprise segment, accounting for 68% of users researching this solution on PeerSpot. The top industry researching this solution is computer software companies, accounting for 24% of all views.
Mend Buyer's Guide

Download the Mend Buyer's Guide including reviews and more. Updated: January 2023

What is Mend?

Mend is a software composition analysis tool that secures what developers create. The solution automatically reduces the software attack surface, reduces developer burden, and accelerates application delivery. Mend analyzes open-source components against its own in-house vulnerability database as well as multiple external vulnerability sources. In addition, the solution alerts on license and policy violations, integrates well with pipelines, and, since it is delivered as SaaS (software as a service), it does not require you to maintain servers or data centers for any implementation. Not only does Mend reduce enterprise application security risk, it also helps developers meet deadlines faster.

Mend Features

Mend has many valuable key features. Some of the most useful ones include:

  • Vulnerability analysis
  • Automated remediation
  • Seamless integration
  • Business prioritization
  • Limitless scalability
  • Intuitive interface
  • Language support
  • Integration
  • Continuous monitoring
  • Remediation suggestions
  • Customization

Mend Benefits

There are many benefits to implementing Mend. Some of the biggest advantages the solution offers include:

  • Easy to use: The Mend platform is very user friendly and easy to set up.
  • Third-party libraries: The solution eases the process of keeping track of all the used third-party dependencies within a product. It not only scans for the pure occurrence (also transitively) but also takes care of licenses and vulnerabilities.
  • Static code analysis: With Mend’s static code analysis, you can quickly identify security weaknesses in custom code across desktop, web, and mobile applications.
  • Broad support: Mend provides 27 different programming languages and various programming frameworks.
  • Easy integration: Mend makes integration very easy with existing DevOps environments and CI/CD pipelines so developers don’t need to manually configure or trigger the scan.
  • Ultra-fast scanning engine: The solution’s scanning engine generates results up to ten times faster than legacy SAST solutions.
  • Unified developer experience: Mend has a unified developer experience inside the code repository that shows side-by-side security alerts and remediation suggestions for custom code and open-source code.

Reviews from Real Users

Below are some reviews and helpful feedback written by PeerSpot users currently using the Mend solution.

Jeffrey H., System Manager of Cloud Engineering at Common Spirit, says, “Finding vulnerabilities is pretty easy. Mend (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Mend does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.”

PeerSpot reviewer Ben D., Head of Software Engineering at a legal firm, mentions, “The way WhiteSource scans the code is great. It’s easy to identify and remediate open source vulnerabilities using this solution. WhiteSource helped reduce our mean time to resolution since we adopted the product. In terms of integration, it's pretty easy.”

An IT Service Manager at a wholesaler/distributor comments, “Mend provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support.”

Another reviewer, Kevin D., Intramural Official at Northeastern University, states, "The vulnerability analysis is the best aspect of the solution."

Mend was previously known as WhiteSource.

Mend Customers

Microsoft, Autodesk, NCR, Forgerock, The Home Depot, Bosch, IBM, GE digital, KPMG, LivePerson, Jack Henry and Associates


Mend Pricing Advice

What users are saying about Mend pricing:
  • "We always negotiate for the best price possible, and as far as I know, Mend has done an excellent job with their pricing. Our management is happy with the pricing, which has led to renewals."
  • "When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."
  • "Pricing and licensing are comparable to other tools. When we started, it was less than our existing solution. I can't go into specifics, but it isn't cheap."
  • "Its pricing model is per developer. It depends on the number of developers in the company. The license is for a minimum of 20 developers. So, even if you are a small startup with fewer than 10 developers, you have to buy a license for 20 developers on a yearly subscription, which makes it quite expensive for startup customers. I provide consultation to startup accelerators. They're small at the beginning, and only once they grow to 20 developers can they afford this tool. As a result, WhiteSource is missing this target audience. Their licensing is not flexible."
  • "As we were using a SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."

Mend Reviews

    Jeffrey Harker - PeerSpot reviewer
    System Manager of Cloud Engineering at Common Spirit
    Real User
    Easy to use, great for finding vulnerabilities, and simple to set up
    Pros and Cons
    • "We set the solution up and enabled it and we had everything running pretty quickly."
    • "At times, the latency of getting items out of the findings after they're remediated is higher than it should be."

    What is our primary use case?

    We have quite a bit of open-source in our various products and what we went to Mend (formerly WhiteSource) for was to help us with OSS visibility and OSS governance. 

    First, it's able to discover with a very good degree of accuracy what OSS we have in our products. Second, if any of the versions of that OSS are either out of date or have open security CVEs against them, the product will surface that and it will enable us to do remediation and track trends over time.

    How has it helped my organization?

    A lot of these functions are development muscles that need to be baked into the actual SDLC process. We can put this on our pipelines and ensure that all builds go through it. If anything is introduced, the central team is aware and we can go back to the product teams and hold them accountable to make sure they remove it. 

    If there are areas that they're not considering in their plan and we see multiple releases go out and the numbers don't move in terms of potential vulnerabilities, we can go back to them and strongly encourage them to adjust their roadmaps and take security more seriously. It helps our organization improve as it makes those issues transparent.

    What is most valuable?

    Finding vulnerabilities is pretty easy. Mend (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Governance up until that time had been manual and when we tried to do manual governance of a large codebase, our chances of success were pretty minimal. Mend (formerly WhiteSource) does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.

    We use Mend (formerly WhiteSource) Smart Fix. I’d say pretty much everything in Mend (formerly WhiteSource) is easy to use. We really don't have too much difficulty using the product at all. I've implemented other scanners and tools and had much more trouble with those products than we've ever had with Mend (formerly WhiteSource). That’s extremely important. It's hard to sell to some of these teams to put any level of overhead on top of their product development efforts and the fact that Mend (formerly WhiteSource) is as easy as it is to use is a critical aspect of adoption here. It scores very highly on that scale.

    Mend (formerly WhiteSource) Smart Fix helps our developers fix vulnerable transitive dependencies. It's all very helpful to our development community. First of all, we're able to find that there are issues. Second of all, we're able to figure out very quickly what needs to be done to remediate the issues. 

    Mend (formerly WhiteSource) helped reduce our mean time to resolution since adopting it. A lot of it is process improvement and technical aspects that can tell us how to go about remediating the issues. We get that out of Mend (formerly WhiteSource). Making the developers aware that these issues are there and insisting they be corrected and making the effort to do that visibly is very valuable to us.

    Overall, Mend (formerly WhiteSource) helped dramatically reduce the number of open-source software vulnerabilities running in our production at any given point in time. I won't give metrics, however, it's fair to say that our state before and after Mend (formerly WhiteSource) is dramatically different and moved in a positive direction.

    Mend's ability to integrate with our developers' existing workflows, including their IDE, repository, and CI, is good. Azure DevOps is really important. That's what the pipelines are. That's a very important piece of the entire puzzle. If this was just an external scanner where periodically we'd go through and scan our repos and give them a report, we'd do that with pen testing products, for example, for security testing. The problem is, by the time they get those reports, they've already shipped the code to multiple environments and it's too late to stop the train. With these features being baked into the pipelines like this, they know immediately. As a result, we're able to quickly take action to remediate findings.

    What needs improvement?

    At times, the latency of getting items out of the findings after they're remediated is higher than it should be.


    For how long have I used the solution?

    I've been using the solution for about four years.

    What do I think about the stability of the solution?

    It's been completely stable since we put it in place. I really have never had a problem with them in terms of throughput and I'm not getting complaints from other teams.

    What do I think about the scalability of the solution?

    With the exception of license capacity, which arguably is a point of negotiation, it's scalable. It's very scalable performance-wise. I don't know how many lines of code we had when we started, however, we easily have three times the code in this division than we had when we put this in place. I haven't had a meaningful amount of slow down even given all that increase in capacity.

    How are customer service and support?

    Technical support is absolutely stellar. They meet with us regularly. I do get complaints about some of my other scanning tools, but I don't get complaints about Mend (formerly WhiteSource) most of the time. When there are complaints, we go back to technical support and we discover that usually, it's our fault in one way or the other. They're pretty good at telling us what we did.

    There's been a few times that we asked questions and had a little bit of latency, however, their technical support is very good.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    When we bought Mend (formerly WhiteSource), we did a POC of several competing products. We compared Mend (formerly WhiteSource), Black Duck, and a few other solutions that weren't nearly as good as those two products. Those two are the main competitors in this space. We felt Mend (formerly WhiteSource) was easier to use and we also felt that Black Duck found a few issues that Mend (formerly WhiteSource) wouldn't. Overall, it was much harder to use and we found more false positives in Black Duck. Mend (formerly WhiteSource) is more accurate and it also is easier to use. The status reporting in it is really solid. Particularly, there's some legal guidance here in terms of what licenses we can use and what we can't and Mend (formerly WhiteSource) is really good at finding license types we don't want.

    How was the initial setup?

    We set the solution up and enabled it. We had everything running pretty quickly. This is not a difficult product to implement. Some of the competing products are harder to implement.

    I was involved in the selection of the solution and I supervised the people who installed it. I didn't personally sit down at the keyboard and do it myself.

    That said, it was simple to set up. A single person set it up. The contractor who did it worked for me and I was in very close contact with him the entire time, both through the POC effort and the actual turning it on after we had a license. At no time did we struggle enough that we needed to delay the project. It went very well.

    There are more people than that involved in using the solution. I have a security hardening program and this is one of their core tools. The technical program manager who runs that for me uses the dashboards out of Mend (formerly WhiteSource) and a few other tools as his core information collection system. We have all the technical team leads and each is responsible for their own code. We don't go in there independently and update their code. We hold them to account for the metrics that come out of their code. That's what my team does.

    We've actually brought it in to support mobile development. Open-source is fundamental in mobile and we had a lot of it. That was where we were initially trying to get everything going as well as they needed to. We also have a bunch of web application development here. Our ecosystem is both web and mobile. We also have backend web services that are written in. I have teams running in .NET. Most of our teams are .NET, however, we also have code in Java and we're scanning all of that with Mend (formerly WhiteSource) to find OSS components and evaluate security.

    The solution recently required maintenance. They did an upgrade which changed our numbers a little bit as they changed the way they do evaluations. With that one exception, which was more or less transparent, they got most of the projects the first time through. The assisted migration they did on the back end didn't work correctly and we had to go back to them and have them do some additional work. With that one exception, we haven't had to do any serious maintenance on it in quite a long time. The maintenance we did was related to an internal change they made inside the product and we had to upgrade some items.

    What was our ROI?

    The return on investment is there. They need to realize that there are other competitors in the space. GitHub now has GitHub Advanced Security, for example. They don't yet have parity with Mend (formerly WhiteSource), however, they're getting close. Within six months to a year, they'll be there. Their pricing is also quite a bit less. At some point, Mend (formerly WhiteSource) is going to have a pricing problem.

    We've seen ROI in terms of the removal of manual processes and accelerated delivery. We were spending a lot of time having to try and track OSS libraries manually. That was frankly a hopeless exercise. In that sense, removing that bureaucracy removed costs from our organization and sped up delivery. 

    There's also a risk avoidance aspect to Mend (formerly WhiteSource). If there are CVEs against any of these components that we don't know about, it's very hard with manual records to go back and guarantee that all these components are clean. We needed a powerful tool to do it and so the risk avoidance definitely does reduce our costs simply in terms of compliance.

    What's my experience with pricing, setup cost, and licensing?

    In terms of pricing, I'm not so happy. First of all, some of it is our fault. We were scanning more than our license allowed for and we had to true up. However, the pricing was a little bit aggressive, and to have something like that come out of the sky, admittedly, was our fault as we went over the number of lines of code we were scanning. That said, pricing could be improved. Honestly, it's a SaaS. I understand they need to make money, however, there's a point beyond which they're taking quite a bite out of my development budget.

    What other advice do I have?

    We use their Cloud SaaS version. We do not use the Merge Confidence feature. That's not how we interact with the product. We also do not use other Mend (formerly WhiteSource) products in conjunction with SCA products. We only use the OSS scanning capabilities.

    I'd rate the solution a nine out of ten. I would advise others to look at the industry and try competing products. All of them were very willing to let us do a POC. We had five that we evaluated, three of them immediately fell off and it really was down to a horse race between Black Duck and Mend (formerly WhiteSource). At that time, GitHub Advanced Security was not available. If it had been available, we would've put that in the evaluation also. If I did the same evaluation today, I still think Mend (formerly WhiteSource) would win. However, it might be a tough call.

    If any organization is doing serious development or is trying to do OSS governance manually and does not have a tool like this, they're being very foolish, and at some point in time they will run into both security problems and potentially licensing problems depending on their retail model. I feel very strongly that automated OSS governance is absolutely necessary.

    I consider automated OSS governance absolutely essential in a serious dev shop. At some point, teams trying to do this manually will be exposed to security and compliance problems if they don't have a tool like this. I consider Mend (formerly WhiteSource) to be one of the very best and a strong competitor, really for any shop.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Ben Dyer - PeerSpot reviewer
    Head of Software Engineering at a legal firm with 1,001-5,000 employees
    Real User
    Top 10
    Good for reporting vulnerabilities and helpful support services but the website is very old fashioned
    Pros and Cons
    • "WhiteSource helped reduce our mean time to resolution since the adoption of the product."
    • "They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application."

    What is our primary use case?

    We are a law firm, however, we do write some of our own software. Sometimes that software is integrated with our systems and sometimes it's bespoke software for clients. We write code with C#, JavaScript, and more, and we use a lot of third-party libraries. We need to check these third-party open-source libraries for vulnerabilities and go through a process of looking at various tools in the market.

    WhiteSource stood out mainly for the way it approached scanning code. Some of these solutions often send the code somewhere else to be scanned, whereas WhiteSource allows us to scan wherever our tenant is. The reason we chose this solution was to look at the security analysis of these third-party libraries.

    What is most valuable?

    The way WhiteSource scans the code is great. Being a legal firm, we're a bit more sensitive around our data, and we didn't want that going to different regions. With WhiteSource we can keep our data in the same data sovereignty as it was. That is a big deal for us. In terms of the analysis it can do, it is really useful. This was new to us as an organization, as not only can we find vulnerabilities, but we can also look at the license distribution.

    We can understand the open-source licenses, which come with some constraints. That's something we wanted to avoid. Recently, there was a log4j vulnerability that was very prominent in the security community, and we were quickly able to see if we were using it and where. That's the inventory side. It was really useful in that respect.

    It’s easy to identify and remediate open source vulnerabilities using this solution. There were a couple of times when something was reported as a vulnerability. When we looked into it a bit more and we talked with the WhiteSource support staff, we found that it was caused by something else. That's pretty rare. Most of the time, it's fairly clear. It says you need to go from one version of the library to another version of the library. It's pretty plain and works well. There have been just a couple of occasions where we needed to dig a little deeper.

    Tech support has been very swift and helps us understand false vulnerabilities and they make sure that they don’t happen again in the future. They've got a good support system.

    We can detect the vulnerabilities in the SaaS tool itself. We can go to our particular project and see them, or we can see them when we run the code. We can run the tool locally. Even before we scan the code, we can perform a local scan and that's been pretty useful for our developers. It is certainly useful that the vulnerability is displayed both in the WhiteSource platform and our CI/CD tool of choice. We use it as DevOps, and we can see the results with that tool as well. This means that we don't have to use another tool.

    WhiteSource helped reduce our mean time to resolution since we adopted the product. More than anything else, it's just shining a light on the work we need to do. We had a lot of legacy code that no one had really explored the software composition analysis on it. The main value is that it showed us what we needed to fix, and with the dashboard security trends feature, we can see over time if we made progress. We had a way to report upward and show our progress. From that respect, it's been very valuable.

    The product has helped reduce the number of open-source software vulnerabilities running in our production. It would probably be quite a high number as we didn't really have anything before. I would probably say that we're about 70% through remediating all of the vulnerabilities. This is a good number since nothing existed before.

    We've introduced policies as well. If we just rely on good intentions, often people don't follow through. If we have a policy set that makes developers have to stop and fix something, it breaks their workflow in a positive way as it's saying that these are high vulnerabilities. It allows us to set up quite nuanced policies. That has been really useful. Without that, it'd be less effective as a tool.

    WhiteSource's portability to integrate with our developers' existing workflows including their IDE, repository, and CI/CD pipelines, is good. It's improving all the time. In terms of integration, it's pretty easy.

    What needs improvement?

    If I had to choose one area of improvement, it would be to have the support system in one place. At the moment, all matters regarding support run through Salesforce SaaS solutions.

    I'm sure there are more improvements that can happen with WhiteSource’s IDE tool, however, it's still useful. We still have an open ticket regarding some slow scans since we have some fairly complex projects that take a long time to scan. That's been the only slightly negative experience with the tool and we work hard to try to fix it.

    WhiteSource is working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application. Although we are used to it, when filtering lists, we feel like we are using an application from the 1990s. It's my understanding that they have some improvements coming and I hope to take part in a trial for that.

    I've also recently looked at their SaaS tool. I've done a trial with it and at the moment it’s a separate product. I'd like to see all of the products merged into one, so that there would be one place to go for everything and all of the support, FaaS, SCA, and more.

    For how long have I used the solution?

    We had a trial and then bought the product around 18 months ago.

    What do I think about the stability of the solution?

    There was a little hiccup with the Azure DevOps extension. Three or four months ago there was a release that caused a problem, and since then they fixed it. At the time, there was a week or so where we had some issues regarding not being able to scan properly, however, that was fixed reasonably swiftly.

    What do I think about the scalability of the solution?

    Once, we had a very large codebase that took very long to scan, so much so that it climbed out completely. In addition, we have a codebase that we can't scan effectively as it's either too large or there are some subtle mishaps around it. This is an ongoing investigation with the WhiteSource team.

    That ticket has been around for quite a while due to the combination of us being a bit slow and the problem being complex. The problem is still not close to being fixed. 

    We have forty contributing developers. They do not necessarily interact with the product every day, however, that's the licensing we have, and they are a mixture of internal teams and third-party contractors.

    How are customer service and support?

    Technical support is good. They're very friendly and want to solve your problems. When they don't know enough information, they'll go and find some more technical information from their engineering teams.

    The knowledge-based articles are useful. Occasionally, they answer questions that you were going to ask anyway, and that saves some time. Overall, their service is good. They're knowledgeable, friendly, and timely.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    This solution is the first of its kind for us.

    As part of our security certification 27001, we looked at going to ISO 27017, and that had a few more constraints around software security analysis, mainly the secure development life cycle. We recognized that it was high time. That was the first catalyst, and then we went through an inspection of various products on the market, and that's what led us to WhiteSource. The fact that Microsoft is a big investor and speaks highly of them made a difference.

    How was the initial setup?

    I was involved in the initial setup of the solution. I worked with the customer success manager and we got it set up pretty quickly. Then, we had a number of follow-up calls where we asked "Is this set up right?" That was six months down the line. The customer success manager had a few points that he pointed out to us and they were useful.

    The SSO integration is normally something that can be tricky, however, it was okay. It worked pretty quickly. Everything went okay.

    Once we got the administration set up, we introduced it to the various engineering leads in the company, and then they introduced it to their team. That was a fairly painless process. Everyone was on board with wanting to introduce this product and wanted to reap the benefits.

    What's my experience with pricing, setup cost, and licensing?

    The pricing is good. One of the differentiators between them and their competitors is how they priced the product. Some companies price per run and some price per developer or per language. One thing that was nice about WhiteSource is that they didn't have that. They have a fixed cost for contributing developers, but the number of languages is irrelevant. The number of runs is irrelevant, and that's great. That way, you've got a fixed cost and you know it's not going to get any bigger if you start doing more work unless you add more developers. The pricing is clear and useful.

    Which other solutions did I evaluate?

    We didn't do any trials with other products. We mainly researched and understood how the different solutions work.

    What other advice do I have?

    We do not use the Merge Confidence feature. We also don't use WhiteSource Smart Fix. We might use it in the future, however, it depends on how our teams are doing their co-branching as I would need to give it a try first to see if it works in all scenarios. It's similar to GitHub's Dependabot and it would be interesting to explore.

    In terms of using WhiteSource products in conjunction with their SCA product, we've just signed an order on their FaaS one. That will add forty contributing developers. I did a trial with it and I'm looking forward to using that. The FaaS is very timely. We used a tool that Microsoft deprecated, and we were without a SaaS solution, and even the solution we had with Microsoft wasn't really the best one. It was great that this came along at the right time. While we could have gone to another manufacturer for that, it made sense to stick with WhiteSource due to the promise of that integration with SCA and SaaS.

    I have not looked at the IAC, or the infrastructure as a code. I suspect it may not cover our use case. We use Bicep, so we do not use Terraform or anything similar. From what I've seen on the market, very few support Bicep at the moment, and Bicep is Microsoft's more elaborate version of their ARM templates. It's fairly new. That's why there are not many products on the market. However, if this was something they were to support, I'd be interested.

    I'd rate the solution seven out of ten. I know there are more improvements coming, however, there are more improvements needed in terms of the usability of the product. Even items like a mobile-friendly version of it. At the moment it's a fairly old-fashioned website that doesn't work well on other devices and it's generally a bit clunky to use. That said, in terms of reporting vulnerabilities, it's very good.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    IT Service Manager at a wholesaler/distributor with 51-200 employees
    Real User
    Top 20
    Provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support
    Pros and Cons
    • "I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow."
    • "We have been looking at how we could improve the automation to human involvement ratio from 60:40 to 70:30, or even potentially 80:20, as there is room for improvement here. We are discussing this internally and with Mend; they are very accommodating to us. We think they openly receive our feedback and do their best to implement our thoughts into the roadmap."

    What is our primary use case?

    We use open-source libraries or software in projects across our company. We conducted an internal study regarding the legalities, security, vulnerabilities, and license compliance, which is when we decided to implement and deploy Mend. It automates the software composition analysis, which is vital when we want to use third-party and open-source software. 

    We have a total of around 1000 projects running in Mend; some of those are being trialed and may be withdrawn, and others will go on to the production stage. We have between 300 and 400 end users, primarily integrators and fewer admins and approvers.

    How has it helped my organization?

    The tool is now a mandatory part of our organization to use as a benchmark, giving us a technical advantage. When we acquire other companies, we look to determine if Mend is applicable to them and bring them into our culture of using the solution where possible. We can leverage it for financial benefits when implemented and used to scan on the technical front. We consider Mend a permanent integration with our company for the foreseeable future, so we decided to reinvest in the solution by renewing our contract twice up to this point.

    What is most valuable?

    I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow.

    The solution is also highly valuable to our Intellectual Property Councils, because as a company that uses open-source software, we need to be aware of intellectual properties, code violations, and adherence to our regulations when we include such software. There are, of course, areas for improvement, but it has become mandatory within our organization to run scans using Mend as part of our workflows.

    We don't always use WhiteSource SmartFix, and that depends on the recommendations provided by the solution's analysis. On occasion, we have challenged those recommendations, so for us, the software is not entirely a decision-making tool but a tool that assists us in making decisions. Therefore, there is still a human component in the process, and there is always an admin or approver to accept or reject the recommendation. There have been instances where smart fixes were challenged due to a lack of compatibility with project requirements. For example, the solution recommends a version of PostgreSQL, but the decision is made on the product level to go with a different version because it has better integration with the specific product requirements. However, I would say that SmartFix increases our decision-making effectiveness and successfully alerts us. As a leading lighting company, some product decisions must adhere to strict requirements, which require human involvement in the decision-making process.

    Initially, the product didn't save us time but required us to spend more time. Many of our processes require a manual component, so we can't entirely rely on automated processes. Therefore, when we run Mend scans on our projects, around 60% of the software development life cycle is sped up, while the remaining 40% requires human intervention. Per our IP Councils, automation does not help us beyond a certain point, and manual intervention is required. If 60% of a project can be streamlined via automation, that certainly saves us time. 

    I would say that Mend certainly helps us detect and reduce vulnerabilities. We bring in the solution at the very beginning of a project, so we build early and often and detect vulnerabilities early. This is a significant contributor to our projects' success. 

    Integration using the unified agent and other methodologies has been at the forefront of our deployment. The plugins have been merged into the unified agent approach. The integration methodologies have worked wonders for our CI/CD pipelines and workflows, and each project team can decide whether to run scans pre- or post-build.

    What needs improvement?

    We have been looking at how we could improve the automation to human involvement ratio from 60:40 to 70:30, or even potentially 80:20, as there is room for improvement here. We are discussing this internally and with Mend; they are very accommodating to us. We think they openly receive our feedback and do their best to implement our thoughts into the roadmap.

    I consider scan reports to be another area for improvement, but this is also an area of improvement for user management on our end. We need to train end users on how to deal with alerts and the best approach to take for new projects.

    We have weekly meetings with Mend and encourage all users who integrate the solution into their product life cycle to attend. This has been very useful, as these technical meetings assist our staff in the best use practices and improving their interpretation of reports, which allows us to leverage the product to our greatest advantage. We are also able to ask for solution adaptations to suit our requirements, as we produce hardware as a company, not virtual products.

    For how long have I used the solution?

    We have been using the solution for almost five years. 

    What do I think about the stability of the solution?

    The solution is highly stable; we had downtime on one occasion for two hours, which was scheduled. Aside from that, I haven't seen any downtime or performance issues, so in terms of stability, I rate the product very highly because we can depend on it.

    What do I think about the scalability of the solution?

    The solution is scalable, and scalability is vital for such an integral piece of software. Software development scenarios can change fast, requiring support for new languages and apps, so we constantly learn and communicate with Mend to fulfil our fluid requirements and adapt to changes within our environment.

    How are customer service and support?

    I'm delighted with the technical support, especially as someone involved in the deployment. Technical support has been highly responsive to bugs or errors, helping us mitigate or fix them quickly. It was easy to interpret their technical guidance, which made my job much more manageable. I'm very satisfied and would rate them highly.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We did not use any other solution.

    How was the initial setup?

    The deployment was mixed; there's always a window in which we are required to adapt to a tool. This solution isn't an out-of-the-box kind of model. There was some fine-tuning involved in the deployment according to our needs and specific projects, which is expected but somewhat challenging nonetheless. 

    The key staff involved in the deployment included me as the deployment manager, a customer success manager from Mend, a leading member of our IP Council, and the security advisers for each product. Once the deployment strategy is decided, the IP Council and security team take a back seat, and I work closely with the product architects moving forward. Deployment, fine-tuning, and getting the scans up and running takes two to two and a half days maximum per product. Ultimately, five or six key staff are involved in the solution's deployment, configuration, and maintenance. 

    What was our ROI?

    We have seen an ROI for our projects, and our project managers are happy. This could still be improved, however.

    What's my experience with pricing, setup cost, and licensing?

    We always negotiate for the best price possible, and as far as I know, Mend has done an excellent job with their pricing. Our management is happy with the pricing, which has led to renewals.

    Which other solutions did I evaluate?

    We evaluated Black Duck, but it has several limitations that drove us toward choosing Mend. Black Duck is very expensive, and we require a SaaS solution to ensure the privacy of our source code, and they couldn't provide that. Therefore, our team decided to choose the more affordable and secure product.

    What other advice do I have?

    I would rate the solution a nine out of ten. 

    As a deployment admin, I would say the solution is straightforward to deploy, and deployment is simply the beginning of the process. Then comes the discipline of running scans along the life cycle of a project and deciding to accept or ignore the yielded alerts. This isn't a daily process, but it's an integral part of every project's workflow, and we have successfully made this an embedded part of our product development. Over time, our users have realized the advantages of using this software and appreciate the deployment.

    Our staff must be open to change, especially when adapting to alerts and violations yielded by scans. Every scanned report has its interpretations and challenges, which is where input from the Intellectual Property team and Mend's technical team comes in. They support us throughout the product development process and help us calibrate our interpretations of reports. This gives us a clear picture of whether we are legally and technically conforming to our project and company requirements. 

    I'm a deployment manager, so I don't know if the merge confidence feature is used, as I'm not involved in projects throughout the entire development cycle. Some teams may be using it, but I can't say with confidence.

    We use the SaaS version of the solution, which provides full compliance when it comes to privacy. At no point can Mend view our source code, and we have a complete legal understanding with them.

    We currently don't use any other products in conjunction with the SCA product because we are at the beginning of our exposure to these tools. We are in the process of evaluating the tools, and we have a relatively elaborate process. It's also essential to consider different tools fairly by comparing like with like and having consistent parameters for comparison. That process can take some time and requires some patience. These kinds of evaluations should not be rushed, and it's okay to take weeks or even months to determine if a new tool can be a commercial and technical success within an organization.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Shashidhar Gowda - PeerSpot reviewer
    Program and Portfolio Management at Acceldata
    Real User
    Top 20
    Highly scalable, reliable, and knowledgeable support
    Pros and Cons
    • "We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently."
    • "I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022."

    What is our primary use case?

    We started the trial version of WhiteSource last week. We concluded the trial this week and we are beginning to use the full licensed solution later on in the week.

    We use WhiteSource for automating open-source vulnerability, by finding the open-source libraries that were used and fixing them. Additionally, we set up policies to disallow some of the risky open sources to be used in our solutions by developers. We are able to scan and fix vulnerabilities in our containers, to ensure that if there are any licenses that violate the open source usage or put our product at risk, we make sure that either we remove or remediate the open sources with risky licenses. Those are the main three use cases.

    How has it helped my organization?

    We did not have much security compliance implemented in our solutions. Whatever we did, we had to use the AWS built-in OWASP scanning, and we had to manually find out the versions of the open sources that fixed the issues of vulnerability. We then had to make sure that that updated version is sent in and code merged for a test. We found sometimes it took a lot of research to make sure that the version that we are upgrading to did fix the issue, et cetera. However, this is all manual research and is dependent on the knowledge of the developer or the engineer who did this work. It took time and did not ensure a high percentage of security compliance. With WhiteSource in place, we are going to be able to do the whole process automatically and we will be confident that we removed the vulnerabilities and license violations.

    We are saving time that we spent on resources because we no longer have to do it manually. We will now have confidence that there are not many errors made. We are able to do much more vulnerability fixing than we did manually, there are cost-savings, and less work involved.

    What is most valuable?

    We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently.

    For how long have I used the solution?

    I have been using WhiteSource for approximately one week.

    What do I think about the stability of the solution?

    We have not used the solution very long to give us a full picture of the stability. However, from what we have seen from the trials it is impressive.

    The solution only required a few hours of work from one DevOps engineer in a week.

    What do I think about the scalability of the solution?

    WhiteSource's scalability is extremely good. We can add more repositories, projects, and people as we need. There's no problem with the scalability. We did not find any slowness, performance stress, or load-related issues when we did the trials. WhiteSource can handle up to a few thousand concurrent users without any issues.

    Once we have the solution fully licensed we will have approximately 50 people using it.

    Our usage of WhiteSource will increase as we add more people, but it's going to be the same code base. The number of users will increase, but the scope of the solution usage in terms of the number of solutions will remain the same.

    How are customer service and support?

    Their pricing is different for many of the solutions we have tried. In Sonatype, especially, the agents are extremely technically knowledgeable. The sales team and the sales engineering we spoke to are extremely knowledgeable. They had 100 percent of all the answers to the questions that we asked. In the case of Snyk, their support had to go and come back to us and their support pricing is very expensive. Even with the trials that we did, we did not try the paid version of their software that included dedicated customer support.

    WhiteSource agents are knowledgeable. In a couple of cases, they had to go back and work with the engineering for a resolution. However, the support that is included in the plan that we bought is good. In the other two options, the pricing did not include the ongoing SLA-based support. With WhiteSource, they include SLA-based support, 24/7, in their enterprise plan, which is comparable to the plans with Sonatype and Snyk where they don't include the support.

    I rate the support of WhiteSource a seven out of ten.

    I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022.

    Which solution did I use previously and why did I switch?

    We use trials of many solutions, such as Snyk and Sonatype.

    How was the initial setup?

    WhiteSource's initial setup is very straightforward. In all three use cases, it was very straightforward. With Sonatype, we used the on-premise version, but with Snyk and WhiteSource, we used their cloud version. It did take a little time to set up Sonatype, but it was straightforward. We had people helping and guiding us on a Zoom call in all three use cases. It did not take long, nor was it complicated in any of the use cases. Overall, all it took was under an hour.

    What about the implementation team?

    We did the implementation ourselves with the sales engineers.

    What was our ROI?

    We haven't calculated our return on investment in terms of resource savings. While we were doing everything manually, we were still not able to do everything. Now we have a solution, we can save the human resources that are being paid for. Our return on investment, in terms of our ability to showcase our solutions as secure and sell them, is going to be multifold. I'm expecting, at least, the return on investment of new sales and cross-sales will be at least six times higher.

    What's my experience with pricing, setup cost, and licensing?

    When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually.

    Which other solutions did I evaluate?

    We evaluated many solutions, such as Snyk, Sonatype, SonarQube, Checkmarx, and a couple of others.

    What other advice do I have?

    When people start looking at solutions that are available for open source, static code analysis, container scanning, and infrastructure as a code, there are many solutions. Many companies have productized these different services into different solutions, but when they sell them they combine everything into one platform. This can be extremely expensive and confusing. In the beginning, it all starts looking like they're all interdependent and you must buy and use all of them to be able to make them work, which is not the case. Finalize your use cases, what exactly you need a solution for, before even starting your evaluation. For example, our primary use case was open source and open source alone. When we started looking at the solutions, the companies threw at us things that we did not need, and we were confused at some stages. We did not give up and continued our POCs and went into more detail on the solutions that the vendors are offering.

    In some cases, we didn't have the ability to evaluate some of the solutions they were providing, because we did not want them. We did not have the solution's codebases. For example, to evaluate some of the features, it's extremely important to discuss internally and make sure what your use cases are before starting the evaluation of the solution. During the evaluation, stick to only the solutions or part of the solution that the vendors are providing that satisfies your use cases. Do not go beyond it and pay for something that you will not use once you buy them. It's confusing once you start the trials; if you have not done the background work or homework, you may end up buying things that you don't need at expensive prices.

    I rate WhiteSource an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Kevin Dsouza - PeerSpot reviewer
    Intramural Official at Northeastern University
    Real User
    Top 20
    Easy to set up with vulnerability analysis and is reliable
    Pros and Cons
    • "The vulnerability analysis is the best aspect of the solution."
    • "The only thing that I don't find support for on Mend Prioritize is C++."

    What is our primary use case?

    We use Mend especially for code analysis. I work in the application security part of my company. Developers will build and push the code to the GitHub repository. We have a build server that pulls in the code, and we are using Jenkins to automate that to do the DevOps stuff.

    Once the code is built, we create a product for that particular version on Mend. We are currently working with three different versions for our particular product. We have the products created on Mend via White Source, which has a configuration file and a batch file that runs. The configuration files basically tell what parameters to use, which server URL to use, which files to ignore, and which files to use.

    For example, if I just have to do Python, I can make changes in the configuration files in Excel to include just .py files and exclude all of the files. If I have to do Python and C++, I can make changes in the configuration file itself to make .py, .C++ and exclude all of those. Once that configuration file is ready, then we run a White Source batch file that just connects to the server, contacts the configuration file as well, does the scan on all the files that are there in the project, the project being for, and then pushes it to Mend, our Mend page.

    On our Mend page, once we go into the product page of it, we can see what libraries have been used by us and what have some vulnerabilities. We also can set policies on Mend. We set some policies for our organization to accept and reject. For each product, we also get the policy violations that the libraries go through and any new versions for any new libraries that are available on that library's parent page - the parent page being the official developers of the library. We can get the new versions as well. We get the licenses we use with the library, and most importantly, we get vulnerability alerts regarding every library we use in our code.

    Once the code is pulled, scanned, and pushed, we get the UI. We go to the library alerts. Once we go to the library alerts, we can see the different severities and the different libraries with vulnerabilities. We normally just sort according to higher severity first and go down to lower severity. We check what can be ignored or what is acceptable and what cannot be ignored, and what is of high priority. Ones that are a high priority, we flag and create a ticket on JIRA. That's our platform for collaboration.

    Once we create a ticket for JIRA, the developers can see it, the QA team can see it, and they will go through that as well. They can tell if the update or the upgrade of the library is possible or not. They'll check its compatibility and see if it's actually doable or not. If it's not doable, they'll just tell us it's not doable, and probably our next version of the application will have the changes - not this one. We term that as acceptable or within our domains of acceptance. However, daily, if a JIRA ticket is created, the developers get back to us saying yes or no. Mostly they can say yes to changing the library to upgrade the library. If it's upgraded, they upgrade it to the next version. We scan it again. We do a weekly scan. We'll just check the next week if that particular library is upgraded and the vulnerability has been remediated.

    What is most valuable?

    The vulnerability analysis is the best aspect of the solution. It’s my main go-to.

    We can't do static code analysis ourselves; it's manual. That's a lot of manual tasks to handle. It's close to impossible to do that. That was a lot for static code analysis of our projects, alerting on vulnerabilities whenever it's possible. Whenever there's a vulnerability available, Mend does that. Its vulnerability analysis is a report as well with how many high vulnerabilities, how many medium, how many lows we got, and how many accepted or how many are without any vulnerabilities basically.

    I see a lot of it is pretty good and has a high level of trust.

    It’s stable and easy to set up.

    What needs improvement?

    All applications in the world that are created have room for improvement.

    Within Mend itself, there’s Mend Prioritize, which prioritizes the vulnerability automatically by itself with relevance to our application. Mend Prioritize has support for five or six languages right now, including JavaScript, C, and C#. The only thing that I don't find support for on Mend Prioritize is C++, which they'll be working on since the product is under development. Once that's done, we can also add it into Mend Prioritize for our weekly scans, which will help us with our analysis and efforts for remediation.

    It's everything we need right now. There's nothing as such that’s out of the world that they should do. We use it just for one thing and focus on that. Therefore, they should not do anything else. We're fine with it as it is.

    For how long have I used the solution?

    I've been using Mend for six months now.

    What do I think about the stability of the solution?

    It’s quite stable. There are no bugs or glitches. It doesn’t crash or freeze. A lot of infrastructure is dependent on Mend right now, and it's not disappointing.

    What do I think about the scalability of the solution?

    It is a pretty scalable product.

    The application security team uses it. That’s four people using it regularly.

    We are using everything that it does. Mend does a lot of things. It does SAST, SCA, it does DAST as well. We are using just the SCA module of it, which we need, and we are using the SCA module to its fullest. I hope we're doing the most efficient deployment of it.

    How are customer service and support?

    We’ve used technical support in the past. We had some issues with One RPM last month. That was sorted quickly.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We did not previously use any different solution prior to Mend.

    We did look at other solutions. There was Veracode that we tried and Tenable. There was Qualys as well. However, we chose Mend, and we have had a license for three years right now.

    How was the initial setup?

    The initial setup was pretty easy.

    The deployment didn’t take long. Within a day or two, it was done.

    There's no maintenance and deployment of Mend as such.

    What about the implementation team?

    We have a license, so once the license was set up, once the server was set up, after that, we rolled it out by ourselves.

    What was our ROI?

    We’ve seen a terrific ROI. I’d rate the solution a 4.5 out of five in terms of delivering us ROI.

    What's my experience with pricing, setup cost, and licensing?

    I don’t have any information in regards to pricing.

    What other advice do I have?

    I would advise potential users to go through the documentation extensively. The documentation is pretty extensive. It's easy to miss some points in the initial setup itself. If the initial setup's gone wrong, it is difficult to debug it once the infrastructure is up. Therefore, start slow. If the deployment is done correctly, it's only a matter of two files after that for each project that you scan.

    I’d rate the solution a nine out of ten.

    Which deployment model are you using for this solution?

    Private Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Sr. Manager at a financial services firm with 10,001+ employees
    Real User
    Once it's configured, it's seamless for the development community
    Pros and Cons
    • "Mend has reduced our open-source software vulnerabilities and helped us remediate issues quickly. My company's policy is to ensure that vulnerabilities are fixed before they get to production."
    • "Mend supports most of the common package managers, but it doesn't support some that we use. I would appreciate it if they can quickly make these changes to add new package managers when necessary."

    What is our primary use case?

    Earlier, Mend was used as a tool behind the scenes for periodic vulnerability checks. It was more reactive. We only began exploring its full potential once we started integrating it with GitHub because that helped us control and manage the process. It centrally controls all the code going into production. We have built-in rules against the license policy vulnerabilities. We don't allow code to go to production if it hasn't met those criteria.

    Mend has a SaaS environment where all the data is stored, but we do all scanning and remediation work on a component that scans and identifies dependencies. It can be deployed on-prem or on the cloud using their containers. Then, it talks to the SaaS platform for the final identification of vulnerabilities and license composition.

    They have also devised a smart tree containing other tools we plan to evaluate. We haven't used their SAST solution yet, but we're considering it and comparing it to the other SAST tool we use. We use Mend Renovate, which was previously an open-source product. The merge confidence feature is part of the Renovate feature. Most of our people are focusing on vulnerability remediation. It gives an excellent idea about how we can move forward with a change.

    Mend is deployed on the AWS cloud, and we have multi-region enabled. It is deployed active-active in both regions. This is a heavy implementation. The company has a centralized GitHub platform where every developer and team manages their code. There are more than 5,000 users. Changes appear in the report, and actions are happening internally based on that. They may not all be going to the Mend platform to see these results. There are only maybe 5,000 active commits happening monthly. The number of records per project enabled for our company is nearly 60,000. 

    How has it helped my organization?

    Mend has reduced our open-source software vulnerabilities and helped us remediate issues quickly. My company's policy is to ensure that vulnerabilities are fixed before they get to production.

    Mend streamlined our release process and improved the quality of the code we used during the production. When we had incidents recently, Mend's reports helped us determine the impacted components and remedy the issue quickly. 

    What is most valuable?

    The GitHub integration is one feature we use heavily. It has helped us identify and remedy vulnerabilities. Mend is also easy to use. Once it's configured, it's seamless for the development community. It's clearing issues for them so that they can see the problems and how to fix them.

    We have already integrated Mend with the developers' workflows, including the IDE repository and CI/CD pipelines. Our developers use these IDE keys because it only supported one of the IDEs when we started: IntelliJ IDEA. They have improved and added support for multiple IDEs. We've integrated with more than 50,000 repositories. I think it's nearly 60,000.

    What needs improvement?

    Mend supports most of the common package managers, but it doesn't support some that we use. I would appreciate it if they can quickly make these changes to add new package managers when necessary.

    For how long have I used the solution?

    I have been using Mend since I joined the company in 2019, but they have been using it for longer. 

    What do I think about the stability of the solution?

    I only experienced one brief outage where the scan wasn't happening.

    What do I think about the scalability of the solution?

    The scalability is fairly good. Our usage increased dramatically from 3,000 reports to almost 60,000 reports, and we haven't had any issues. 

    How are customer service and support?

    I rate Mend support eight out of ten. We have a shared channel with support on Slack. Their representatives are there to answer our questions or provide clarifications. If we have an issue, we can pose the question, and they respond. We can also create a ticket in their portal. The response time varies based on the severity of the ticket, but it's pretty normal to get a response within an hour. 

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We had other solutions, like SAST scanning and Black Duck, but nothing offered this level of detail. The previous solutions were reactive and required a lot of manual work, whereas Mend proactively identifies vulnerabilities. The code is scanned immediately once it goes into the repository. 

    Mend has the ability to control the release using the same data going into production or our test environments. That is what sets it apart from other tools. Other tools are emerging with similar capabilities, but when we picked it, it was one of the only tools that had the features we need. 

    How was the initial setup?

    I am the product owner of Mend at this company, so I was responsible for setting it up and the GitHub integration process. The initial setup was straightforward, but we had to do a few steps to meet the company requirements. For example, we needed to enable it through the proxy and allow it to reach external registries.

    We needed to configure it to go through that path and then enable and deploy the necessary package managers. That took a little work in the beginning, but everything was good once that was all figured out.

    We have a team of three engineers supporting it, but they're working on this solution full-time. We get releases every other week, so we need to ensure the enrollment is up to date. That deployment doesn't take much time because we build our Docker images, and we need to enable multiple package managers. They give us the Dockerfile that we build based on our needs.

    It takes a day to deploy all these components. We mainly need additional engineers to support our user community, providing answers or clarifications. Otherwise, it's just one person maybe supporting the platform. 

    Mend ensured the correct data version is deployed. Other than that, it's the normal maintenance of supporting our end users. They may have questions about some fixes or suspected false positives, but we have very few false positives. 

    What was our ROI?

    We are seeing a return on investment because the code quality has improved, and it improved our reaction to the kinds of incidents that are happening outside the industry.

    What's my experience with pricing, setup cost, and licensing?

    Pricing and licensing are comparable to other tools. When we started, it was less than our existing solution. I can't go into specifics, but it isn't cheap. 

    Which other solutions did I evaluate?

    We evaluated several tools and picked a shortlist of candidates that met our company's needs. Mend had broader package manager support, minimal false positives, automated remediation, and the GitHub integration. 

    What other advice do I have?

    I rate Mend an eight out of ten. I deduct two points because you may not get coverage for all the package managers. But that's where your team needs to work with the vendor to get that supported. It is a collaborative effort to get more support based on your needs. The company was helpful and responsive, so we were able to influence their roadmap to get some of these capabilities enabled for us.

    They have been particularly helpful in getting support for Python package managers. We didn't have the file support and Conda package manager, but they stepped up and provided that capability. You need to have a little patience to evaluate and ensure all the tools meet your requirements. If you need anything, you have to work on getting that support.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    ZvikaRonen - PeerSpot reviewer
    Chief Technology Officer at FOSSAware
    Real User
    Top 5 Leaderboard
    It has good dashboard and management views, and it is helpful for early fixing and post-production management
    Pros and Cons
    • "The dashboard view and the management view are most valuable."
    • "It should support multiple SBOM formats to be able to integrate with old industry standards."

    What is our primary use case?

    It is used to manage open-source associated risks. I'm a consultant, and I provide consultancy and management services in the domain of open-source risk management. I use this product as a part of the services to my customers. I'm not using it in my company because my company is not developing anything.

    Its deployment is hybrid, where scans are on-premises and the knowledge base is on the cloud.

    How has it helped my organization?

    It saves a lot of money with early fixing. If you can figure out an open-source bug earlier, rather than in production, it can save a lot of cost, almost 100 times.

    It also helps with post-production management because it gives alerts on new vulnerabilities.

    What is most valuable?

    The dashboard view and the management view are most valuable.

    What needs improvement?

    The pricing model needs some changes. It is being offered in bulks of a minimum of 20 developers, which means that small startups with less than 20 developers cannot afford to buy the minimum bulk. There is no flexible pricing model to choose a plan with partial functionality and for less than 20.

    The GUI should support the export of multiple SBOM formats; today this is the transparency expected by federal agencies from companies that write software. There is no one standard yet in the industry for SBOM, so leading tools like WhiteSource should be able to support multiple formats.

    For how long have I used the solution?

    I have been using this solution for years.

    What do I think about the stability of the solution?

    It is very stable.

    What do I think about the scalability of the solution?

    There are hundreds of users who use this solution.

    How are customer service and support?

    I have used their support, and they were excellent.

    Which solution did I use previously and why did I switch?

    I use multiple solutions, such as Snyk, Black Duck, and Sonatype.

    How was the initial setup?

    It is quite simple. Its implementation takes days, and its implementation strategy is a part of our management plan.

    What about the implementation team?

    I'm a consultant, and I help with its implementation. It requires very few people.

    What was our ROI?

    There is definitely an ROI.

    What's my experience with pricing, setup cost, and licensing?

    Its pricing model is per developer. It depends on the number of developers in the company. The license is for a minimum of 20 developers. So, even if you are a small startup with less than 10 developers, you have to buy a license for 20 developers on a yearly subscription, which makes it quite expensive for startup customers. I provide consultation to startup accelerators. They're small at the beginning, and only once they grow to 20 developers, they can afford this tool. As a result, WhiteSource is missing this target audience. Their licensing is not flexible.

    Which other solutions did I evaluate?

    I evaluated other options, but some of those, such as Protecode, do not exist today. They used to be tools based on the actual reading of the content. They were snippet-based.

    What other advice do I have?

    My advice would be to get ready for implementation by preparing the right structure. Before implementing this tool, you should define the company policy and processes and get accurate training. This creates trust between the developer and the newly-implemented tool. For instance, when there is a violation of a policy, you need to understand why it happened. You should not try to bypass that just because it would fail the build. Developers' trust is the most important thing. So, you should plan ahead with a clear management program for open-source involving all key holders. Implementation of such a tool requires collaboration. It is not the job of just the development team or the head of security. It is supposed to be a joint effort of the entire development group in a company.

    I would rate WhiteSource a nine out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Principal Software Architect at a tech services company with 10,001+ employees
    Real User
    Top 10
    Scalable and stable, with a broad range of features
    Pros and Cons
    • "The solution boasts a broad range of features and covers much of what an ideal SCA tool should."
    • "The initial setup could be simplified."

    What is our primary use case?

    To my knowledge, we are using the latest SaaS version.

    What is most valuable?

    The solution boasts a broad range of features and covers much of what an ideal SCA tool should. It covers the containers. One can create his teams and, should he encounter an issue, send an alert to the team's DL. 

    I am quite happy with WhiteSource. It is very good and provides many things, including extensive reports involving vulnerabilities. 

    What needs improvement?

    I am not clear if WhiteSource provides on-premises service. I know that its competitors provide on-premises and SaaS-based services for the same licensing fee and model, but I am not sure if this applies to WhiteSource, as well. I believe it does not. 

    It is preferable to use on-cloud services, although an on-premises one should equally be an option if I preferred not to go for SaaS-based hosting. The licensing model should be the same for the different options.

    The initial setup could be simplified. 

    For how long have I used the solution?

    I have been using WhiteSource for more than a year. 

    What do I think about the stability of the solution?

    The solution is very stable. 

    What do I think about the scalability of the solution?

    It is a prerequisite that the solution is scalable, as it is SaaS-based.

    How are customer service and technical support?

    I have not had experience with customer support. 

    How was the initial setup?

    The initial setup was of an intermediate complexity. It was neither complex, nor straightforward. It could have been easier. Understandably, it involved a certain amount of configuration. 

    What's my experience with pricing, setup cost, and licensing?

    I cannot comment on billing, as this was handled by other departments in my previous organization. 

    As we were using a SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using.

    Which other solutions did I evaluate?

    The reason I logged into the IT Central Station website is because I was looking for crisp documentation so that I may compare WhiteSource with Black Duck. I did not find what I was looking for. All I found was a conglomerate of user experiences, not the research reports I was searching for.

    I am currently using both of these products.

    What other advice do I have?

    I rate WhiteSource as an eight out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.