Mend.io Reviews

I have been using Mend.io and no longer work for that company after leaving a few months back. Mend.io has been used for probably three or four years and it was the best tool that we actually replaced. It was the best tool I ever saw for all the dependencies and all those things.

Everything that has to do with dependencies and third parties was ingested through Mend.io; we used the SaaS tool for a different purpose and then we used Mend.io for all dependencies.

We have been using some capabilities of Mend.io, particularly when AI started; we wanted to utilize some of the AI features, but AI is a gray area. If you want to use it specifically for AI, then that is something every organization must think about how much they should automate the processes. Other than AI, I think the automation is wonderful.

We were able to significantly reduce vulnerable libraries, i.e. 3rd party dependencies since the findings were so accurate. With our ability to develop custom solution on top of Mend.io, our solution would auto-trigger scanning and show vulnerability findings in our centralized dashboard. This was very convenient as developers didn't had to go to Mend.io, but could see all their vulnerabilities in a single central dashboard such as SCA findings from Mend.io, SAST from other tools and likewise.

What I think about Mend.io is that it is very efficient, highly efficient, and it is the best scanning tool for SCA.

Mend.io stands against other SCA solutions on AI; I would say it is on the top compared to any other tool in the market.

The continuous monitoring capabilities in Mend.io aided our organization in maintaining a secure environment; that was wonderful. We automated processes and we actually created our own centralized platform where all the feeds were ingested, and we could see the SAST, DAST, IAST, and SCA everything in one single place. So we had to do some work, but we actually did custom centralization of efforts and were able to ingest everything into our own platform, our own centralized platform.

The only area for improvement I would say is that the false positives are nearly zero; everything is mostly like 99 to 99.99% or we can say 100% accurate.

There were a few areas for improvement just from the last time I saw; I think the user experience had a little problem. We wanted to have certain reports based on our kind of scenario, but the tool did not allow us to create custom reports. We had asked for some facility and some ability for us to create some custom reports. That would be awesome if they allow us to create custom reports the way we wanted.

There is one small area which I don't know whether we should call a tool limitation or a wish list; if I use a library and I don't use all the capabilities of the library but only a portion of it and that portion is not vulnerable, but there is a component which is outdated, that is a problem, even though I don't use that component. Mend.io will discover there is a problem in the whole library; that is correct. That's a valid discovery, but in my case, for example, if I don't use that particular portion, then it actually is not making sense for me, but that's not a limitation of Mend.io; I think that's a general problem with any tool in the market because no tool in the market will actually know what portion of the code I'm actually using from that particular library if it is vulnerable or not.

Mend.io has been used for probably three or four years.

Mend.io is very stable; we did not have any issues. Being a SaaS product, they are not catering only to one company; they're catering to everyone who uses the tool.

Regarding support, the people who were involved in the commercial side were the direct point of contact with Mend.io, but my understanding is Mend.io provides pretty good support. I did not hear any complaints from those teams that Mend.io is slow or the support is not good; I did not hear anything of that sort in my almost three or four years.

Previously, we used different tools; I actually was involved in the decision-making process. Once we onboarded to Mend.io, we saw a drastic improvement in the way Mend.io reported the SCA findings. Many people were also using SonarQube and some other tools for their internal processes, which was not official, but when they reported, they said the other tools were reporting a lot of false positives compared to Mend.io. No one complained that this is a false positive in Mend.io; we were actually able to see if Mend.io shows there is a problem here, and we used to ask the dev teams to go inside those directories and discover, and they actually said there is a problem.

It is very simple to set up Mend.io, even for developers who had no experience and no exposure to tools in Mend.io; we simply provided some straightforward instructions. We had our own internal Wiki and we wrote those instructions on how to onboard; it was pretty straightforward.

I would say it was the easiest tool to onboard.

Being in the industry of security plus AI, I actually specialize in AI and have written a few books on AI available on Amazon, so I am very cautious about AI, especially anything that includes AI, particularly security tools.

As for AI and other features, AI is a gray area and no tool in the industry is anything good in AI currently. They are evolving and it will probably take five to maybe ten years to be very good in AI. AI is an upcoming area; it is not even stabilized and is an evolutionary area. So anything we want to use, whether it is SCA, SAST, DAST, IAST, or any tool, we have to be very careful with AI.

The documentation is huge and awesome; it's huge.

Since it is a huge Wikipedia, some links might be a little outdated; what they do is point to the new location, and sometimes that new location becomes confusing because it auto-redirects. If we had to refer to some old documentation and we want to just for cross-references to what we had done, then the old links are not available because it redirects to the new location. I think that's the usual case with any other tool because even Synopsys had a similar thing where they had huge documentation, and whatever updates were there, they used to redirect those pages.

Overall, I cannot give a 10 to any tool in the market because no tool would be perfect. Except for the AI part, which I am very sensitive to in any tool in the market, otherwise, I would give a rating of nine; it is a very good tool to use. I have provided a rating of 9 for this review.

Public Cloud

Amazon Web Services (AWS)

For my processes, I am mainly using Mend.io for Mend SAST, SCA, and container scans.

The features in Mend.io that I have found most valuable are the scan engine, which is pretty good. Mend.io has improved the scan engine on their side, so all the vulnerabilities are having less false positives as the years go by.

The home dashboard itself gives a very good analysis for Mend.io. This is not just for SCA; it is for SAST and container as well. It gives entire analytics of how many vulnerabilities were found, how much was updated, and how much was fixed over the last three, six, and nine months.

We had an internal analytics, but Mend.io's analytics also gives us a fair comparison regarding how it works and how effective it was, how many vulnerabilities were found over time, and how many were fixed.

I am not familiar with Mend.io's automated vulnerability detection feature.

For monitoring capabilities in Mend.io, I did not understand the maintenance part.

In my opinion, there is one functionality which Mend.io recently introduced about an AI assistant bot that can be improved for the product. Normally, you go inside the product, go inside the project, and locate where your vulnerabilities are, which can be a tedious process from a technical team perspective. However, with the recent AI feature or AI assistant bot, if you ask that particular bot about where that vulnerability is located, what the directory is, what the version is, and what the fixed version is, you will have your answers right then and there.

For now, the AI assistant bot feature is maybe rolled out only to a few select clients, but I think that is something which might be helpful. The AI assistant is not currently available on the portal.

I have been working with Mend.io for almost five years now, and my overall experience with the product is positive.

I would rate the stability of Mend.io a ten.

Regarding scalability, I would also rate it a ten because in some cases, I have 500 projects inside a single product, so I think it is quite scalable.

When it comes to technical support, I would rate them a nine; I could give ten, but just to have this response fair, I will give them nine. Their technical support is quite knowledgeable enough to answer questions.

The response time from technical support is good as long as you define the criticality. Critical tickets are responded to within an hour.

The initial setup process for Mend.io has improved; it is similar to a one CLI agent now. Earlier there were three different agents, and now there are just certain limited commands you need to run for each type of scan, and then you are good to go.

In my opinion, there is one main competitor for Mend.io, but we are not considering it. We are happy with Mend.io. However, Snyk is another solution that I have seen many of my friends implement.

I am still working with Mend.io, and I am using it.

Regarding scanning in Mend.io for SAST, I think that would be scanning, not monitoring. As I mentioned, Mend.io migrated to a new CLI version, which is pretty good. As the years go by, they have one CLI for all three scans, and Mend.io keeps updating that CLI on their side.

The reporting tools in Mend.io, specifically the executive report that PDF report, is a good part to show management, whereas for technical teams, I think CSV reports should be sufficient.

The initial setup process for Mend.io has improved; it is similar to a one CLI agent now. Earlier there were three different agents, and now there are just certain limited commands you need to run for each type of scan, and then you are good to go.

My overall review rating for Mend.io is nine.

Public Cloud

I am using it for Software Composition Analysis, mainly for third-party open-source library security perspective and the license compliance perspective.

The features I find most valuable in Mend.io are the ease of use; it is very easy to access and integrate.

We have been using the automated vulnerability detection feature, and while I am aware of it, there is some delay, so we have been working with them to enhance it further.

Mend.io's detailed dependency analysis is good, and I am looking forward to the usage of AI, especially from the perspective that not all CVE IDs are exploitable.

The monitoring capabilities in Mend.io are good because we have integrated it with a pipeline, and overall the experience has been good.

Mend.io's reporting tools are beneficial for my use case; from a UI perspective and generation of reports, including the SBOM, it has the flexibility and is easy to generate and share with the developer teams.

Based on my extensive experience with Mend.io, what I have learned from providing consultancy for Black Duck in the past and multiple tools is that people do not acknowledge it.

I will share the specific example for improvement with my vendor.

On reachability, they can improve it; that is one area still in the industry where none of the tools are up to the mark.

Mend.io does not use AI technology with the reporting.

I strongly recommend that they start working with AI for the reporting part.

The tools need to bring down the pricing because software in SaaS or on-prem is becoming a more expensive affair.

I have been working with Mend.io for around seven years.

I would rate the stability of Mend.io as an eight.

The scalability of Mend.io is around 7 or 7.5.

I will rate the technical support from Mend.io tech support around a 6.5, but I have noticed that the speed to respond has decreased over time.

Neutral

Black Duck, X-ray, and Snyk are competitors for Mend.io.

The initial setup for Mend.io is very simple.

Black Duck, X-ray, and Snyk are competitors for Mend.io.

I am still using Mend.io.

I am not sure about the process for purchasing that solution through the AWS marketplace or directly from Mend.io.

I cannot take too much time for questions about Mend.io to update my previous review.

I will continue with Mend.io because I plan to use additional tools, but I am not going to replace Mend.io.

I rate Mend.io an eight out of ten.

Public Cloud

Other

Mend.io is integrated into our CI/CD processes. Our primary tool for CI/CD is Concourse CI, where all development teams incorporate Mend into their pipelines. In addition to Concourse CI, some dozens of our Dev teams utilize Jenkins, GoCD, and TeamCity, along with integrations for Azure DevOps and AWS Code pipelines. Our environment generally features a variety of tools from the GitHub ecosystem and supports several programming languages tailored to specific use cases.

Mend.io has played a crucial role in lowering our vulnerabilities and has provided valuable education to numerous developers, fostering a transition from a lack of awareness to a focus on security. It has enhanced the understanding of the importance of addressing dependency vulnerabilities early in the software development lifecycle (SDLC), while also promoting a cultural change that has resulted in both measurable and unmeasurable advantages in managing and recognizing vulnerabilities.

Mend.io is very robust in terms of managing third-party dependencies. It has a built a substantial database of dependencies in their system and incorporates many open-source databases. This makes it very effective, and we find it 100% accurate in detecting vulnerabilities. It supports the largest number of languages, over 200, which is highly beneficial for us.

Mend is a strong player in the SCA space, relatively affordable and has demonstrated effectiveness in container security, although its SAST capabilities may still be developing. Due to overall cost of our technology ecosystem and centralization, ultimately, we opted for Snyk due to its comprehensive range of features within a single platform. It might be beneficial for Mend to explore the possibility of offering an all-in-one solution (SCA, SAST, Containers, IaC) under a single account.

Since approximately 2018 or 2019, we have been utilizing Mend.io as a critical component of our software security strategy. At that time, a strategic decision was made to adopt both Checkmarx and Mend, recognizing the need for robust tools to manage vulnerabilities within our software development lifecycle. However, as we continuously evaluate our toolset for efficiency and cost-effectiveness, we intend to retire Mend.io in the first quarter of next year (Q1-2025). This decision is driven by our choice to transition to Snyk, which offers a more cost-effective alternative while aligning with our initiative to streamline tools across various company divisions.

Over the years, we have developed a comprehensive understanding of Mend.io, which was formerly known as WhiteSource. Our experience with this tool has equipped us with valuable insights into its functionalities and capabilities. We have leveraged Mend.io's features extensively, particularly its strengths in open-source dependency scanning and policy automation, which have significantly aided our vulnerability management efforts. As we prepare for this transition, we feel confident in our knowledge and experience with Mend.io, enabling us to ensure a smooth migration to Snyk while maintaining the integrity and security of our applications.

We have witnessed Mend.io for its high stability, consistently living up to our expectations in terms of performance and reliability. Our developers have reported very few issues and almost minimal to zero downtime, which is a critical factor for our organization to rely on Mend SCA to secure our applications. We didn't experience any major issues in the stability of the product. This level of dependability is crucial for our hundreds of development teams that need to maintain continuous integration and deployment processes without interruptions.
We realize the solution's architecture is designed to support a wide range of use cases, making it suitable for organizations of varying sizes and complexities. As a SaaS (Software as a Service) offering, Mend.io eliminates the need for physical server management, which further contributes to its stability. Users can access the platform without worrying about hardware failures or maintenance issues that can affect on-premises solutions.
Moreover, Mend.io's integration capabilities with existing workflows—including IDEs, repositories, and CI/CD pipelines—enhance its stability by providing a seamless user experience. This integration allows teams to incorporate security scanning into their development processes without significant disruptions, which is often a challenge with less stable solutions.
Feedback from our developers and architects highlights the tool's effectiveness in reducing open-source software vulnerabilities while maintaining a streamlined development lifecycle. Our organization have experienced improved code quality and faster incident response times as a result of using Mend.io. The platform's intuitive dashboard and management views are also praised by our developers for their usability, contributing to a positive user experience.
In short, Mend.io stands out as a dependable and reliable solution in the realm of software composition analysis. Its high stability, combined with robust integration capabilities and user-friendly features, makes it an excellent choice for organizations seeking to enhance their security posture while minimizing operational disruptions.

Mend.io is a highly scalable solution that can effectively meet the requirements of organizations of any size, from small startups to large enterprises. Its architecture is designed to accommodate varying workloads and user demands, making it adaptable to the unique needs of different teams and projects.

One of the key aspects of Mend.io's scalability is its ability to handle large volumes of code and numerous dependencies without compromising performance. As organizations grow and their codebases expand, Mend.io can seamlessly integrate into existing workflows, allowing teams to maintain their security posture without significant disruptions. This flexibility ensures that as development teams scale up their operations or introduce new projects, Mend.io can continue to provide robust support for their software composition analysis needs.

Additionally, Mend.io offers features that facilitate collaboration across multiple teams and divisions within an organization. This capability is particularly beneficial for larger enterprises that require consistent security practices across various departments. The solution's centralized management allows for streamlined oversight and reporting, ensuring that security policies are uniformly applied and monitored.

Moreover, as organizations increasingly adopt DevOps practices and move towards continuous integration/continuous deployment (CI/CD) pipelines, Mend.io's scalability becomes even more critical. The tool can integrate with various CI/CD tools and platforms, enabling automated scanning and real-time feedback on vulnerabilities as code is developed. This integration not only enhances efficiency but also supports rapid development cycles while maintaining a strong security posture.

IMHO, Mend.io's scalability makes it an excellent choice for organizations looking to future-proof their security strategies. Its capacity to grow alongside an organization’s needs, combined with its robust features for collaboration and integration, positions it as a valuable asset in any software development environment.

Mend.io offers excellent customer service. They prioritize providing the best experience to large organizations like ours, belonging to the Fortune 100. On a scale of one to ten, they rate around eight to nine for customer service.

Positive

After conducting a thorough evaluation that spanned approximately three to four months, we made the decision to transition from Fortify to Synopsys Coverity for our Static Application Security Testing (SAST) needs. Coverity emerged as an ideal solution during our assessment, particularly due to its impressive ability to minimize false positives, achieving a rate of less than 5% across a range of codebases from a few thousand lines to over a million lines in our testing scenarios. This capability significantly enhanced our confidence in the tool's effectiveness and reliability for identifying vulnerabilities.

However, after several years of renewals and continued use, we ultimately chose to discontinue our use of Coverity. This decision was primarily influenced by the licensing costs associated with Synopsys, which became increasingly burdensome as our organization sought to optimize expenses. Additionally, we faced integration difficulties related to our forthcoming ecosystem centralization initiatives. As we aimed to streamline our security processes and tools across various divisions, it became clear that maintaining Coverity would not align with our strategic goals.

Consequently, around 2018 or 2019, we decided to adopt Checkmarx and Mend.io as our new solutions. This switch was driven by the need for tools that not only provided robust security features but also offered better integration capabilities and cost-effectiveness within our evolving infrastructure. The transition reflects our commitment to continually assess and refine our security posture, ensuring that we leverage the best tools available for safeguarding our software development efforts.

Setting up Mend.io was a very straightforward process for our organization, primarily because the integration with GitHub required minimal effort. Developers simply needed to integrate Mend.io into their CI-CD pipelines they use, which facilitated seamless access to our repositories. I had created technical artifacts that explains the workflows and integrations processes. Additionally, I created a standardized templated model that made it much easier to adopt. This involved additional steps and configurations to align with our specific workflows and requirements. However, we have comprehensive documentation and handholding available to assist our developers through this process, ensuring that they have the necessary guidance to navigate any challenges that may arise.

Our primary CI/CD tool is Concourse CI, and all development teams have successfully integrated Mend.io into their respective pipelines. This integration has proven beneficial across various teams, as it allows for automated vulnerability scanning during the build process, significantly enhancing our security posture. Additionally, several of our development teams utilize other tools like Jenkins, GoCD, and TeamCity, along with integrations for Azure DevOps and AWS CodePipeline. The versatility of Mend.io in adapting to these different environments has further underscored its value.

Overall, the setup experience with Mend.io has been characterized by its user-friendly interface and effective integration capabilities. The ability to quickly onboard the tool into our existing workflows has enabled us to enhance our development processes without significant overhead or disruption.

Mend.io has demonstrated a strong return on investment (ROI) for our organization by effectively minimizing vulnerabilities and fostering a culture of security awareness among our development teams. The solution excels in Software Composition Analysis (SCA) and container management, emphasizing vulnerability reduction while enhancing our organizational culture, all of which contribute to delivering optimal ROI.

One of the most significant impacts Mend.io has had on our operations is its ability to automate the identification and remediation of open-source vulnerabilities. This automation has led to a substantial reduction in the time our developers spend addressing security issues, enabling them to focus more on innovation and less on remediation. In fact, we have observed a notable decrease in the mean time to resolution for vulnerabilities, which translates directly into cost savings and improved productivity.

Additionally, Mend.io's integration capabilities with our existing development workflows have streamlined processes across teams. By embedding security checks into our CI/CD pipelines, we have accelerated our application delivery timelines while ensuring that security is prioritized from the outset. This proactive approach not only mitigates risks but also enhances our ability to meet project deadlines and deliver safer products to our customers.

Furthermore, the tool's comprehensive reporting features have provided us with valuable insights into our security posture, allowing us to make informed decisions about risk management and compliance. The visibility it offers into our software supply chain has empowered us to take a more strategic approach to security, aligning with industry best practices and regulatory requirements.

From a financial perspective, the cost savings associated with reduced manual processes and faster remediation times have significantly contributed to our ROI. Organizations using Mend.io have reported savings of up to 15% in time spent on vulnerability management, which can lead to substantial financial gains over time. As we continue to leverage Mend.io's capabilities, we anticipate further enhancements in ROI through improved security metrics and operational efficiencies.

In my personal opinion, Mend.io not only serves as an effective tool for managing software vulnerabilities but also plays a crucial role in cultivating a security-focused culture within our organization. Its ability to deliver measurable results in terms of both cost savings and enhanced productivity underscores its value as a strategic investment in our application security efforts.

Mend.io SCA offers a competitive pricing structure that is relatively affordable compared to similar solutions in the market. This makes it an attractive option for organizations looking to enhance their software composition analysis without incurring excessive costs. The setup process for Mend.io is straightforward, allowing teams to get started quickly, educate developers efficiently, and see effective outcomes across the organization in a short timeframe.

However, while Mend.io is a powerful and cost-effective solution, our organization has been focused on streamlining various tools to reduce overall expenses related to Static Application Security Testing (SAST), Software Composition Analysis (SCA), container security, and Infrastructure as Code (IaC). As part of this initiative, we are shifting towards a more centralized scanning approach within the GitHub enterprise platform. This transition has led us to consider alternatives that offer both flexibility and cost advantages.

In this context, Snyk emerged as a viable option that aligns with our strategic goals. It provides the necessary capabilities while supporting our move toward a more integrated security framework. Despite our decision to explore Snyk, we still believe that Mend.io remains a robust, user-friendly, and affordable solution, particularly for SCA and container security needs.

From the perspective about setup costs, pricing, and licensing, it’s essential to consider not only the initial investment but also the long-term value that these tools can provide. Organizations should weigh the benefits of comprehensive features against their budgets and evaluate how well each solution integrates into their existing workflows. Additionally, negotiating longer-term contracts can often yield better pricing terms, which is a strategy worth exploring when considering tools like Mend.io. Most often the vendors offer custom designed pricing based on relationship with their customer and the mutually beneficial current and future value, including brand recognition to future prospects. There is often no one-price-fits-all formula with many enterprise solutions, including Mend.io.

We continue to evaluate various products that offer significant benefits in terms of reducing the time required to remediate vulnerabilities and minimizing the efforts placed on developers. Our evaluation process has included several notable solutions, such as AppScan and Veracode, both of which are cloud-based options designed to enhance application security through static analysis. Additionally, we assessed CodeSonar, Contrast and Fortify, both of which provide robust capabilities for identifying security flaws and quality issues within code.

In our ongoing search for optimal solutions, we also explored GitHub Advanced Security, which is currently under assessment. This tool integrates seamlessly with the GitHub ecosystem, offering unique features tailored for teams already utilizing GitHub for version control. Furthermore, we evaluated Checkmarx, a well-regarded SAST tool that has been instrumental in our security strategy; however, we have decided to decommission it as we pivot towards more integrated and cost-effective alternatives.

Our thorough evaluation process reflects our commitment to adopting tools that not only improve security but also enhance developer productivity by streamlining workflows and reducing the burden of manual remediation efforts. Each product was scrutinized for its effectiveness in addressing our specific needs, including ease of integration within our existing systems, cost implications, and overall impact on our development lifecycle. As we move forward, we remain dedicated to continuously assessing new technologies that can further optimize our security posture while supporting our development teams effectively.

Mend.io is highly recommended for organizations looking to implement Software Composition Analysis (SCA), as it stands out as a top choice with a 100% accuracy rate in vulnerability detection in our case and experience being among the largest scale of implementation; although we understand every customer scenario and experience may vary. While no tool can claim to be flawless, for us Mend.io has consistently delivered reliable results, and I would rate the solution aat 9/10. This rating reflects my belief in its effectiveness while acknowledging that there is always room for continuous development and improvement in any software solution.

Moreover, the incorporation of artificial intelligence (AI) into code security tools like Mend.io is still in its early stages. Although many vendors tout advanced AI functionalities, it may take several more years for these features to reach a level of maturity and stability that organizations can fully rely on. We recognize the practical realities involved within the software development lifecycle (SDLC) and the cultural dynamics within development teams, which often influence how effectively these AI features can be integrated and utilized.

As organizations consider adopting Mend.io, it's essential to keep in mind that while it offers powerful capabilities for SCA, ongoing advancements in technology will continue to shape the landscape of code security tools. Companies should remain open to evolving their strategies as new features and improvements become available. Additionally, engaging with the vendor for insights into their roadmap can provide valuable context on how future developments may enhance the tool's effectiveness.

In a nutshell, in my opinion, Mend.io is a strong contender for those seeking an effective SCA solution, particularly given its high accuracy and user-friendly setup. However, organizations should also be mindful of the evolving nature of AI in this space and remain adaptable to changes that could enhance their security posture over time. If anyone has a need of an experienced and professional consultation, they can reach out to me.

Public Cloud

Other

I work with Mend.io in industries such as retailers, consumer goods, travel, and hospitality.

Mend.io is a security tool that provides security feedback for all tests.

It handles Application Security, performing SCA SAST and container scanning.

They completed a complete shoulder shifting for us to set up Mend.io at the enterprise level.

We had zero workloads because Mend.io was able to handle all the lift and shift of tasks. We only needed to register the application and start using it.

The main consideration is the cost. The products always have their maturity. The actual challenge is how easy it is to integrate it in the early phase of the software development life cycle.

It is the same as what I mentioned for Veracode. We never had anything out of the box.

There are many variables to consider, such as what features and functionalities we are opting in, and how effectively we want that to happen. I am unsure if I can provide a complete answer to that question.

I have been using Mend.io for the last three to four years, with three to six months in my previous organization.

I have not experienced issues with Veracode. It purely depends on the licensing model. Whether you have Silver, Gold, Platinum, or enterprise license, you get the corresponding features.

We never had any issue with the stability or reliability. It rates 10 out of 10.

It has to be scalable and it uses various technologies to achieve this.

Both solutions are giving me confidence in releasing a secure product.

I never had an opportunity to be involved because everything was proactive from Mend.io's perspective. They provide faster feedback, and whenever something fails, they proactively fix it. I would rate it nine out of 10.

I have not had an opportunity to work with Mend.io for the last six months, so I am outdated regarding my infrastructure for more than six months.

I never got an opportunity to provide more detailed advice. I would rate Mend.io 8.5 out of 10.

We have two primary use cases. One use case is to find the vulnerabilities related to the open-source libraries that are included in multiple products in our company.

The second use case is to find out whether the licenses associated are for general use or not, or whether there are any license-related restrictions. Sometimes, when you use open-source components, depending on the type of licenses, they may be applicable only for internal use. We use it to check whether we are violating any licensing or not.

Using Mend SCA, it is easy to identify open-source vulnerabilities, but it is not easy to remediate because there are multiple moving components or moving parts in a build frame or a small library, so the impact of one component can be different on different products. To identify open-source vulnerabilities, you just run a scan in your pipeline, but to fix them, you need to do multiple regression tests and check whether your application or product is getting affected by that upgrade or not.

Mend SCA has helped reduce our mean time to resolution (MTTR). Knowing a risk does not necessarily help us in remediating or fixing that vulnerability, but it helps at least in deploying certain compensatory controls so that we can take on the upgrade part later on. Our protection is deployed at the parameter level, at the system level, or at the network level. It has reduced our MTTR roughly by 20%.

Mend SCA has definitely helped us reduce the number of open-source software vulnerabilities running in our production at any given point in time. We have now started to break the build in case there are any high-level or critical vulnerabilities. Certain teams, not all, are now forced to fix them, which is why the vulnerability count is going down. There is about a 20% reduction in vulnerabilities.

The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions.

I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant.

I have been using Mend SCA for more than three years, and we started with Mend SAST this year in January.

It is stable.

It is a SaaS solution, so scalability is something that their teams need to handle on their side. Scalability is in their control, and we are just sending those results over there.

We have about 450 users. We only use the portal. We scan via a unified agent or a CLI component, and we have two extra components. We have the Chrome plug-in and the IDE plug-in. The best thing is that on the CI/CD pipeline that we are using, we only need to call a unified agent that does the scan and then posts the results on the dashboard or the portal. It is deployed at multiple locations and at multiple levels of our pipeline. We are using Gitlab Cloud, Bitbucket and Jenkins. We are using many different tools at different locations.

All levels of their support have very good technical knowledge. They know their tool better than us, so when we cannot find a solution, they give us that in 15 minutes. I would rate them a 10 out of 10.

Positive

I did not use any other solution previously.

It is a SaaS solution. I was not involved in its deployment. It was already in the company for six months when I got my hands on it.

In terms of maintenance, we just need to check which users have left the organization so that we can maintain the number of users under the license that we have purchased. That is a small thing required on our side even though we have SSO integrated.

We have seen an ROI. We were able to find vulnerabilities. If our products were not attacked by an external entity, we consider that as an ROI, but it is difficult to put a dollar value on that.

It is fairly priced.

Mend SCA is better than Mend SAST. They are a market leader in SCA. The adoption of Mend SCA and the scanning of Mend SCA are pretty good. It is one of the best solutions for SCA. It was already deployed for at least six months before I got this tool. At one point, I saw WhiteSource's name on the Microsoft website as a critical solution for open-source scanning, which made me think that this solution must be good if Microsoft mentioned it on its website.

Its adoption was very slow in the beginning. Three years ago, there was no awareness of using this solution, so we had to tell the team about what the solution is for, what are its advantages, how it impacts their product, and so on. The adoption is good now, and people know exactly what it is being used for. They know the types of vulnerabilities that are there. They know the types of features that are there. Earlier, they used to go through me for any support program, but now they are directly raising tickets depending on the priority of the ticket and then directly communicating with my support representative to fix them. The initial one and a half years were difficult. 

We are also using Mend SAST. They have a variety of different application security solutions in addition to SCA. These solutions are complementary. When you use solutions from different vendors, more diversity can lead to problems. When you have a Mend solution for SCA and a Mend solution for SAST, they are complementary, so the results of those scans would be far more helpful than having different vendors at each and every level. Diversification is good to a certain extent, but if you diversify too much, you might get a lot of false positives.

Overall, I would rate Mend SCA a 10 out of 10. It is definitely one of the best ones in the market.

Earlier, Mend was used as a tool behind the scenes for periodic vulnerability checks. It was more reactive. We only began exploring its full potential once we started integrating it with GitHub because that helped us control, and manage the process. It centrally controls all the code going into production. We have built-in rules against the license policy vulnerabilities. We don't allow code to go to production if it hasn't met those criteria.

Mend has a SaaS environment where all the data is stored, but we do all scanning and remediation work on a component that scans and identifies dependencies. It can be deployed on-prem or on the cloud using their containers. Then, it talks to the SaaS platform for the final identification of vulnerabilities and license composition.

They have also devised a smart tree containing other tools we plan to evaluate. We haven't used their SAST solution yet, but we're considering it and comparing it to the other SAST tool we use. We use Mend Renovate, which was previously an open-source product. The merge confidence feature is part of Renovate feature. Most of our people are focusing on vulnerability remediation. It gives an excellent idea about how we can move forward with a change. 

Mend is deployed on the AWS cloud, and we have multi-region enabled. It is deployed active-active in both regions. This is a heavy implementation. The company has a centralized GitHub platform where every developer and team manages their code. There are more than 5,000 users. Changes appear in the report, and actions are happening internally based on that. They may not all be going to the Mend platform to see these results. There are only maybe 5,000 active commits happening monthly. The number of records per project enabled for our company is nearly 60,000. 

Mend has reduced our open-source software vulnerabilities and helped us remediate issues quickly. My company's policy is to ensure that vulnerabilities are fixed before it gets to production.

Mend streamlined our release process and improved the quality of the code we used during the production. When we had incidents recently, Mend's reports helped us determine the impacted components and remedy the issue quickly. 

The GitHub integration is one feature we use heavily. It has helped us identify and remedy vulnerabilities. Mend is also easy to use. Once it's configured, it's seamless for the development community. It's clearing issues for them so that they can see the problems and how to fix them.

We have already integrated Mend with the developers' workflows, including the IDE repository and CI/CD pipelines. Our developers use these IDE keys because it only supported one of the IDEs when we started: IntelliJ IDEA. They have improved and added support for multiple IDEs. We've integrated with more than 50,000 repositories. I think it's nearly 60,000.

Mend supports most of the common package managers, but it doesn't support some that we use. I would appreciate it if they can quickly make these changes to add new package managers when necessary.

I have been using Mend since I joined the company in 2019, but they have been using it for longer. 

I only experienced one brief outage where the scan wasn't happening.

The scalability is fairly good. Our usage increased dramatically from 3,000 reports to almost 60,000 reports, and we haven't had any issues. 

I rate Mend support eight out of ten. We have a shared channel with support on Slack. Their representatives are there to answer our questions or provide clarifications. If we have an issue, we can pose the question, and they respond. We can also create a ticket in their portal. The response time varies based on the severity of the ticket, but it's pretty normal to get a response within an hour. 

Positive

We had other solutions, like SAST scanning and Black Duck, but nothing offered this level of detail. The previous solutions were reactive and required a lot of manual work, whereas Mend proactively identifies vulnerabilities. The code is scanned immediately once it goes into the repository. 

Mend has the ability to control the release using the same data going into production or our test environments. That is what sets it apart from other tools. Other tools are emerging with similar capabilities, but when we picked it, it was one of the only tools that had the features we need. 

I am the product owner of Mend at this company, so I was responsible for setting it up and the GitHub integration process. The initial setup was straightforward, but we had to do a few steps to meet the company requirements. For example, we need to enable it through the proxy and allow it to reach external registries.

We needed to configure it to go through that path and then enable and deploy the necessary package managers. That took a little work in the beginning, but everything was good once that was all figured out.

We have a team of three engineers supporting it, but they're working on this solution full-time. We get releases every other week, so we need to ensure the enrollment is up to date. That deployment doesn't take much time because we build our dock images, and we need to enable multiple package managers. They give us the docker file that we build based on our needs. 

It takes a day to deploy all these components. We mainly need additional engineers to support our user community, providing answers or clarifications. Otherwise, it's just one person maybe supporting the platform. 

Mend ensured the correct data version is deployed. Other than that, it's the normal maintenance of supporting our end users. They may have questions about some fixes or suspected false positives, but we have very few false positives. 

We are seeing a return on investment because the code quality has improved, and it improved our reaction to the kinds of incidents that are happening outside the industry.

Pricing and licensing are comparable to other tools. When we started, it was less than our existing solution. I can't go into specifics, but it isn't cheap. 

We evaluated several tools and picked a shortlist of candidates that met our company's needs. Mend had broader package manager support, minimal false positives, automated remediation, and the GitHub integration. 

I rate Mend an eight out of ten. I deduct two points because you may not get coverage for all the package managers. But that's where your team needs to work with the vendor to get that supported. It is a collaborative effort to get more support based on your needs. The company was helpful and responsive,  so we were able to influence their roadmap to get some of these capabilities enabled for us.

They have been particularly helpful in getting support for Python package managers. We didn't have the file support and Conda package manager, but they stepped up and provided that capability. You need to have a little patience to evaluate and ensure all the tools meet your requirements. If you need anything, you have to work on getting that support.

Public Cloud

Amazon Web Services (AWS)

We are using Mend to detect and fix vulnerabilities in our products and we also use it to deliver security reports when we are releasing our products. 

Since we moved to Mend.io, a long time ago, everything has been fully automated and we are saving a lot of time. When it comes to MTTR, we are saving three to four weeks of work over the course of a year. We release our product multiple times a year and we have to check everything in terms of licensing, et cetera.

Mend also has a lot of automation, such as raising pull requests on your code to implement updates. That's a pretty significant gain for our company, not having to manage that anymore.

In addition, since we started using Mend.io, we have been able to deliver products without any high CVEs. For medium CVEs, it's up to the team developing the product if they want to remove all of them or only the critical issues. We have four or five products and Mend.io detects between 20 and 25 high CVEs per month. We solve them because the solution is detecting them.

What is very nice is that the product is very easy to set up. When you want to implement Mend.io, it just takes a few minutes to create your organization, create your products, and scan them. It's really convenient to have Mend scanning your products in less than one hour. 

They also have a lot of integrations with different Git providers, like GitHub, GitLab, and Bitbucket. 

It also has a nice tool we can use with the command line. We have continuous integration, and with the command line, we can scan everything without using the user interface. The command line is great. They have a lot of tools and plug-ins for your IDEs to automate scans. Using the command line, the Unified Agent, you can do a bunch of automated operations.

Thanks to the integration we put in place, it's super easy to identify and remediate open-source vulnerabilities, because on every commit of the software we trigger a Mend.io scan. We know, within five minutes, if the new version of the product is impacted by a CVE. If it is, we receive an email, an alert, so that the developers can fix the code. 

On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization.

They also need to provide customizable reports. As a customer, I would like to create my own reports by selecting the relevant columns and data and saving these reports. That way, people in our organization could go to the Mend UI and generate these reports. That feature is not available.

One other area where they could improve would be implementing a version number between the product and projects. In some tools, you can manage the version. Today, in Mend.io, I have to create one product for every version (such as 7.1, 7.2, and 7.3). Many are requesting that Mend provide a version number field.

The last issue is the UI. They have been trying to improve the UI for many years. It has been taking a long time. It would be really nice to have a nice, modern UI so that developers could say to their managers, "Wow, it's new, it's nice, it works well, and it's fast." 

We have been customers of Mend.io for almost seven years.

It's a stable solution. 

One year ago there were some issues due to some database problems. The SaaS application was not available for a few hours, over the course of a week. But it only happened one time since we started using them.

It's very scalable, because we are not doing a lot of scanning every day, maybe 200 per day, and we don't have any issues with the scan performance.

We have three departments using the solution. One team is using GitHub, another team is using Gitlab, and the third team uses Bitbucket and we have integration with these three Git providers. We are running pipelines in Jenkins, Codefresh, and GitLab CI/CD, and we scan the code in all three environments. We have people in France, the UK, the US, and Singapore, a total of 250 users.

The support is great but I haven't had to use them in a long time. But it's very efficient. I also have a nice customer support manager, so I know if I have an urgent ticket to open, I open it through the main support portal and then I can contact my CSM to ask him to work with me. A few hours or a day later, someone is working on my ticket.

Positive

Before Mend.io, we had a manual process. That means we were tracking all the licensees and copyrights manually. We also tried using an open-source tool to detect vulnerabilities and fix them, but it did not work very well. It was consuming a lot of time on my team.

The setup was very straightforward. It took only a few minutes to be able to scan the first project. Because we had 40 or 50 projects to scan, it took about a week to set up everything.

The deployment was done by me with some help from IT.

Because we are using the SaaS solution, we don't have to upgrade the main tools. Regarding the Unified Agent, we try to upgrade a few times a year so that we are using the latest version. Overall, the maintenance is very low. We don't spend much time on it.

In terms of resources, we are saving 15 percent of our time when remediating issues. And for our company, there is a big financial gain because people can work on multiple projects. And most importantly, we know we are not delivering products with high CVEs, which makes it safer for our customers. 

We were one of their biggest customers seven years ago, so we are paying a really good price. Over the last two years, they have tried to add more and more features to their license packages, but the price is a little bit high, comparatively. We are able to do a lot of things with the product, but I can see the price growing and growing and it may be a little bit too expensive now.

I really recommend Mend.io. It's a great company. Rami Sass is the CEO and you can ask him questions. They do everything to make their customers comfortable using their solutions.

We evaluated Black Duck and Snyk. We went with Mend, not because of pricing—we were willing to pay the right price for the right tool—nor for the features. It was for the ability to track all the copyrights when using an open-source dependency. That means we wanted all the copyrights for all the tools contributing to a given open-source dependency. Mend.io was the only tool that could do that.

Mend is a SaaS solution we use to make open source libraries for our products. It covers license usage, license type, and CVE vulnerabilities. We use Mend at our Belfast office, but a subsidiary in Norway also has access to it. There are 67 users at our company. About four are admins, and the rest are developers. 

When talking about security, improvement is hard to measure. We haven't had a security breach yet, and it's probably because we use products like Mend. We would know if it wasn't working. However, I can say that our security posture is excellent because we can address the vulnerabilities Mend reports.

It improved our mean time to resolution, but I can't give a precise figure. The primary benefit is that we no longer download vulnerable libraries. In the past, there wasn't a way to identify them. But based on the number of vulnerabilities in there (and we still have a lot of vulnerabilities in there) I would say it reduced the MTTR by around 70 percent. 

I would say it reduced the vulnerabilities in production by about 80 percent. When we have a release or run the script, it automatically picks up the vulnerabilities. 

Mend's integration with developer workflows is a massive part of our work. We use Visual Studio, and it integrates flawlessly with that. There is also a Chrome extension called Mend Advise that lets our team check libraries for vulnerabilities before they download and use them. It's a useful product.  

There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it.

Mend lets you create custom policies. They're not too complicated to set up, but it would be helpful if they had some preconfigured policies to match what we have in Azure DevOps. That would save us a lot of time. It's tedious to configure the policies manually, and I lack the capacity to do it right now. Other products have preconfigured packs and templates, and Mend doesn't.

Also, the dashboard is busy. It's a little bit over-engineered. There's a lot of information, and the layout could be a bit cleaner. Maybe they could reduce the amount of visibility on the dashboard.

I joined the company a year and a half ago, and the company began using Mend two years before that. 

Mend has never gone down on us.

It's scalable, considering the number of applications we have.

I rate Mend's support a nine out of ten. On the CVE main page, Mend points out the vulnerability and directs us to the remediation. If we're having a problem fixing it, they have a highly responsive help desk that we utilize quite a lot.

The support is great. It's highly responsive. If we open a ticket, we get a call in one or two days. Their chat option is excellent. When we look for more information, we always get a timely response. For example, when we faced a Log4j issue, they posted a lot of information and alerted us to a vulnerability in the library without us having to look at the tool. 

Positive

The company used Snyk before I was there. I think they switched for budgeting reasons.

We can see a return on investments because we have no security breaches, security costs, or GDPR issues. ROI is hard to calculate for security. You could spend time with fixes, but it's hard to say precisely how much you saved if you never have a breach. When we fix a vulnerability, we don't know what it would've cost us if it had been exploited. The return on investment is having a secure product.

Mend is costly but not overly expensive. The license was quite expensive this year, but we managed to negotiate the price down to the same as last year. At the same time, it's a good value. We're getting what we're paying for and still not using all the features. We could probably get more out of the tool and make it more valuable. At the moment, we don't have the capacity to do that.

The solution was there when I joined. During the license renewal process, we looked at other solutions, but none of them offered the level of integration we need. We will look at other solutions before the next renewal in December. The main factors are pricing and integration. Mend is the best solution for now.

I rate Mend an eight out of ten. If you're considering Mend, you should look at your integrations and see what's best suited. It's good having a dashboard, but you need to ensure it supports the tools you use. They tried to sell a SAST product but weren't mature enough for us to take that on board. 

If I were to give somebody advice, I would advise against the SAST solution because they're relatively new in the market. Try a demo first. The SAST solution is fast and does what we need it to do. However, you should ensure you're covered integration-wise.

Public Cloud

We use open-source libraries or software in projects across our company. We conducted an internal study regarding the legalities, security, vulnerabilities, and license compliance, which is when we decided to implement and deploy Mend. It automates the software composition analysis, which is vital when we want to use third-party and open-source software. 

We have a total of around 1000 projects running in Mend; some of those are being trialed and may be withdrawn, and others will go on to the production stage. We have between 300 and 400 end users, primarily integrators and fewer admins and approvers.

The tool is now a mandatory part of our organization to use as a benchmark, giving us a technical advantage. When we acquire other companies, we look to determine if Mend is applicable to them and bring them into our culture of using the solution where possible. We can leverage it for financial benefits when implemented and used to scan on the technical front. We consider Mend a permanent integration with our company for the foreseeable future, so we decided to reinvest in the solution by renewing our contract twice up to this point.

I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow.

The solution is also highly valuable to our Intellectual Property Councils, because as a company that uses open-source software, we need to be aware of intellectual properties, code violations, and adherence to our regulations when we include such software. There are, of course, areas for improvement, but it has become mandatory within our organization to run scans using Mend as part of our workflows.

We don't always use WhiteSource SmartFix, and that depends on the recommendations provided by the solution's analysis. On occasion, we have challenged those recommendations, so for us, the software is not entirely a decision-making tool but a tool that assists us in making decisions. Therefore, there is still a human component in the process, and there is always an admin or approver to accept or reject the recommendation. There have been instances where smart fixes were challenged due to a lack of compatibility with project requirements. For example, the solution recommends a version of PostgreSQL, but the decision is made on the product level to go with a different version because it has better integration with the specific product requirements. However, I would say that SmartFix increases our decision-making effectiveness and successfully alerts us. As a leading lighting company, some product decisions must adhere to strict requirements, which require human involvement in the decision-making process.

Initially, the product didn't save us time but required us to spend more time. Many of our processes require a manual component, so we can't entirely rely on automated processes. Therefore, when we run Mend scans on our projects, around 60% of the software development life cycle is sped up, while the remaining 40% requires human intervention. Per our IP Councils, automation does not help us beyond a certain point, and manual intervention is required. If 60% of a project can be streamlined via automation, that certainly saves us time. 

I would say that Mend certainly helps us detect and reduce vulnerabilities. We bring in the solution at the very beginning of a project, so we build early and often and detect vulnerabilities early. This is a significant contributor to our projects' success. 

Integration using the unified agent and other methodologies has been at the forefront of our deployment. The plugins have been merged into the unified agent approach. The integration methodologies have worked wonders for our CICD pipelines and workflows, and each project team can decide whether to run scans pre or post-build.  

We have been looking at how we could improve the automation to human involvement ratio from 60:40 to 70:30, or even potentially 80:20, as there is room for improvement here. We are discussing this internally and with Mend; they are very accommodating to us. We think they openly receive our feedback and do their best to implement our thoughts into the roadmap.

I consider scan reports to be another area for improvement, but this is also an area of improvement for user management on our end. We need to train end users on how to deal with alerts and the best approach to take for new projects.

We have weekly meetings with Mend and encourage all users who integrate the solution into their product life cycle to attend. This has been very useful, as these technical meetings assist our staff in the best use practices and improving their interpretation of reports, which allows us to leverage the product to our greatest advantage. We are also able to ask for solutions adaptations to suit our requirements, as we produce hardware as a company, not virtual products. 

We have been using the solution for almost five years. 

The solution is highly stable; we had downtime on one occasion for two hours, which was scheduled. Aside from that, I haven't seen any downtime or performance issues, so in terms of stability, I rate the product very highly because we can depend on it.

The solution is scalable, and scalability is vital for such an integral piece of software. Software development scenarios can change fast, requiring support for new languages and apps, so we constantly learn and communicate with Mend to fulfil our fluid requirements and adapt to changes within our environment.

I'm delighted with the technical support, especially as someone involved in the deployment. Technical support has been highly responsive to bugs or errors, helping us mitigate or fix them quickly. It was easy to interpret their technical guidance, which made my job much more manageable. I'm very satisfied and would rate them highly.

Positive

We did not use any other solution.

The deployment was mixed; there's always a window in which we are required to adapt to a tool. This solution isn't an out-of-the-box kind of model. There was some fine-tuning involved in the deployment according to our needs and specific projects, which is expected but somewhat challenging nonetheless. 

The key staff involved in the deployment included me as the deployment manager, a customer success manager from Mend, a leading member of our IP Council, and the security advisers for each product. Once the deployment strategy is decided, the IP Council and security team take a back seat, and I work closely with the product architects moving forward. Deployment, fine-tuning, and getting the scans up and running takes two to two and a half days maximum per product. Ultimately, five or six key staff are involved in the solution's deployment, configuration, and maintenance. 

We have seen an ROI for our projects, and our project managers are happy. This could still be improved, however.

We always negotiate for the best price possible, and as far as I know, Mend has done an excellent job with their pricing. Our management is happy with the pricing, which has led to renewals.

We evaluated Black Duck, but it has several limitations that drove us toward choosing Mend. Black Duck is very expensive, and we require a SaaS solution to ensure the privacy of our source code, and they couldn't provide that. Therefore, our team decided to choose the more affordable and secure product.

I would rate the solution a nine out of ten. 

As a deployment admin, I would say the solution is straightforward to deploy, and deployment is simply the beginning of the process. Then comes the discipline of running scans along the life cycle of a project and deciding to accept or ignore the yielded alerts. This isn't a daily process, but it's an integral part of every project's workflow, and we have successfully made this an embedded part of our product development. Over time, our users have realized the advantages of using this software and appreciate the deployment.

Our staff must be open to change, especially when adapting to alerts and violations yielded by scans. Every scanned report has its interpretations and challenges, which is where input from the Intellectual Property team and Mend's technical team comes in. They support us throughout the product development process and help us calibrate our interpretations of reports. This gives us a clear picture of whether we are legally and technically conforming to our project and company requirements. 

I'm a deployment manager, so I don't know if the merge confidence feature is used, as I'm not involved in projects throughout the entire development cycle. Some teams may be using it, but I can't say with confidence.

We use the SaaS version of the solution, which provides full compliance when it comes to privacy. At no point can Mend view our source code, and we have a complete legal understanding with them.

We currently don't use any other products in conjunction with the SCA product because we are at the beginning of our exposure to these tools. We are in the process of evaluating the tools, and we have a relatively elaborate process. It's also essential to consider different tools fairly by comparing like with like and having consistent parameters for comparison. That process can take some time and requires some patience. These kinds of evaluations should not be rushed, and it's okay to take weeks or even months to determine if a new tool can be a commercial and technical success within an organization.