Buyer's Guide
Application Security Tools
October 2022
Get our free report covering Qualys, Invicti, PortSwigger, and other competitors of Web Application Scanning. Updated: October 2022.
634,590 professionals have used our research since 2012.


Kevin Dsouza - PeerSpot reviewer
Intramural Official at Northeastern University
Real User
Top 20
Easy to set up with vulnerability analysis and is reliable
Pros and Cons
  • "The vulnerability analysis is the best aspect of the solution."
  • "The only thing that I don't find support for on Mend Prioritize is C++."

What is our primary use case?

We use Mend especially for code analysis. I work in the application security part of my company. Developers will build and push the code to the GitHub repository. We have a build server that pulls in the code, and we are using Jenkins to automate that to do the DevOps stuff.

Once the code is built, we create a product for that particular version on Mend. We are currently working with three different versions for our particular product. We have the products created on Mend via White Source, which has a configuration file and a batch file that runs. The configuration file basically tells it what parameters to use, which server URL to use, which files to ignore, and which files to use.

For example, if I just have to do Python, I can make changes in the configuration files in Excel to include just .py files and exclude all of the other files. If I have to do Python and C++, I can make changes in the configuration file itself to include .py and .C++ files and exclude all of the others. Once that configuration file is ready, we run a White Source batch file that just connects to the server, reads the configuration file as well, does the scan on all the files that are there in the project, the project being for, and then pushes it to Mend, our Mend page.

On our Mend page, once we go into the product page, we can see what libraries have been used by us and which have vulnerabilities. We also can set policies on Mend. We set some policies for our organization to accept and reject. For each product, we also get the policy violations that the libraries go through and any new versions of any libraries that are available on that library's parent page, the parent page being the official developers of the library. We can get the new versions as well. We get the licenses we use with the library, and most importantly, we get vulnerability alerts regarding every library we use in our code.

Once the code is pulled, scanned, and pushed, we get the UI. We go to the library alerts. Once we go to the library alerts, we can see the different severities and the different libraries with vulnerabilities. We normally just sort according to higher severity first and go down to lower severity. We check what can be ignored or what is acceptable and what cannot be ignored, and what is of high priority. Ones that are a high priority, we flag and create a ticket on JIRA. That's our platform for collaboration.

Once we create a ticket in JIRA, the developers can see it, the QA team can see it, and they will go through that as well. They can tell if the update or the upgrade of the library is possible or not. They'll check its compatibility and see if it's actually doable or not. If it's not doable, they'll just tell us it's not doable, and probably our next version of the application will have the changes, not this one. We term that as acceptable or within our domains of acceptance. However, daily, if a JIRA ticket is created, the developers get back to us saying yes or no. Mostly they say yes to upgrading the library. If it's upgraded, they upgrade it to the next version. We scan it again. We do a weekly scan. We'll just check the next week if that particular library is upgraded and the vulnerability has been remediated.

What is most valuable?

The vulnerability analysis is the best aspect of the solution. It’s my main go-to.

We can't do static code analysis ourselves; it's manual. That's a lot of manual tasks to handle. It's close to impossible to do that. That was a lot for static code analysis of our projects, alerting on vulnerabilities whenever it's possible. Whenever there's a vulnerability available, Mend does that. Its vulnerability analysis is a report as well, with how many high vulnerabilities, how many medium, how many lows we got, and how many are accepted or how many are without any vulnerabilities, basically.

I see a lot of it is pretty good and has a high level of trust.

It’s stable and easy to set up.

What needs improvement?

All applications in the world that are created have room for improvement.

Within Mend itself, there’s Mend Prioritize, which prioritizes the vulnerability automatically by itself with relevance to our application. Mend Prioritize has support for five or six languages right now, including JavaScript, C, and C#. The only thing that I don't find support for on Mend Prioritize is C++, which they'll be working on since the product is under development. Once that's done, we can also add it into Mend Prioritize for our weekly scans, which will help us with our analysis and efforts for remediation.

It's everything we need right now. There's nothing as such that’s out of the world that they should do. We use it just for one thing and focus on that. Therefore, they should not do anything else. We're fine with it as it is.

For how long have I used the solution?

I've been using Mend for six months now.

What do I think about the stability of the solution?

It’s quite stable. There are no bugs or glitches. It doesn’t crash or freeze. A lot of infrastructure is dependent on Mend right now, and it's not disappointing.

What do I think about the scalability of the solution?

It is a pretty scalable product.

The application security team uses it. That’s four people using it regularly.

We are using everything that it does. Mend does a lot of things. It does SAST, SCA, and it does DAST as well. We are using just the SCA module of it, which we need, and we are using the SCA module to its fullest. I hope we're doing the most efficient deployment of it.

How are customer service and support?

We’ve used technical support in the past. We had some issues with One RPM last month. That was sorted quickly.


Which solution did I use previously and why did I switch?

We did not previously use any different solution prior to Mend.

We did look at other solutions. There was Veracode that we tried and Tenable. There was Qualys as well. However, we chose Mend, and we have had a license for three years right now.

How was the initial setup?

The initial setup was pretty easy.

The deployment didn’t take long. Within a day or two, it was done.

There's no maintenance and deployment of Mend as such.

What about the implementation team?

We have a license, so once the license was set up, once the server was set up, after that, we rolled it out by ourselves.

What was our ROI?

We’ve seen a terrific ROI. I’d rate the solution a 4.5 out of five in terms of delivering us ROI.

What's my experience with pricing, setup cost, and licensing?

I don’t have any information in regards to pricing.

What other advice do I have?

I would advise potential users to go through the documentation extensively. The documentation is pretty extensive. It's easy to miss some points in the initial setup itself. If the initial setup's gone wrong, it is difficult to debug it once the infrastructure is up. Therefore, start slow. If the deployment is done correctly, it's only a matter of two files after that for each project that you scan.

I’d rate the solution a nine out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
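The weekly triage loop the reviewer describes (sort library alerts by severity, ticket the high ones, accept the rest for now, then check on the next scan whether a ticketed library was actually upgraded) as a small added Python example; this is not the reviewer's or Mend's code, and the alert records, library names and versions are constructed, with a hypothetical ticket-line format.

```python
from dataclasses import dataclass
from typing import Optional

# Ordering used when sorting alerts "higher severity first".
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Alert:
    library: str
    version: str
    severity: str               # "high", "medium" or "low"
    fix_version: Optional[str]  # newer upstream release, if the SCA tool found one


def sort_by_severity(alerts):
    """Highest severity first; ties keep scan order (stable sort)."""
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a.severity], reverse=True)


def triage(alerts, ticket_threshold="high"):
    """Split alerts into those that get a tracker ticket and those accepted for now."""
    cutoff = SEVERITY_RANK[ticket_threshold]
    ticket, accepted = [], []
    for a in sort_by_severity(alerts):
        (ticket if SEVERITY_RANK[a.severity] >= cutoff else accepted).append(a)
    return ticket, accepted


def ticket_summary(alert):
    """One-line ticket title (hypothetical format, not a JIRA or Mend convention)."""
    fix = f"upgrade to {alert.fix_version}" if alert.fix_version else "no fixed release yet"
    return f"[{alert.severity.upper()}] {alert.library} {alert.version}: {fix}"


def remediation_status(ticketed, next_scan):
    """After the next weekly scan, mark each ticketed library as open or remediated.

    A library counts as remediated only if the exact vulnerable version no longer
    appears in the new scan; a still-present pin means the upgrade did not land."""
    still_present = {(a.library, a.version) for a in next_scan}
    return {a.library: ("open" if (a.library, a.version) in still_present else "remediated")
            for a in ticketed}


# Constructed sample scans (not real Mend output).
WEEK1 = [Alert("lib-a", "1.0.0", "high", "1.0.4"), Alert("lib-b", "2.3.0", "medium", "2.4.0"),
         Alert("lib-c", "0.9.1", "high", "0.9.2"), Alert("lib-d", "5.1", "low", None)]
WEEK2 = [Alert("lib-b", "2.3.0", "medium", "2.4.0"), Alert("lib-c", "0.9.1", "high", "0.9.2")]
```

With the constructed data, lib-a and lib-c get tickets, lib-b and lib-d are accepted, and the second scan shows lib-a remediated while lib-c is still open.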