Being in the industry of security plus AI, I actually specialize in AI and have written a few books on AI available on Amazon, so I am very cautious about AI, especially anything that includes AI, particularly security tools. As for AI and other features, AI is a gray area and no tool in the industry is anything good in AI currently. They are evolving and it will probably take five to maybe ten years to be very good in AI. AI is an upcoming area; it is not even stabilized and is an evolutionary area. So anything we want to use, whether it is SCA, SAST, DAST, IAST, or any tool, we have to be very careful with AI. The documentation is huge and awesome; it's huge. Since it is a huge Wikipedia, some links might be a little outdated; what they do is point to the new location, and sometimes that new location becomes confusing because it auto-redirects. If we had to refer to some old documentation and we want to just for cross-references to what we had done, then the old links are not available because it redirects to the new location. I think that's the usual case with any other tool because even Synopsys had a similar thing where they had huge documentation, and whatever updates were there, they used to redirect those pages. Overall, I cannot give a 10 to any tool in the market because no tool would be perfect. Except for the AI part, which I am very sensitive to in any tool in the market, otherwise, I would give a rating of nine; it is a very good tool to use. I have provided a rating of 9 for this review.
I am still using Mend.io. I am not sure about the process for purchasing that solution through the AWS marketplace or directly from Mend.io. I cannot take too much time for questions about Mend.io to update my previous review. I will continue with Mend.io because I plan to use additional tools, but I am not going to replace Mend.io. I rate Mend.io an eight out of ten.
Mend.io is highly recommended for organizations looking to implement Software Composition Analysis (SCA), as it stands out as a top choice with a 100% accuracy rate in vulnerability detection in our case and experience being among the largest scale of implementation; although we understand every customer scenario and experience may vary. While no tool can claim to be flawless, for us Mend.io has consistently delivered reliable results, and I would rate the solution aat 9/10. This rating reflects my belief in its effectiveness while acknowledging that there is always room for continuous development and improvement in any software solution. Moreover, the incorporation of artificial intelligence (AI) into code security tools like Mend.io is still in its early stages. Although many vendors tout advanced AI functionalities, it may take several more years for these features to reach a level of maturity and stability that organizations can fully rely on. We recognize the practical realities involved within the software development lifecycle (SDLC) and the cultural dynamics within development teams, which often influence how effectively these AI features can be integrated and utilized. As organizations consider adopting Mend.io, it's essential to keep in mind that while it offers powerful capabilities for SCA, ongoing advancements in technology will continue to shape the landscape of code security tools. Companies should remain open to evolving their strategies as new features and improvements become available. Additionally, engaging with the vendor for insights into their roadmap can provide valuable context on how future developments may enhance the tool's effectiveness. In a nutshell, in my opinion, Mend.io is a strong contender for those seeking an effective SCA solution, particularly given its high accuracy and user-friendly setup. However, organizations should also be mindful of the evolving nature of AI in this space and remain adaptable to changes that could enhance their security posture over time. If anyone has a need of an experienced and professional consultation, they can reach out to me.
Mend SCA is better than Mend SAST. They are a market leader in SCA. The adoption of Mend SCA and the scanning of Mend SCA are pretty good. It is one of the best solutions for SCA. It was already deployed for at least six months before I got this tool. At one point, I saw WhiteSource's name on the Microsoft website as a critical solution for open-source scanning, which made me think that this solution must be good if Microsoft mentioned it on its website. Its adoption was very slow in the beginning. Three years ago, there was no awareness of using this solution, so we had to tell the team about what the solution is for, what are its advantages, how it impacts their product, and so on. The adoption is good now, and people know exactly what it is being used for. They know the types of vulnerabilities that are there. They know the types of features that are there. Earlier, they used to go through me for any support program, but now they are directly raising tickets depending on the priority of the ticket and then directly communicating with my support representative to fix them. The initial one and a half years were difficult. We are also using Mend SAST. They have a variety of different application security solutions in addition to SCA. These solutions are complementary. When you use solutions from different vendors, more diversity can lead to problems. When you have a Mend solution for SCA and a Mend solution for SAST, they are complementary, so the results of those scans would be far more helpful than having different vendors at each and every level. Diversification is good to a certain extent, but if you diversify too much, you might get a lot of false positives. Overall, I would rate Mend SCA a 10 out of 10. It is definitely one of the best ones in the market.
I rate Mend an eight out of ten. If you're considering Mend, you should look at your integrations and see what's best suited. It's good having a dashboard, but you need to ensure it supports the tools you use. They tried to sell a SAST product but weren't mature enough for us to take that on board. If I were to give somebody advice, I would advise against the SAST solution because they're relatively new in the market. Try a demo first. The SAST solution is fast and does what we need it to do. However, you should ensure you're covered integration-wise.
IT Service Manager at a wholesaler/distributor with 51-200 employees
Real User
Jul 17, 2022
I would rate the solution a nine out of ten. As a deployment admin, I would say the solution is straightforward to deploy, and deployment is simply the beginning of the process. Then comes the discipline of running scans along the life cycle of a project and deciding to accept or ignore the yielded alerts. This isn't a daily process, but it's an integral part of every project's workflow, and we have successfully made this an embedded part of our product development. Over time, our users have realized the advantages of using this software and appreciate the deployment. Our staff must be open to change, especially when adapting to alerts and violations yielded by scans. Every scanned report has its interpretations and challenges, which is where input from the Intellectual Property team and Mend's technical team comes in. They support us throughout the product development process and help us calibrate our interpretations of reports. This gives us a clear picture of whether we are legally and technically conforming to our project and company requirements. I'm a deployment manager, so I don't know if the merge confidence feature is used, as I'm not involved in projects throughout the entire development cycle. Some teams may be using it, but I can't say with confidence. We use the SaaS version of the solution, which provides full compliance when it comes to privacy. At no point can Mend view our source code, and we have a complete legal understanding with them. We currently don't use any other products in conjunction with the SCA product because we are at the beginning of our exposure to these tools. We are in the process of evaluating the tools, and we have a relatively elaborate process. It's also essential to consider different tools fairly by comparing like with like and having consistent parameters for comparison. That process can take some time and requires some patience. These kinds of evaluations should not be rushed, and it's okay to take weeks or even months to determine if a new tool can be a commercial and technical success within an organization.
Intramural OfficialIntramural at Northeastern University
Real User
Jul 6, 2022
I would advise potential users to go through the documentation extensively. The documentation is pretty extensive. It's easy to miss some points in the initial setup itself. If the initial setup's gone wrong, it is difficult to debug it once the infrastructure is up. Therefore, start slow. If the deployment is done correctly, it's only a matter of two files after that for each project that you scan. I’d rate the solution a nine out of ten.
My advice would be to get ready for implementation by preparing the right structure. Before implementing this tool, you should define the company policy and processes and get accurate training. This creates trust between the developer and the newly-implemented tool. For instance, when there is a violation of a policy, you need to understand why it happened. You should not try to bypass that just because it would fail the build. Developers' trust is the most important thing. So, you should plan ahead with a clear management program for open-source involving all key holders. Implementation of such a tool requires collaboration. It is not the job of just the development team or the head of security. It is supposed to be a joint effort of the entire development group in a company. I would rate WhiteSource a nine out of ten.
Head of Software Engineering at a legal firm with 1,001-5,000 employees
Real User
May 10, 2022
We do not use the Merge Confidence feature. We also don't use WhiteSource Smart Fix. We might use it in the future, however, it depends on how our teams are doing their co-branching as I would need to give it a try first to see if it works in all scenarios. It's similar to GitHub's Dependabot and it would be interesting to explore. In terms of using WhiteSource products in conjunction with their SCA product, we've just signed an order on their FaaS one. That will add forty contributing developers. I did a trial with it and I'm looking forward to using that. The FaaS is very timely. We used a tool that Microsoft deprecated, and we were without a SaaS solution, and even the solution we had with Microsoft wasn't really the best one. It was great that this came along at the right time. While we could have gone to another manufacturer for that, it made sense to stick with WhiteSource due to the promise of that integration with SCA and SaaS. I have not looked at the IAC, or the infrastructure as a code. I suspect it may not cover our use case. We use Bicep, so we do not use Terraform or anything similar. From what I've seen on the market, very few support Bicep at the moment, and Bicep is Microsoft's more elaborate version of their arm templates. It's fairly new. That's why there are not many products on the market. However, if this was something they were to support, I’d be interested. I'd rate the solution seven out of ten. I know there are more improvements coming, however, there are more improvements needed in terms of the usability of the product. Even items like a mobile-friendly version of it. At the moment it's a fairly old-fashioned website that doesn't work well on other devices and it's generally a bit clunky to use. That said, in terms of reporting vulnerabilities, it's very good.
When people start looking at solutions that are available for open source, static code analysis, container scanning, and infrastructure as a code, there are many solutions. Many companies have productized these different services into different solutions, but when they sell them they combine everything into one platform. This can be extremely expensive and confusing. In the beginning, it all starts looking like they're all interdependent and buy and use all of them to be able to make them work, which is not the case. Finalize your use cases, what exactly you need a solution for, before even starting your evaluation. For example, our primary use case was open source and open source alone. When we started looking at the solutions, the companies threw at us things that we did not need, and we were confused at some stages. We did not give up and continued our POCs and went into more detail on the solutions that the vendors are offering. In some cases, we didn't have the ability to evaluate some of the solutions they were providing, because we did not want them. We did not have the solution's codebases. For example, to evaluate some of the features, it's extremely important to discuss internally and make sure your use cases are before starting the evaluation of the solution. During the evaluation, stick to only the solutions or part of the solution that the vendors are providing that satisfies your use cases. Do not go beyond it and pay for something that you will not use once you buy them. It's confusing once you start the trials unless you have not done the background work or homework, you may end up buying things that you don't need at expensive prices. I rate WhiteSource an eight out of ten.
I would recommend using WhiteSource. It has an edge over other tools in the market and is a faster solution. WhiteSource is easy to integrate with the CICD pipeline and runs standalone scans as it is a SaaS deployment. Integration of this solution does not require much time or knowledge. I would rate this solution a nine out of ten.
FOSS Coordinator at a manufacturing company with 5,001-10,000 employees
Real User
Jul 1, 2021
The solution is only cloud-based, not on-premises. It is user-friendly. There are around 50 people currently using it in our organization. I rate WhiteSource as an eight out of ten.
Business Process Analyst at a financial services firm with 1,001-5,000 employees
Real User
Feb 22, 2021
I would rate WhiteSource a three out of ten considering the fact that we couldn't use it while we were paying for it. It had good features, but we couldn't use it.
Project Manager at a wellness & fitness company with 11-50 employees
Real User
Jan 6, 2020
I believe we’re still in a stage where we’re trying to gain all the benefits of the solution and understand what features can be maximized. The product is simple on one hand as it's so easy to use, run and get insights from, but on the other hand, it offers so much that it’s hard to fully grasp all its capabilities. I’m not sure I have the best knowledge so far to recommend features and capabilities since this is very new to us. Currently, we’re happy to have something that addresses our needs.
Co Founder at a consumer goods company with 11-50 employees
Real User
Dec 31, 2019
The good thing is that their product just keeps getting better. They are very attentive to their customers. All in all, if you care about security, this product is a must. We all love open source, but I was always afraid of the headache in handling all the licensing/updates/vulnerabilities. The peace of mind we have now is a total game-changer.
For anybody who is researching this type of solution, my suggestion is to try them first. We tried quite a few of the various toolings available, and some of them are just not workable. They're very different on paper, so you have to use them to really compare them. I would rate this solution a seven out of ten.
Mend.io is a software composition analysis tool that secures what developers create. The solution provides an automated reduction of the software attack surface, reduces developer burdens, and accelerates app delivery. Mend.io provides open-source analysis with its in-house and other multiple sources of software vulnerabilities. In addition, the solution offers license and policy violation alerts, has great pipeline integration, and, since it is a SaaS (software as a service), it doesn’t...
Being in the industry of security plus AI, I actually specialize in AI and have written a few books on AI available on Amazon, so I am very cautious about AI, especially anything that includes AI, particularly security tools. As for AI and other features, AI is a gray area and no tool in the industry is anything good in AI currently. They are evolving and it will probably take five to maybe ten years to be very good in AI. AI is an upcoming area; it is not even stabilized and is an evolutionary area. So anything we want to use, whether it is SCA, SAST, DAST, IAST, or any tool, we have to be very careful with AI. The documentation is huge and awesome; it's huge. Since it is a huge Wikipedia, some links might be a little outdated; what they do is point to the new location, and sometimes that new location becomes confusing because it auto-redirects. If we had to refer to some old documentation and we want to just for cross-references to what we had done, then the old links are not available because it redirects to the new location. I think that's the usual case with any other tool because even Synopsys had a similar thing where they had huge documentation, and whatever updates were there, they used to redirect those pages. Overall, I cannot give a 10 to any tool in the market because no tool would be perfect. Except for the AI part, which I am very sensitive to in any tool in the market, otherwise, I would give a rating of nine; it is a very good tool to use. I have provided a rating of 9 for this review.
I am still using Mend.io. I am not sure about the process for purchasing that solution through the AWS marketplace or directly from Mend.io. I cannot take too much time for questions about Mend.io to update my previous review. I will continue with Mend.io because I plan to use additional tools, but I am not going to replace Mend.io. I rate Mend.io an eight out of ten.
I never got an opportunity to provide more detailed advice. I would rate Mend.io 8.5 out of 10.
Mend.io is highly recommended for organizations looking to implement Software Composition Analysis (SCA), as it stands out as a top choice with a 100% accuracy rate in vulnerability detection in our case and experience being among the largest scale of implementation; although we understand every customer scenario and experience may vary. While no tool can claim to be flawless, for us Mend.io has consistently delivered reliable results, and I would rate the solution aat 9/10. This rating reflects my belief in its effectiveness while acknowledging that there is always room for continuous development and improvement in any software solution. Moreover, the incorporation of artificial intelligence (AI) into code security tools like Mend.io is still in its early stages. Although many vendors tout advanced AI functionalities, it may take several more years for these features to reach a level of maturity and stability that organizations can fully rely on. We recognize the practical realities involved within the software development lifecycle (SDLC) and the cultural dynamics within development teams, which often influence how effectively these AI features can be integrated and utilized. As organizations consider adopting Mend.io, it's essential to keep in mind that while it offers powerful capabilities for SCA, ongoing advancements in technology will continue to shape the landscape of code security tools. Companies should remain open to evolving their strategies as new features and improvements become available. Additionally, engaging with the vendor for insights into their roadmap can provide valuable context on how future developments may enhance the tool's effectiveness. In a nutshell, in my opinion, Mend.io is a strong contender for those seeking an effective SCA solution, particularly given its high accuracy and user-friendly setup. However, organizations should also be mindful of the evolving nature of AI in this space and remain adaptable to changes that could enhance their security posture over time. If anyone has a need of an experienced and professional consultation, they can reach out to me.
Mend SCA is better than Mend SAST. They are a market leader in SCA. The adoption of Mend SCA and the scanning of Mend SCA are pretty good. It is one of the best solutions for SCA. It was already deployed for at least six months before I got this tool. At one point, I saw WhiteSource's name on the Microsoft website as a critical solution for open-source scanning, which made me think that this solution must be good if Microsoft mentioned it on its website. Its adoption was very slow in the beginning. Three years ago, there was no awareness of using this solution, so we had to tell the team about what the solution is for, what are its advantages, how it impacts their product, and so on. The adoption is good now, and people know exactly what it is being used for. They know the types of vulnerabilities that are there. They know the types of features that are there. Earlier, they used to go through me for any support program, but now they are directly raising tickets depending on the priority of the ticket and then directly communicating with my support representative to fix them. The initial one and a half years were difficult. We are also using Mend SAST. They have a variety of different application security solutions in addition to SCA. These solutions are complementary. When you use solutions from different vendors, more diversity can lead to problems. When you have a Mend solution for SCA and a Mend solution for SAST, they are complementary, so the results of those scans would be far more helpful than having different vendors at each and every level. Diversification is good to a certain extent, but if you diversify too much, you might get a lot of false positives. Overall, I would rate Mend SCA a 10 out of 10. It is definitely one of the best ones in the market.
I rate Mend an eight out of ten. If you're considering Mend, you should look at your integrations and see what's best suited. It's good having a dashboard, but you need to ensure it supports the tools you use. They tried to sell a SAST product but weren't mature enough for us to take that on board. If I were to give somebody advice, I would advise against the SAST solution because they're relatively new in the market. Try a demo first. The SAST solution is fast and does what we need it to do. However, you should ensure you're covered integration-wise.
I would rate the solution a nine out of ten. As a deployment admin, I would say the solution is straightforward to deploy, and deployment is simply the beginning of the process. Then comes the discipline of running scans along the life cycle of a project and deciding to accept or ignore the yielded alerts. This isn't a daily process, but it's an integral part of every project's workflow, and we have successfully made this an embedded part of our product development. Over time, our users have realized the advantages of using this software and appreciate the deployment. Our staff must be open to change, especially when adapting to alerts and violations yielded by scans. Every scanned report has its interpretations and challenges, which is where input from the Intellectual Property team and Mend's technical team comes in. They support us throughout the product development process and help us calibrate our interpretations of reports. This gives us a clear picture of whether we are legally and technically conforming to our project and company requirements. I'm a deployment manager, so I don't know if the merge confidence feature is used, as I'm not involved in projects throughout the entire development cycle. Some teams may be using it, but I can't say with confidence. We use the SaaS version of the solution, which provides full compliance when it comes to privacy. At no point can Mend view our source code, and we have a complete legal understanding with them. We currently don't use any other products in conjunction with the SCA product because we are at the beginning of our exposure to these tools. We are in the process of evaluating the tools, and we have a relatively elaborate process. It's also essential to consider different tools fairly by comparing like with like and having consistent parameters for comparison. That process can take some time and requires some patience. These kinds of evaluations should not be rushed, and it's okay to take weeks or even months to determine if a new tool can be a commercial and technical success within an organization.
I would advise potential users to go through the documentation extensively. The documentation is pretty extensive. It's easy to miss some points in the initial setup itself. If the initial setup's gone wrong, it is difficult to debug it once the infrastructure is up. Therefore, start slow. If the deployment is done correctly, it's only a matter of two files after that for each project that you scan. I’d rate the solution a nine out of ten.
My advice would be to get ready for implementation by preparing the right structure. Before implementing this tool, you should define the company policy and processes and get accurate training. This creates trust between the developer and the newly-implemented tool. For instance, when there is a violation of a policy, you need to understand why it happened. You should not try to bypass that just because it would fail the build. Developers' trust is the most important thing. So, you should plan ahead with a clear management program for open-source involving all key holders. Implementation of such a tool requires collaboration. It is not the job of just the development team or the head of security. It is supposed to be a joint effort of the entire development group in a company. I would rate WhiteSource a nine out of ten.
I rate WhiteSource a seven out of ten.
We do not use the Merge Confidence feature. We also don't use WhiteSource Smart Fix. We might use it in the future, however, it depends on how our teams are doing their co-branching as I would need to give it a try first to see if it works in all scenarios. It's similar to GitHub's Dependabot and it would be interesting to explore. In terms of using WhiteSource products in conjunction with their SCA product, we've just signed an order on their FaaS one. That will add forty contributing developers. I did a trial with it and I'm looking forward to using that. The FaaS is very timely. We used a tool that Microsoft deprecated, and we were without a SaaS solution, and even the solution we had with Microsoft wasn't really the best one. It was great that this came along at the right time. While we could have gone to another manufacturer for that, it made sense to stick with WhiteSource due to the promise of that integration with SCA and SaaS. I have not looked at the IAC, or the infrastructure as a code. I suspect it may not cover our use case. We use Bicep, so we do not use Terraform or anything similar. From what I've seen on the market, very few support Bicep at the moment, and Bicep is Microsoft's more elaborate version of their arm templates. It's fairly new. That's why there are not many products on the market. However, if this was something they were to support, I’d be interested. I'd rate the solution seven out of ten. I know there are more improvements coming, however, there are more improvements needed in terms of the usability of the product. Even items like a mobile-friendly version of it. At the moment it's a fairly old-fashioned website that doesn't work well on other devices and it's generally a bit clunky to use. That said, in terms of reporting vulnerabilities, it's very good.
When people start looking at solutions that are available for open source, static code analysis, container scanning, and infrastructure as a code, there are many solutions. Many companies have productized these different services into different solutions, but when they sell them they combine everything into one platform. This can be extremely expensive and confusing. In the beginning, it all starts looking like they're all interdependent and buy and use all of them to be able to make them work, which is not the case. Finalize your use cases, what exactly you need a solution for, before even starting your evaluation. For example, our primary use case was open source and open source alone. When we started looking at the solutions, the companies threw at us things that we did not need, and we were confused at some stages. We did not give up and continued our POCs and went into more detail on the solutions that the vendors are offering. In some cases, we didn't have the ability to evaluate some of the solutions they were providing, because we did not want them. We did not have the solution's codebases. For example, to evaluate some of the features, it's extremely important to discuss internally and make sure your use cases are before starting the evaluation of the solution. During the evaluation, stick to only the solutions or part of the solution that the vendors are providing that satisfies your use cases. Do not go beyond it and pay for something that you will not use once you buy them. It's confusing once you start the trials unless you have not done the background work or homework, you may end up buying things that you don't need at expensive prices. I rate WhiteSource an eight out of ten.
I would recommend using WhiteSource. It has an edge over other tools in the market and is a faster solution. WhiteSource is easy to integrate with the CICD pipeline and runs standalone scans as it is a SaaS deployment. Integration of this solution does not require much time or knowledge. I would rate this solution a nine out of ten.
I rate Whitesource as an eight out of ten.
The solution is only cloud-based, not on-premises. It is user-friendly. There are around 50 people currently using it in our organization. I rate WhiteSource as an eight out of ten.
I would rate WhiteSource a three out of ten considering the fact that we couldn't use it while we were paying for it. It had good features, but we couldn't use it.
I would rate WhiteSource a nine out of ten. It is a good product.
Improve the UI please... developers cannot find themselves in this dashboard.
I believe we’re still in a stage where we’re trying to gain all the benefits of the solution and understand what features can be maximized. The product is simple on one hand as it's so easy to use, run and get insights from, but on the other hand, it offers so much that it’s hard to fully grasp all its capabilities. I’m not sure I have the best knowledge so far to recommend features and capabilities since this is very new to us. Currently, we’re happy to have something that addresses our needs.
The good thing is that their product just keeps getting better. They are very attentive to their customers. All in all, if you care about security, this product is a must. We all love open source, but I was always afraid of the headache in handling all the licensing/updates/vulnerabilities. The peace of mind we have now is a total game-changer.
Overall, this is a great product.
For anybody who is researching this type of solution, my suggestion is to try them first. We tried quite a few of the various toolings available, and some of them are just not workable. They're very different on paper, so you have to use them to really compare them. I would rate this solution a seven out of ten.