
What advice do you have for others considering Mend.io?

Julia Miller - PeerSpot reviewer

18 Answers

SM
Real User
Top 20
2023-09-26T06:29:00Z
Sep 26, 2023

Mend SCA is better than Mend SAST. They are a market leader in SCA. The adoption of Mend SCA and the scanning of Mend SCA are pretty good. It is one of the best solutions for SCA. It had already been deployed for at least six months before I got this tool. At one point, I saw WhiteSource's name on the Microsoft website as a critical solution for open-source scanning, which made me think that this solution must be good if Microsoft mentioned it on its website. Its adoption was very slow in the beginning. Three years ago, there was no awareness of using this solution, so we had to tell the team what the solution is for, what its advantages are, how it impacts their product, and so on. The adoption is good now, and people know exactly what it is being used for. They know the types of vulnerabilities that are there. They know the types of features that are there. Earlier, they used to go through me for any support program, but now they are directly raising tickets depending on the priority of the ticket and then directly communicating with my support representative to fix them. The initial one and a half years were difficult. We are also using Mend SAST. They have a variety of different application security solutions in addition to SCA. These solutions are complementary. When you use solutions from different vendors, more diversity can lead to problems. When you have a Mend solution for SCA and a Mend solution for SAST, they are complementary, so the results of those scans would be far more helpful than having different vendors at each and every level. Diversification is good to a certain extent, but if you diversify too much, you might get a lot of false positives. Overall, I would rate Mend SCA a 10 out of 10. It is definitely one of the best ones in the market.

KW
Real User
Top 20
2023-01-10T19:59:00Z
Jan 10, 2023

I rate Mend an eight out of ten. If you're considering Mend, you should look at your integrations and see what's best suited. It's good having a dashboard, but you need to ensure it supports the tools you use. They tried to sell a SAST product but weren't mature enough for us to take that on board. If I were to give somebody advice, I would advise against the SAST solution because they're relatively new in the market. Try a demo first. The SAST solution is fast and does what we need it to do. However, you should ensure you're covered integration-wise.

GP
Real User
Top 20
2022-07-17T14:21:00Z
Jul 17, 2022

I would rate the solution a nine out of ten. As a deployment admin, I would say the solution is straightforward to deploy, and deployment is simply the beginning of the process. Then comes the discipline of running scans along the life cycle of a project and deciding to accept or ignore the yielded alerts. This isn't a daily process, but it's an integral part of every project's workflow, and we have successfully made this an embedded part of our product development. Over time, our users have realized the advantages of using this software and appreciate the deployment. Our staff must be open to change, especially when adapting to alerts and violations yielded by scans. Every scanned report has its interpretations and challenges, which is where input from the Intellectual Property team and Mend's technical team comes in. They support us throughout the product development process and help us calibrate our interpretations of reports. This gives us a clear picture of whether we are legally and technically conforming to our project and company requirements. I'm a deployment manager, so I don't know if the merge confidence feature is used, as I'm not involved in projects throughout the entire development cycle. Some teams may be using it, but I can't say with confidence. We use the SaaS version of the solution, which provides full compliance when it comes to privacy. At no point can Mend view our source code, and we have a complete legal understanding with them. We currently don't use any other products in conjunction with the SCA product because we are at the beginning of our exposure to these tools. We are in the process of evaluating the tools, and we have a relatively elaborate process. It's also essential to consider different tools fairly by comparing like with like and having consistent parameters for comparison. That process can take some time and requires some patience. These kinds of evaluations should not be rushed, and it's okay to take weeks or even months to determine if a new tool can be a commercial and technical success within an organization.

Kevin Dsouza - PeerSpot reviewer
Real User
Top 10
2022-07-06T19:15:30Z
Jul 6, 2022

I would advise potential users to go through the documentation extensively. The documentation is pretty extensive. It's easy to miss some points in the initial setup itself. If the initial setup's gone wrong, it is difficult to debug it once the infrastructure is up. Therefore, start slow. If the deployment is done correctly, it's only a matter of two files after that for each project that you scan. I’d rate the solution a nine out of ten.

ZvikaRonen - PeerSpot reviewer
Real User
Top 5Leaderboard
2022-05-15T12:32:00Z
May 15, 2022

My advice would be to get ready for implementation by preparing the right structure. Before implementing this tool, you should define the company policy and processes and get accurate training. This creates trust between the developer and the newly implemented tool. For instance, when there is a violation of a policy, you need to understand why it happened. You should not try to bypass that just because it would fail the build. Developers' trust is the most important thing. So, you should plan ahead with a clear management program for open source involving all key holders. Implementation of such a tool requires collaboration. It is not the job of just the development team or the head of security. It is supposed to be a joint effort of the entire development group in a company. I would rate WhiteSource a nine out of ten.

Nils Hedström - PeerSpot reviewer
Real User
Top 10
2022-05-12T11:02:45Z
May 12, 2022

I rate WhiteSource a seven out of ten.

Ben Dyer - PeerSpot reviewer
Real User
Top 10
2022-05-10T15:47:00Z
May 10, 2022

We do not use the Merge Confidence feature. We also don't use WhiteSource Smart Fix. We might use it in the future; however, it depends on how our teams are doing their co-branching, as I would need to give it a try first to see if it works in all scenarios. It's similar to GitHub's Dependabot and it would be interesting to explore. In terms of using WhiteSource products in conjunction with their SCA product, we've just signed an order on their FaaS one. That will add forty contributing developers. I did a trial with it and I'm looking forward to using that. The FaaS is very timely. We used a tool that Microsoft deprecated, and we were without a SaaS solution, and even the solution we had with Microsoft wasn't really the best one. It was great that this came along at the right time. While we could have gone to another manufacturer for that, it made sense to stick with WhiteSource due to the promise of that integration with SCA and SaaS. I have not looked at the IaC, or infrastructure as code, side. I suspect it may not cover our use case. We use Bicep, so we do not use Terraform or anything similar. From what I've seen on the market, very few support Bicep at the moment, and Bicep is Microsoft's more elaborate version of their ARM templates. It's fairly new. That's why there are not many products on the market. However, if this was something they were to support, I'd be interested. I'd rate the solution seven out of ten. I know there are more improvements coming; however, there are more improvements needed in terms of the usability of the product, even items like a mobile-friendly version of it. At the moment it's a fairly old-fashioned website that doesn't work well on other devices and it's generally a bit clunky to use. That said, in terms of reporting vulnerabilities, it's very good.

Shashidhar Gowda - PeerSpot reviewer
Vendor
2022-03-02T12:13:50Z
Mar 2, 2022

When people start looking at solutions that are available for open source, static code analysis, container scanning, and infrastructure as code, there are many solutions. Many companies have productized these different services into different solutions, but when they sell them they combine everything into one platform. This can be extremely expensive and confusing. In the beginning, it all starts to look like they're all interdependent and that you have to buy and use all of them to be able to make them work, which is not the case. Finalize your use cases, what exactly you need a solution for, before even starting your evaluation. For example, our primary use case was open source and open source alone. When we started looking at the solutions, the companies threw at us things that we did not need, and we were confused at some stages. We did not give up and continued our POCs and went into more detail on the solutions that the vendors are offering. In some cases, we didn't have the ability to evaluate some of the solutions they were providing, because we did not want them. We did not have the solution's codebases. For example, to evaluate some of the features, it's extremely important to discuss internally and make sure your use cases are defined before starting the evaluation of the solution. During the evaluation, stick to only the solutions, or the part of the solution, that the vendors are providing that satisfies your use cases. Do not go beyond it and pay for something that you will not use once you buy it. It's confusing once you start the trials if you have not done the background work or homework; you may end up buying things that you don't need at expensive prices. I rate WhiteSource an eight out of ten.

MR
Real User
2022-01-23T17:06:21Z
Jan 23, 2022

I would recommend using WhiteSource. It has an edge over other tools in the market and is a faster solution. WhiteSource is easy to integrate with the CI/CD pipeline and runs standalone scans as it is a SaaS deployment. Integration of this solution does not require much time or knowledge. I would rate this solution a nine out of ten.

SK
Real User
2021-08-30T10:35:31Z
Aug 30, 2021

I rate WhiteSource as an eight out of ten.

AH
Real User
2021-07-01T10:13:31Z
Jul 1, 2021

The solution is only cloud-based, not on-premises. It is user-friendly. There are around 50 people currently using it in our organization. I rate WhiteSource as an eight out of ten.

ZD
Real User
2021-02-22T14:10:50Z
Feb 22, 2021

I would rate WhiteSource a three out of ten considering the fact that we couldn't use it while we were paying for it. It had good features, but we couldn't use it.

WL
Real User
2021-01-15T20:36:24Z
Jan 15, 2021

I would rate WhiteSource a nine out of ten. It is a good product.

NK
Real User
2020-01-16T08:31:00Z
Jan 16, 2020

Improve the UI, please... developers cannot find themselves in this dashboard.

reviewer1264290 - PeerSpot reviewer
Real User
2020-01-06T10:07:00Z
Jan 6, 2020

I believe we’re still in a stage where we’re trying to gain all the benefits of the solution and understand what features can be maximized. The product is simple on one hand as it's so easy to use, run and get insights from, but on the other hand, it offers so much that it’s hard to fully grasp all its capabilities. I’m not sure I have the best knowledge so far to recommend features and capabilities since this is very new to us. Currently, we’re happy to have something that addresses our needs.

reviewer1257792 - PeerSpot reviewer
Real User
2019-12-31T07:22:00Z
Dec 31, 2019

The good thing is that their product just keeps getting better. They are very attentive to their customers. All in all, if you care about security, this product is a must. We all love open source, but I was always afraid of the headache in handling all the licensing/updates/vulnerabilities. The peace of mind we have now is a total game-changer.

reviewer1255491 - PeerSpot reviewer
Real User
2019-12-23T12:59:00Z
Dec 23, 2019

Overall, this is a great product.

DH
Real User
2019-09-19T08:39:00Z
Sep 19, 2019

For anybody who is researching this type of solution, my suggestion is to try them first. We tried quite a few of the various toolings available, and some of them are just not workable. They're very different on paper, so you have to use them to really compare them. I would rate this solution a seven out of ten.
