Mend.io AI Native AppSec Platform

I have been using Mend.io  and no longer work for that company after leaving a few months back. Mend.io  has been used for probably three or four years and it was the best tool that we actually replaced. It was the best tool I ever saw for all the dependencies and all those things.

Everything that has to do with dependencies and third parties was ingested through Mend.io; we used the SaaS tool for a different purpose and then we used Mend.io for all dependencies.

We have been using some capabilities of Mend.io, particularly when AI started; we wanted to utilize some of the AI features, but AI is a gray area. If you want to use it specifically for AI, then that is something every organization must think about how much they should automate the processes. Other than AI, I think the automation is wonderful.

What I think about Mend.io is that it is very efficient, highly efficient, and it is the best scanning tool for SCA .

Mend.io stands against other SCA  solutions on AI; I would say it is on the top compared to any other tool in the market.

The continuous monitoring capabilities in Mend.io aided our organization in maintaining a secure environment; that was wonderful. We automated processes and we actually created our own centralized platform where all the feeds were ingested, and we could see the SAST , DAST, IAST, and SCA everything in one single place. So we had to do some work, but we actually did custom centralization of efforts and were able to ingest everything into our own platform, our own centralized platform.

The only area for improvement I would say is that the false positives are nearly zero; everything is mostly like 99 to 99.99% or we can say 100% accurate.

There were a few areas for improvement just from the last time I saw; I think the user experience had a little problem. We wanted to have certain reports based on our kind of scenario, but the tool did not allow us to create custom reports. We had asked for some facility and some ability for us to create some custom reports. That would be awesome if they allow us to create custom reports the way we wanted.

There is one small area which I don't know whether we should call a tool limitation or a wish list; if I use a library and I don't use all the capabilities of the library but only a portion of it and that portion is not vulnerable, but there is a component which is outdated, that is a problem, even though I don't use that component. Mend.io will discover there is a problem in the whole library; that is correct. That's a valid discovery, but in my case, for example, if I don't use that particular portion, then it actually is not making sense for me, but that's not a limitation of Mend.io; I think that's a general problem with any tool in the market because no tool in the market will actually know what portion of the code I'm actually using from that particular library if it is vulnerable or not.

Mend.io has been used for probably three or four years.

Mend.io is very stable; we did not have any issues. Being a SaaS product, they are not catering only to one company; they're catering to everyone who uses the tool.

Regarding support, the people who were involved in the commercial side were the direct point of contact with Mend.io, but my understanding is Mend.io provides pretty good support. I did not hear any complaints from those teams that Mend.io is slow or the support is not good; I did not hear anything of that sort in my almost three or four years.

Positive

Previously, we used different tools; I actually was involved in the decision-making process. Once we onboarded to Mend.io, we saw a drastic improvement in the way Mend.io reported the SCA findings. Many people were also using SonarQube  and some other tools for their internal processes, which was not official, but when they reported, they said the other tools were reporting a lot of false positives compared to Mend.io. No one complained that this is a false positive in Mend.io; we were actually able to see if Mend.io shows there is a problem here, and we used to ask the dev teams to go inside those directories and discover, and they actually said there is a problem.

It is very simple to set up Mend.io, even for developers who had no experience and no exposure to tools in Mend.io; we simply provided some straightforward instructions. We had our own internal Wiki and we wrote those instructions on how to onboard; it was pretty straightforward.

I would say it was the easiest tool to onboard.

Being in the industry of security plus AI, I actually specialize in AI and have written a few books on AI available on Amazon, so I am very cautious about AI, especially anything that includes AI, particularly security tools.

As for AI and other features, AI is a gray area and no tool in the industry is anything good in AI currently. They are evolving and it will probably take five to maybe ten years to be very good in AI. AI is an upcoming area; it is not even stabilized and is an evolutionary area. So anything we want to use, whether it is SCA, SAST , DAST, IAST, or any tool, we have to be very careful with AI.

The documentation is huge and awesome; it's huge.

Since it is a huge Wikipedia, some links might be a little outdated; what they do is point to the new location, and sometimes that new location becomes confusing because it auto-redirects. If we had to refer to some old documentation and we want to just for cross-references to what we had done, then the old links are not available because it redirects to the new location. I think that's the usual case with any other tool because even Synopsys had a similar thing where they had huge documentation, and whatever updates were there, they used to redirect those pages.

Overall, I cannot give a 10 to any tool in the market because no tool would be perfect. Except for the AI part, which I am very sensitive to in any tool in the market, otherwise, I would give a rating of nine; it is a very good tool to use. I have provided a rating of 9 for this review.

Neutral