Useful tool
What do you like best about the product?
Enhances application security, and it's relatively easy to use and integrate.
What do you dislike about the product?
It might be helpful to separate pricing for each product.
What problems is the product solving and how is that benefiting you?
Automated dependency updates benefit me a lot in keeping the project secure and free of vulnerabilities.
Mend has been an excellent tool, both for OSA and SAST
What do you like best about the product?
I really like the ability to integrate the tooling directly into our source code repository. This allows us to scan hundreds of repositories without needing to configure each of them separately. Onboarding is simple and the updated user interface is attractive and easy to use.
What do you dislike about the product?
SAST capabilities are new and still maturing. Documentation is good, but could use some improvement.
What problems is the product solving and how is that benefiting you?
Mend is helping us maintain an inventory of all of our open source components and is scanning every commit for open source vulnerabilities. Additionally, Mend is helping us identify potential security vulnerabilities in our source code.
Great Product
What do you like best about the product?
It is easy to navigate and to find vulnerabilities and violations.
What do you dislike about the product?
I know there is a newer version coming, but it could have a bit more functionality.
What problems is the product solving and how is that benefiting you?
Mend is helping us contain vulnerabilities and licensing.
Helps to identify open-source vulnerabilities and eliminate any licensing risks
What is our primary use case?
We have two primary use cases. One use case is to find the vulnerabilities related to the open-source libraries that are included in multiple products in our company.
The second use case is to find out whether the licenses associated are for general use or not, or whether there are any license-related restrictions. Sometimes, when you use open-source components, depending on the type of licenses, they may be applicable only for internal use. We use it to check whether we are violating any licensing or not.
How has it helped my organization?
Using Mend SCA, it is easy to identify open-source vulnerabilities, but it is not easy to remediate because there are multiple moving components or moving parts in a build frame or a small library, so the impact of one component can be different on different products. To identify open-source vulnerabilities, you just run a scan in your pipeline, but to fix them, you need to do multiple regression tests and check whether your application or product is getting affected by that upgrade or not.
Mend SCA has helped reduce our mean time to resolution (MTTR). Knowing a risk does not necessarily help us in remediating or fixing that vulnerability, but it helps at least in deploying certain compensatory controls so that we can take on the upgrade part later on. Our protection is deployed at the perimeter level, at the system level, or at the network level. It has reduced our MTTR roughly by 20%.
Mend SCA has definitely helped us reduce the number of open-source software vulnerabilities running in our production at any given point in time. We have now started to break the build in case there are any high-level or critical vulnerabilities. Certain teams, not all, are now forced to fix them, which is why the vulnerability count is going down. There is about a 20% reduction in vulnerabilities.
What is most valuable?
The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions.
What needs improvement?
I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant.
For how long have I used the solution?
I have been using Mend SCA for more than three years, and we started with Mend SAST this year in January.
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
It is a SaaS solution, so scalability is something that their teams need to handle on their side. Scalability is in their control, and we are just sending those results over there.
We have about 450 users. We only use the portal. We scan via a unified agent or a CLI component, and we have two extra components. We have the Chrome plug-in and the IDE plug-in. The best thing is that on the CI/CD pipeline that we are using, we only need to call a unified agent that does the scan and then posts the results on the dashboard or the portal. It is deployed at multiple locations and at multiple levels of our pipeline. We are using GitLab Cloud, Bitbucket and Jenkins. We are using many different tools at different locations.
How are customer service and support?
All levels of their support have very good technical knowledge. They know their tool better than us, so when we cannot find a solution, they give us that in 15 minutes. I would rate them a 10 out of 10.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I did not use any other solution previously.
How was the initial setup?
It is a SaaS solution. I was not involved in its deployment. It was already in the company for six months when I got my hands on it.
In terms of maintenance, we just need to check which users have left the organization so that we can maintain the number of users under the license that we have purchased. That is a small thing required on our side even though we have SSO integrated.
What was our ROI?
We have seen an ROI. We were able to find vulnerabilities. If our products were not attacked by an external entity, we consider that as an ROI, but it is difficult to put a dollar value on that.
What's my experience with pricing, setup cost, and licensing?
What other advice do I have?
Mend SCA is better than Mend SAST. They are a market leader in SCA. The adoption of Mend SCA and the scanning of Mend SCA are pretty good. It is one of the best solutions for SCA. It was already deployed for at least six months before I got this tool. At one point, I saw WhiteSource's name on the Microsoft website as a critical solution for open-source scanning, which made me think that this solution must be good if Microsoft mentioned it on its website.
Its adoption was very slow in the beginning. Three years ago, there was no awareness of using this solution, so we had to tell the team about what the solution is for, what are its advantages, how it impacts their product, and so on. The adoption is good now, and people know exactly what it is being used for. They know the types of vulnerabilities that are there. They know the types of features that are there. Earlier, they used to go through me for any support program, but now they are directly raising tickets depending on the priority of the ticket and then directly communicating with my support representative to fix them. The initial one and a half years were difficult.
We are also using Mend SAST. They have a variety of different application security solutions in addition to SCA. These solutions are complementary. When you use solutions from different vendors, more diversity can lead to problems. When you have a Mend solution for SCA and a Mend solution for SAST, they are complementary, so the results of those scans would be far more helpful than having different vendors at each and every level. Diversification is good to a certain extent, but if you diversify too much, you might get a lot of false positives.
Overall, I would rate Mend SCA a 10 out of 10. It is definitely one of the best ones in the market.
Streamlined Integration for Compliance with Open-Source Licenses & Vulnerability Detection
What do you like best about the product?
One of the strengths of Mend.io lies in the simplicity of integrating their unified agent into our Continuous Integration pipeline. This streamlined process, with its commendable support system and verbose documentation, has reduced setup times. We're now efficiently detecting open-source license violations. Coupled with the integration with JIRA, it ensures that open vulnerabilities are promptly and systematically recorded, streamlining our response and tracking processes.
What do you dislike about the product?
While the platform functions efficiently, there's scope for modernising the user interface. It would be beneficial to see Mend.io adopt a more contemporary design. However, it's worth noting that this aesthetic aspect doesn't detract from the product's overall usability.
What problems is the product solving and how is that benefiting you?
Mend addresses the challenges associated with open-source license compliance and vulnerability detection in our codebase. Efficiently identifying and alerting us about any license violations ensures that our software remains compliant, reducing potential legal risks. Additionally, its vulnerability detection capabilities enable us to swiftly pinpoint and rectify security vulnerabilities, enhancing our applications' overall safety and integrity.
The integration of Mend.io with JIRA facilitates a systematic recording and tracking of these vulnerabilities, ensuring a structured and effective response from our team. As a result, we maintain a higher standard of code quality and save significant time and resources, allowing us to focus on further development and innovation. This has been crucial for us, especially in the demanding environment of Continuous Integration.
Industry Leading SCA Tool
What do you like best about the product?
Streamlined approach to SCA makes integration easy and informative. New features are being added that have incredible value for what you are paying.
What do you dislike about the product?
It seems as though sometimes features are released without much documentation being published about them.
What problems is the product solving and how is that benefiting you?
SBOM, SCA, Supply Chain Risk Management.
Very helpful and supportive in detecting open-source vulnerabilities
What do you like best about the product?
The quality of the report and recommendations.
User-friendly interface.
What do you dislike about the product?
Sometimes a rigid process, and difficulties in customization.
What problems is the product solving and how is that benefiting you?
Sharing open-source licensing details with customers.
Resolving security challenges due to older versions of OSS.
Industry-leading SCA, work in progress
What do you like best about the product?
Quick and accurate scanning, multiple plug-ins for various different build and CI/CD platforms. Prioritize, WhiteSource for Developers.
What do you dislike about the product?
Hard to get some features working, like EUA, and integration with Jira was challenging.
What problems is the product solving and how is that benefiting you?
Quick and accurate scanning, multiple plug-ins for various different build and CI/CD platforms. Prioritize, WhiteSource for Developers.
Mend makes security issue fixing and reporting really simple.
What do you like best about the product?
Mend's integration with source control systems and IDEs is simply outstanding.
What do you dislike about the product?
Nothing I dislike as of now. But I wish Mend had a chat feature or something for quick resolution of small issues without needing to open support cases.
What problems is the product solving and how is that benefiting you?
Mend is simplifying the whole process of addressing security issues and helps us generate reports to present to our customers on how secure our applications are.
Great platform and team is always working on improving the product
What do you like best about the product?
Overall I feel that Mend is a good platform and what I love most is that they are always working on continued improvements.
Moreover, features like Prioritize etc. make it the best.
What do you dislike about the product?
Frankly, it's a good tool. Still, if I have to list the cons, I would say .so and .a file type support should be added. Also, Prioritize should include support for more and more package managers.
What problems is the product solving and how is that benefiting you?
All our deployment compliance, license violation issues, library management, vulnerability management, in-house patterns/libraries and policy violations are entrusted to Mend.