About Company
Company Description
Mend.io, previously known as WhiteSource, focuses on building high-grade Application Security (AppSec) programs that aim to mitigate risk while accelerating development. Using automated scanning technology, the company offers protection against software supply chain threats, malicious package attacks, and vulnerabilities in both open source and custom code; it also addresses risks linked to open-source licenses. The firm is recognised for satisfying complex, large-scale application security demands and is chosen by many demanding development and security teams worldwide. Mend.io also maintains Renovate, the automated dependency update project.
Mend Likes & Dislikes
The things I like about the product are skewed by a security governance focus. I love that we now have that single pane of glass to verify our exposure to critical zero-day vulnerabilities. Before our Mend adoption this was a longer, more drawn-out affair, and we have significantly reduced our time to remediate as a result. The same applies to our production of SBOMs and compliance reports for security audits. In addition, we have reduced the time it takes to review and manage third-party licenses used in our products. Ultimately, Mend has provided a robust solution that empowers our developers to manage vulnerabilities directly within their existing workflows.
It's straightforward to use. Integrates with our ASPM platform seamlessly. False positive rate is on par with similar solutions.
Separation of scans by product. Neat arrangement of CVE ratings and fix recommendations.
Scalability as previously mentioned
Lack of visibility of current scan queues/volumes. No historic scan data (though this is being introduced slowly). Poor migration path to newer version (no side-by-side migration available).
With a large number of projects to scan, mend.io can be slow to deliver results. If you have projects with many builds with different version numbers for the same artefact, it can be cumbersome to delete the older versions, as deletion is only possible one artefact at a time.
Mend Reviews and Ratings
A Strong Partner in Application Security
We have chosen to give a 4-star rating to Mend as it has become a foundational component of our AppSec Governance program. The platform is highly effective at "shifting left," allowing our multifarious teams to identify and remediate vulnerabilities in both open-source dependencies (SCA) and custom code (SAST) within the development lifecycle. We particularly value the reachability analysis, which helps us prioritize exploitable vulnerabilities and reduce developer fatigue. The primary reason for a 4-star rather than a 5-star rating is that we have encountered some scalability challenges owing to the sheer volume of projects and the complex nature of the environment of a global enterprise that grows through M&A. At our scale, we found that certain UI and reporting features required additional tuning to maintain performance. However, it is important to note that in every instance where we have faced such hurdles, the Mend team has been exceptionally quick to respond and remediate the issues. Their technical support and engineering teams have acted as true partners, working closely with us to optimize the platform for our specific needs. While we must emphasize that our use case is niche, the quality of their partnership and the effectiveness of their core security engine make them a top-tier choice for any serious AppSec initiative. We are confident that had we been completing this in 12-24 months' time, 5 stars would be given. - AppSec Programme Manager, 1B-10B USD, Software
Capable SCA platform, somewhat hampered by poor load visibility and inflexible migration path to later version
The product is good: it generates no more false positives than other SCA tools, and is relatively easy to work with. Our native integration with Azure DevOps is straightforward to manage. However, there are oversights, including the inability to exclude entire projects (exclusion is only possible on a per-repo basis), lack of visibility of current scan queues, and unhelpful log files, which mean I regularly have to ask my developers (2500+) to raise support tickets, as I don't have the empirical knowledge of each technology in use in our estate to troubleshoot effectively, and the logs don't help in this regard. - IT Security & Risk Management Associate, 50M-1B USD, Banking
Mend Platform Offers Broad Coverage but Faces Documentation and Support Issues
Mend provides a mature platform with extensive coverage across SCA, SAST and container security, which has helped improve visibility across our software supply chain. However, customer communication and out-of-date documentation have been a challenge. - IT Security & Risk Management Associate, 50M-1B USD, Banking
Vulnerability Analysis Effective But Initial Setup Support Remains a Challenge
Mend provides strong vulnerability analysis and scanning capabilities in the context of SCA. However, the vendor's lack of support during the initial onboarding and deployment of the tool made the project difficult at the outset. - Manager, Customer Service and Support, 10B+ USD, Software
Integration With Maven Builds Is Simple, but Large Scans May Be Slow
It's very easy to integrate Mend.io into a Maven build and announce builds and consumed libraries for scanning. Findings are colour-coded, and there are easy-to-navigate vulnerability alerts. The vulnerabilities from CVE + NVD are updated every few minutes and are automatically applied to the project.