Overview

Mend.io effortlessly secures what developers create. Mend uniquely removes the burden of application security, allowing development teams to deliver quality, secure code, faster. With a proven track record of successfully meeting complex and large-scale application security needs, the world's most demanding software developers rely on Mend.io.
Mend SCA is the market leader in securing the usage of open source in software development. It includes detecting, reporting, prioritizing, automatically remediating, and preventing open source risks.
Mend SAST provides custom code vulnerability detection and prioritization that enables developers to quickly and easily identify the most significant software risks in their proprietary code.
Mend Container offers a full-stack container security scanning solution with image scanning, reachability analysis, code to cloud, secret scanning, K8s integration and Infrastructure as Code (IaC).
Mend Renovate Enterprise is the global leader for Automated Dependency Management and Security Vulnerability Reduction at Scale.
Mend AI empowers development teams to confidently build secure, cutting-edge AI applications, keeping their focus on innovation and not compliance.
For custom packages and pricing through a private offer, please contact Mend sales at sales@mend.io.
Highlights
- A single web user-interface for managing all engines (SCA/SAST/Container/AI). SCM repository integrations (Azure DevOps, Bitbucket, GitHub, GitLab), plus native access with IDEs
- CVE reachability analysis, complemented by exploitation maturity indications (EPSS), malicious package protection, container scanning for open source vulnerabilities and SBOM integration. Unified dashboard, alerts, reporting and workflow automation
- Mend AI: increased visibility and control over AI models used in your applications, AI component inventory management, AI component risk insights, AI behavioral risks (red teaming) and proactive policies and governance
Details
Pricing
| Dimension | Description | Cost / 12 months |
|---|---|---|
| Mend AppSec Platform | Mend Application Security Platform for 20 CDs | $20,000.00 |
| Mend AppSec Platform | Mend Application Security Platform for 40 CDs | $40,000.00 |
| Mend AppSec Platform | Mend Application Security Platform for 60 CDs | $60,000.00 |
| Mend AppSec Platform | Mend Application Security Platform for 80 CDs | $80,000.00 |
| Renovate Enterprise Self-Hosted | Mend Renovate Enterprise 100 CDs | $15,000.00 |
| Mend SCA Advanced | 20 contributing developers | $16,000.00 |
| Mend SAST Advanced | 20 contributing developers | $16,000.00 |
| Mend SCA and SAST Advanced | 20 contributing developers | $24,000.00 |
Vendor refund policy
For all matters concerning refunds please contact: support@mend.io
Custom pricing options
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Resources
Vendor resources
Support
Vendor support
Tech Support - support@mend.io
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Standard contract
Customer reviews
Setup and support exceed expectations while delivering robust security functionalities
What is our primary use case?
I work with Mend.io in industries such as retailers, consumer goods, travel, and hospitality.
What is most valuable?
Mend.io is a security tool that provides security feedback for all tests.
It handles Application Security, performing SCA, SAST, and container scanning.
They completed a complete shoulder shifting for us to set up Mend.io at the enterprise level.
We had zero workloads because Mend.io was able to handle all the lift and shift of tasks. We only needed to register the application and start using it.
What needs improvement?
The main consideration is the cost. The products always have their maturity. The actual challenge is how easy it is to integrate it in the early phase of the software development life cycle.
It is the same as what I mentioned for Veracode. We never had anything out of the box.
There are many variables to consider, such as what features and functionalities we are opting in, and how effectively we want that to happen. I am unsure if I can provide a complete answer to that question.
For how long have I used the solution?
I have been using Mend.io for the last three to four years, with three to six months in my previous organization.
What was my experience with deployment of the solution?
I have not experienced issues with Veracode. It purely depends on the licensing model. Whether you have Silver, Gold, Platinum, or enterprise license, you get the corresponding features.
What do I think about the stability of the solution?
We never had any issue with the stability or reliability. It rates 10 out of 10.
What do I think about the scalability of the solution?
It has to be scalable and it uses various technologies to achieve this.
Which solution did I use previously and why did I switch?
Both solutions are giving me confidence in releasing a secure product.
How was the initial setup?
I never had an opportunity to be involved because everything was proactive from Mend.io's perspective. They provide faster feedback, and whenever something fails, they proactively fix it. I would rate it nine out of 10.
Which other solutions did I evaluate?
I have not had an opportunity to work with Mend.io for the last six months, so I am outdated regarding my infrastructure for more than six months.
What other advice do I have?
I never got an opportunity to provide more detailed advice. I would rate Mend.io 8.5 out of 10.
good experience with mend.io
Useful tool
Enables smooth management of vulnerabilities and promotes a shift towards a culture of security
What is our primary use case?
Mend.io is integrated into our CI/CD processes. Our primary tool for CI/CD is Concourse CI, where all development teams incorporate Mend into their pipelines. In addition to Concourse CI, some dozens of our Dev teams utilize Jenkins, GoCD, and TeamCity, along with integrations for Azure DevOps and AWS CodePipeline. Our environment generally features a variety of tools from the GitHub ecosystem and supports several programming languages tailored to specific use cases.
How has it helped my organization?
Mend.io has played a crucial role in lowering our vulnerabilities and has provided valuable education to numerous developers, fostering a transition from a lack of awareness to a focus on security. It has enhanced the understanding of the importance of addressing dependency vulnerabilities early in the software development lifecycle (SDLC), while also promoting a cultural change that has resulted in both measurable and unmeasurable advantages in managing and recognizing vulnerabilities.
What is most valuable?
Mend.io is very robust in terms of managing third-party dependencies. It has built a substantial database of dependencies in its system and incorporates many open-source databases. This makes it very effective, and we find it 100% accurate in detecting vulnerabilities. It supports the largest number of languages, over 200, which is highly beneficial for us.
What needs improvement?
Mend is a strong player in the SCA space, relatively affordable and has demonstrated effectiveness in container security, although its SAST capabilities may still be developing. Due to overall cost of our technology ecosystem and centralization, ultimately, we opted for Snyk due to its comprehensive range of features within a single platform. It might be beneficial for Mend to explore the possibility of offering an all-in-one solution (SCA, SAST, Containers, IaC) under a single account.
For how long have I used the solution?
Since approximately 2018 or 2019, we have been utilizing Mend.io as a critical component of our software security strategy. At that time, a strategic decision was made to adopt both Checkmarx and Mend, recognizing the need for robust tools to manage vulnerabilities within our software development lifecycle. However, as we continuously evaluate our toolset for efficiency and cost-effectiveness, we intend to retire Mend.io in the first quarter of next year (Q1-2025). This decision is driven by our choice to transition to Snyk, which offers a more cost-effective alternative while aligning with our initiative to streamline tools across various company divisions.
Over the years, we have developed a comprehensive understanding of Mend.io, which was formerly known as WhiteSource. Our experience with this tool has equipped us with valuable insights into its functionalities and capabilities. We have leveraged Mend.io's features extensively, particularly its strengths in open-source dependency scanning and policy automation, which have significantly aided our vulnerability management efforts. As we prepare for this transition, we feel confident in our knowledge and experience with Mend.io, enabling us to ensure a smooth migration to Snyk while maintaining the integrity and security of our applications.
What do I think about the stability of the solution?
We have witnessed Mend.io's high stability, consistently living up to our expectations in terms of performance and reliability. Our developers have reported very few issues and almost minimal to zero downtime, which is a critical factor for our organization to rely on Mend SCA to secure our applications. We didn't experience any major issues in the stability of the product. This level of dependability is crucial for our hundreds of development teams that need to maintain continuous integration and deployment processes without interruptions.
We realize the solution's architecture is designed to support a wide range of use cases, making it suitable for organizations of varying sizes and complexities. As a SaaS (Software as a Service) offering, Mend.io eliminates the need for physical server management, which further contributes to its stability. Users can access the platform without worrying about hardware failures or maintenance issues that can affect on-premises solutions.
Moreover, Mend.io's integration capabilities with existing workflows—including IDEs, repositories, and CI/CD pipelines—enhance its stability by providing a seamless user experience. This integration allows teams to incorporate security scanning into their development processes without significant disruptions, which is often a challenge with less stable solutions.
Feedback from our developers and architects highlights the tool's effectiveness in reducing open-source software vulnerabilities while maintaining a streamlined development lifecycle. Our organization has experienced improved code quality and faster incident response times as a result of using Mend.io. The platform's intuitive dashboard and management views are also praised by our developers for their usability, contributing to a positive user experience.
In short, Mend.io stands out as a dependable and reliable solution in the realm of software composition analysis. Its high stability, combined with robust integration capabilities and user-friendly features, makes it an excellent choice for organizations seeking to enhance their security posture while minimizing operational disruptions.
What do I think about the scalability of the solution?
Mend.io is a highly scalable solution that can effectively meet the requirements of organizations of any size, from small startups to large enterprises. Its architecture is designed to accommodate varying workloads and user demands, making it adaptable to the unique needs of different teams and projects.
One of the key aspects of Mend.io's scalability is its ability to handle large volumes of code and numerous dependencies without compromising performance. As organizations grow and their codebases expand, Mend.io can seamlessly integrate into existing workflows, allowing teams to maintain their security posture without significant disruptions. This flexibility ensures that as development teams scale up their operations or introduce new projects, Mend.io can continue to provide robust support for their software composition analysis needs.
Additionally, Mend.io offers features that facilitate collaboration across multiple teams and divisions within an organization. This capability is particularly beneficial for larger enterprises that require consistent security practices across various departments. The solution's centralized management allows for streamlined oversight and reporting, ensuring that security policies are uniformly applied and monitored.
Moreover, as organizations increasingly adopt DevOps practices and move towards continuous integration/continuous deployment (CI/CD) pipelines, Mend.io's scalability becomes even more critical. The tool can integrate with various CI/CD tools and platforms, enabling automated scanning and real-time feedback on vulnerabilities as code is developed. This integration not only enhances efficiency but also supports rapid development cycles while maintaining a strong security posture.
IMHO, Mend.io's scalability makes it an excellent choice for organizations looking to future-proof their security strategies. Its capacity to grow alongside an organization’s needs, combined with its robust features for collaboration and integration, positions it as a valuable asset in any software development environment.
How are customer service and support?
Mend.io offers excellent customer service. They prioritize providing the best experience to large organizations like ours, belonging to the Fortune 100. On a scale of one to ten, they rate around eight to nine for customer service.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
After conducting a thorough evaluation that spanned approximately three to four months, we made the decision to transition from Fortify to Synopsys Coverity for our Static Application Security Testing (SAST) needs. Coverity emerged as an ideal solution during our assessment, particularly due to its impressive ability to minimize false positives, achieving a rate of less than 5% across a range of codebases from a few thousand lines to over a million lines in our testing scenarios. This capability significantly enhanced our confidence in the tool's effectiveness and reliability for identifying vulnerabilities.
However, after several years of renewals and continued use, we ultimately chose to discontinue our use of Coverity. This decision was primarily influenced by the licensing costs associated with Synopsys, which became increasingly burdensome as our organization sought to optimize expenses. Additionally, we faced integration difficulties related to our forthcoming ecosystem centralization initiatives. As we aimed to streamline our security processes and tools across various divisions, it became clear that maintaining Coverity would not align with our strategic goals.
Consequently, around 2018 or 2019, we decided to adopt Checkmarx and Mend.io as our new solutions. This switch was driven by the need for tools that not only provided robust security features but also offered better integration capabilities and cost-effectiveness within our evolving infrastructure. The transition reflects our commitment to continually assess and refine our security posture, ensuring that we leverage the best tools available for safeguarding our software development efforts.
How was the initial setup?
Setting up Mend.io was a very straightforward process for our organization, primarily because the integration with GitHub required minimal effort. Developers simply needed to integrate Mend.io into the CI/CD pipelines they use, which facilitated seamless access to our repositories. I had created technical artifacts that explain the workflows and integration processes. Additionally, I created a standardized templated model that made it much easier to adopt. This involved additional steps and configurations to align with our specific workflows and requirements. However, we have comprehensive documentation and handholding available to assist our developers through this process, ensuring that they have the necessary guidance to navigate any challenges that may arise.
Our primary CI/CD tool is Concourse CI, and all development teams have successfully integrated Mend.io into their respective pipelines. This integration has proven beneficial across various teams, as it allows for automated vulnerability scanning during the build process, significantly enhancing our security posture. Additionally, several of our development teams utilize other tools like Jenkins, GoCD, and TeamCity, along with integrations for Azure DevOps and AWS CodePipeline. The versatility of Mend.io in adapting to these different environments has further underscored its value.
Overall, the setup experience with Mend.io has been characterized by its user-friendly interface and effective integration capabilities. The ability to quickly onboard the tool into our existing workflows has enabled us to enhance our development processes without significant overhead or disruption.
What was our ROI?
Mend.io has demonstrated a strong return on investment (ROI) for our organization by effectively minimizing vulnerabilities and fostering a culture of security awareness among our development teams. The solution excels in Software Composition Analysis (SCA) and container management, emphasizing vulnerability reduction while enhancing our organizational culture, all of which contribute to delivering optimal ROI.
One of the most significant impacts Mend.io has had on our operations is its ability to automate the identification and remediation of open-source vulnerabilities. This automation has led to a substantial reduction in the time our developers spend addressing security issues, enabling them to focus more on innovation and less on remediation. In fact, we have observed a notable decrease in the mean time to resolution for vulnerabilities, which translates directly into cost savings and improved productivity.
Additionally, Mend.io's integration capabilities with our existing development workflows have streamlined processes across teams. By embedding security checks into our CI/CD pipelines, we have accelerated our application delivery timelines while ensuring that security is prioritized from the outset. This proactive approach not only mitigates risks but also enhances our ability to meet project deadlines and deliver safer products to our customers.
Furthermore, the tool's comprehensive reporting features have provided us with valuable insights into our security posture, allowing us to make informed decisions about risk management and compliance. The visibility it offers into our software supply chain has empowered us to take a more strategic approach to security, aligning with industry best practices and regulatory requirements.
From a financial perspective, the cost savings associated with reduced manual processes and faster remediation times have significantly contributed to our ROI. Organizations using Mend.io have reported savings of up to 15% in time spent on vulnerability management, which can lead to substantial financial gains over time. As we continue to leverage Mend.io's capabilities, we anticipate further enhancements in ROI through improved security metrics and operational efficiencies.
In my personal opinion, Mend.io not only serves as an effective tool for managing software vulnerabilities but also plays a crucial role in cultivating a security-focused culture within our organization. Its ability to deliver measurable results in terms of both cost savings and enhanced productivity underscores its value as a strategic investment in our application security efforts.
What's my experience with pricing, setup cost, and licensing?
Mend.io SCA offers a competitive pricing structure that is relatively affordable compared to similar solutions in the market. This makes it an attractive option for organizations looking to enhance their software composition analysis without incurring excessive costs. The setup process for Mend.io is straightforward, allowing teams to get started quickly, educate developers efficiently, and see effective outcomes across the organization in a short timeframe.
However, while Mend.io is a powerful and cost-effective solution, our organization has been focused on streamlining various tools to reduce overall expenses related to Static Application Security Testing (SAST), Software Composition Analysis (SCA), container security, and Infrastructure as Code (IaC). As part of this initiative, we are shifting towards a more centralized scanning approach within the GitHub enterprise platform. This transition has led us to consider alternatives that offer both flexibility and cost advantages.
In this context, Snyk emerged as a viable option that aligns with our strategic goals. It provides the necessary capabilities while supporting our move toward a more integrated security framework. Despite our decision to explore Snyk, we still believe that Mend.io remains a robust, user-friendly, and affordable solution, particularly for SCA and container security needs.
From the perspective about setup costs, pricing, and licensing, it’s essential to consider not only the initial investment but also the long-term value that these tools can provide. Organizations should weigh the benefits of comprehensive features against their budgets and evaluate how well each solution integrates into their existing workflows. Additionally, negotiating longer-term contracts can often yield better pricing terms, which is a strategy worth exploring when considering tools like Mend.io. Most often the vendors offer custom designed pricing based on relationship with their customer and the mutually beneficial current and future value, including brand recognition to future prospects. There is often no one-price-fits-all formula with many enterprise solutions, including Mend.io.
Which other solutions did I evaluate?
We continue to evaluate various products that offer significant benefits in terms of reducing the time required to remediate vulnerabilities and minimizing the efforts placed on developers. Our evaluation process has included several notable solutions, such as AppScan and Veracode, both of which are cloud-based options designed to enhance application security through static analysis. Additionally, we assessed CodeSonar, Contrast and Fortify, all of which provide robust capabilities for identifying security flaws and quality issues within code.
In our ongoing search for optimal solutions, we also explored GitHub Advanced Security, which is currently under assessment. This tool integrates seamlessly with the GitHub ecosystem, offering unique features tailored for teams already utilizing GitHub for version control. Furthermore, we evaluated Checkmarx, a well-regarded SAST tool that has been instrumental in our security strategy; however, we have decided to decommission it as we pivot towards more integrated and cost-effective alternatives.
Our thorough evaluation process reflects our commitment to adopting tools that not only improve security but also enhance developer productivity by streamlining workflows and reducing the burden of manual remediation efforts. Each product was scrutinized for its effectiveness in addressing our specific needs, including ease of integration within our existing systems, cost implications, and overall impact on our development lifecycle. As we move forward, we remain dedicated to continuously assessing new technologies that can further optimize our security posture while supporting our development teams effectively.
What other advice do I have?
Mend.io is highly recommended for organizations looking to implement Software Composition Analysis (SCA), as it stands out as a top choice with a 100% accuracy rate in vulnerability detection in our case and experience, being among the largest scale of implementation; although we understand every customer scenario and experience may vary. While no tool can claim to be flawless, for us Mend.io has consistently delivered reliable results, and I would rate the solution at 9/10. This rating reflects my belief in its effectiveness while acknowledging that there is always room for continuous development and improvement in any software solution.
Moreover, the incorporation of artificial intelligence (AI) into code security tools like Mend.io is still in its early stages. Although many vendors tout advanced AI functionalities, it may take several more years for these features to reach a level of maturity and stability that organizations can fully rely on. We recognize the practical realities involved within the software development lifecycle (SDLC) and the cultural dynamics within development teams, which often influence how effectively these AI features can be integrated and utilized.
As organizations consider adopting Mend.io, it's essential to keep in mind that while it offers powerful capabilities for SCA, ongoing advancements in technology will continue to shape the landscape of code security tools. Companies should remain open to evolving their strategies as new features and improvements become available. Additionally, engaging with the vendor for insights into their roadmap can provide valuable context on how future developments may enhance the tool's effectiveness.
In a nutshell, in my opinion, Mend.io is a strong contender for those seeking an effective SCA solution, particularly given its high accuracy and user-friendly setup. However, organizations should also be mindful of the evolving nature of AI in this space and remain adaptable to changes that could enhance their security posture over time. If anyone has a need of an experienced and professional consultation, they can reach out to me.