Leader in the field
What do you like best about the product?
Mend has several strengths. First, the company behind it is relatively transparent, helpful, and straightforward. I appreciated that they didn't oversell the product the way several competitors did. The software integrates nicely with Microsoft development tools. Customer support is good and responsive as well.
What do you dislike about the product?
This isn't really a knock, but as a point in time, they are integrating the SCA and the, I think, acquired SAST solutions together into a common platform. Obviously, that's a large effort, and once that is done, it will be even better.
What problems is the product solving and how is that benefiting you?
Mend simplifies the reporting and auditing aspect of documenting that vulnerabilities have been managed properly.
Helps to identify open-source vulnerabilities and eliminate any licensing risks
What is our primary use case?
We have two primary use cases. One use case is to find the vulnerabilities related to the open-source libraries that are included in multiple products in our company.
The second use case is to find out whether the licenses associated are for general use or not, or whether there are any license-related restrictions. Sometimes, when you use open-source components, depending on the type of licenses, they may be applicable only for internal use. We use it to check whether we are violating any licensing or not.
How has it helped my organization?
Using Mend SCA, it is easy to identify open-source vulnerabilities, but it is not easy to remediate because there are multiple moving components or moving parts in a build frame or a small library, so the impact of one component can be different on different products. To identify open-source vulnerabilities, you just run a scan in your pipeline, but to fix them, you need to do multiple regression tests and check whether your application or product is getting affected by that upgrade or not.
Mend SCA has helped reduce our mean time to resolution (MTTR). Knowing a risk does not necessarily help us in remediating or fixing that vulnerability, but it helps at least in deploying certain compensatory controls so that we can take on the upgrade part later on. Our protection is deployed at the perimeter level, at the system level, or at the network level. It has reduced our MTTR roughly by 20%.
Mend SCA has definitely helped us reduce the number of open-source software vulnerabilities running in our production at any given point in time. We have now started to break the build in case there are any high-level or critical vulnerabilities. Certain teams, not all, are now forced to fix them, which is why the vulnerability count is going down. There is about a 20% reduction in vulnerabilities.
What is most valuable?
The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions.
What needs improvement?
I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant.
For how long have I used the solution?
I have been using Mend SCA for more than three years, and we started with Mend SAST this year in January.
What do I think about the scalability of the solution?
It is a SaaS solution, so scalability is something that their teams need to handle on their side. Scalability is in their control, and we are just sending those results over there.
We have about 450 users. We only use the portal. We scan via a unified agent or a CLI component, and we have two extra components: the Chrome plug-in and the IDE plug-in. The best thing is that on the CI/CD pipeline that we are using, we only need to call a unified agent that does the scan and then posts the results on the dashboard or the portal. It is deployed at multiple locations and at multiple levels of our pipeline. We are using GitLab Cloud, Bitbucket, and Jenkins. We are using many different tools at different locations.
How are customer service and support?
All levels of their support have very good technical knowledge. They know their tool better than us, so when we cannot find a solution, they give us that in 15 minutes. I would rate them a 10 out of 10.
Which solution did I use previously and why did I switch?
I did not use any other solution previously.
How was the initial setup?
It is a SaaS solution. I was not involved in its deployment. It was already in the company for six months when I got my hands on it.
In terms of maintenance, we just need to check which users have left the organization so that we can maintain the number of users under the license that we have purchased. That is a small thing required on our side even though we have SSO integrated.
What was our ROI?
We have seen an ROI. We were able to find vulnerabilities. If our products were not attacked by an external entity, we consider that as an ROI, but it is difficult to put a dollar value on that.
What other advice do I have?
Mend SCA is better than Mend SAST. They are a market leader in SCA. The adoption of Mend SCA and the scanning of Mend SCA are pretty good. It is one of the best solutions for SCA. It was already deployed for at least six months before I got this tool. At one point, I saw WhiteSource's name on the Microsoft website as a critical solution for open-source scanning, which made me think that this solution must be good if Microsoft mentioned it on its website.
Its adoption was very slow in the beginning. Three years ago, there was no awareness of using this solution, so we had to tell the team about what the solution is for, what are its advantages, how it impacts their product, and so on. The adoption is good now, and people know exactly what it is being used for. They know the types of vulnerabilities that are there. They know the types of features that are there. Earlier, they used to go through me for any support program, but now they are directly raising tickets depending on the priority of the ticket and then directly communicating with my support representative to fix them. The initial one and a half years were difficult.
We are also using Mend SAST. They have a variety of different application security solutions in addition to SCA. These solutions are complementary. When you use solutions from different vendors, more diversity can lead to problems. When you have a Mend solution for SCA and a Mend solution for SAST, they are complementary, so the results of those scans would be far more helpful than having different vendors at each and every level. Diversification is good to a certain extent, but if you diversify too much, you might get a lot of false positives.
Overall, I would rate Mend SCA a 10 out of 10. It is definitely one of the best ones in the market.
Streamlined Integration for Compliance with Open-Source Licenses & Vulnerability Detection
What do you like best about the product?
One of the strengths of Mend.io lies in the simplicity of integrating their unified agent into our Continuous Integration pipeline. This streamlined process, with its commendable support system and verbose documentation, has reduced setup times. We're now efficiently detecting open-source license violations. Coupled with the integration with JIRA, it ensures that open vulnerabilities are promptly and systematically recorded, streamlining our response and tracking processes.
What do you dislike about the product?
While the platform functions efficiently, there's scope for modernising the user interface. It would be beneficial to see Mend.io adopt a more contemporary design. However, it's worth noting that this aesthetic aspect doesn't detract from the product's overall usability.
What problems is the product solving and how is that benefiting you?
Mend addresses the challenges associated with open-source license compliance and vulnerability detection in our codebase. Efficiently identifying and alerting us about any license violations ensures that our software remains compliant, reducing potential legal risks. Additionally, its vulnerability detection capabilities enable us to swiftly pinpoint and rectify security vulnerabilities, enhancing our applications' overall safety and integrity.
The integration of Mend.io with JIRA facilitates a systematic recording and tracking of these vulnerabilities, ensuring a structured and effective response from our team. As a result, we maintain a higher standard of code quality and save significant time and resources, allowing us to focus on further development and innovation. This has been crucial for us, especially in the demanding environment of Continuous Integration.
Mend - Fixing What I Didn't Know Was Broken
What do you like best about the product?
Using the CLI unified agent is a breeze and the syntax is easy to understand/follow. The web UI is not only easy on the eyes but the user experience makes it easy to find what you're looking for.
What do you dislike about the product?
Currently, at least in my use of the product, there are two different portals depending on which product I'm using, SAST vs SCA, which is kind of awkward to bounce between.
What problems is the product solving and how is that benefiting you?
Mend takes the reins on most of the heavy lifting around our Static Code Analysis needs, considering it is much quicker and more efficient at scanning the nearly 400,000 lines of code I'm throwing at it than I would be if doing it by hand like a caveman.
Best SCA and SAST Tool
What do you like best about the product?
It is a great tool to scan our binaries. We have been using it for a while now and have liked the solution. It is good to have SBOM as a part of the SCA scanning portal, but I would like to see SAST also integrated there.
What do you dislike about the product?
As of today, we do not see any major issues from Mend. One of the concerns we have is that recently the support team has not replied to our tickets for weeks, and we have had to escalate via our partners to get it resolved.
What problems is the product solving and how is that benefiting you?
Mend has helped us with a tool which has reduced our overhead as a DevOps team by integrating it into our CI/CD pipelines and increased our velocity. It has also given us a single point of presence for SBOMs.
Gartner Review
What do you like best about the product?
Scanning capabilities, scanning of open source, and sending notifications.
What do you dislike about the product?
The reporting feature needs more user-friendly reports.
What problems is the product solving and how is that benefiting you?
We use open-source components, and Mend is giving us good info about vulnerabilities.
Easy to use tool that supports our scanning needs
What do you like best about the product?
Mend supports source code library scans, container scans and also checks licenses used by our apps and services to ensure we are meeting our security, compliance and licensing requirements. We would have to use multiple platforms to achieve this.
What do you dislike about the product?
Mend is investing heavily in updating their scanning to be simpler and easier to use; however, the new scanning tool does not support all of our use cases yet, and we have to use a multitude of scanning methods on the Mend platform to meet our needs. For example, the CLI tool does not support Poetry for Python yet. We often have to roll our own utilities to make Mend work nicely with our CI/CD tooling, such as creating our own clean-up tools and pipes to process the scan results.
What problems is the product solving and how is that benefiting you?
• Licensing compliance - ensuring we are not using libraries with licenses that are incompatible with how we are using the library
• Scanning for and reporting on the vulnerabilities in our libraries and containers to enable us to understand our exposure to threats and the risks on our business
• Understanding how up-to-date our libraries are. Old libraries are higher risk due to the risk of abandonware, and can have expensive upgrades (especially when dealing with zero-day vulnerabilities)
Industry Leading SCA Tool
What do you like best about the product?
Streamlined approach to SCA makes integration easy and informative. New features being added that have incredible value for what you are paying.
What do you dislike about the product?
It seems as though sometimes features are released without having much documentation published about it.
What problems is the product solving and how is that benefiting you?
SBOM, SCA, Supply Chain Risk Management.
Saves time, faster, Amazing customer support
What do you like best about the product?
Customer support.
Integration for other tools.
What do you dislike about the product?
UI: Options on the UI are not handy or very presentable.
What problems is the product solving and how is that benefiting you?
Getting defined analysis for SCA and container scanning reports helps me keep track of vulnerabilities.
Great developers integration
What do you like best about the product?
I like the developer integration kit, specifically the repo integration, where I can see all my PRs and decide on the action plan.
What do you dislike about the product?
The first implementation was painful: it took a couple of days to fully complete the integration, and I needed to open support cases to make sure it was completed.
What problems is the product solving and how is that benefiting you?
I am able to manage the risk in my code. It shows me the risk for each library and suggests how it can be resolved. Super quick and helpful!