We performed a comparison between Mend and Checkmarx based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison results: Based on the parameters we compared, Mend comes out ahead of Chechmarx. While both possess flexibility and good vulnerability compliance, Checkmarx’s modular licensing and data search tools leave room for improvement.
"We use the solution for dynamic application testing."
"The user interface is excellent. It's very user friendly."
"It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security."
"One of the most valuable features is it is flexible."
"Helps us check vulnerabilities in our SAP Fiori application."
"Vulnerability details is valuable."
"The best thing about Checkmarx is the amount of vulnerabilities that it can find compared to other free tools."
"Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application."
"It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
"The dashboard view and the management view are most valuable."
"The solution boasts a broad range of features and covers much of what an ideal SCA tool should."
"What is very nice is that the product is very easy to set up. When you want to implement Mend.io, it just takes a few minutes to create your organization, create your products, and scan them. It's really convenient to have Mend scanning your products in less than one hour."
"Its ease of use and good results are the most valuable."
"The vulnerability analysis is the best aspect of the solution."
"With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions."
"The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions."
"It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use."
"The plugins for the development environment have room for improvements such as for Android Studio and X code."
"The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement."
"I would like to see the rate of false positives reduced."
"Updating and debugging of queries is not very convenient."
"Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities."
"Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”."
"I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time)."
"Mend lets you create custom policies. They're not too complicated to set up, but it would be helpful if they had some preconfigured policies to match what we have in Azure DevOps. That would save us a lot of time. It's tedious to configure the policies manually, and I lack the capacity to do it right now. Other products have preconfigured packs and templates, and Mend doesn't."
"WhiteSource Prioritize should be expanded to cover more than Java and JavaScript."
"The turnaround time for upgrading databases for this tool as well as the accuracy could be improved."
"WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers."
"We have been looking at how we could improve the automation to human involvement ratio from 60:40 to 70:30, or even potentially 80:20, as there is room for improvement here. We are discussing this internally and with Mend; they are very accommodating to us. We think they openly receive our feedback and do their best to implement our thoughts into the roadmap."
"Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting."
"The dashboard UI and UX are problematic."
"WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while Mend.io is ranked 5th in Application Security Tools with 29 reviews. Checkmarx One is rated 7.6, while Mend.io is rated 8.4. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". Checkmarx One is most compared with SonarQube, Veracode, Fortify on Demand, Snyk and OWASP Zap, whereas Mend.io is most compared with SonarQube, Black Duck, Snyk, Veracode and JFrog Xray. See our Checkmarx One vs. Mend.io report.
See our list of best Application Security Tools vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.