Mend.io Other Advice

Jeffrey Harker - PeerSpot reviewer
System Manager of Cloud Engineering at Common Spirit

We use their Cloud SaaS version. We do not use the Merge Confidence feature. That's not how we interact with the product. We also do not use other Mend (formerly WhiteSource) products in conjunction with SCA products. We only use the OSS scanning capabilities.

I'd rate the solution a nine out of ten. I would advise others to look at the industry and try competing products. All of them were very willing to let us do a POC. We had five that we evaluated, three of them immediately fell off and it really was down to a horse race between Black Duck and Mend (formerly WhiteSource). At that time, GitHub Advanced Security was not available. If it had been available, we would've put that in the evaluation also. If I did the same evaluation today, I still think Mend (formerly WhiteSource) would win. However, it might be a tough call.

If any organization doing serious development is trying to do OSS governance manually and does not have a tool like this, they're being very foolish and will at some point in time be exposed to both security problems and potentially licensing problems, depending on their retail model. I feel very strongly that automated OSS governance is absolutely necessary.

I consider automated OSS governance absolutely essential in a serious dev shop. At some point, teams trying to do this manually will be exposed to security and compliance problems if they don't have a tool like this. I consider Mend (formerly WhiteSource) to be one of the very best and a strong competitor, really for any shop.

JP
Sr. Manager at a financial services firm with 10,001+ employees

I rate Mend an eight out of ten. I deduct two points because you may not get coverage for all the package managers. But that's where your team needs to work with the vendor to get that supported. It is a collaborative effort to get more support based on your needs. The company was helpful and responsive, so we were able to influence their roadmap to get some of these capabilities enabled for us.

They have been particularly helpful in getting support for Python package managers. We didn't have the file support and Conda package manager, but they stepped up and provided that capability. You need to have a little patience to evaluate and ensure all the tools meet your requirements. If you need anything, you have to work on getting that support.

Kevin Dsouza - PeerSpot reviewer
Intramural Official at Northeastern University

I would advise potential users to go through the documentation extensively. The documentation is pretty extensive. It's easy to miss some points in the initial setup itself. If the initial setup's gone wrong, it is difficult to debug it once the infrastructure is up. Therefore, start slow. If the deployment is done correctly, it's only a matter of two files after that for each project that you scan.

I’d rate the solution a nine out of ten.

Buyer's Guide
Mend.io
April 2024
Learn what your peers think about Mend.io. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,740 professionals have used our research since 2012.
Shashidhar Gowda - PeerSpot reviewer
Program and Portfolio Management at Acceldata

When people start looking at solutions that are available for open source, static code analysis, container scanning, and infrastructure as code, there are many solutions. Many companies have productized these different services into different solutions, but when they sell them they combine everything into one platform. This can be extremely expensive and confusing. In the beginning, it all starts looking like they're all interdependent and that you have to buy and use all of them to make them work, which is not the case. Finalize your use cases, what exactly you need a solution for, before even starting your evaluation. For example, our primary use case was open source and open source alone. When we started looking at the solutions, the companies threw at us things that we did not need, and we were confused at some stages. We did not give up and continued our POCs and went into more detail on the solutions that the vendors were offering.

In some cases, we didn't have the ability to evaluate some of the solutions they were providing, because we did not want them. We did not have the codebases for those solutions. For example, to evaluate some of the features, it's extremely important to discuss internally and make sure your use cases are clear before starting the evaluation of the solution. During the evaluation, stick to only the solutions, or the parts of the solution, that the vendors are providing that satisfy your use cases. Do not go beyond that and pay for something that you will not use once you buy it. It's confusing once you start the trials, and if you have not done the background work or homework, you may end up buying things that you don't need at expensive prices.

I rate WhiteSource an eight out of ten.

Ben Dyer - PeerSpot reviewer
Head of Software Engineering at a legal firm with 1,001-5,000 employees

We do not use the Merge Confidence feature. We also don't use WhiteSource Smart Fix. We might use it in the future, however, it depends on how our teams are doing their co-branching as I would need to give it a try first to see if it works in all scenarios. It's similar to GitHub's Dependabot and it would be interesting to explore.

In terms of using WhiteSource products in conjunction with their SCA product, we've just signed an order on their FaaS one. That will add forty contributing developers. I did a trial with it and I'm looking forward to using that. The FaaS is very timely. We used a tool that Microsoft deprecated, and we were without a SaaS solution, and even the solution we had with Microsoft wasn't really the best one. It was great that this came along at the right time. While we could have gone to another manufacturer for that, it made sense to stick with WhiteSource due to the promise of that integration with SCA and SaaS.

I have not looked at the IaC, or infrastructure as code. I suspect it may not cover our use case. We use Bicep, so we do not use Terraform or anything similar. From what I've seen on the market, very few support Bicep at the moment, and Bicep is Microsoft's more elaborate version of their ARM templates. It's fairly new. That's why there are not many products on the market. However, if this was something they were to support, I'd be interested.

I'd rate the solution seven out of ten. I know there are more improvements coming, however, there are more improvements needed in terms of the usability of the product. Even items like a mobile-friendly version of it. At the moment it's a fairly old-fashioned website that doesn't work well on other devices and it's generally a bit clunky to use. That said, in terms of reporting vulnerabilities, it's very good.

ZvikaRonen - PeerSpot reviewer
Chief Technology Officer at FOSSAware

My advice would be to get ready for implementation by preparing the right structure. Before implementing this tool, you should define the company policy and processes and get accurate training. This creates trust between the developer and the newly-implemented tool. For instance, when there is a violation of a policy, you need to understand why it happened. You should not try to bypass that just because it would fail the build. Developers' trust is the most important thing. So, you should plan ahead with a clear management program for open-source involving all key holders. Implementation of such a tool requires collaboration. It is not the job of just the development team or the head of security. It is supposed to be a joint effort of the entire development group in a company.

I would rate WhiteSource a nine out of ten.

KW
Principal Security Engineer at Texthelp Ltd.

I rate Mend an eight out of ten. If you're considering Mend, you should look at your integrations and see what's best suited. It's good having a dashboard, but you need to ensure it supports the tools you use. They tried to sell a SAST product, but it wasn't mature enough for us to take that on board.

If I were to give somebody advice, I would advise against the SAST solution because they're relatively new in the market. Try a demo first. The SAST solution is fast and does what we need it to do. However, you should ensure you're covered integration-wise.

SM
Product Security Architect at Pitney Bowes Inc.

Mend SCA is better than Mend SAST. They are a market leader in SCA. The adoption of Mend SCA and the scanning of Mend SCA are pretty good. It is one of the best solutions for SCA. It was already deployed for at least six months before I got this tool. At one point, I saw WhiteSource's name on the Microsoft website as a critical solution for open-source scanning, which made me think that this solution must be good if Microsoft mentioned it on its website.

Its adoption was very slow in the beginning. Three years ago, there was no awareness of using this solution, so we had to tell the team what the solution is for, what its advantages are, how it impacts their product, and so on. The adoption is good now, and people know exactly what it is being used for. They know the types of vulnerabilities that are there. They know the types of features that are there. Earlier, they used to go through me for any support program, but now they are directly raising tickets depending on the priority of the ticket and then directly communicating with my support representative to fix them. The initial one and a half years were difficult.

We are also using Mend SAST. They have a variety of different application security solutions in addition to SCA. These solutions are complementary. When you use solutions from different vendors, more diversity can lead to problems. When you have a Mend solution for SCA and a Mend solution for SAST, they are complementary, so the results of those scans would be far more helpful than having different vendors at each and every level. Diversification is good to a certain extent, but if you diversify too much, you might get a lot of false positives.

Overall, I would rate Mend SCA a 10 out of 10. It is definitely one of the best ones in the market.

GP
IT Service Manager at a wholesaler/distributor with 51-200 employees

I would rate the solution a nine out of ten.

As a deployment admin, I would say the solution is straightforward to deploy, and deployment is simply the beginning of the process. Then comes the discipline of running scans along the life cycle of a project and deciding to accept or ignore the yielded alerts. This isn't a daily process, but it's an integral part of every project's workflow, and we have successfully made this an embedded part of our product development. Over time, our users have realized the advantages of using this software and appreciate the deployment.

Our staff must be open to change, especially when adapting to alerts and violations yielded by scans. Every scanned report has its interpretations and challenges, which is where input from the Intellectual Property team and Mend's technical team comes in. They support us throughout the product development process and help us calibrate our interpretations of reports. This gives us a clear picture of whether we are legally and technically conforming to our project and company requirements.

I'm a deployment manager, so I don't know if the merge confidence feature is used, as I'm not involved in projects throughout the entire development cycle. Some teams may be using it, but I can't say with confidence.

We use the SaaS version of the solution, which provides full compliance when it comes to privacy. At no point can Mend view our source code, and we have a complete legal understanding with them.

We currently don't use any other products in conjunction with the SCA product because we are at the beginning of our exposure to these tools. We are in the process of evaluating the tools, and we have a relatively elaborate process. It's also essential to consider different tools fairly by comparing like with like and having consistent parameters for comparison. That process can take some time and requires some patience. These kinds of evaluations should not be rushed, and it's okay to take weeks or even months to determine if a new tool can be a commercial and technical success within an organization.

GM
Senior Lead Software Engineer at a tech services company with 10,001+ employees

It was pretty good. I would rate WhiteSource an eight out of ten.

Nils Hedström - PeerSpot reviewer
Architect/Developer at an insurance company with 5,001-10,000 employees

I rate WhiteSource a seven out of ten.

reviewer1257792 - PeerSpot reviewer
Co Founder at a consumer goods company with 11-50 employees

The good thing is that their product just keeps getting better. They are very attentive to their customers.

All in all, if you care about security, this product is a must. We all love open source, but I was always afraid of the headache in handling all the licensing/updates/vulnerabilities. The peace of mind we have now is a total game-changer.

reviewer1255491 - PeerSpot reviewer
VP R&D at a tech services company with 11-50 employees

Overall, this is a great product.

DH
Technical Architect at Dwr Cymru Welsh Water

For anybody who is researching this type of solution, my suggestion is to try them first. We tried quite a few of the various tools available, and some of them are just not workable. They look very different on paper, so you have to use them to really compare them.

I would rate this solution a seven out of ten.

SK
Principal Software Architect at a tech services company with 10,001+ employees

I rate WhiteSource an eight out of ten.

reviewer1264290 - PeerSpot reviewer
Project Manager at a wellness & fitness company with 11-50 employees

I believe we’re still in a stage where we’re trying to gain all the benefits of the solution and understand what features can be maximized.

The product is simple on one hand as it's so easy to use, run and get insights from, but on the other hand, it offers so much that it’s hard to fully grasp all its capabilities.

I’m not sure I have the best knowledge so far to recommend features and capabilities since this is very new to us. Currently, we’re happy to have something that addresses our needs.

it_user790509 - PeerSpot reviewer
Director at a media company with 1,001-5,000 employees

It's important to define guidelines and best practices regarding how to use the product internally: who defines what? Who accesses what?

Also, what is the best way to integrate my GitHub repo, my Maven project, etc.?

it_user832698 - PeerSpot reviewer
Head of Department for Software Engineering and Integration

I recommend using WhiteSource to other companies if they are in a similar situation to the one we are in. If they are having real problems in dealing with all these open source licenses, then it is a good approach to use WhiteSource and get a handle on the whole topic.

I do recommend it.

AH
FOSS Coordinator at a manufacturing company with 5,001-10,000 employees

The solution is only cloud-based, not on-premises.

It is user-friendly.

There are around 50 people currently using it in our organization.

I rate WhiteSource as an eight out of ten.

ZD
Business Process Analyst at a financial services firm with 1,001-5,000 employees

I would rate WhiteSource a three out of ten considering the fact that we couldn't use it while we were paying for it. It had good features, but we couldn't use it.

NK
DevOps CI/CD Team Lead at a computer software company with 10,001+ employees

Please improve the UI; developers cannot find their way around this dashboard.

it_user761874 - PeerSpot reviewer
Release Engineer at a tech vendor with 201-500 employees

We are a happy customer.

WL
Sr. Director, Cloud Operations at a computer software company with 1,001-5,000 employees

I would rate WhiteSource a nine out of ten. It is a good product.

MR
AVP at a computer software company with 5,001-10,000 employees

I would recommend using WhiteSource. It has an edge over other tools in the market and is a faster solution.

WhiteSource is easy to integrate with the CI/CD pipeline and runs standalone scans as it is a SaaS deployment. Integration of this solution does not require much time or knowledge.

I would rate this solution a nine out of ten.
