Mend.io Valuable Features

Jeffrey Harker - PeerSpot reviewer
System Manager of Cloud Engineering at Common Spirit

Finding vulnerabilities is pretty easy. Mend (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Governance up until that time had been manual and when we tried to do manual governance of a large codebase, our chances of success were pretty minimal. Mend (formerly WhiteSource) does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical, high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.

We use Mend (formerly WhiteSource) Smart Fix. I’d say pretty much everything in Mend (formerly WhiteSource) is easy to use. We really don't have too much difficulty using the product at all. I've implemented other scanners and tools and had much more trouble with those products than we've ever had with Mend (formerly WhiteSource). That’s extremely important. It's hard to sell to some of these teams to put any level of overhead on top of their product development efforts and the fact that Mend (formerly WhiteSource) is as easy as it is to use is a critical aspect of adoption here. It scores very highly on that scale.

Mend (formerly WhiteSource) Smart Fix helps our developers fix vulnerable transitive dependencies. It's all very helpful to our development community. First of all, we're able to find that there are issues. Second of all, we're able to figure out very quickly what needs to be done to remediate the issues. 

Mend (formerly WhiteSource) helped reduce our mean time to resolution since adopting it. A lot of it is process improvement and technical aspects that can tell us how to go about remediating the issues. We get that out of Mend (formerly WhiteSource). Making the developers aware that these issues are there and insisting they be corrected and making the effort to do that visibly is very valuable to us.

Overall, Mend (formerly WhiteSource) helped dramatically reduce the number of open-source software vulnerabilities running in our production at any given point in time. I won't give metrics, however, it's fair to say that our state before and after Mend (formerly WhiteSource) is dramatically different and moved in a positive direction.

Mend's ability to integrate with our developers' existing workflows, including their IDE, repository, and CI, is good. Azure DevOps is really important. That's what the pipelines are. That's a very important piece of the entire puzzle. If this was just an external scanner where periodically we'd go through and scan our repos and give them a report, we'd do that with pen testing products, for example, for security testing. The problem is, by the time they get those reports, they've already shipped the code to multiple environments and it's too late to stop the train. With these features being baked into the pipelines like this, they know immediately. As a result, we're able to quickly take action to remediate findings.

JP
Sr. Manager at a financial services firm with 10,001+ employees

The GitHub integration is one feature we use heavily. It has helped us identify and remedy vulnerabilities. Mend is also easy to use. Once it's configured, it's seamless for the development community. It's clearing issues for them so that they can see the problems and how to fix them.

We have already integrated Mend with the developers' workflows, including the IDE repository and CI/CD pipelines. Our developers use these IDE keys because it only supported one of the IDEs when we started: IntelliJ IDEA. They have improved and added support for multiple IDEs. We've integrated with more than 50,000 repositories. I think it's nearly 60,000.

Kevin Dsouza - PeerSpot reviewer
Intramural Official at Northeastern University

The vulnerability analysis is the best aspect of the solution. It’s my main go-to.

We can't do static code analysis ourselves; it's manual. That's a lot of manual tasks to handle. It's close to impossible to do that. That was a lot for static code analysis of our projects, alerting on vulnerabilities whenever it's possible. Whenever there's a vulnerability available, Mend does that. Its vulnerability analysis is a report as well, showing how many high vulnerabilities, how many medium, how many low we got, and how many accepted or how many are without any vulnerabilities, basically.

I see a lot of it is pretty good and has a high level of trust.

It’s stable and easy to set up.

Buyer's Guide
Mend.io
March 2024
Learn what your peers think about Mend.io. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
767,995 professionals have used our research since 2012.
Bruno Lavit - PeerSpot reviewer
Release Manager at ForgeRock

What is very nice is that the product is very easy to set up. When you want to implement Mend.io, it just takes a few minutes to create your organization, create your products, and scan them. It's really convenient to have Mend scanning your products in less than one hour. 

They also have a lot of integrations with different Git providers, like GitHub, GitLab, and Bitbucket.

It also has a nice tool we can use with the command line. We have continuous integration, and with the command line, we can scan everything without using the user interface. The command line is great. They have a lot of tools and plug-ins for your IDEs to automate scans. Using the command line, the Unified Agent, you can do a bunch of automated operations.

Thanks to the integration we put in place, it's super easy to identify and remediate open-source vulnerabilities, because on every commit of the software we trigger a Mend.io scan. We know, within five minutes, if the new version of the product is impacted by a CVE. If it is, we receive an email, an alert, so that the developers can fix the code. 

Shashidhar Gowda - PeerSpot reviewer
Program and Portfolio Management at Acceldata

We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently.

Ben Dyer - PeerSpot reviewer
Head of Software Engineering at a legal firm with 1,001-5,000 employees

The way WhiteSource scans the code is great. Being a legal firm, we're a bit more sensitive around our data, and we didn't want that going to different regions. With WhiteSource we can keep our data in the same data sovereignty as it was. That is a big deal for us. In terms of the analysis it can do, it is really useful. This was new to us as an organization, as not only can we find vulnerabilities, but we can also look at the license distribution.

We can understand the open-source licenses, which come with some constraints. That's something we wanted to avoid. Recently, there was a log4j vulnerability that was very prominent in the security community, and we were quickly able to see if we were using it and where. That's the inventory side. It was really useful in that respect.

It’s easy to identify and remediate open source vulnerabilities using this solution. There were a couple of times when something was reported as a vulnerability. When we looked into it a bit more and we talked with the WhiteSource support staff, we found that it was caused by something else. That's pretty rare. Most of the time, it's fairly clear. It says you need to go from one version of the library to another version of the library. It's pretty plain and works well. There have been just a couple of occasions where we needed to dig a little deeper.

Tech support has been very swift and helps us understand false vulnerabilities and they make sure that they don’t happen again in the future. They've got a good support system.

We can detect the vulnerabilities in the SaaS tool itself. We can go to our particular project and see them, or we can see them when we run the code. We can run the tool locally. Even before we scan the code, we can perform a local scan and that's been pretty useful for our developers. It is certainly useful that the vulnerability is displayed both in the WhiteSource platform and our CI/CD tool of choice. We use it as DevOps, and we can see the results with that tool as well. This means that we don't have to use another tool.

WhiteSource helped reduce our mean time to resolution since we adopted the product. More than anything else, it's just shining a light on the work we need to do. We had a lot of legacy code that no one had really explored the software composition analysis on it. The main value is that it showed us what we needed to fix, and with the dashboard security trends feature, we can see over time if we made progress. We had a way to report upward and show our progress. From that respect, it's been very valuable.

The product has helped reduce the number of open-source software vulnerabilities running in our production. It would probably be quite a high number as we didn't really have anything before. I would probably say that we're about 70% through remediating all of the vulnerabilities. This is a good number since nothing existed before.

We've introduced policies as well. If we just rely on good intentions, often people don't follow through. If we have a policy set that makes developers have to stop and fix something, it breaks their workflow in a positive way as it's saying that these are high vulnerabilities. It allows us to set up quite nuanced policies. That has been really useful. Without that, it'd be less effective as a tool.

WhiteSource's ability to integrate with our developers' existing workflows, including their IDE, repository, and CI/CD pipelines, is good. It's improving all the time. In terms of integration, it's pretty easy.

ZvikaRonen - PeerSpot reviewer
Chief Technology Officer at FOSSAware

The dashboard view and the management view are most valuable.

KW
Principal Security Engineer at Texthelp Ltd.

Mend's integration with developer workflows is a massive part of our work. We use Visual Studio, and it integrates flawlessly with that. There is also a Chrome extension called Mend Advise that lets our team check libraries for vulnerabilities before they download and use them. It's a useful product.

There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it.

SM
Product Security Architect at Pitney Bowes Inc.

The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions.

GP
IT Service Manager at a wholesaler/distributor with 51-200 employees

I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow.

The solution is also highly valuable to our Intellectual Property Councils, because as a company that uses open-source software, we need to be aware of intellectual properties, code violations, and adherence to our regulations when we include such software. There are, of course, areas for improvement, but it has become mandatory within our organization to run scans using Mend as part of our workflows.

We don't always use WhiteSource SmartFix, and that depends on the recommendations provided by the solution's analysis. On occasion, we have challenged those recommendations, so for us, the software is not entirely a decision-making tool but a tool that assists us in making decisions. Therefore, there is still a human component in the process, and there is always an admin or approver to accept or reject the recommendation. There have been instances where smart fixes were challenged due to a lack of compatibility with project requirements. For example, the solution recommends a version of PostgreSQL, but the decision is made on the product level to go with a different version because it has better integration with the specific product requirements. However, I would say that SmartFix increases our decision-making effectiveness and successfully alerts us. As a leading lighting company, some product decisions must adhere to strict requirements, which require human involvement in the decision-making process.

Initially, the product didn't save us time but required us to spend more time. Many of our processes require a manual component, so we can't entirely rely on automated processes. Therefore, when we run Mend scans on our projects, around 60% of the software development life cycle is sped up, while the remaining 40% requires human intervention. Per our IP Councils, automation does not help us beyond a certain point, and manual intervention is required. If 60% of a project can be streamlined via automation, that certainly saves us time.

I would say that Mend certainly helps us detect and reduce vulnerabilities. We bring in the solution at the very beginning of a project, so we build early and often and detect vulnerabilities early. This is a significant contributor to our projects' success.

Integration using the unified agent and other methodologies has been at the forefront of our deployment. The plugins have been merged into the unified agent approach. The integration methodologies have worked wonders for our CI/CD pipelines and workflows, and each project team can decide whether to run scans pre- or post-build.

GM
Senior Lead Software Engineer at a tech services company with 10,001+ employees

The integration with Azure DevOps was good.

The results and the dashboard they provide are good.

It was pretty straightforward for me.

Nils Hedström - PeerSpot reviewer
Architect/Developer at an insurance company with 5,001-10,000 employees

WhiteSource is unique in the scanning of open-source licenses. Additionally, the vulnerabilities aspect of the solution is a benefit. We don't use WhiteSource in the whole organization, but we use it for some projects. There we receive a sense of the vulnerabilities of the open-source components, which improves our security work. The reports are automated which is useful.

reviewer1257792 - PeerSpot reviewer
Co Founder at a consumer goods company with 11-50 employees

WhiteSource is very accurate and covers all of our languages (including C++).

WhiteSource Prioritize is amazing. If we are using a vulnerable library, it shows us if we are actually using the vulnerable method or not. This saves us a lot of time that we can instead invest in other projects.

It also does a great job of automating many activities we used to do manually. Now the system does it for us and it generates a great security dashboard that shows us whether our remediation velocity is improving or not.

reviewer1255491 - PeerSpot reviewer
VP R&D at a tech services company with 11-50 employees

For us, the most valuable tool was open-source licensing analysis. Although we don't use it on a weekly basis, when we needed to produce a reliable analysis of our open-source licensing exposure, we found it very, very effective. Considering the alternatives, which were to analyse manually, WhiteSource saved us a ton of work that we really needed to complete in a short time. It would have involved finding all the different packages, be they in package.json files or in the Docker images, and then finding their effective license, which in itself is not a simple task.

reviewer1250697 - PeerSpot reviewer
Works at a tech vendor with 1,001-5,000 employees

The most valuable features of this solution are:

  1. The vulnerability and license alerts are the main purposes of us utilizing this tool. We don't want to ship software and mistakenly include a GPL component. Similarly, we want to stay up to date on all vulnerabilities in third-party libraries so we can take action if our software solutions are impacted.
  2. Implementing policies is helpful because it's great when certain "no-nos" can be codified as policies and auto-rejected.
  3. Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses copyright and component usage disclosures in our software.
DH
Technical Architect at Dwr Cymru Welsh Water

The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate. This helps us quite a bit.

SK
Principal Software Architect at a tech services company with 10,001+ employees

The solution boasts a broad range of features and covers much of what an ideal SCA tool should. It covers the containers. One can create his teams and, should he encounter an issue, send an alert to the team's DL.

I am quite happy with WhiteSource. It is very good and provides many things, including extensive reports involving vulnerabilities.

AM
Founder & CEO at DealHub.io

The most valuable features for us are:

  1. Fix suggestions. Our dev team uses the fix suggestions feature to quickly find the best path for remediation. Before that you would have to research online for fixes, and most of the time it’s not that straightforward.
  2. Trace analysis. Trace analysis enables our team to get the fix, including a clear path to the vulnerable method. This saves quite some time.
  3. Open-source inventory reports. These reports are easy to manage and provide a clear view of our open-source assets. There’s also an option to create policies around that.
reviewer1264290 - PeerSpot reviewer
Project Manager at a wellness & fitness company with 11-50 employees

Our use case focuses on licenses, so the most valuable feature would probably be the license reports and policies, which is why we reached out in the first place.

The reporting capability gives us the option to generate an open-source license report in a single click, which gets all copyright and license information, including dependencies.

We use the Policies feature to approve or reject automatically open-source licenses, according to preset company policy.

With respect to ticketing, we use the JIRA integration to assign a problematic open-source library. It opens a ticket on our end and it is assigned automatically to the right owner. It saves a lot of hassle and simplifies the process internally.

it_user790509 - PeerSpot reviewer
Director at a media company with 1,001-5,000 employees

Scanning/collecting third-party libraries and classifying license types. In this way we ensure our third-party software policy is followed and that we’re not using “forbidden” libraries.

it_user832698 - PeerSpot reviewer
Head of Department for Software Engineering and Integration

Several dashboards. The licenses dashboard, which gives me an overview of all the licenses used in our software. For example, right at the moment, there are several hundred licenses used. The licenses dashboard and release management dashboard along with reports (like risk, vulnerabilities, high severity, bug alerts, etc.).

ZD
Business Process Analyst at a financial services firm with 1,001-5,000 employees

The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine.

reviewer1261788 - PeerSpot reviewer
VP R&D at a computer software company with 51-200 employees

The policy automation on effective vulnerabilities feature had a major impact on how we address open source vulnerabilities since it focuses on effective vulnerabilities and directs you to the specific methods. Other services will give a much larger list to remediate. I believe it cuts around 80% of alerts.

With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions. It sounds simple but I haven’t seen this capability with any other solution. This saves quite some time.

There are more small things within the UI that focus on giving the quickest remediation path, and I believe this is the WhiteSource’s strongest area.

NK
DevOps CI/CD Team Lead at a computer software company with 10,001+ employees

The most valuable feature is the unified JAR to scan for all languages (wss-scanner jar). It helps us to scan easily and is agnostic to the technology.

it_user761874 - PeerSpot reviewer
Release Engineer at a tech vendor with 201-500 employees
  • Open Source dependencies scan
  • Common Vulnerabilities and Exposures (CVE) detection
  • Useful license and copyright reports.
  • Dashboards to manage the risk by product or by organisation.

We are using a lot of Open Source components to develop our products. WhiteSource is the perfect tool to manage the Open Source governance. All our continuous integration stack is using WhiteSource to scan our dependencies (Maven, NPM, Docker).

Next, we are integrating the WhiteSource reports in our products (in a legal-notices folder) to store all the copyright and licensing information. WhiteSource replaced a painful and complex in-house solution; now it's fully automated.

WL
Sr. Director, Cloud Operations at a computer software company with 1,001-5,000 employees

Its ease of use and good results are the most valuable.

MR
AVP at a computer software company with 5,001-10,000 employees

The inventory management as well as the ability to identify security vulnerabilities has been the most valuable for our business.

reviewer1250700 - PeerSpot reviewer
Senior Productization Specialist at a tech services company with 51-200 employees

The most valuable features are the reporting, customizing libraries "In-house, White list, license selection", comparing the products/projects, and License & Copyright resolution.
