The increased use of open-source software components in application development exposes companies to security vulnerabilities and liability related to software licensing. To mitigate these risks, software development organizations are turning to Software Composition Analysis (SCA) tools, which identify security and license compliance issues in code. On the PeerSpot technology review site, reviews from Mend SCA highlighted the three top priorities that SCA users generally want: ease of use, risk mitigation, and a strong feature set and integration capabilities.
Let’s take a look at these priorities and what some users said about their importance.
Users felt that ease of use and set up was one of the most valuable aspects of a strong SCA solution. For Jeffrey H., system manager of cloud engineering at performing arts company Common Spirit, that ease of use helped his company quickly improve open source visibility and governance. The company had quite a few vulnerabilities when it first put Mend SCA in place, he says. “Governance up until that time had been manual, and when we tried to do manual governance of a large code base, our chances of success were pretty minimal.” Using Mend SCA changed that. The tool is pretty “easy to use, great for finding vulnerabilities, and Mend is simple to set up,” he says. He also notes that Mend SCA is “able to discover with a very good degree of accuracy what open source we have in our products.” If the open source components it discovers are out of date or have Mitre Common Vulnerabilities and Exposures (CVEs) against them, the product will surface those issues and enable his team to do remediation and track trends over time.
Similarly, an AVP at a software company says, “Mend is fast and easy to implement. The inventory management as well as the ability to identify security vulnerabilities has been the most valuable for our business. The initial setup of this solution was straightforward and easy.”
Risk mitigation is the foundational purpose of an SCA solution, and Mend users on PeerSpot spoke to this capability in their reviews. Shashidhar G., who works in program and portfolio management at software company Acceldata, uses Mend for automating open-source vulnerability detection. He and his team are able to find code components from compromised open-source libraries and fix them. He uses Mend to create policies that “disallow some of the risky open sources to be used in our solutions by developers.” He added, “We are able to scan and fix vulnerabilities in our containers to ensure that if there are any licenses that violate the open source usage or put our product at risk, we make sure that either we remove or remediate the open sources with risky licenses. Those are the main three use cases.”
At Common Spirit, Jeffrey H. found that “overall, Mend helped dramatically reduce the number of open-source software vulnerabilities running in our production at any given point in time.” He went on to say, “Mend Smart Fix helps our developers fix vulnerable transitive dependencies. It’s all very helpful to our development community. First of all, we’re able to find that there are issues. Second of all, we’re able to figure out very quickly what needs to be done to remediate the issues.” The solution also sped up their mean time to resolution.
SCA users rate a solution’s feature set and integration abilities as highly important. According to a principal software architect at a tech services company, Mend “boasts a broad range of features and covers much of what an ideal SCA tool should. It covers the containers. The architect also noted the value of Mend’s easy setup and Mend extensive reports involving vulnerabilities.”
What mattered to a senior lead software engineer at a tech services company was that Mend integrates well with Azure DevOps. Similarly, a software company AVP found that Mend is easy to integrate with the CI/CD pipeline, running standalone scans. He remarked, “Integration of this solution does not require much time or knowledge.” Mend’s ability to integrate with developer’s existing workflows was what stood out to Jeffrey H at Common Spirit.
For all of these users, detecting and remediating vulnerabilities and compliance issues in open-source code had proved to be a challenge. With Mend SCA in place, their development teams, along with all the other stakeholders involved in security and compliance, now have an effective tool for mitigating security and compliance risks. Shashidhar G. put the issue in context, saying, “We were doing everything manually, but still we were not able to do everything. Now we have a solution. We can save the human resources that are being paid for. Our return on investment, in terms of our ability to showcase our solutions as secure and sell them, is going to be multifold. I’m expecting, at least, the return on investment of new sales and cross-sales will be at least six times higher.”
Learn more about Mend SCA