Mend (formerly WhiteSource) is the maker of application security products that effortlessly secure what developers create. Mend removes the burden of application security, allowing teams to create and deliver quality, secure code.
The Mend Application Security Platform includes Mend SCA, Mend SAST, Mend Renovate, and Mend Supply Chain Defender.
Our plugins integrate with your repositories, build tools, CI servers and more. They calculate a digital signature for each of your components without ever scanning your source code, then cross-reference those signatures against the Mend database to detect the open source components in your products. An up-to-date report listing every component and issue detected is generated immediately, and this happens every time you run your build.
Our SAST product uses a hybrid architecture. It scans your software locally, so your source code never leaves your premises, while analysis, auto-remediation, reporting and other functions are done in the cloud. This gives you the best of both worlds: the peace of mind of an on-premises scanner, with none of the administrative or maintenance headaches.
The Mend database is the biggest and most mature database of open source vulnerabilities. It contains more than 300,000 vulnerable components, aggregated from the CVE/NVD and various other sources such as the GitHub issue tracker, security advisories, and open source projects' issue trackers.
Mend uses a proprietary, patented algorithm that matches each vulnerability only to the impacted versions of a component, thus guaranteeing no false positives that waste developers' time.
Yes, Mend enforces policies automatically throughout the software development process. You can define your policies according to security vulnerability severity, open source license type, software bug severity, age of a component and many more criteria. Based on your criteria and definitions you can approve, reject, initiate an approval flow, or open an issue ticket.
In addition, Mend offers a browser extension that tells your developers whether a component meets your organization's policies while they are browsing for it on the web, before the component is downloaded.
We offer a variety of reports that help you monitor all of your open source activity, such as an inventory report, a due diligence report, a high severity bugs report, a vulnerability report and many more.
Can I still use your application security platform if my environment is not connected to the Internet?
Some of our plugins for our SCA product can be used in isolated environments. The plugin generates the update request and saves it locally as a text file. This file is then moved to an online environment, from which it can be sent to Mend either automatically or manually.
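The two passages above describe the same mechanism from two sides: components are identified by a digital signature of the artifact rather than by scanning source, the signature is matched against a database that records which versions an advisory actually affects, and in an isolated environment the plugin writes the request to a text file for later upload. The following Python script is an added illustration of that flow and is not Mend's code or database; the fingerprint index, the advisory entries (placeholder identifiers, not real CVEs), the artifact bytes and the `update-request.json` layout are all constructed here so that it runs offline.

```python
import hashlib
import json

# Constructed fingerprint index: SHA-256 of an artifact -> (component, version).
# A real SCA database indexes published open source artifacts; these entries are
# derived from literal byte strings so the example is self-contained.
_KNOWN_ARTIFACT_BYTES = {
    b"example-lib 1.2.0 (constructed artifact bytes)": ("example-lib", "1.2.0"),
    b"example-lib 1.3.1 (constructed artifact bytes)": ("example-lib", "1.3.1"),
    b"other-lib 0.9.0 (constructed artifact bytes)": ("other-lib", "0.9.0"),
}
FINGERPRINT_INDEX = {
    hashlib.sha256(data).hexdigest(): ident
    for data, ident in _KNOWN_ARTIFACT_BYTES.items()
}

# Constructed advisories. Each one names the component plus the version range it
# affects: [introduced, fixed). Identifiers are placeholders, not real CVE ids.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "component": "example-lib",
     "introduced": (1, 0, 0), "fixed": (1, 3, 0), "severity": "high"},
    {"id": "ADVISORY-PLACEHOLDER-2", "component": "other-lib",
     "introduced": (0, 0, 0), "fixed": (1, 0, 0), "severity": "medium"},
]

# Constructed build output: path -> artifact bytes. The third entry is not in the
# index and stands in for an unknown or proprietary component.
SAMPLE_ARTIFACTS = {
    "vendor/example-lib-1.2.0.jar": b"example-lib 1.2.0 (constructed artifact bytes)",
    "vendor/example-lib-1.3.1.jar": b"example-lib 1.3.1 (constructed artifact bytes)",
    "vendor/internal-tool.jar": b"not a known open source artifact",
}


def fingerprint(data: bytes) -> str:
    """Digital signature of an artifact: only this value leaves the build host."""
    return hashlib.sha256(data).hexdigest()


def parse_version(version: str) -> tuple:
    """'1.2.0' -> (1, 2, 0) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(advisory: dict, version: str) -> bool:
    """True only for versions inside the advisory's affected range."""
    v = parse_version(version)
    return advisory["introduced"] <= v < advisory["fixed"]


def scan(artifacts: dict) -> list:
    """Identify each artifact by fingerprint and attach only the advisories
    whose affected range includes the detected version."""
    report = []
    for path, data in artifacts.items():
        ident = FINGERPRINT_INDEX.get(fingerprint(data))
        if ident is None:
            report.append({"path": path, "component": None, "version": None, "issues": []})
            continue
        name, version = ident
        issues = sorted(a["id"] for a in ADVISORIES
                        if a["component"] == name and is_affected(a, version))
        report.append({"path": path, "component": name, "version": version, "issues": issues})
    return report


def build_update_request(artifacts: dict, project: str = "demo-project") -> str:
    """Offline mode: serialise the request as text carrying fingerprints only,
    so the file can be moved to a connected host without exposing source."""
    request = {"project": project,
               "fingerprints": sorted(fingerprint(d) for d in artifacts.values())}
    return json.dumps(request, indent=2)


def resolve_update_request(request_text: str) -> list:
    """Connected side: look the transported fingerprints up in the index."""
    request = json.loads(request_text)
    return [FINGERPRINT_INDEX[fp] for fp in request["fingerprints"] if fp in FINGERPRINT_INDEX]


if __name__ == "__main__":
    for entry in scan(SAMPLE_ARTIFACTS):
        print(entry)
    request_text = build_update_request(SAMPLE_ARTIFACTS)
    with open("update-request.json", "w") as fh:   # the file an operator would carry across
        fh.write(request_text)
    print(resolve_update_request(request_text))
```

Running it flags `example-lib 1.2.0` under the first placeholder advisory, leaves `example-lib 1.3.1` clean because 1.3.1 is outside the affected range (the version-aware matching the database passage relies on to avoid false positives), and reports the unknown artifact with no component so it can be reviewed rather than silently dropped.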
Our standard SLAs are:
| Severity level | First analysis time | Standard restoration time |
|---|---|---|
| Severity 1 | 6 hours | 24 hours |
| Severity 2 | 24 hours | 10 business days |
| Severity 3 | 48 hours | 21 business days |
| Severity 4 | 48 hours | N/A |
Most of our communication is done via e-mails and comments in the support tickets.
When needed, we conduct meetings over the phone, but we do not offer phone support as a standard part of our service.
We support our customers remotely. For on-premises installations we conduct hands-on sessions with the customer, connecting to the environment together to troubleshoot.
In cases where a critical issue cannot be resolved remotely, we also make on-site visits to ensure a quick turnaround.
Yes, Mend is ISO27001 certified.
The onboarding process is included in our pricing. As part of it, we accompany our customers through the whole deployment process: plugin integration, platform configuration, understanding reports and dashboards, and analyzing the data provided by Mend. We also share best practices and suggest proven processes so that the maximum value can be derived from our tool.
“Contributing Developer” means any employee or contractor who during the term of the agreement accesses or uses the Mend Program or any engineer, developer or other person that writes, develops or modifies the Customer’s, or Customer’s affiliate’s, code being scanned or monitored by the Mend Program. For the avoidance of doubt, the same individual will not be counted more than once even if acting in two separate roles such as a developer and platform user.
Mend automates and manages open source components and custom code throughout the Software Development Life Cycle (SDLC). Therefore, pricing based on the number of contributing developers best reflects the impact of our solution, without limiting you to artificial factors such as size of code or number of scans.
No. The number of portal users does not reflect the work actually being performed to support these developers. We find that many organizations can manage their open source usage with a limited number of portal users, for example by leveraging our APIs and consuming our data outside the web portal.
Yes. Mend offers one comprehensive solution that includes the full extent of our database with vulnerabilities from the CVE and dozens of other sources and unlimited capabilities (unlimited number of plugins, unlimited number of users, unlimited number of policies, and more).
No. We believe that only through continuous monitoring can our customers take full advantage of Mend’s capabilities. Our recommended practice is to activate our plugins with every commit, or nightly build, and therefore we offer an unlimited number of scans.
No. We take pride in offering transparent, simple, and predictable pricing.
We price per Contributing Developer, since we know managers have better visibility into the growth of their head count than into the size of their software or its lines of code.
Still have questions? Call us or email at email@example.com