Checkmarx One vs Mend.io Comparison 2024

Checkmarx One

Mend.io

Checkmarx One

Read 67 Checkmarx One reviews

34,421 views|22,385 comparisons

Mend.io

Read 29 Mend.io reviews

10,193 views|5,993 comparisons

Comparison Buyer's Guide

Download the complete report

Buyer's Guide

Checkmarx One vs. Mend.io

May 2024

Executive Summary

Updated on Apr 2, 2023

We performed a comparison between Mend and Checkmarx based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.

Ease of Deployment: Reviewers of both solutions stated that the deployment processes were quick and efficient, with those deploying Checkmarx noting that the setup can take less than an hour.

Features: Mend offers open source software vulnerability remediation, as well as excellent integration with other applications. Its ability to manually configure policies and its over-engineered dashboard leaves the need for improvement. Checkmarx allows companies to automatically scan and resolve vulnerabilities in all major code languages with a high level of accuracy, and possess a user-friendly UI. However, someone who is not a developer may struggle to use it, and it lacks a holistic view of the portfolio-level dashboard.

Pricing: Mend is described as not overly expensive, with some enterprises being able to negotiate a lower price than what they had paid in previous years, while those using Checkmarx expressed that they would like to see its licensing improved.

Service and Support: The technical support of both solutions are noted as highly responsive and diligent in their responses.

ROI: A return on investment was observed by users of both solutions, in the form of improved quality of code and lack of security breaches.

Comparison results: Based on the parameters we compared, Mend comes out ahead of Chechmarx. While both possess flexibility and good vulnerability compliance, Checkmarx’s modular licensing and data search tools leave room for improvement.

To learn more, read our detailed Checkmarx One vs. Mend.io Report (Updated: May 2024).

Download the complete report

770,616 professionals have used our research since 2012.

Featured Review

Anonymous User

Senior Engineer at a tech vendor

Useful automation , detailed reports, but scalability could improve

We have always used some kind of code analysis tool and Checkmarx has been working for us at this time. We like the tool.

Anonymous User

IT Service Manager at a wholesaler/distributor

Provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support

The tool is now a mandatory part of our organization to use as a benchmark, giving us a technical advantage. When we acquire other companies, we... Read more →

Quotes From Members

We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:

Pros

"The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking.""The solution communicates where to fix the issue for the purpose of less iterations.""The product's most valuable feature is static code and supply chain effect analysis. It provides a lot of visibility.""The main advantage of this solution is its centralized reporting functionality, which lets us track issues, then see and report on the priorities via a web portal.""The user interface is excellent. It's very user friendly.""Vulnerability details is valuable.""The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful.""The solution improved the efficiency of our code security reviews. It helps tremendously because it finds hundreds of potential problems sometimes."

More Checkmarx One Pros →

"The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions.""The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate.""We find licenses together with WhiteSource which are associated with a certain library, then we get a classification of the license. This is with respect to criticality and vulnerability, so we could take action and improve some things, or replace a third-party library which seems to be too risky for us to use on legal grounds.""The solution boasts a broad range of features and covers much of what an ideal SCA tool should.""The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine.""Enables scanning/collecting third-party libraries and classifying license types. In this way we ensure our third-party software policy is followed.""The reporting capability gives us the option to generate an open-source license report in a single click, which gets all copyright and license information, including dependencies.""It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."

More Mend.io Pros →

Cons

"If it is a very large code base then we have a problem where we cannot scan it.""Implementing a blackout time for any user or teams: Needs improvement.""One area for improvement in Checkmarx is pricing, as it's more expensive than other products.""The reports are good, but they still need to be improved considering what the UI offers.""When we first ran it on a big project, there wasn't enough memory on the computer. It originally ran with eight gigabytes, and now it runs with 32. The software stopped at some point, and while I don't think it said it ran out of memory, it just said "stopped" and something else. We had to go to the logs and send them to the integrator, and eventually, they found a memory issue in the logs and recommended increasing the memory. We doubled it once, and it didn't seem enough. We doubled it again, and it helped.""I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features.""In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now.""Updating and debugging of queries is not very convenient."

More Checkmarx One Cons →

"The solution lacks the code snippet part.""Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting.""The UI is not that friendly and you need to learn how to navigate easily.""The initial setup could be simplified.""The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved.""We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running.""I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant.""If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation."

More Mend.io Cons →

Pricing and Cost Advice

"It is the right price for quality delivery."

"I believe pricing is better compared to other commercial tools."

"The pricing was not very good. This is just a framework which shouldn’t cost so much."

"The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security."

"It is a good product but a little overpriced."

"The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies."

"Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products."

"We got a special offer for a 30% reduction for three years, after our first year. I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year)."

More Checkmarx One Pricing and Cost Advice →

"We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price. "

"The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps."

"Pricing is competitive."

"The solution involves a yearly licensing fee."

"As we were using an SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."

"WhiteSource is much more affordable than Veracode."

"This is an expensive solution."

"When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."

More Mend.io Pricing and Cost Advice →

See Which Vendors Are Best For You

Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.

See Recommendations

770,616 professionals have used our research since 2012.

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?

Top Answer:I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.

Read all 4 answers →

What do you like most about Checkmarx?

Top Answer:Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.

Read all 38 answers →

What is your experience regarding pricing and costs for Checkmarx?

Top Answer:The solution's price is high and you pay based on the number of users.

Read all 25 answers →

How does WhiteSource compare with SonarQube?

Top Answer:Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, easy… more »

How does WhiteSource compare with Black Duck?

Top Answer:We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license… more »

What do you like most about Mend.io?

Top Answer:The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related… more »

Read all 23 answers →

Ranking

3rd

out of 74 in Application Security Tools

Views

34,421

Comparisons

22,385

Reviews

Average Words per Review

508

Rating

7.7

5th

out of 74 in Application Security Tools

Views

10,193

Comparisons

5,993

Reviews

Average Words per Review

1,324

Rating

8.5

Comparisons

SonarQube vs. Checkmarx One

Compared 52% of the time.

Veracode vs. Checkmarx One

Compared 13% of the time.

Fortify on Demand vs. Checkmarx One

Compared 6% of the time.

Snyk vs. Checkmarx One

Compared 4% of the time.

OWASP Zap vs. Checkmarx One

Compared 2% of the time.

More Checkmarx One Competitors →

SonarQube vs. Mend.io

Compared 25% of the time.

Black Duck vs. Mend.io

Compared 16% of the time.

Snyk vs. Mend.io

Compared 9% of the time.

Veracode vs. Mend.io

Compared 8% of the time.

JFrog Xray vs. Mend.io

Compared 6% of the time.

More Mend.io Competitors →

Also Known As

WhiteSource, Mend SCA, Mend.io Supply Chain Defender

Learn More

Checkmarx

Mend.io

Overview

Checkmarx One is an enterprise cloud-native application security platform focused on providing cross-tool, correlated results to help AppSec and developer teams prioritize where to focus time and resources.

Checkmarx One offers comprehensive application scanning across the SDLC:

Static Application Security Testing (SAST)
Software Composition Analysis (SCA)
API security
Dynamic Application Security Testing (DAST)
Container security
IaC security
Correlation, prioritization, and risk management
Codebashing secure code training
AI security
Tech partnerships extending AppSec into runtime analysis
Developer tool integrations including: CI/CD tools, development frameworks, feedback tools, IDEs, programming languages and SCMs

Checkmarx One provides everything you need to secure application development from the first line of code through deployment and runtime in the cloud. With an ever-evolving set of AppSec engines, correlation and prioritization features, and AI capabilities, Checkmarx One helps consolidate expanding lists of AppSec tools and make better sense of results. Its capabilities are designed to provide an improved developer experience to build trust with development teams and ensure the success of your AppSec program investment.

Mend.io is a software composition analysis tool that secures what developers create. The solution provides an automated reduction of the software attack surface, reduces developer burdens, and accelerates app delivery. Mend.io provides open-source analysis with its in-house and other multiple sources of software vulnerabilities. In addition, the solution offers license and policy violation alerts, has great pipeline integration, and, since it is a SaaS (software as a service), it doesn’t require you to physically maintain servers or data centers for any implementation. Not only does Mend.io reduce enterprise application security risk, it also helps developers meet deadlines faster.

Mend.io Features

Mend.io has many valuable key features. Some of the most useful ones include:

Vulnerability analysis
Automated remediation
Seamless integration
Business prioritization
Limitless scalability
Intuitive interface
Language support
Integration
Continuous monitoring
Remediation suggestions
Customization

Mend.io Benefits

There are many benefits to implementing Mend.io. Some of the biggest advantages the solution offers include:

Easy to use: The Mend.io platform is very user-friendly and easy to set up.

Third-party libraries: The solution eases the process of keeping track of all the used third-party dependencies within a product. It not only scans for the pure occurrence (also transitively) but also takes care of licenses and vulnerabilities.

Static code analysis: With Mend.io’s static code analysis, you can quickly identify security weaknesses in custom code across desktop, web, and mobile applications.

Broad support: Mend.io provides 27 different programming languages and various programming frameworks.

Easy integration: Mend.io makes integration very easy with existing DevOps environments and CI/CD pipelines so developers don’t need to manually configure or trigger the scan.

Ultra-fast scanning engine: The solution’s scanning engine generates results up to ten times faster than legacy SAST solutions.

Unified developer experience: Mend.io has a unified developer experience inside the code repository that shows side-by-side security alerts and remediation suggestions for custom code and open-source code.

Reviews from Real Users

Below are some reviews and helpful feedback written by PeerSpot users currently using the Mend.io solution.

Jeffrey H., System Manager of Cloud Engineering at Common Spirit, says, “Finding vulnerabilities is pretty easy. Mend.io (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Mend.io does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.”

PeerSpot reviewer Ben D., Head of Software Engineering at a legal firm, mentions, “The way WhiteSource scans the code is great. It’s easy to identify and remediate open source vulnerabilities using this solution. WhiteSource helped reduce our mean time to resolution since we adopted the product. In terms of integration, it's pretty easy.”

An IT Service Manager at a wholesaler/distributor comments, “Mend.io provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support.”

Another reviewer, Kevin D., Intramural OfficialIntramural at Northeastern University, states, "The vulnerability analysis is the best aspect of the solution."

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC

Microsoft, Autodesk, NCR, Target, IBM, vodafone, Siemens, GE digital, KPMG, LivePerson, Jack Henry and Associates

Top Industries

REVIEWERS

Computer Software Company31%

Financial Services Firm19%

Comms Service Provider9%

Manufacturing Company9%

VISITORS READING REVIEWS

Financial Services Firm21%

Computer Software Company15%

Manufacturing Company9%

Insurance Company5%

REVIEWERS

Computer Software Company33%

Financial Services Firm11%

Media Company6%

Energy/Utilities Company6%

VISITORS READING REVIEWS

Financial Services Firm17%

Computer Software Company16%

Manufacturing Company10%

Insurance Company5%

Company Size

REVIEWERS

Small Business38%

Midsize Enterprise13%

Large Enterprise50%

VISITORS READING REVIEWS

Small Business17%

Midsize Enterprise12%

Large Enterprise72%

REVIEWERS

Small Business36%

Midsize Enterprise7%

Large Enterprise57%

VISITORS READING REVIEWS

Small Business19%

Midsize Enterprise14%

Large Enterprise67%

Buyer's Guide

Checkmarx One vs. Mend.io

May 2024

Free Report: Checkmarx One vs. Mend.io

Find out what your peers are saying about Checkmarx One vs. Mend.io and other solutions. Updated: May 2024.

DOWNLOAD NOW

770,616 professionals have used our research since 2012.

Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while Mend.io is ranked 5th in Application Security Tools with 29 reviews. Checkmarx One is rated 7.6, while Mend.io is rated 8.4. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". Checkmarx One is most compared with SonarQube, Veracode, Fortify on Demand, Snyk and OWASP Zap, whereas Mend.io is most compared with SonarQube, Black Duck, Snyk, Veracode and JFrog Xray. See our Checkmarx One vs. Mend.io report.

See our list of best Application Security Tools vendors.

We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.

Checkmarx One vs Mend.io comparison