When it comes to choosing an SCA solution, any responsible decision maker should consider Black Duck and Mend (formerly WhiteSource). Black Duck has been around longer than any other player in the space, and WhiteSource was a household name in enterprise cybersecurity (until they changed their name to Mend in May 2022). But is either solution right for you?
Selecting the right Software Composition Analysis (SCA) tool is a critical decision that will shape your organization’s cybersecurity posture for years to come. But with the growing complexity of cyber threats and ever-changing regulatory demands, the challenge lies not just in choosing a tool but understanding what sets them apart and identifying the one best suited for your needs.
In this post, we’ll compare Black Duck, Mend, and Finite State across the five most critical areas where a quality SCA tool needs to perform: developer guidance, SBOM support, accuracy (false positive rate), DevOps integrations, and total cost of ownership.
This guide is based on our extensive industry experience, conversations with cybersecurity professionals, and our own research. If you have any questions about the data shared in the table, reach out to the team here.
| Black Duck | Mend | Finite State |
| Synopsis’s SCA solution, Black Duck, has been in the application security space for 15 years — longer than any other solution. It added security capabilities in 2015, having previously been focused on license compliance. Black Duck is especially proficient in analyzing C and C++ languages — which are particularly problematic when it comes to third-party vulnerabilities. | Mend offers agile, open-source security and license compliance management. They integrate with the DevOps pipeline to detect open source libraries with security or compliance issues. Mend serves over 1,000 customers, including more than 25 Fortune 100 companies. | Finite State provides end-to-end SDLC security to help teams identify and mitigate software risk. Leveraging source code and binary SCA, it covers the most intricate and complex software use cases — delving into the hardware, software, libraries, embedded systems, and first-, third-, and open-source code used in connected devices. Finite State delivers high-fidelity SBOMs, has compatibility with over 200+ threat intelligence feeds for vulnerability enrichment and remediation guidance, and streamlines developer workflows through CI/CD pipeline integrations and auto PRs. |
Skip To:
We’ll unpack these individual competencies in a moment, but first here’s how Black Duck, Mend, and Finite State stack up against each other at a glance, on a scale of 1–5. These scores are based on each tool’s capabilities as of January 2023.
“Wait—Finite State just gets to give themselves a perfect score?”
We’ll explain the quantitative reasons why Finite State comes out on top in these areas, but for the sake of good faith, here are a few general reasons why the scores shook out this way:
Let’s look at how Black Duck, Mend, and Finite State stack up against each other in detail.
At the very least, any SCA tool should alert your developers to third-party vulnerabilities in your applications. However, an advanced SCA can do much more to close the gap between finding and patching a vulnerability.
This is important to consider, because companies often let third-party vulnerabilities linger within their applications simply because developers don’t have the time or direction necessary to fix them. In fact, 59% of respondents to a 2021 IBM Security™ study cited delays associated with patching vulnerabilities as a reason their organizations hadn’t become more resilient to cyber threats.
Finding the problem is only the beginning, and a strong SCA solution can help your developers through every step of the patching process. A high degree of developer guidance saves you immense amounts of time in labor, and reduces the amount of time your application remains vulnerable to hackers.
We graded these tools’ developer guidance capabilities on the following five-point scale:
|
Score: |
1 |
2 |
3 |
4 |
5 |
|
Capabilities: |
No guidance |
Refers to current versions |
Provides versions & risks for each patch |
Provides compatibility, popularity & data points for each patch |
AutoPatch: Can patch vulnerabilities automatically |
The Takeaways —
Black Duck falls short: While Black Duck will direct your dev team to current versions of vulnerable components of your software, it won’t help them much beyond that. It’s on your developers to research the risks associated with the patch, assess whether or not the patch is compatible with your application, and find out whether or not other developers are satisfied with the patch in question.
Mend is a little better: If your developers are using Mend (formerly WhiteSource), they will gain an understanding of the risks associated with implementing a given recommended patch. This saves some of your time, but your dev team will still need to figure out if the patch is compatible with your software and is trusted by other developers.
The Finite State advantage: Not only does our tool provide information on each patch’s risks, compatibility, and popularity, but Finite State can automatically implement safe patches for you—so your product and security teams can make informed decisions and move on.
The software bill of materials (SBOM) plays an essential role for both software companies and their enterprise customers. Organizations that deliver software applications face increasing regulatory and compliance pressures to produce a comprehensive SBOM: one that not only shows vulnerabilities and licenses, but also points out technical debt (portions of code that need future cleanup).
For enterprise customers, it’s more common to ask your vendor for an accompanying software bill of materials. But it’s also important to validate the SBOMs that these vendors provide—which an advanced SCA tool can help you do.
We graded these tools’ SBOM support on the following five-point scale:
|
Score: |
1 |
2 |
3 |
4 |
5 |
|
Capabilities: |
No SBOM support |
Exports SBOMs in only one format (no import) |
Exports SBOMs in multiple formats (no import) |
Supports multiple SBOM formats (import and export) |
Dependency info incorporated into SBOM |
The Takeaways —
Mend does the bare minimum, and not much else: While you can export SBOMs, you can’t choose from multiple formats, you can’t import SBOMs, and you can’t intuitively see how your components nest within each other.
Black Duck and Finite State are the strongest: Both tools allow you to import and export multiple SBOM formats, and clearly delineate all dependency relationships between the components and subcomponents in your application.
Black Duck is especially strong in its analysis of C languages. If your application is built on components using C and/or C++ and your application has millions of lines of code, you can expect at least 65% of your vulnerabilities to come from code in these languages.
Finite State in particular lets you visually navigate your SBOM, so you can see how your third-party code is nested and where any given vulnerability lies.
SCA false positives are just plain bad for business. In our 2022 report The True Costs of False Positives in Software Security, 62.1% of surveyed technology leaders revealed that decreasing false positives is a higher business priority than increasing true positives. False positives waste valuable time and significantly hamper productivity on both development and security teams—and they can even harm relationships between teams.
We ran each of these tools against a set of applications with 511 known vulnerabilities to see how many they’d catch, how many they’d miss, and how many false positives they’d flag. Here’s how they stacked up:
We graded these tools’ accuracy on the following five-point scale:
|
Score: |
1 |
2 |
3 |
4 |
5 |
|
Capabilities: |
False positive rate above 10% |
False positive rate of 5–10% |
False positive rate of 2–5% |
False positive rate of 1–2% |
False positive rate below 1% |
The Takeaways —
Both Black Duck and Mend generate a lot of false positives: And even though Mend has an edge on Black Duck, it still generates five to ten times as many false positives as Finite State.
The Finite State advantage: One of the reasons we built Finite State was to take on the problem of false positives in the SCA space—without missing true positives. By design, Finite State is the most accurate SCA tool on the market today.
Most SCA solutions claim to protect and integrate into your DevOps process. Each of these leading tools integrates with your build pipeline and repository, and supports container scanning, but some integrate more fully than others. For example, not every SCA offers binary application scanning and runtime protection. Here’s how these particular tools stack up against each other:
We graded these tools’ DevOps integration capabilities on the following five-point scale:
|
Score: |
1 |
2 |
3 |
4 |
5 |
|
Capabilities: |
No DevOps integration: a standalone product |
Build pipeline integration |
Repository integration and container scanning |
Binary application scanning |
Runtime protection |
The Takeaways —
Mend is the weakest: While Mend integrates with your build environment and repository, it cannot be used to scan licensed third-party code.
Black Duck is better: You can use Black Duck to scan vendor’s applications as well as your own—but it won’t cover you in runtime.
The Finite State advantage: Finite State is the only SCA on the market that offers runtime protection. Finite State is built on a Shift Left Security philosophy: it protects your build pipeline and runtime, integrates with your repository, and allows for both container and binary scanning.
Price is important when considering SCA options. You want to know how much you’re going to pay your SCA vendor—and ideally, there won’t be any surprises. Unfortunately, an SCA’s price isn’t always easy to determine. Some SCAs are transparent with pricing, others use complex formulas based on variable directional metrics, and others are entirely opaque.
But when evaluating the cost of an SCA solution, you need to look past the initial price tag. An SCA should help keep your application safe from vulnerabilities, but it should also reduce the cost of labor spent on fixing those vulnerabilities. For example, an SCA that costs an extra $1,000 per month in subscription fees may save you $10,000 a month in labor via some of the factors described above, e.g., a lower false positive rate, or more advanced developer guidance.
So when cross-evaluating SCA options, we looked for two factors:
Here’s how Black Duck, Mend, and Finite State stack up:
We graded these tools’ total cost of ownership on the following five-point scale:
|
Score: |
1 |
2 |
3 |
4 |
5 |
|
Capabilities: |
Low labor savings |
Medium labor savings, high price |
Medium labor savings, competitive price |
High labor savings, high price |
High labor savings, competitive price |
The Takeaways —
Black Duck is costly: It has a high price tag, but it’s particularly weak in terms of developer guidance and accuracy—which means you spend a lot more labor realizing the value of this tool.
Mend is a little better: Their pricing is relatively straightforward (and their customers tend to say that they’re a fair and transparent vendor to work with). However, Mend users will still spend a lot of unnecessary labor making up for false positives and limited developer guidance.
The Finite State advantage: Our pricing model is entirely transparent, with no hidden fees or limits—plus, Finite State saves labor with a low false positive rate, clear developer guidance, automatic patching, prioritization, and other remediation options.
When we take all these factors into consideration, Black Duck has a slight edge on Mend—but neither shines in these five competencies like Finite State.
Selecting the right SCA is critical to protecting your organization, and these five factors are the strongest indicators of how valuable an SCA tool can be to your organization.
We built Finite State so you can rapidly secure your software supply chain without slowing down your business. If you’re exploring SCA options and still aren’t convinced, or if you’d like to delve even deeper into comprehensive analyses, continue reading these following pages:
Book a demo to learn more about how Finite State can help protect your software supply chain today.