Finite State Blog

Mend vs. Finite State: A Side-by-side SCA Tool Comparison

Written by Finite State Team | Aug 30, 2023 5:15:00 PM

In May of 2022, WhiteSource, a longstanding SCA solution and leader in application security, rebranded as Mend. Mend is still one of the most widely used SCA tools in the cybersecurity world and a common candidate when companies consider a new SCA solution—but is it right for you?

Choosing a software composition analysis tool is an important decision that will affect your cybersecurity for years to come. However, with ever-changing regulatory demands and the growing complexity of cyber threats, evaluating your options and understanding what sets the best solutions apart can be challenging. 

This comparison evaluates Mend and Finite State on five capabilities that companies find most important when choosing an SCA tool. 

This guide is based on our extensive industry experience, conversations with cybersecurity professionals, and our own research. These scores are based on each tool’s capabilities as of January 2023.

 

Mend vs. Finite State: a side-by-side comparison

Mend (formerly WhiteSource)

Finite State

Mend (formerly WhiteSource) offers agile open-source security and license compliance management. They integrate with the DevOps pipeline to detect open-source libraries with security or compliance issues. Mend serves more than 1,000 customers, including more than 25 Fortune 100 companies.

Finite State provides end-to-end SDLC security to help teams identify and mitigate software risk. Leveraging source code and binary SCA, it covers the most intricate and complex software use cases — delving into the hardware, software, libraries, embedded systems, and first-, third-, and open-source code used in connected devices. Finite State delivers high-fidelity SBOMs, has compatibility with over 200+ threat intelligence feeds for vulnerability enrichment and remediation guidance, and streamlines developer workflows through CI/CD pipeline integrations and auto PRs.

 

We’ve measured these tools’ competencies in the five most critical areas where a quality SCA tool needs to perform. 

  1. Developer guidance 
  2. Comprehensive SBOM support
  3. Low false positives output
  4. Integration to the DevOps process 
  5. Total cost of ownership

We’ll unpack these individual competencies in a moment, but here’s how Mend and Finite State stack up against each other at a glance on a scale of 1–5. 

At this point, you should be asking, “Isn’t it a bit suspect for Finite State to give themselves a perfect score?” 

Fair point, but there are a few good reasons for this: 

  1. This scoring system focuses on the five areas that are absolutely vital to choosing a strong SCA solution. We arrived at these factors after countless conversations with IT security and development teams over the years: these are the ones that come up over and over. 
  2. We could score all of these solutions across many more factors—like the size of the company’s internal research team, the number of integrations available, etc. However, getting reliable numbers for these factors is difficult to do, and even if we did get accurate numbers, they could change next week.
  3. Finite State was specifically built to master these five areas. When companies switch from another solution to Finite State, it’s because of one (or several) of these factors.  

Let’s look at how these two stack up against each other in detail.

 

Mend vs. Finite State on developer guidance

At the bare minimum, an SCA tool should alert developers to third-party vulnerabilities in their applications. A more advanced SCA will not only point out the vulnerabilities but also give your developers directions for patching them—which can drastically decrease the time it takes to fix them

When choosing an SCA solution, it’s essential to acknowledge the level of guidance the tool will give your developers. A tool with top-tier guidance will tell your developers what their patch options are and whether or not the patches are compatible with your application—and some will even offer auto-patching and suppression management features. Here’s how Mend and Finite State compare on this front:

We graded these tools’ developer guidance capabilities on the following five-point scale:

Score:

1

2

3

4

5

Capabilities:

No guidance

Refers to current versions

Provides versions & risks for each patch

Provides compatibility, popularity & data points for each patch

AutoPatch: Can patch vulnerabilities automatically

 

The Takeaway — Not only does our tool provide information on each patch’s risks, compatibility, and popularity, but Finite State can automatically implement safe patches for you—so your product and security teams can make informed decisions and move on.

 

Mend vs. Finite State on SBOM support

The software bill of materials (SBOM) plays an essential role for both software companies and their enterprise customers. Organizations that deliver software applications face increasing regulatory and compliance pressures to produce a comprehensive SBOM that shows vulnerabilities and licenses and points out technical debt (portions of code that need future cleanup).

For enterprise customers, it’s more common to ask your vendor for an accompanying software bill of materials. But it’s also important to validate the SBOMs that these vendors provide—which an advanced SCA tool can help you do. Here’s how Mend and Finite State stack up in this area:

We graded these tools’ SBOM support on the following five-point scale:

Score:

1

2

3

4

5

Capabilities:

False positive rate above 10%

False positive rate of 5–10%

False positive rate of 2–5%

False positive rate of 1–2%

False positive rate below 1%

 

The Takeaway — Although Mend allows you to export SBOMs for your applications (which can be helpful when selling into regulated industries), it falls short in terms of comprehensive SBOM support. On the other hand, Finite State allows you to import and export multiple SBOM formats and clearly delineates all dependency relationships between the components and subcomponents in your application. Plus, you can visually navigate your SBOM inside Finite State, so you can see how your third-party code is nested and where any given vulnerability lies.

 

Mend vs. Finite State on false positives

SCA false positives are just plain bad for business. In a 2022 report, The True Costs of False Positives in Software Security, 62.1% of surveyed technology leaders revealed that decreasing false positives is a higher business priority than increasing true positives. False positives waste valuable time and significantly hamper productivity on both development and security teams—and they can even harm relationships between teams. 

We ran both Mend and Finite State against a set of applications with 511 known vulnerabilities to see how many they’d catch, how many they’d miss, and how many false positives they’d flag. Here’s how they stacked up:

We graded their ’ accuracy on the following five-point scale:

Score:

1

2

3

4

5

Capabilities:

False positive rate above 10%

False positive rate of 5–10%

False positive rate of 2–5%

False positive rate of 1–2%

False positive rate below 1%

 

The Takeaway — While Mend is a solid technical product, it tends to flag a great deal of false positives (up to ten times as many as Finite State). One of the reasons we built Finite State was to take on the problem of false positives in the SCA space—without missing true positives. 

 

Mend vs. Finite State on DevOps integration

Most SCA solutions claim to protect and integrate into your DevOps process. While both Mend and Finite State integrate with your build pipeline and repository and support container scanning, only Finite State offers binary application scanning and runtime protection. Here’s how these particular tools stack up against each other:

We graded these tools’ DevOps integration capabilities on the following five-point scale:

Score:

1

2

3

4

5

Capabilities:

No DevOps integration: a standalone product

Build pipeline integration

Repository integration and container scanning

Binary application scanning

Runtime protection

 

The Takeaway — Finite State is built on a Shift Left Security philosophy. Our SCA tool protects your build pipeline and runtime, integrates with your repository, and allows for both container and binary scanning—so you’re always aware of known vulnerabilities in your third-party code, whether it’s open source or licensed.

 

Mend vs Finite State on total cost of ownership

Each SCA tool comes with a cost. This goes beyond the price you pay for the tool, though: you should also consider the cost of labor to use the tool. For example, a tool with a low subscription fee and a high false positive rate may end up costing you more in development time than a tool with a higher subscription fee and a lower false positive rate.

Then, there’s the pricing structure itself to consider. Some SCAs are transparent with pricing, others use complex formulas based on variable directional metrics, and others are entirely opaque. So when cross-evaluating SCA options, we looked for two factors:

  1. Competitive pricing: The vendor uses transparent, straightforward pricing.
  2. Labor savings: The tool has robust enough capabilities to reduce software supply chain security supply labor costs.

Here’s how Mend and Finite State stack up:

We graded these tools’ total cost of ownership on the following five-point scale:

Score:

1

2

3

4

5

Capabilities:

Low labor savings

Medium labor savings, high price

Medium labor savings, competitive price

High labor savings, high price

High labor savings, competitive price

 

The Takeaway — We commonly hear professionals in the cybersecurity industry praise Mend for being a good company to work with: they’re transparent with their pricing and don’t tend to push hidden fees on their customers. They scored lower in this regard because of the amount of labor that goes into dealing with false positives—but in terms of pricing, they are rather competitive. 

The Finite State advantage: Our pricing model is entirely transparent, with no hidden fees or limits—plus, Finite State saves labor with a low false positive rate, clear developer guidance, automatic patching, prioritization, and other remediation options.

 

Choose the SCA that’s right for you

Selecting the right SCA is critical to protecting your organization, and these five factors are the strongest indicators of how valuable an SCA tool can be to your organization. 

At Finite State, we designed our solution to help you secure your software supply chain rapidly and efficiently without disrupting your business operations. Schedule a demo today to discover how we can empower your organization.