Mend Application Security Platform

Additional Info

Company: Mend (formerly WhiteSource Software)
Company size (employees): 100 to 499
Headquarters Region: North America
Type of solution: Software


The Mend Application Security Platform enables organizations with static application security testing (SAST) and software composition analysis (SCA) to find and fix security issues with ease, using Mend’s unique automated remediation technology. Mend’s platform is the industry’s first-ever solution to automatically remediate vulnerabilities in custom source code and open source. Presented directly in the developer’s repository, Mend’s automated SAST and SCA remediation capability reduces remediation time by 80 percent. Mend SAST, which supports 27 different programming languages, enables developers to create new applications quickly without sacrificing security. The solution contains a breakthrough scanning engine that produces results 10x faster than traditional SAST solutions and can be triggered with every code commit, so developers aren’t left waiting. Teams have visibility into over 70 CWE types, including the OWASP Top 10 and the SANS Top 25, in desktop, web and mobile applications developed on various platforms and networks, resulting in comprehensive and accurate detections. In addition, the platform includes Mend Supply Chain Defender, which helps protect enterprises against software supply chain attacks. It detects and blocks malicious open source packages before a developer can download them.

The platform, launched in May 2022, enables developers to easily write quality, secure code. Traditional application security products force developers to choose between security and meeting deadlines. Mend fits seamlessly into developers’ native workflows thanks to a cloud architecture that scales to support an unlimited number of apps, developers, and repositories.

Mend’s platform is used by companies such as Microsoft, IBM, Comcast, and Philips to reduce security risk and increase the productivity of their security and development teams. Mend is pushing the boundaries of threat detection and vulnerability remediation with this unified platform.

How we are different

- Mend SAST enables enterprise application developers to swiftly create new applications without compromising on security. Static code analysis detects security flaws in custom application code, and automatic remediation generates pull requests targeted at the specific lines of code involved. This enables developers to update their custom code and easily remove security issues. With support for 27 different programming languages and a variety of programming frameworks, its scanning engine generates results up to 10x faster than legacy SAST solutions, and with easy integration into existing DevOps environments and CI/CD pipelines, developers don’t need to configure or trigger scans manually. Inside the code repository, a unified developer experience displays side-by-side alerts and remediation options for custom and open source code.
- Mend SCA helps create secure software without sacrificing speed or agility, identifying vulnerabilities in more than 200 different languages, frameworks, and development technologies. Automated prioritization with patented reachability path analysis determines which vulnerabilities can be safely ignored while automated remediation creates pull requests that enable developers to update to the recommended source package. Merge confidence calculates the likelihood that a dependency update will break a project using crowd-sourced statistics, and its software bill of materials keeps track of components in the latest build of each version deployed. Open source license compliance also provides legal teams with visibility and control over the use of open source licenses.
- Mend Supply Chain Defender protects organizations from software supply chain attacks. It detects and blocks malicious open source packages before the developer downloads them, keeping malicious code out of the codebase. Mend Supply Chain Defender has already identified and reported thousands of malicious packages, which were immediately removed from their registries to safeguard open source users from inadvertently installing malicious code.