WhiteSource, Renamed Mend, Takes on Remediating Code Issues

Mend Is Pushing Beyond SCA to Safeguard First-Party Code and Automate Remediation
WhiteSource has renamed itself Mend as the company pushes beyond software composition analysis to become a broad application security platform with automated remediation.
The Boston-based vendor says the name WhiteSource didn't have any negative connotations when the company was founded in Israel in 2011, but co-founder and CEO Rami Sass recognizes that some people today find the company name offensive. The term "whitelist" has fallen out of favor in recent years due to stigma and racial stereotyping, and the U.K. government switched to the term "allow list" in 2020.
"The name Mend is strongly associated with the act of fixing and closing gaps," Sass says. "WhiteSource simply does not convey the essence of what we do anymore. I think Mend is a lot more to the point of the kind of value that we bring to our customers."
Sass says the new name is also intended to reflect the company's shift from a pure-play software composition analysis provider to a company that safeguards both first-party code and open-source dependencies. Mend now offers static application security testing and has invested quite a lot around finding, prioritizing and remediating security vulnerabilities in open-source dependencies, Sass says (see: No Log4j, But Spring4Shell Exploitation Attempts Increase).
"It's a very big transformation for us as a company, and we want to reposition ourselves in a new market," Sass says. "Up until now, we were the leader in the software composition analysis market, and we are now looking to become a major player in the broader application security space."
Securing the Supply Chain
Mend is expanding its offering around open-source dependencies to cover the proprietary pieces of first-party code that vendors write for their own applications, Sass says. The company has also gone beyond detection and added automated remediation capabilities, meaning it can now scan, prioritize and fix security vulnerabilities in both open-source and proprietary code, he says.
Mend has also developed Supply Chain Defender to automatically detect malicious packages in open-source code. Historically, open-source vulnerabilities were mistakes made in good faith, but Sass says that over the past 18 months, individuals, groups and nation-states have been deliberately planting vulnerabilities in less popular open-source projects so that the weaknesses can later be exploited in software that depends on them.
Sass says Mend's new technology can identify malicious dependencies in real time and treat them as zero-day vulnerabilities, blocking them from ever entering a customer's development pipeline or being exposed in software. Mend's static application security testing offering debuted in late March while the company's automated remediation and Supply Chain Defender technology are being rolled out now.
Software composition analysis and static application security testing are purchased by the same buyers and consumed by the same people in customer organizations, and Sass anticipates the two markets will merge in the next 18 to 24 months. He says Mend's move to consolidate these two markets is natural and organic.
"We will have a much deeper and broader footprint within our customers," Sass says. "For each of our customers, we will be able to bring a lot more value than we have while still targeting the same people inside the organization."
Go Big or Go Home
Sass says Mend's broader vision is to make application security invisible through automation, allowing customers to develop and introduce new software and services without even having to think about security. None of Mend's competitors actively protect against malicious dependencies, while startups in the space don't have Mend's breadth of coverage across programming languages and attack types.
Mend frequently encounters Synopsys, Sonatype, Checkmarx, Veracode, Snyk and Sonar when pursuing prospects, and Sass says the company has set itself apart from peers by fully automating the fixing of vulnerabilities for customers. The company's focus on large, technologically advanced enterprises is also a differentiator, and Mend counts IBM, Microsoft, Capital One, Comcast and EY among its customers.
Sass hopes to grow Mend's headcount from 300 employees today to nearly 400 a year from now, with a focus on hiring more salespeople and marketing professionals in North America. Roughly half of Mend's revenue today comes from outside North America, and Sass says the company has recently opened offices in Singapore and South Korea to build out its presence in the Far East.
From a metrics standpoint, Sass says Mend plans to track mean time to remediation to ensure that vulnerabilities being detected by the system are actually getting fixed quickly for users. Mend also plans to monitor the adoption of its new offerings by tracking the number of scans performed by the static application security testing tool and the number of developers covered by Supply Chain Defender.
"Putting remediation first is the way to derive value out of security solutions," Sass says. "The vision here is to make application security invisible to the engineering team."