When it comes to choosing an SCA solution, any responsible decision maker should consider Black Duck and Mend (formerly WhiteSource). Black Duck has been around longer than any other player in the space, and WhiteSource was a household name in enterprise cybersecurity (until they changed their name to Mend in May 2022). But is either solution right for you?
Choosing a software composition analysis tool is an important decision that will affect your cybersecurity for years to come. But since the product category is relatively new, it can be difficult to evaluate your options and understand what sets the best solutions apart.
This comparison evaluates Black Duck, Mend, and MergeBase (a purpose-built newcomer to the SCA space) on five capabilities that companies find most important when choosing an SCA tool. (If you’d like to see our analysis of all the major SCA solutions side by side, check out our SCA buyer’s guide.)
Black Duck vs. WhiteSource (now Mend) vs. MergeBase: a side-by-side comparison
We’ve measured these tools’ competencies in the five most critical areas where a quality SCA tool needs to perform. This guide is based on our extensive industry experience, conversations with cybersecurity professionals, and our own research.
We looked at the following five core competencies:
- Developer guidance with compatibility check
- Comprehensive SBOM support
- Low false positives output
- Integration to the DevOps process with runtime protection
- Total cost of ownership
We’ll unpack these individual competencies in a moment, but here’s how Black Duck, Mend, and MergeBase stack up against each other at a glance, on a scale of 1–5. These scores are based on each tool’s capabilities as of January 2023.
“Wait—MergeBase just gets to give themselves a perfect score?” We’ll explain the quantitative reasons why MergeBase comes out on top in these areas, but for the sake of good faith, here are a few general reasons why the scores shook out this way:
- This scoring system focuses on the five areas that are absolutely vital to choosing a strong SCA solution. We arrived at these factors after countless conversations with IT security and development teams over the years: these are the ones that come up over and over.
- We could score all of these solutions across many more factors—like the size of the company’s internal research team, the number of integrations available, etc. It’s almost certain that Black Duck and Mend would outscore us in these and other areas. However, getting reliable numbers for such factors is difficult, and even if we did get accurate numbers, they could change next week.
- MergeBase was specifically built to master these five areas. When companies switch from one of these other players to MergeBase, it’s because of one (or several) of these factors.
- While MergeBase is strictly an SCA solution, these other SCA tools are parts of much larger software security suites. With breadth of coverage comes a lack of focus. If we were to rate ourselves against everything that Mend does, our score would look a lot different—but we’re not playing their game.
Let’s look at how Black Duck, Mend, and MergeBase stack up against each other in detail.
Black Duck vs. WhiteSource (Mend) vs. MergeBase on developer guidance
At the very least, any SCA tool should alert your developers to third-party vulnerabilities in your applications. However, an advanced SCA can do much more to close the gap between finding and patching a vulnerability.
This is important to consider, because companies often let third-party vulnerabilities linger within their applications simply because developers don’t have the time or direction necessary to fix them. In fact, 59% of respondents to a 2021 IBM Security™ study cited delays associated with patching vulnerabilities as a reason their organizations hadn’t become more resilient to cyber threats.
Finding the problem is only the beginning, and a strong SCA solution can help your developers through every step of the patching process. A high degree of developer guidance saves you immense amounts of time in labor, and reduces the amount of time your application remains vulnerable to hackers.
We graded these tools’ developer guidance capabilities on the following five-point scale:
|Capabilities:||No guidance||Refers to current versions||Provides versions & risks for each patch||Provides compatibility, popularity & data points for each patch||AutoPatch: Can patch vulnerabilities automatically|
Black Duck falls short: While Black Duck will direct your dev team to current versions of vulnerable components of your software, it won’t help them much beyond that. It’s on your developers to research the risks associated with the patch, assess whether or not the patch is compatible with your application, and find out whether or not other developers are satisfied with the patch in question.
Mend is a little better: If your developers are using Mend, they will gain an understanding of the risks associated with implementing a given recommended patch. This saves some of your time, but your dev team will still need to figure out if the patch is compatible with your software and is trusted by other developers.
The MergeBase advantage: Not only does our tool provide information on each patch’s risks, compatibility, and popularity, but MergeBase can automatically implement safe patches for you—so your product and security teams can make informed decisions and move on.
Black Duck vs. WhiteSource (Mend) vs. MergeBase on SBOM support
The software bill of materials (SBOM) plays an essential role for both software companies and their enterprise customers. Organizations that deliver software applications face increasing regulatory and compliance pressures to produce a comprehensive SBOM: one that not only shows vulnerabilities and licenses, but also points out technical debt (portions of code that need future cleanup).
For enterprise customers, it’s more common to ask your vendor for an accompanying software bill of materials. But it’s also important to validate the SBOMs that these vendors provide—which an advanced SCA tool can help you do.
We graded these tools’ SBOM support on the following five-point scale:
|Capabilities:||No SBOM support||Exports SBOMs in only one format (no import)||Exports SBOMs in multiple formats (no import)||Supports multiple SBOM formats (import and export)||Dependency info incorporated into SBOM|
Mend does the bare minimum, and not much else: While you can export SBOMs, you can’t choose from multiple formats, you can’t import SBOMs, and you can’t intuitively see how your components nest within each other.
Black Duck and MergeBase are the strongest: Both tools allow you to import and export multiple SBOM formats, and clearly delineate all dependency relationships between the components and subcomponents in your application.
Black Duck is especially strong in its analysis of C languages. If your application is built on components using C and/or C++ and your application has millions of lines of code, you can expect at least 65% of your vulnerabilities to come from code in these languages.
MergeBase in particular lets you visually navigate your SBOM, so you can see how your third-party code is nested and where any given vulnerability lies.
Black Duck vs. WhiteSource (Mend) vs. MergeBase on false positives
SCA false positives are just plain bad for business. In our 2022 report The True Costs of False Positives in Software Security, 62.1% of surveyed technology leaders revealed that decreasing false positives is a higher business priority than increasing true positives. False positives waste valuable time and significantly hamper productivity on both development and security teams—and they can even harm relationships between teams.
We ran each of these tools against a set of applications with 511 known vulnerabilities to see how many they’d catch, how many they’d miss, and how many false positives they’d flag. Here’s how they stacked up:
We graded these tools’ accuracy on the following five-point scale:
|Capabilities:||False positive rate above 10%||False positive rate of 5–10%||False positive rate of 2–5%||False positive rate of 1–2%||False positive rate below 1%|
Both Black Duck and Mend generate a lot of false positives: And even though Mend has an edge on Black Duck, it still generates five to ten times as many false positives as MergeBase.
The MergeBase advantage: One of the reasons we built MergeBase was to take on the problem of false positives in the SCA space—without missing true positives. By design, MergeBase is the most accurate SCA tool on the market today.
Black Duck vs. WhiteSource (Mend) vs. MergeBase on DevOps integration
Most SCA solutions claim to protect and integrate into your DevOps process. Each of these leading tools integrates with your build pipeline and repository, and supports container scanning, but some integrate more fully than others. For example, not every SCA offers binary application scanning and runtime protection. Here’s how these particular tools stack up against each other:
We graded these tools’ DevOps integration capabilities on the following five-point scale:
|Capabilities:||No DevOps integration: a standalone product||Build pipeline integration||Repository integration and container scanning||Binary application scanning||Runtime protection|
Mend is the weakest: While Mend integrates with your build environment and repository, it cannot be used to scan licensed third-party code.
Black Duck is better: You can use Black Duck to scan vendor’s applications as well as your own—but it won’t cover you in runtime.
The MergeBase advantage: MergeBase is the only SCA on the market that offers runtime protection. MergeBase is built on a Shift Left Security philosophy: it protects your build pipeline and runtime, integrates with your repository, and allows for both container and binary scanning.
Black Duck vs. WhiteSource (Mend) vs. MergeBase on total cost of ownership
Price is important when considering SCA options. You want to know how much you’re going to pay your SCA vendor—and ideally, there won’t be any surprises. Unfortunately, an SCA’s price isn’t always easy to determine. Some SCAs are transparent with pricing, others use complex formulas based on variable directional metrics, and others are entirely opaque.
But when evaluating the cost of an SCA solution, you need to look past the initial price tag. An SCA should help keep your application safe from vulnerabilities, but it should also reduce the cost of labor spent on fixing those vulnerabilities. For example, an SCA that costs an extra $1,000 per month in subscription fees may save you $10,000 a month in labor via some of the factors described above, e.g., a lower false positive rate, or more advanced developer guidance.
So when cross-evaluating SCA options, we looked for two factors:
- Competitive pricing: The vendor uses transparent, straightforward pricing.
- Labor savings: The tool has robust enough capabilities to reduce software supply chain security supply labor costs.
Here’s how Black Duck, Mend, and MergeBase stack up:
We graded these tools’ total cost of ownership on the following five-point scale:
|Capabilities:||Low labor savings||Medium labor savings, high price||Medium labor savings, competitive price||High labor savings, high price||High labor savings, competitive price|
Black Duck is costly: It has a high price tag, but it’s particularly weak in terms of developer guidance and accuracy—which means you spend a lot more labor realizing the value of this tool.
Mend is a little better: Their pricing is relatively straightforward (and their customers tend to say that they’re a fair and transparent vendor to work with). However, Mend users will still spend a lot of unnecessary labor making up for false positives and limited developer guidance.
The MergeBase advantage: Our pricing model is entirely transparent, with no hidden fees or limits—plus MergeBase saves labor with a low false positive rate, clear developer guidance, automatic patching, prioritization, and other remediation options. If you want an estimate of how much MergeBase will cost (or save) your company, check out our total cost of ownership calculator.
Choose the SCA that’s right for you
When we take all these factors into consideration, Black Duck has a slight edge on Mend—but neither shines in these five competencies like MergeBase.
Selecting the right SCA is critical to protecting your organization, and these five factors are the strongest indicators of how valuable an SCA tool can be to your organization.
We built MergeBase so you can rapidly secure your software supply chain without slowing down your business. If you’re considering SCA options, you’re welcome to download our comparison worksheet to build your own SCA benchmark for your organization.
For more information on this guide and to learn more about how MergeBase can help protect your software supply chain, please connect with us at firstname.lastname@example.org. Or if you’d like to see MergeBase in action, we’d love to show you a demo!