CAE Secures Azure DevOps Repos with Mend SCA

 
 

CAE is a high technology company, at the leading edge of digital immersion, providing solutions to make the world a safer place. Backed by a record of more than 75 years of industry firsts, we continue to reimagine the customer experience and revolutionize training and operational support solutions in civil aviation, defence and security, and healthcare. We are the partner of choice to customers worldwide who operate in complex, high-stakes and largely regulated environments, where successful outcomes are critical. As a testament to our customers’ ongoing needs for our solutions, over 60 percent of CAE’s revenue is recurring in nature. We have the broadest global presence in our industry, with approximately 13,000 employees, 180 sites and training locations in over 35 countries.

To support the company’s need for rapid product innovation, CAE software developers had adopted Microsoft’s platform for software development known as Azure DevOps. At the same time, the security team had purchased Mend SCA to help developers identify and remediate open source software vulnerabilities.

Just a few months after purchasing Mend SCA, it was clear that the product was a winner because it enabled CAE’s developers to quickly find and remediate all Log4j vulnerabilities when they were announced in December 2021. Other organizations struggled for days or weeks to do what CAE was able to do in just hours.

The next challenge was scaling Mend SCA to cover the many hundreds of software projects that were using Azure DevOps. The first deployment technique they used was a traditional agent-based scan inside their Azure DevOps build pipeline. This method worked, but it required a separate configuration for each project, which was a bit time-consuming. They were looking for something faster.

Azure DevOps is a wonderful development environment that lets our engineers produce software quickly and efficiently. Mend is also fast and efficient. So they are a good match for each other.

Michael Vincent, the DevSecOps specialist responsible for making CAE infrastructure and applications more secure, asked Mend’s support engineers Gary Segal and Angela Ruhstorfer how to scale the Mend SCA software quickly to all of their software projects. Their suggestion was to use Mend’s new integration with Azure DevOps Repos.

Mend’s repo integration provides a number of advantages over other types of integrations:

  • Shift left — Scanning code in the repository is the furthest left you can shift while still enforcing policies and requiring all developers to scan their code.
  • Feedback on demand — Developers receive feedback on their code when it is fresh in their minds, making it easier to remediate vulnerabilities.
  • No context switching — Developers don’t need to leave their native environment (Azure DevOps Repos) and don’t have to learn a new UI, making it easier to consume and act upon scan results.
  • Differential results — Developers are notified only if a pull request introduces new errors.
  • Automated remediation — Security vulnerabilities can be automatically prioritized and remediated.

  Fast deployment — A single deployment to the repo at the organizational level was all that was needed to add Mend SCA to all software projects at CAE.

Mend’s software pairs beautifully with Azure DevOps Repos. When used together, we get both speed and security.

Using Mend’s integration with Azure DevOps Repos allowed CAE to scale as quickly as they wanted because once Mend was deployed to the organizational repo, all the other repos instantly had access to Mend.

According to Michael Vincent: “I just clicked a button and literally all projects were onboarded. It was pretty stunning.”

 The speed of rollout was then just a matter of training developers how to use Mend SCA. Michael Vincent used lunch-and-learn sessions to introduce Mend SCA to the developers. In just three months, Michael was able to train developers who are responsible for 800 repos, all of which are now secured by Mend SCA.

Mend’s documentation is excellent. Any problem you encounter, just check the documentation. It’s all there.

To support the company’s need for rapid product innovation, CAE software developers had adopted Microsoft’s platform for software development known as Azure DevOps. At the same time, the security team had purchased Mend SCA to help developers identify and remediate open source software vulnerabilities.

Just a few months after purchasing Mend SCA, it was clear that the product was a winner because it enabled CAE’s developers to quickly find and remediate all Log4j vulnerabilities when they were announced in December 2021. Other organizations struggled for days or weeks to do what CAE was able to do in just hours.

The next challenge was scaling Mend SCA to cover the many hundreds of software projects that were using Azure DevOps. The first deployment technique they used was a traditional agent-based scan inside their Azure DevOps build pipeline. This method worked, but it required a separate configuration for each project, which was a bit time-consuming. They were looking for something faster.

Azure DevOps is a wonderful development environment that lets our engineers produce software quickly and efficiently. Mend is also fast and efficient. So they are a good match for each other.

Michael Vincent, the DevSecOps specialist responsible for making CAE infrastructure and applications more secure, asked Mend’s support engineers Gary Segal and Angela Ruhstorfer how to scale the Mend SCA software quickly to all of their software projects. Their suggestion was to use Mend’s new integration with Azure DevOps Repos.

Mend’s repo integration provides a number of advantages over other types of integrations:

  • Shift left — Scanning code in the repository is the furthest left you can shift while still enforcing policies and requiring all developers to scan their code.
  • Feedback on demand — Developers receive feedback on their code when it is fresh in their minds, making it easier to remediate vulnerabilities.
  • No context switching — Developers don’t need to leave their native environment (Azure DevOps Repos) and don’t have to learn a new UI, making it easier to consume and act upon scan results.
  • Differential results — Developers are notified only if a pull request introduces new errors.
  • Automated remediation — Security vulnerabilities can be automatically prioritized and remediated.

  Fast deployment — A single deployment to the repo at the organizational level was all that was needed to add Mend SCA to all software projects at CAE.

Mend’s software pairs beautifully with Azure DevOps Repos. When used together, we get both speed and security.

Using Mend’s integration with Azure DevOps Repos allowed CAE to scale as quickly as they wanted because once Mend was deployed to the organizational repo, all the other repos instantly had access to Mend.

According to Michael Vincent: “I just clicked a button and literally all projects were onboarded. It was pretty stunning.”

 The speed of rollout was then just a matter of training developers how to use Mend SCA. Michael Vincent used lunch-and-learn sessions to introduce Mend SCA to the developers. In just three months, Michael was able to train developers who are responsible for 800 repos, all of which are now secured by Mend SCA.

Mend’s documentation is excellent. Any problem you encounter, just check the documentation. It’s all there.