Learning Pool keeps investors happy by ensuring compliance with open source software license policies


Learning Pool is an educational technology company offering an online learning platform. Learning Pool employs over 400 people across nine offices in the UK and North America. It serves 1500 customers worldwide, delivering its learning and training services to 5.1 million users through its online apps. Notable customers include InterContinental Hotels Group (IHG), HubSpot, Valvoline, Sky, the Football Association, Royal Caribbean, Volkswagen Financial Services, the Royal College of Paediatrics, and the Royal Bank of Canada.

Learning Pool was seeking a further round of venture capital investment, and open source license compliance became a due diligence question. Its preferred investor was particularly concerned about Learning Pool's use of open source software and wanted assurances that Learning Pool had written policies and a working process in place to safeguard its codebase from legal challenges.

Until then, Learning Pool had checked its open source usage manually to make sure it was not encumbered by software licenses that would discourage investors. It kept a list of the libraries it was using, their associated licenses, and policies for their use. However, the process was labor-intensive, cumbersome, and prone to error. To satisfy its investors, Learning Pool needed a tool that could automatically, comprehensively, and reliably detect open source software licenses and enforce the company's policies.

“We needed a tool that could automatically, comprehensively, and reliably detect open source software licenses and enforce the company’s policies, quickly.” 

The investors suggested that Learning Pool use a software composition analysis (SCA) product called Black Duck, but Chief Product Officer Mark Lynch championed Mend SCA instead, because he felt that Black Duck's older methodology was slower to produce results and more cumbersome to use. Within days, Mend set up a demo running against a couple of Learning Pool's repositories. The scan results showed that Mend would deliver fast results, and Learning Pool decided to purchase Mend SCA.

Like many organizations, Learning Pool has embraced CI/CD methodologies to gain speed and efficiency. Once a developer commits code to the GitHub repo, CircleCI takes the code and sends it to Mend to be scanned. If it passes the scan, the code is automatically built and deployed. If Mend finds that the code includes a library that is not compliant with the company's policies, for example one under a GPLv3 license, Mend raises an alert and blocks the pipeline. As Mark observes, "Mend just runs really quickly. You simply press a button and within a couple of minutes you get results."

“What’s so good about Mend is that it has a very open API that allows us to integrate it into our CI/CD workflow and get results really quickly and automatically.”
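The gate described above (scan the dependency inventory, compare each license against company policy, block the build on a hit such as GPLv3) is easy to get subtly wrong, particularly for dual-licensed packages such as "MIT OR GPL-3.0-only", which should pass, and "A AND B" packages, which must satisfy policy on every term. The following is an added example written for this page, not Mend's or Learning Pool's code and not Mend's API: it evaluates SPDX license expressions against an allow list and deny list and returns the findings a CI job would report. The package inventory, the policy sets and the package names are constructed for illustration.

```python
"""
Minimal open source license policy gate of the kind a CI job runs before a build.
Added example for this page: not Mend's or Learning Pool's code. The inventory
format, the policy and the package names are assumptions for illustration.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample inventory: package name -> SPDX license expression, in the
# shape an SCA tool or lockfile audit might report. Not real scan output.
SAMPLE_INVENTORY = {
    "express": "MIT",
    "lodash": "MIT",
    "some-gpl-lib": "GPL-3.0-only",                 # on the deny list
    "dual-licensed-lib": "MIT OR GPL-3.0-only",     # dual licensed: the MIT option is fine
    "combined-lib": "Apache-2.0 AND LGPL-2.1-only", # both terms apply, so both must pass
    "mystery-lib": "",                              # license could not be determined
}

# Assumed company policy: an allow list plus an explicit deny list of strong
# copyleft licenses the company will not ship. Anything else is flagged for review.
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    "denied": {"GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"},
}


@dataclass(frozen=True)
class Finding:
    package: str
    license: str
    reason: str


def evaluate_expression(expr, policy):
    """Return (ok, reason) for one SPDX expression.

    SPDX precedence: AND binds tighter than OR, so 'A AND B OR C' means
    '(A AND B) OR C'. An expression passes if any OR-alternative has every
    AND-term on the allow list. Parenthesised or WITH-exception expressions are
    rejected rather than guessed at, so they surface for a human decision.
    """
    expr = expr.strip()
    if not expr:
        return False, "license could not be determined"
    if "(" in expr or " WITH " in expr:
        return False, f"unsupported license expression {expr!r}"
    denied_hits, unlisted = [], []
    for alternative in re.split(r"\s+OR\s+", expr):
        terms = [t.strip() for t in re.split(r"\s+AND\s+", alternative)]
        if all(t in policy["allowed"] for t in terms):
            return True, "allowed"
        for t in terms:
            if t in policy["denied"]:
                denied_hits.append(t)
            elif t not in policy["allowed"]:
                unlisted.append(t)
    if denied_hits:
        return False, "denied license " + ", ".join(sorted(set(denied_hits)))
    return False, "license not in allow list: " + ", ".join(sorted(set(unlisted)))


def evaluate_inventory(inventory, policy):
    """Apply the policy to every package; return one Finding per non-compliant package."""
    findings = []
    for package, expr in sorted(inventory.items()):
        ok, reason = evaluate_expression(expr, policy)
        if not ok:
            findings.append(Finding(package, expr, reason))
    return findings


def gate(inventory, policy):
    """Return (passed, findings). passed is True only when nothing was flagged."""
    findings = evaluate_inventory(inventory, policy)
    return (not findings), findings


if __name__ == "__main__":
    passed, findings = gate(SAMPLE_INVENTORY, POLICY)
    for f in findings:
        print(f"BLOCK {f.package}: {f.license or '<unknown>'} ({f.reason})")
    print("license gate:", "PASS" if passed else "FAIL")
    # A non-zero exit status is what makes a CI job (CircleCI included) fail
    # the workflow and stop the build and deploy steps that follow it.
    sys.exit(0 if passed else 1)
```

Run against the sample inventory, the gate fails and reports three packages: some-gpl-lib (denied GPL-3.0-only), combined-lib (LGPL-2.1-only is not on the allow list) and mystery-lib (no license detected). The dual-licensed package passes because its MIT alternative is acceptable. Treating an undetected license as a failure rather than a pass is the deliberate choice here: an unknown license is exactly the case the manual process was missing.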

Since the initial deployment, Learning Pool has expanded its use of Mend SCA to include vulnerability detection and remediation.

Learning Pool wanted to apply its own rules and stipulate which policies and licenses were acceptable, and it wanted users to receive an alert when an unacceptable license is detected. Mend gives it these capabilities and more, including the ability to find and fix open source software vulnerabilities.

Achieving all of this has been straightforward. Because Mend is a SaaS product, Learning Pool does not have to install anything other than the Mend agent in its CI/CD pipeline. There are no concerns about source code passing up to the cloud; only hashes of files are sent to Mend for analysis. And Learning Pool does not have to manage any infrastructure.

As Mark concludes, “It was just a perfect tool for us. It was a painless integration, and we were able to implement it really quickly and get a return on our investment right away.”

“I expect if any companies are looking to VCs for new investment, due diligence will be required. The company will need something to go in and scan everything — something that has been battle-tested with a whole bunch of other companies. This is what Mend does perfectly.”