Siemens Schweiz AG Accelerates Open Source Security With Mend


Siemens Schweiz AG is the Swiss regional entity of global technology giant Siemens AG. Siemens Schweiz AG creates technology solutions for several industries, including energy, logistics, mobility, healthcare, and construction. In particular, the company helps clients improve energy efficiency and sustainability by reducing the operating costs, risks, and environmental impact of their buildings. The company’s technology leverages building data to optimize energy consumption, performance, quality, procurement, and supply. Its solutions include artificial intelligence (AI)-enabled and open-platform applications for digital transformation, and cloud-based advanced analytics that monitor and optimize building performance. The company has enhanced buildings of all kinds — educational facilities, hospitals, sustainable data centers, working spaces, smart offices, hotels, historical buildings, and museums. Siemens Schweiz AG employs 5,900 people and serves more than 30,000 customers.

Markus Leutner, Siemens Schweiz AG DevOps engineer for cloud solutions, is part of an international team that provides a cloud platform offering data insights and analysis of buildings’ energy consumption.
Safeguarding code is naturally a top priority, and the team already used several tools, including internal vulnerability management software and a licensing and copyright clearance process. However, the team struggled to manage the huge volume of open source software the company uses. They relied on a manual process to identify, analyze, and clear software components and dependencies, a task further complicated by a wide variety of sources and languages (at least eight, including C, C++, C#, Go, Java, JavaScript, Python, and Ruby). This slow, cumbersome, and costly manual process had become unmanageable. Markus and his team wanted to reduce the manual work and automate more of the scanning and fixing of vulnerabilities. Markus summarized the challenge thus: “Manually scanning and fixing the huge amount of open source software that we use was slow and cumbersome. We needed to reduce the manual work and increase the automation to accelerate the process of managing vulnerabilities.”

To build a simpler process, the team wanted a tool that integrated easily with the company’s existing development lifecycle and tooling landscape and extended their capabilities. It also had to offer full license coverage, so that the team would have comprehensive knowledge of its software’s composition. The solution needed to communicate well with the back end and enforce policies the team could configure as needed, giving them control of the development pipeline. Finally, they wanted both substantial technical support and a strong business relationship from their chosen vendor.

Markus and his team assembled a cross-functional evaluation team that included legal and business owners to look at a number of solutions. After a proof of concept, the company deployed Mend SCA in 2019.

The critical issue was speed. As Markus says, “The biggest value we get out of Mend is the fast feedback loop, which enables our developers to respond rapidly to any vulnerability or license issues. When a vulnerability or a license is disregarded or blocked and there is a policy violation, they get the feedback directly.”

Ease of adoption was also an important consideration. It is always an education process to encourage existing team members to use new software, so Mend’s ease of use was a compelling factor for Markus and his team. Mend’s dashboards made results highly visible, easily understandable, and simple to act upon.

Quickly detecting forbidden or blocked component licenses, and doing so early in the software development lifecycle, was also significant. Mend SCA enables the team to generate software bills of materials (SBOMs) quickly and easily; these identify potentially troublesome legal issues so they can be avoided.

The primary objective of deploying Mend SCA was to save time and resources in scanning, identifying, and fixing vulnerabilities, while optimizing licensing compliance. Markus says that the process has accelerated considerably since his team started working with Mend, and he highlights the way Mend points directly to affected libraries as a significant factor in making that happen.

“With Mend, the security process has shifted left so that developers can get feedback quickly and react to it,” Markus says. “It has expedited things a lot and avoids the cumbersome manual repetition of our old methodology. Now, we can work in sprints in a more agile fashion. Thanks to the speed of results we get from Mend, we can meet the challenges of a fast release cadence.” In some cases, what may previously have taken days or weeks now takes hours or just minutes.

Mend’s effectiveness extends beyond its speed to the way it has been enthusiastically adopted by the team and the company. When Mend was first deployed at Siemens Schweiz AG in 2019, the company had 60 licenses. This has grown in just over two years to 200 licenses across 10 streams within the organization. Markus cites several reasons for the rapid adoption. First, his team feels good about using Mend SCA. Second, they’re confident it’s comprehensive. Third, it’s self-explanatory: easy for them to understand, with a UI that gives them quick insights. And finally, working with Mend within their regular workflow is a seamless experience. In fact, Markus notes that access to the tool is one of the first things new developers request when they join his team.