WTW uses Mend to reduce MTTR


WTW’s Insurance Consulting and Technology (ICT) business solves practical business problems by applying a powerful combination of advisory services and leading-edge technology solutions, all underpinned by unparalleled analytical capability. The client base is comprised mainly of insurance companies operating in global and domestic markets (including property and casualty, life, accident and health and reinsurers), as well as regulators and other insurance-related entities.

In addition to advising more than three quarters of the world’s leading insurers, WTW’s ICT business is the world’s largest provider of insurance actuarial and technology solutions, including leading software products and enterprise platforms. These pioneering technology products are global market leaders, and cover reserving, valuation, and financial and capital modelling, through to pricing and distribution.

When WTW’s ICT business began to investigate Software Composition Analysis (SCA) tools in 2018, its challenges revolved around open-source licensing for its enterprise products designed for the insurance industry. “Copyleft” licenses represented an area of particular concern for WTW’s legal teams.

“We recognized that we needed to improve and automate our processes,” said Andrei Ungureanu, security architect for WTW’s ICT business. “While we were building products for our clients, our processes to investigate dependencies were manual and time-consuming. We also saw an opportunity to standardize our approach across all of our product families.”

WTW’s ICT business also needed a solution that would adapt to an evolving world of application development and delivery. “When we started with our software development journey, the vast majority of our products were installed on our clients’ networks. If there was a vulnerable library, the risk was primarily from insider threats only,” said Vivek Johri, WTW’s ICT director of security architecture. “Since then, our delivery approach has shifted as a result of the insurance industry’s adoption of Cloud, including SaaS and API-based applications. This makes vulnerability remediation more significant than ever before, as the attack surface is larger, and the risk of compromise is greater.”

A sense of urgency emerged as large industry players experienced breaches because of supply chain attacks, like dependency confusion, in early 2021. “The dependency confusion issue made supply chain security very real and tangible for a lot of people,” said Mr. Ungureanu. “Dependency confusion became an industrywide issue as it was not just theoretical. So, proactively, we put more emphasis on standardization and automation of this security process.”


Key Solution Requirements:

  • CI/CD Integration: In order to be broadly adopted by developers, WTW’s ICT business focused on tools that would integrate easily and directly with its CI/CD pipeline.
  • Intuitive reporting: In order to report licensing usage and security information more easily to executives, WTW’s ICT security champions needed a “single pane of glass” view that could easily and effectively convey a large amount of information about risk and remediation metrics.
  • Scalability: With the number of projects and teams growing significantly and spread across multiple product families, WTW’s ICT business needed a solution that would scale to accommodate the entire ICT line of business, without costs spiraling up with increased usage.
  • Quality results: WTW’s ICT business tested multiple SCA solutions to determine which had the highest quality results, produced the least number of false positives, and included functionality such as the prioritization of the riskiest vulnerabilities.

After reviewing multiple market-leading solutions, WTW’s ICT business chose Mend SCA to further mitigate its open-source licensing risk. “Initially, licensing was more of a legal requirement,” said Mr. Johri. “However, over time, due to all of the work that Andrei Ungureanu has done, we have pivoted from a use case that was primarily about licensing, to more comprehensive use cases that include both security and licensing.”

As WTW’s ICT business started delivering SaaS and web-based applications with internet-facing interfaces, it faced a new landscape of threat prioritization that led to an even greater requirement for rapid remediation.

“We want to make sure that all of our developers use best practices,” said Mr. Ungureanu. “With the way Mend works, we can do centralized templating that all the teams use, which lets us standardize how security scanning is performed in our products’ pipelines.”

One of our most indicative KPIs is the amount of time for us to remediate vulnerabilities and also the amount of time developers spend fixing vulnerabilities in our code base, which has reduced significantly. We’re talking about at least 80% reduction in time.

As the business’s needs changed, so did its approach to using Mend SCA. “Success – with any tool – starts with having the right ownership, with the right stakeholders,” said Mr. Johri. “When we started, no one was assigned to manage the tool itself. Over the last two years, we have taken ownership and Andrei has focused on optimizing the Mend offering. This has improved adoption in our organization significantly.”

For WTW’s ICT business, the value of Mend started by simplifying and adding confidence to the process around meeting all necessary licensing requirements for any open-source library used by its developers. “Today, we have greater confidence that we are compliant with all license agreements,” said Mr. Ungureanu. “It used to take a lot of manual work to ensure that we were using the right licenses. Now, our confidence level is much higher, and the entire process is fully automated.”

Mend SCA has also helped WTW’s ICT business spend significantly less time on licensing and related tasks, freeing up resources for high-value projects and other business requirements. Using Mend SCA’s reporting tools, WTW’s ICT teams can get a bird’s eye overview of license use and potential sources of risk.

WTW’s ICT business has gradually increased the number of contributing developers using Mend SCA by 15 percent, with growth enabled by a positive relationship with Mend’s customer success team. “Any time we’ve had a situation, like when we had an issue with updates to our Single Sign On that locked us out, we could rely on Mend’s customer success team to hop on a call and get us back on track quickly,” said Mr. Johri. “Our customer success rep has taken a lot of time to explain things we didn’t know about and to develop our relationship.”

Today, we have a greater confidence that we are not in breach of any license agreements. Previously, it wasn’t exactly guesswork, but our confidence level was low that we were using the right licenses. Now, our confidence level is way higher.

For developers in WTW’s ICT business, Mend SCA has created an opportunity to automate a previously resource-heavy and mostly manual process, reducing time spent checking the supply chain and increasing confidence in results. Mend SCA also facilitated the creation of a consistent and standardized approach across product families. “Before Mend SCA, it was a lot harder to work out where dependencies came from and the entire process was mostly manual,” said Mr. Ungureanu. “As people learned how to use the tool, their knowledge grew a lot – and our remediation time has gone down considerably. It’s been a massive improvement.”