CyberMDX Secures its Containers using Mend
About the Company
Founded in 2017 and based in New York, NY, CyberMDX is an IoT security leader dedicated to protecting the quality care of health delivery worldwide. CyberMDX provides cloud-based cybersecurity solutions that support the advancement of the Internet of Medical Things. The CyberMDX solution identifies endpoints and assesses vulnerabilities to detect, respond to, and prevent cyber incidents. Deployed worldwide, CyberMDX is designed to integrate with its customers’ existing environments through a scalable, easy-to-deploy, agentless solution.
The Challenge
Like many modern software companies, CyberMDX uses open source components to develop applications quickly and efficiently. Ensuring all open source components are secure and all open source licenses are compliant with company policies is a priority for CyberMDX. According to Gil Regev, Vice President of Research and Development at CyberMDX, “We need all our open source activity to be safe. We know open source has an inherent risk – both to our IP and to our customers’ data and system stability so we take that very seriously.”
CyberMDX was using a different Software Composition Analysis (SCA) solution, but found it wasn’t flexible enough to meet the company’s unique needs. The CyberMDX solution runs in containers and is deployed both on on-premises sensors and in the cloud. Given CyberMDX’s on-prem and diverse cloud environments, the company is particularly focused on open source license compliance. CyberMDX required a solution with strong policies that could easily handle licenses and vulnerabilities across its varied ecosystems.
CyberMDX has a multi-faceted architecture and is deployed in a containerized environment. “Because of how we’re using containers and how we build our containers, we needed a tool that works for us, not a tool that we needed to work for. We wanted a solution that would accommodate our need for flexibility,” says Regev. CyberMDX evaluated Mend and found that Mend was able to give the company the flexibility it needed.
The Mend Solution
CyberMDX has integrated Mend into its Bitbucket Cloud CI server and scans all of its code before any final Docker images are built. Once Mend was installed, CyberMDX implemented policies to manage its open source use, for example, to define which open source licenses are allowed to be used in the company’s applications. The final step was to enforce these policies consistently throughout CyberMDX’s organization.
“We are a fully containerized environment, and we are using Mend heavily all the time. The scans are very frequent, and Mend is an integral part of our software development life cycle and DevSecOps practice,” says Regev.
Developers have their code checked as part of the CI pipeline that runs on every pull request. If an open source component carries a license violation or a security vulnerability, the build automatically fails. By integrating Mend at this point, CyberMDX ensures that every developer assesses their code early in the software development life cycle, that defects are resolved while the code is still fresh in the developer’s mind, and that the code is secure before the Docker image is built. Acting this early saves developers’ time and company resources.
Mend’s policies have also given CyberMDX more control over its open source use to help reduce risk. “Mend policies are very flexible,” says Regev. “We have on-prem, we have cloud, we have multi-tenancy and single tenancy. Mend was able to meet all our needs. For example, with open source licensing, it is ok to use some licenses in the cloud but not with on-premises equipment. The act of distribution is a problem for some licenses. With Mend, we were able to model these constraints using policies. So, for example, if a certain license is running in the cloud, that’s fine, but if it’s running on-prem, the build automatically fails. Mend provides fine granularity into how we use and manage our open source components, and it lets us easily fine-tune our policies for better performance.”
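An added example of the gate this section describes, written here for illustration and not taken from Mend’s policy engine or CyberMDX’s configuration: a constructed component inventory is checked against per-environment license rules (a license acceptable in the hosted cloud service but denied for distributed on-prem images) and a vulnerability severity threshold, and the build fails on any violation. The policy contents, license identifiers and component names are constructed.

```python
"""Hypothetical CI policy gate modelled on the per-environment license
rules described above. Not Mend's own API; everything here is constructed."""
import sys
from dataclasses import dataclass
from typing import List, Optional

# Deployment targets mentioned on the page: cloud services and on-prem sensors.
CLOUD, ON_PREM = "cloud", "on-prem"

# Constructed policy. Licenses whose obligations are triggered by distribution
# are tolerated in a hosted service but denied in images shipped on-prem;
# one license is denied everywhere.
POLICY = {
    CLOUD:   {"deny": {"AGPL-3.0-only"}},
    ON_PREM: {"deny": {"AGPL-3.0-only", "GPL-3.0-only", "GPL-2.0-only"}},
}
MIN_FAIL_SEVERITY = "high"          # vulnerabilities at or above this fail the build
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Component:
    name: str
    version: str
    license: str                     # SPDX identifier
    max_severity: Optional[str] = None  # highest known vulnerability severity, if any

def evaluate(components: List[Component], target: str) -> List[str]:
    """Return violation messages for the given deployment target; empty means pass."""
    denied = POLICY[target]["deny"]
    violations = []
    for c in components:
        if c.license in denied:
            violations.append(f"{c.name}@{c.version}: license {c.license} not allowed for {target}")
        if c.max_severity and SEVERITY_RANK[c.max_severity] >= SEVERITY_RANK[MIN_FAIL_SEVERITY]:
            violations.append(f"{c.name}@{c.version}: {c.max_severity} severity vulnerability")
    return violations

def gate(components: List[Component], target: str) -> bool:
    """CI entry point: True when the image may be built for this target."""
    violations = evaluate(components, target)
    for line in violations:
        print("POLICY VIOLATION:", line)
    return not violations

# Constructed inventory: one copyleft component, one medium-severity finding.
SAMPLE = [
    Component("webfw", "2.1.0", "MIT"),
    Component("dbtool", "5.0.2", "GPL-3.0-only"),
    Component("parser", "1.4.9", "Apache-2.0", max_severity="medium"),
]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else ON_PREM
    sys.exit(0 if gate(SAMPLE, target) else 1)
```

The same inventory passes for the cloud target and fails for on-prem, which is the distinction the quoted policy draws.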
The Results
Mend has given CyberMDX more flexibility and fits the way its product works. “We are using modern frameworks and cutting edge technologies. We place tons of emphasis on networking and security. We’re a machine with a lot of moving parts,” says Regev. “We needed a tool that could accommodate a lot of flexibility and allow us to wander off the beaten path. Without Mend, we wouldn’t be doing the things that we are able to do today.”
By scanning in the CI server as part of the pull request, CyberMDX puts security in the hands of the developers. “With Mend, our security team isn’t chasing problems after they enter the system. We are giving developers the tools to fix problems as they arise. This means we are always moving forward; we are never fixing problems looking backwards.” CyberMDX also uses Mend’s prioritization and remediation advice to resolve security vulnerabilities and reduce their risk.
Regev feels confident that not only has Mend helped reduce CyberMDX’s risk, but it has also saved the company money. “With the way we integrated Mend into our CI, every developer automatically benefits from it on every pull request multiple times a day. Mend is part of our infrastructure, and we don’t have to worry about running separate queries. That saves us a lot of money because we’re saving hours and hours of developers’ time.”
Mend has also given Regev peace of mind. “With Mend, I have reached a point where I can sleep safe and sound at night knowing that my open source components are both secure and compliant – and that is worth a lot of money!”