Mend’s On-Premises Solution Helps DATEV Automate and Manage Their Open Source

About the Company

Founded in 1966 in Nuremberg, Germany, the cooperative DATEV eG is a software company and IT service provider that offers accounting, personnel management, business consulting, and tax computation solutions. With 350,000 customers, DATEV has an annual revenue of €1.1B and serves companies of all sizes, including large enterprises such as KPMG and PwC. DATEV currently has 8,000 employees, of which 1,800 are developers.

On-Premises Solution Helps Automate and Manage Open Source

Security is of paramount concern for DATEV, and the company cites the highest level of IT and data security as a cornerstone of its corporate culture. Over the past 10 years, DATEV has been using more and more open source code in its software solutions and needed to know which open source components it was using, both to ensure license compliance and to remediate any potential security vulnerabilities.

“We needed a solution to approve licenses and identify vulnerabilities in the open source components within our software,” says Wolfgang Wagner, DATEV’s Open Source Expert. “Our previous form-based approval process took up to three months and required approval from multiple teams including IT security and legal.”

The long approval cycle required developers to identify not only the open source library itself, but all of the library’s dependencies, a manual and time-consuming endeavor. DATEV wanted to streamline the approval of its open source components and gain greater visibility into its open source usage. “We knew we needed help to automate all the approval steps,” says Wagner.

DATEV wanted to be proactive in its approach to open source usage and governance policies, so it compared several leading software composition analysis vendors. Mend was chosen in a head-to-head POC in which 70 developers tested the software. The main reasons the developers chose Mend over the competition were ease of use, rich reporting with highly accurate results, and the ability to prioritize vulnerabilities.

An on-premises solution was another key requirement for DATEV. The company needed an on-premises solution for internal security compliance to maintain the integrity of its data center. “We are a financial services company. Data is our main asset, and our customers trust us to keep their data safe. An on-premises solution was a must,” says Wagner.

Mend has given DATEV a better insight into its open source usage. “Without Mend, we could not tell our management which open source software was used in certain projects,” says Wagner. “Also, the OSS components were not always up to date.”

With Mend, it is now possible to create a detailed report of all open source libraries used and their potential weaknesses. “Without Mend, we would not be able to automatically monitor the vulnerabilities in the OSS components used with regard to status ‘outdated’ and ‘update available,’ which is essential for compliance.”

Fast Approval Procedure

With the simple and effective handling of open source software vulnerabilities and compliance using Mend, DATEV has drastically reduced the time required for developers to release open source components. “Mend is hundreds of times faster than our previous form-based release process for OSS, which sometimes took several weeks. Now this can be done automatically in seconds during the development process,” says Wagner.

Using Mend enables DATEV to develop modern software efficiently and be highly compliant regarding security and licensing. “Mend’s policy management, automated monitoring, and reporting are the best reasons to use their software,” says Wagner.

Ease of Installation and Use

Mend has been easy to install and use. The installation, which was handled remotely, integrated Mend into DATEV’s Jenkins CI/CD pipeline and Kubernetes, among other systems. DATEV uses Mend’s APIs for automation tasks such as rolling out permissions, cleaning up projects, and generating reports. “The deployment was fast with no problems, and the dashboard gives us everything we need to roll out permissions and generate reports. Scans are simple to execute – just one string to call the function within Jenkins. Very easy.”

“Mend has been very responsive to our needs and answers any questions immediately,” says Wagner. “We have been extremely happy with the level of support Mend has given us.”

Prioritized Vulnerabilities to Fix What Matters Most

“One of our favorite features,” says Wagner, “is Mend Prioritize – their so-called effective usage analysis tool.” Mend Prioritize scans open source components with known vulnerabilities to assess whether DATEV’s proprietary code actually calls the vulnerable methods. It helps DATEV assess the risk involved in using an open source library and remediate first those vulnerabilities that pose the greatest risk.

If DATEV had to describe Mend in a word, it would be ‘simplicity.’ “Mend is simple to integrate, to use. The dashboard and reporting are easy to understand for both administrators and developers,” says Wagner. “Do a proof of concept and you will see why Mend is the future for DATEV.”