Kärcher Deploys Mend to Safeguard Software and Assure Global Quality and Compliance

About the Company

Kärcher is the world’s leading provider of industrial, commercial, and home cleaning technology, including automated digital machines for smart cleaning solutions. Other divisions provide new technologies in the enterprise environment, including software development and public cloud transformation; diagnostic services and management consultancy; and investment, development, and incubation of innovative start-ups in the cleaning industry.

Headquartered in Germany, Kärcher employs 13,500 staff across 73 countries, and works with more than 50,000 product distribution outlets worldwide. The company is an innovator in its sector, holding 640 patents. Approximately 90 percent of all its products are five years old or younger, and more than 1,000 employees work in research and development.

Safeguard Software and Assure Global Quality and Compliance

Kärcher’s main objective was to save its developers time on security scanning and fixing vulnerabilities, while improving security in the software supply chain streamlining the software development life cycle.

Several teams work on software development for around 50 products at any one time, using a wide range of software and programming languages for mobile applications, data and analytics, and web-based projects. Kärcher’s projects involve a considerable number of dependencies, both direct and transitive. This made it challenging to identify all the issues within the company’s software supply chain, and it was not feasible to manage them manually. To identify, update, and fix all potential vulnerabilities would have been a full-time job for more than one team member. “We had many issues in our software supply chain that we couldn’t handle manually,” says DevOps Architect Torsten Mezger. “We needed a faster, thorough, and more efficient solution that offered automated detection and remediation of vulnerabilities and threats.”

So, Kärcher sought a tool to automate this process and enable the team to create a software bill of materials (SBOM) to document, itemize, and track software components. However, the company did not have a dedicated open source application security solution. It set up a team led by Torsten to manage DevOps issues and strategies, particularly the security of Kärcher’s software development lifecycle and the introduction of robust policies across the organization.

Torsten and his team ran trials on a number of software composition analysis (SCA) solutions to check the usability of their platforms. It was important for the team to feel comfortable with the chosen solution so that it would be widely adopted and frequently used. Ultimately, Torsten explained that the team chose the Mend SCA platform because, “No other solution has such a fine-grained view of what’s in an application or in the components of an infrastructure, so using Mend is a really great experience for our team.”

He outlined the primary reasons for choosing Mend as follows:

  • Automated security risk assessment and remediation capabilities. This was the most significant factor as it enabled the team to identify and fix vulnerabilities at a volume and speed that was previously impossible, thereby strengthening the security of their code base.
  • Analysis of libraries and metrics. The team at Kärcher was impressed with how comprehensive Mend was at finding and understanding anomalies and their potential impact. Mend gave them a complete and open view of the components they use and the level of their exposure to vulnerabilities.
  • Mend’s SBOM feature. Product and software quality assurance and compliance issues are a top team priority across several markets and different jurisdictions.

Developers were encouraged to use Mend’s solution and adoption soon escalated when they saw that it was easy to use and integrate into their regular workflow. Developers particularly liked the ability to customize the solution to meet their specific needs, which gave them the flexibility to tailor configurations to suit the specifications of different software projects.

Mend’s flexibility, agility, and speed proved crucial in the team’s ability to block major vulnerabilities such as Log4j and Spring4Shell. When the Log4j vulnerability was discovered, the team leveraged Mend technology and supporting research to identify the libraries, dependencies, and components that contained the Log4j vulnerability; received advisories on how to solve the issue; and quickly deployed fixes and updates.

As a result, Kärcher rapidly remediated Log4j, slashing remediation time from days to just a few hours. Today, Torsten’s team are enthusiastic users and advocates of Mend’s solution. He observes, “Now, our developers appreciate that Mend is highly effective, and they’re excited to be using the tool. As such, it plays an important part in ensuring we have strong security and compliance in which we can be confident.”

“Now, our developers appreciate that Mend is highly effective, and they’re excited to be using the tool. As such, it plays an important part in ensuring we have strong security and compliance in which we can be confident.”