Vonage Integrates Mend with GitHub
About the Company
Vonage, a global cloud communications leader, helps businesses accelerate their digital transformation. Vonage’s Communications Platform is fully programmable and allows for the integration of video, voice, chat, messaging, and verification into existing products, workflows, and systems. Vonage’s unified communications and contact center applications are built from the Vonage platform and enable companies to transform how they communicate and operate from the office or anywhere, providing enormous flexibility and ensuring business continuity.
The Challenge
Vonage’s primary challenge was the lack of a holistic view into its open source use. The Vonage offering is an integration of best-in-class communications platforms. Prior to Mend, each platform had its own standards and processes for handling open source usage from both business and technical perspectives. “This ad hoc approach led to inconsistent policies on acceptable licensing and on timelines to address vulnerabilities,” says Chris Wallace, Senior Security Architect at Vonage. “Vonage Engineering’s leadership team wanted consistent policies in place across the entire organization to address any existing issues and to ensure new vulnerabilities – both technical and legal – were not introduced.”
Vonage needed not only comprehensive open source vulnerability reporting and a license inventory, but also a solution that integrated with its GitHub repositories so that developers could continue to work in a familiar environment. Vonage’s codebase also spans more than 130 programming languages, so the tool had to support a broad range of languages.
Vonage conducted a head-to-head POC with Mend, Snyk, and FOSSA. It chose Mend for the depth of its code-coverage analysis, which lets the team prioritize remediation work, and for its integrations with various IDEs, which support a shift-left approach to security.
The Mend Solution
Although Vonage is a GitHub customer, the company decided that GitHub’s open source scan offering was more suited to organizations at the early entry stage of managing their open source use. Vonage needed an enterprise-ready best-of-breed software composition analysis solution that would deliver greater detail and depth of data. Because of their need for more granularity, strong policies, and vulnerability prioritization, Vonage turned to Mend.
“Mend enhances our integration with GitHub and reduces the friction between our security and compliance teams and our developers,” says Wallace. “It does this by offering robust and comprehensive organizational-level security policies with automated workflows while also empowering developers to deal with security and compliance issues as early as possible. Our developers like to work within their GitHub native environment, and the security teams love Mend’s enhanced security capabilities.”
Vonage deployed Mend to 10 key global DevOps teams. The rollout was faster than expected, and Vonage was quickly able to show the value of Mend. As a result, they are already planning to expand the rollout to more teams.
Mend’s IDE integrations allow Vonage to truly employ a shift-left approach to application security. “Providing the developers with the earliest possible feedback allows them to maintain the speed of their development process while still addressing the security and compliance requirements that Vonage’s enterprise-level platform demands,” says Wallace.
One of Vonage’s main goals was to enforce security policies with automated workflows that track its GitHub repositories and drive remediation of vulnerabilities. “As a big enterprise company with hundreds of developers, we wanted a way to enforce organizational policies across the board. To do that, you must use a centralized tool that you can monitor,” says Idan Cohen, Penetration Tester at Vonage. Vonage enforces policies in two ways: by scanning its codebase and automatically generating Jira tickets when issues are found, and by failing builds when a developer pulls in an open source library without first running it through Mend.
“Our goal is to make everything as automated as possible,” says Cohen. To achieve this, Vonage has integrated Mend throughout its CI pipeline. Using a script, Vonage executes the Mend Unified Agent from a GitHub Actions workflow. Vonage is also connecting Mend to Jenkins, Azure DevOps, and soon JFrog Artifactory to ensure security and license compliance at every step of the software development life cycle.
Mend runs on AWS EC2 and RDS to scan code at scale; the secured applications and workloads are then deployed to Vonage’s business cloud on AWS.
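The CI pattern described above (run the Unified Agent on every push and pull request, and let a policy violation fail the job) looks roughly like the following. This is an added illustration, not Vonage’s script or Mend’s published workflow. It assumes the Mend API key is stored in a repository secret named `MEND_API_KEY`, that the product name is a placeholder, and that the agent’s configuration keys (`checkPolicies`, `forceCheckAllDependencies`, `failErrorLevel`, `forceUpdate`) match the agent’s documented configuration; check them against the current Mend documentation before relying on them.

```yaml
# Added example, not the original page's or Vonage's own pipeline.
# Assumptions: MEND_API_KEY is a repository secret; "Example Product" is a
# placeholder; config keys follow the Unified Agent's documented settings.
name: mend-sca

on:
  pull_request:
  push:
    branches: [main]

jobs:
  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "17"

      # Write the agent config inline so the policy gate lives in version control.
      # checkPolicies / forceCheckAllDependencies make the agent evaluate every
      # dependency against the org-level policies; failErrorLevel=ALL and
      # forceUpdate.failBuildOnPolicyViolation=true make a violation a non-zero
      # exit, which is what fails this job.
      - name: Write Unified Agent config
        run: |
          cat > wss-unified-agent.config <<'EOF'
          checkPolicies=true
          forceCheckAllDependencies=true
          forceUpdate=true
          forceUpdate.failBuildOnPolicyViolation=true
          failErrorLevel=ALL
          EOF

      # Fetch the agent. In a production pipeline, pin a specific release and
      # verify its checksum rather than pulling "latest" into CI unverified.
      - name: Fetch Unified Agent
        run: curl -sSfL -o wss-unified-agent.jar https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar

      - name: Scan dependencies and enforce policy
        env:
          MEND_API_KEY: ${{ secrets.MEND_API_KEY }}
        run: |
          java -jar wss-unified-agent.jar \
            -c wss-unified-agent.config \
            -apiKey "$MEND_API_KEY" \
            -product "Example Product" \
            -project "${GITHUB_REPOSITORY##*/}" \
            -d .
```

Running the job on `pull_request` is what gives the "fail the build before the library is merged" behaviour the story describes: a pull request that introduces a dependency violating the organization’s license or vulnerability policy turns the check red before review, rather than being caught after the fact. Passing the key through a secret rather than the config file keeps it out of the repository and out of build logs.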
The Results
“When the product you sell is an application you develop, your teams need to be fast, secure and compliant. These three factors often work in opposite directions. Mend provides the opportunity to align these often competing factors, providing Vonage with an advantage in a very competitive marketplace,” says Wallace.
Deploying Mend has allowed Vonage to establish an enterprise-wide standard for the selection, use, and maintenance of open source within their own development environment. “It is now safe to say that our Vulnerability Management process extends to open source use. This includes timely upgrades of packages with known vulnerabilities as well as an improved decision framework for introducing new open source packages into our environment,” says Wallace.
Cohen agrees that Mend helps Vonage manage risk and handle vulnerabilities in a timely manner. “Mend gives us visibility into our open source. If someone asks me the status of a project, I can tell them day to day what the risk is and what we can do to mitigate it.”
“Large enterprises often suffer from a tsunami of tools, especially security tools. The trick is to minimize your overlap and carefully choose what new tools are introduced. When presented with an opportunity like Mend, which can support all of our security and legal requirements related to open source usage within a single platform, you have to jump.”