WorkVision Completes Open Source Audits in Real Time Using Mend
About the Company
Based in Tokyo, Japan, WorkVision provides IT-related solutions for product planning, consulting, sales, software design and development, operations and maintenance, and support for mid-sized companies with an integrated service system. The company develops a wide range of industry-specific solutions for verticals such as distribution, manufacturing, medical/welfare, and logistics. It also offers business-specific solutions for sales management, finance/accounting, HR, and employment. Formerly part of Toshiba Digital Solutions Group, WorkVision became an independent enterprise in July 2019.
The Challenge
WorkVision®︎ Sales Management and WorkVision®︎ Goal Management Cloud software solutions are deployed via a SaaS subscription model. Because of their cloud-based delivery style, WorkVision uses open source software to improve quality and speed in development and to reduce costs. As a result, the number and types of open source components that must be tracked and managed have increased exponentially. With this surge in open source use, WorkVision needed a way to collect accurate data on their open source components, licenses, and vulnerabilities in real time.
Prior to implementing Mend, WorkVision tracked their open source components manually, which was a huge burden. WorkVision found it difficult to carry out regular audits of their open source use and often completed these audits in the final stages of development. The company learned that when open source vulnerabilities or license compliance issues are discovered in the final stage of development, major rework can follow. In fact, the company has had situations in which the use of open source components could affect the software’s development timeline, cost, and quality. In addition, the accuracy of manual open source audits could not be guaranteed.
WorkVision decided to investigate a software composition analysis (SCA) solution to manage their open source use. An automated SCA tool would make managing WorkVision’s open source components easier by shortening the time it took to complete an open source audit while also ensuring its accuracy.
When evaluating potential solutions, WorkVision required a tool that could handle both open source licenses and vulnerability remediation. The solution needed to automatically generate a full and accurate inventory of the open source components in their code base. It also needed to provide license compliance information including any attribution requirements. Finally, the solution needed to identify any open source vulnerabilities in their code and offer both remediation and component upgrade advice.
The Mend Solution
WorkVision chose Mend to manage their open source usage. Since its implementation, Mend has helped WorkVision streamline their open source audits by identifying any open source licenses that violate company policy and any open source security vulnerabilities. Mend is used to mitigate WorkVision’s exposure caused by open source license and vulnerability issues.
WorkVision selected Mend for many reasons. WorkVision was impressed with the accuracy of Mend’s open source inventory report, which identifies all the open source components in their code base along with license information. They were also impressed that Mend guarantees zero false positives by matching specific components with their vulnerabilities using the comprehensive Mend Vulnerability Database. WorkVision liked that when a security vulnerability is detected, Mend not only identifies the problem, but also provides a suggestion for how to remediate it.
WorkVision also appreciated that they did not need to upload their source code to the Internet because Mend scans hashed data. Furthermore, since Mend is a SaaS tool, it does not impose an operational load, which reduces WorkVision’s installation, management, and usage costs.
Since installing Mend, WorkVision regularly scans its software. In addition, the company uses Mend to perform an intellectual property review before each new service is certified and shipped according to internal corporate policy. Mend has helped WorkVision improve development efficiency by shortening the review process and reducing costs.
The Results
Prior to installing Mend, each open source component and license had to be manually examined. The number of open source components in WorkVision’s code base is very large, and some of the license requirements are very complex. Reviewing each one was a time-consuming and difficult process. In terms of man-hours, it took about 12 hours to list the open source components and about 16 hours to check each open source license. Now the same process takes a fraction of the time.
“Before Mend, completing an open source audit took about a week to complete. That process now takes only 15 minutes,” says Shota Midorikawa, Section Chief, Package Development Center, Technology Management Department at WorkVision.
Previously when a security vulnerability was detected, it took about 8 hours or more to manually verify the risk and update the component to the latest version. It was not uncommon to fill up the schedule for a week with just these remediation tasks. Using Mend, a task that took 8 hours can now be completed in about 5 minutes.
Mend allows WorkVision to generate a list of the hundreds of open source components in use in their code base with a simple click. It also provides remediation advice for detected vulnerabilities as well as suggested patches for outdated open source libraries. Mend automatically identifies security risks and visualizes alerts based on quality, policy, version, and risk level. Finally, because Mend is a cloud-based service, there are no maintenance or operational costs associated with using it.
Because Mend is so simple to use, WorkVision has not needed much support from the company’s Japanese partner Ricksoft. However, whenever they have reached out, Ricksoft has been extremely responsive. As WorkVision strengthens its DevOps and DevSecOps practices internally, they plan to leverage Ricksoft’s knowledge of products and services to further streamline their software development work by integrating Mend and other software.
“This is a great success story. WorkVision is a traditional company that has been developing sales management software for over 40 years and is an application vendor that values high-quality software,” says Kazuhiko Ohtsuka, General Manager at Ricksoft. “We are very pleased that Mend was adopted by such a company and that Ricksoft was involved by providing service and support. We will continue to provide customers in Japan with Agile, DevOps, and DevSecOps solutions based on Mend products.”
“When you actually use Mend, you immediately realize how much you can reduce the burden of managing your open source components. If you’re facing a similar challenge, give Mend a try right away.”