Global ERP Software Company
Executive Summary
A modern ERP software company based in the United States wanted a tamper-proof way to distribute update components to its worldwide installed base of 18,000 customers. On average, the company ships over 100,000 software components to that installed base every day, and it wants to be sure that its customers install only components produced and guaranteed by the company itself.
Traditional approaches such as digital certificates and GPG signatures did not give them the per-component granularity and fast revocation needed to guarantee the provenance of these components. With Trustcenter, the company notarizes each component it releases, and its installed base can verify a component's provenance in a single lookup before installing it.
Trustcenter Success Story - ERP Software Company
This software company has over 18,000 customers across the globe using its ERP software to run all aspects of their business, such as finance, HR, manufacturing, distribution, and accounting. Each installation consists, on average, of about 400,000 individual components (executables, libraries, HTML files, source code files, rulebooks, and much more). Because of constant changes in global legislation, social security fee structures, tax rules, and the worldwide supply chain, our customer is constantly updating its very modular ERP software, resulting in many thousands of updates every day, multiplied by the number of customers.
Each component needs to be developed, maintained, updated, and safely distributed, avoiding man-in-the-middle attacks and the possibility of attackers submitting malicious components while posing as consultants, system integrators, and so on.
About 90% of the software is developed in Java, with occasional Python code interspersed.
Our customer is required by their Federal Government clients to supply an SBOM for each and every new code update delivery.
To support its extensive software development activities, this ERP software company relies on a range of tools and platforms, including GitHub Enterprise and several CI/CD platforms such as Jenkins and CircleCI. It also employs various vulnerability scanners and static code analysis tools to ensure software security.
Given the globally distributed organization and high volume of activity, any trust and integrity platform must be available continuously, with uptime approaching 99.99%. The platform must also be able to process hundreds of thousands of objects every day and give the installed base an easy mechanism to run verification against the components they receive from our customer.
Every component generated is therefore notarized: its SHA-256 hash is written into Trustcenter's immutable, tamper-evident database (built on the award-winning, widely used immudb immutable database, http://www.immudb.io).
With each component notarized and its metadata (name, type of component, who developed it, when it was updated, version, group and dependencies, build date, vulnerability scan date, attestations, license) stored inside Trustcenter, any of these components can be verified by anybody in the world by computing its SHA-256 hash and looking it up in Trustcenter. If a match is found, all the metadata becomes visible, which provides provenance. If no match is found, the component either does not originate from our ERP software customer or was modified after notarization; in both cases it must not be trusted. Because the lookup itself is the trust decision, the verifying client must reach Trustcenter over an authenticated channel and check the cryptographic proof returned with the record rather than rely on a bare yes/no answer.
Evaluation
Before adopting Trustcenter as its trust and integrity platform, our solution underwent a thorough evaluation process to ensure that it met the company's requirements for security, maturity, and performance. Because the installed base verifies the provenance of the components distributed by our customer 24/7/365, Trustcenter needed to be highly scalable and capable of securing all software creation and maintenance processes. This requirement meant, for example, no downtime for backups, exports, or upgrades of the Trustcenter platform.
Following a successful trial period and a number of custom integrations, this ERP company deployed Trustcenter throughout their DevOps organization. The implementation of Trustcenter provided them with a significant return on investment, delivering improved security and integrity of their software, as well as reducing costs associated with distributing and guaranteeing update components to their installed base.
Especially noteworthy for them was being able to retire their cumbersome digital-certificate infrastructure, which had frustrated their installed base through its lack of per-component granularity and through expired certificates.
The successful adoption of Trustcenter has enabled this ERP company to maintain and improve the relationship with new and existing customers.
In addition to the security and cost benefits, the implementation of Trustcenter has also freed up their Development Compliance team to focus on more comprehensive and strategic tasks. By automating the tracking and verification process, the team is now able to tackle more complex compliance issues and contribute to more valuable initiatives, ultimately driving business growth.
Even more importantly, Trustcenter increased the overall integrity of their ERP application: because an update component whose hash is not found in Trustcenter is rejected before installation, a bad actor can no longer slip a modified or counterfeit component into the update stream unnoticed.
Deployment Characteristics
This ERP company runs a busy on-premise software development organization with people dispersed all over the USA and Europe. The customer deployment journey for Trustcenter consists of the following steps:
- Set up Trustcenter and create user accounts to establish a secure foundation for the deployment process.
- Create a comprehensive baseline catalog of all existing artifacts by allowing Trustcenter to scan existing source code management systems (SCMs) and container registries. This cataloging process ensures that all artifacts are accounted for and provides a starting point for tracking and verifying future artifacts.
- Utilize Trustcenter's automated SBOM (software bill of materials) and risk score generation capabilities to analyze the cataloged artifacts in the background. This process provides insights into potential vulnerabilities and allows for proactive measures to be taken to mitigate risks.
- Integrate Trustcenter CLI or GitHub Actions into the continuous integration and continuous deployment (CI/CD) pipelines to automate the artifact provenance and verification process for all future builds. This automation ensures that artifacts are consistently tracked, verified, and secured throughout the development lifecycle.
- Integrate Trustcenter into the Docker and Kubernetes runtime and policy enforcement to add an additional layer of security to the deployment process.
Their component verification code is built into the ERP software itself, so that when an installation in the installed base automatically receives a new update, it first runs a provenance check against the Trustcenter instance running in our customer's cloud.
The Importance of Provenance
In the success story of this ERP company, provenance played a critical role in ensuring the security and integrity of update distribution to their customers. The old approach of using digital certificates proved neither flexible nor fast enough. Furthermore, a certificate vouches for everything signed under its key, so trust cannot be revoked for a single component without revoking the certificate itself. Finally, trust is not the only status that must be tracked for an update component: version, obsolete or recalled status, and context are all essential for a smooth update operation.
Trustcenter provided the cryptographic proof required for easy verification of components from anywhere in the world. Revoking a component, rendering an update obsolete, and tracking which customer has installed which components are now very simple and can be done with the click of a button.
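The notarize-and-verify flow described earlier on this page (a hash found in the ledger means the component is genuine, no match means reject) together with the revocation and obsolescence statuses discussed in this section, as an added example in Python. This is not Trustcenter's or immudb's own code: the ledger is a toy hash chain standing in for immudb, status changes are appended rather than edited in place, and the status names trusted/untrusted/unsupported, the sample component bytes and the metadata fields are assumptions made for illustration.

```python
"""Toy model of notarize / verify / revoke over an append-only, hash-chained ledger."""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import Optional

# Trust states a record can carry (assumed names, modelled on the statuses in the text).
TRUSTED = "trusted"          # produced and guaranteed by the vendor
UNTRUSTED = "untrusted"      # trust revoked, e.g. a recalled component
UNSUPPORTED = "unsupported"  # obsolete: still genuine, but no longer to be installed
GENESIS = "0" * 64           # prev_hash of the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Entry:
    index: int
    prev_hash: str       # entry_hash of the previous record; this chains the ledger
    artifact_hash: str   # SHA-256 of the component bytes
    status: str
    metadata: dict
    entry_hash: str      # SHA-256 over all of the fields above


def _digest(index: int, prev_hash: str, artifact_hash: str, status: str, metadata: dict) -> str:
    body = {"index": index, "prev": prev_hash, "artifact": artifact_hash,
            "status": status, "metadata": metadata}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class Ledger:
    """Append-only store: nothing is updated in place, a status change is a new record."""

    def __init__(self) -> None:
        self.entries: list = []

    def append(self, artifact_hash: str, status: str, metadata: dict) -> Entry:
        index = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = Entry(index, prev, artifact_hash, status, dict(metadata),
                      _digest(index, prev, artifact_hash, status, metadata))
        self.entries.append(entry)
        return entry

    def latest(self, artifact_hash: str) -> Optional[Entry]:
        """Most recent record for a hash: the newest status wins."""
        for entry in reversed(self.entries):
            if entry.artifact_hash == artifact_hash:
                return entry
        return None

    def chain_is_intact(self) -> bool:
        """Recompute every digest; an in-place edit breaks the chain from that record on."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev:
                return False
            if _digest(i, prev, e.artifact_hash, e.status, e.metadata) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def notarize(ledger: Ledger, component: bytes, metadata: dict) -> Entry:
    """Vendor side: record the component's hash and metadata as trusted."""
    return ledger.append(sha256_hex(component), TRUSTED, metadata)


def set_status(ledger: Ledger, artifact_hash: str, status: str, reason: str) -> Entry:
    """Revoke or obsolete a component by appending, so the history stays auditable."""
    previous = ledger.latest(artifact_hash)
    if previous is None:
        raise KeyError("cannot change the status of a component that was never notarized")
    return ledger.append(artifact_hash, status, {**previous.metadata, "reason": reason})


def verify(ledger: Ledger, component: bytes):
    """Client side: the provenance check run before an update is installed."""
    if not ledger.chain_is_intact():
        return "reject: ledger integrity check failed", None
    entry = ledger.latest(sha256_hex(component))
    if entry is None:
        return "reject: not notarized (unknown or modified component)", None
    if entry.status != TRUSTED:
        return f"reject: {entry.status}", entry
    return "install", entry


def tamper(ledger: Ledger, index: int, **changes) -> None:
    """Simulate an attacker editing a stored record in place (demonstration only)."""
    ledger.entries[index] = replace(ledger.entries[index], **changes)


if __name__ == "__main__":
    ledger = Ledger()
    jar = b"PK\x03\x04 constructed stand-in for payroll-core-4.2.1.jar"  # constructed sample
    rec = notarize(ledger, jar, {"name": "payroll-core.jar", "version": "4.2.1",
                                 "developer": "build-bot", "license": "proprietary"})
    print(verify(ledger, jar)[0])                # install
    print(verify(ledger, jar + b"\x00")[0])      # reject: not notarized (unknown or modified component)
    set_status(ledger, rec.artifact_hash, UNTRUSTED, "recalled after vulnerability scan")
    print(verify(ledger, jar)[0])                # reject: untrusted
    tamper(ledger, 0, status=UNTRUSTED)          # someone edits record 0 in place
    print(ledger.chain_is_intact())              # False
```

A single flipped byte in the component produces a different SHA-256 and therefore no record, which is the "no match, do not trust" case; revocation never rewrites the original record but appends a newer one, so the client's lookup of the latest status flips from install to reject while the audit trail survives; and editing any stored record breaks the hash chain, which is the property an immutable ledger makes checkable by the client.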
Conclusions and Return on Investment
Trustcenter has secured this ERP company's software distribution process and at the same time made it much easier and faster. Every single update shipped to their customers is now fully verified for provenance and validity.
As a result, they have achieved a Return on Investment (ROI) of approximately 400% in the first year based on the subscription price for Trustcenter.
With Trustcenter in place, they have avoided security breaches such as those caused by counterfeit software components since the initial deployment. Trustcenter's proactive approach to security has also increased the trust of their installed base and resulted in growth opportunities.