UD Trucks

Joining forces presents an influx of applications and some security concerns

The logistics industry expects the demand for small parcel deliveries to increase by 50 percent by 2030, due to the growth of e-commerce. However, emissions problems and driver shortages are becoming more serious. UD Trucks believes that with automation, transportation can be smarter through the evolution of connectivity and digitalization. To create new value in the commercial vehicle industry globally, AB VOLVO and Isuzu entered a strategic partnership. As part of this, UD Trucks, a VOLVO-owned brand, was transferred to Isuzu to strengthen the overseas market.

Mrs. Saritha Auti, Global Chief Information Security Officer for UD Trucks, explains further: “With the change in the business strategy and separation of UD Trucks from the Volvo Group, we needed to identify and segregate the business process and applications that are relevant to UD Trucks, including setting up a cybersecurity function to ensure that the infrastructure and applications are secure during the migration into the new UD Trucks environment. We took the opportunity to introduce a DevSecOps environment and ensure that our applications are free of exploitable vulnerabilities before being released into the production environment. Creating secure software code is an important first step to ensure that our data is secure throughout the business value chain, and we therefore prioritized application security and DevSecOps.”

I’m really pleased with the progress and impact of our AppSec program and the work we’ve done with Fortify in particular, supported by the clear expertise Micro Focus (now OpenText) has in this area. It has enabled our shift-left approach that paves the way for continuous application improvement and risk reduction as a result.

Superior Fortify functionality and effective collaboration created consistent approach

The UD Trucks team looked for a solution with a company committed to regularly updating the vulnerability reference baseline, considering the ever-fluctuating cyber threat landscape. Looking at the diversity within the applications—ranging from legacy, often mainframe-based, applications that are critical for the manufacturing process, to more modern Java or Windows-based applications on the customer and supply side—the team wanted a unified process to cover all of them. Over 2,000 robotic process automation (RPA) scripts are used on the factory assembly line, and the team needed to ensure that the new solution would support all of them.

“When we received the information on Fortify, we saw it met all our requirements and was clearly ahead of the competition, plus the solution would be supported by a team local to our security team’s main location,” says Mrs. Auti. “We felt the Micro Focus (now OpenText) team had great product knowledge and would be a good partner to help us improve our security posture. A proof-of-concept (POC) confirmed the functionality and, based on a comprehensive scoring template, Micro Focus (now OpenText) was selected.”

Fortify is designed to make AppSec part of a company’s development culture so that company growth can be accommodated securely. OpenText (formerly Micro Focus) has proven expertise to deliver a holistic, inclusive, and extensible AppSec platform spanning static and dynamic code scanning that supports the breadth and depth of a diverse application portfolio, such as that of UD Trucks.

Because the task was daunting, OpenText (formerly Micro Focus) Professional Services engineers helped the team get started with the most complex applications, such as the ones for which there was no coding insight at all; essentially ‘black box’ applications. The team scanned the code with Fortify and was able to provide insight and a thorough risk assessment. OpenText (formerly Micro Focus) supported UD Trucks in creating a quick workaround to introduce integration between UD Trucks’ environment and the platform that hosted Fortify, which will enable the application development teams to easily leverage Fortify scanning themselves.

Meanwhile, UD Trucks’ security team focused on the mammoth task of educating the internal application owners with a series of workshops to explain the importance of security, building robust code, and teaching them how to avoid code vulnerabilities during the software development process. “When a major change like this is introduced, it is vital to align process, people, and technology, and gain commitment across the board,” comments Mrs. Auti. “That is why it was also very important to create a consistent and standardized process for all applications, avoiding any confusion.”

Leveraging Fortify, we now have a stable application landscape, with effective vulnerability management processes, backed up by a comprehensive governance strategy. The importance of this should not be underestimated, especially in Japan where our commercial operations depend on our ISO security compliance.

Full ISO compliance, reduced maintenance costs, and shift left development culture

She continues: “Leveraging Fortify, we now have a stable application landscape, with effective vulnerability management processes, backed up by a comprehensive governance strategy. The importance of this should not be underestimated, especially in Japan where our commercial operations depend on our ISO security compliance. Without this we literally cannot sell our trucks, so the cost of non-compliance is very high and helped us get the board-level commitment we needed to introduce a comprehensive AppSec program.”

Another benefit clearly recognized by Mrs. Auti is the reduced maintenance costs for applications. Before Fortify was deployed, UD Trucks would continuously operate application remediation programs to address application vulnerabilities when they arose, to minimize their impact as much as possible. Since Fortify has been in use, no remediation programs have been necessary, as vulnerabilities are addressed as part of the software development lifecycle, resulting in higher quality software. Now that there is a solid baseline and a stable application landscape, the team can turn its attention to creating a ‘shift-left’ development culture that will change the behavior of application owners and development teams.

Mrs. Auti concludes: “I’m really pleased with the progress and impact of our AppSec program and the work we’ve done with Fortify in particular, supported by the clear expertise OpenText (formerly Micro Focus) has in this area. It has enabled our shift-left approach that paves the way for continuous application improvement and risk reduction as a result.”