Interneuron

BOLD STEPS

The founders of Interneuron in the United Kingdom (U.K.) have extensive experience in the healthcare industry providing IT solutions to meet the needs of both providers and patients. From that journey, they uncovered a crucial gap regarding the creation and delivery of services. “We realized that how the industry was delivering software and what was being delivered was fundamentally misguided. The number one goal should be on the betterment of the community—the patients,” says Matt Conway, company CTO. “We created Interneuron as a Community Interest Company to develop software solutions focused on the community served by the healthcare system.”

Interneuron delivers software aimed at securing the personal electronic health records of patients within the NHS—one of Interneuron’s primary customers and the majority provider of healthcare services in the U.K. Interneuron’s solutions are based on Open Source Software, something that was new to the owners of Interneuron, but critical in meeting the need to provide high quality, secure enterprise level applications.

The challenge facing Interneruon was convincing organizations to adopt their solutions and build trust in the Open Source Software supply chain. Interneuron turned to Source Code Control for guidance—a company that specializes in creating the right processes for organizations looking to manage open source throughout the software supply chain. Source Code Control recommended Interneuron become OpenChain Conformant through the Linux Foundation. As an OpenChain Conformant company, Interneuron demonstrates to customers and prospects:

1. The benefits of Interneuron’s open source solution over traditional proprietary closed source solutions.
2. The quality and rigor embedded in their software development and release management processes.
3. Full transparency they are managing the open source supply chain and not passing on risk.

Interneuron executives attended “Getting Right with Open Source,” a training course offered through Source Code Control and based on the OpenChain curriculum. “A fundamental requirement of the OpenChain Project is that organizations must identify all third-party open source software components and libraries used to build applications, including how they are licensed and other information such as copyright holders,” says Martin Callinan, Source Code Control’s founder. “Additionally, conformant organizations must demonstrate they are shipping their software with all the required license information related to their open source components, such as license notices and attribution notices, and, in addition, provide access to the source code.”

The training provided clarity to Interneuron’s leadership of the benefits of an end-to-end license compliance and risk management solution to help the company meet its most pressing business challenges. 

SOFTWARE COMPOSITION ANALYSIS FOR CONTINUOUS COMPLIANCE HEALTH

Recognizing the need to engineer open source software applications the right way, but also realizing they internally lacked open source license compliance and security skills, Interneuron’s first step was to enter into a Managed Service contract with Source Code Control. The agreement is supported by a Software Composition Analysis (SCA) automated solution from Revenera called FlexNet Code Insight. Code Insight enables Interneuron to create an environment of continuous compliance, and build solutions that are secure by design. The total Interneuron solution includes:

1. FlexNet Code Insight from Revenera for robust, deep OS scanning and reporting
2. Managed Services from Source Code Control for ongoing compliance support, developer training, and process management

FlexNet Code Insight enables deep scanning capabilities of Interneuron’s applications, identifying open source components in source code, binaries, software packages, code snippets, and more. The tool is integrated with Interneuron’s DevOps environment and allows their developers to self-manage scans and check for vulnerabilities as they initiate product builds. “We thought we were on top of our open source use,” says Matt, “but a test scan of our first product release with [FlexNet] Code Insight revealed we were using outdated components with known vulnerabilities and licenses we were unaware of. That first scan quickly showed us the real value of the tool.”

Source Code Control advises Interneuron on how to license their solutions and the creation and adoption of open source policies. By implementing policies and FlexNet Code Insight, Interneuron avoids license and security issues from the onset, as well as any unnecessary code maintenance costs. The policies guide developers on what third-party open source software components are acceptable and the agreed upon service level agreements for remediating issues. The policies are integrated within Code Insight so that only product releases that pass scans with no policy violations are made available to customers. During a build, if any third-party open source software components are used that create either a license or security risk, the issue is flagged and an actionable alert is immediately sent from the Code Insight scanning tool to the development team for remediation— proactively avoiding issues early in the development process.

In addition, before new product releases are made available to customers, Source Code Control conducts an independent audit using FlexNet Code Insight and creates a time-stamped release report and a Bill of Materials, further demonstrating the code meets all policy requirement. Interneuron can share this report as needed with customers as further evidence of open source compliance.