“Night and Day Difference”: How Milliman Uses Automation to Reduce Open Source Risk

Milliman is an international consulting and actuarial firm with 60 offices around the globe. One of the company’s cornerstone products is Arius®, the award-winning insurance reserving software. Arius is a family of solutions that helps insurance analysts evaluate property and casualty insurance losses and unpaid claim reserves more efficiently and reliably than with legacy spreadsheets and workflows.  

The Milliman engineering team behind Arius® applies a similar philosophy — prioritizing efficiency and efficacy — to its software development practices. This includes its approach to managing risks when using open source software.

With FOSSA, Milliman has implemented and automated workflows to manage open source security, license compliance, and software bill of materials generation. This has created significant time savings, improved application security, and strengthened customer trust.

“We now know all of the open source components and licenses we use, including transitive dependencies,” says Charles Hoffman, Milliman’s Principal and Director of Software Development. “If there’s a new, high-severity vulnerability and our CISO sends an all-hands-on-deck email asking if we’re affected, we can tell them unequivocally in seconds. We’re able to identify and resolve vulnerabilities quickly.

“We can also generate a comprehensive software bill of materials, which is a huge benefit; we can click a few buttons and generate a report we can package with our release.”

“It’s a night and day difference now that we use FOSSA. FOSSA has been a huge time-saver.”

- Paul Erickson, Milliman Senior Software Engineer and Team Lead

Open Source Management Before FOSSA

Like most modern enterprises, Milliman uses a lot of open source software — especially .NET NuGet packages and React® libraries — to fuel application development. The Arius team has gained numerous benefits from using open source, including time savings and improved product quality.

“There’s a lot of power in leveraging open source community software,” says Milliman Senior Software Developer David Daughtrey.

But before implementing FOSSA, Milliman experienced some of the downsides of using open source. The Arius team used manual processes to manage license compliance and security, which took time and consumed valuable engineering resources.

“Manually assembling the list of the open source we used was very difficult,” Hoffman says. “It was also difficult to figure out our dependencies.”

Those challenges and an uptick in customer requests pertaining to automated vulnerability management prompted the Arius team to evaluate open source management platforms. Milliman considered several tools before deciding on FOSSA.

“We chose FOSSA because it provided everything we needed, all the core functionality: code scanning, license compliance, and vulnerability management,” Hoffman says. “And its cost was reasonable for all the value it provided us.”

Easy Implementation, Immediate Results

A common concern with open source management tools is difficulty getting up and running. For example, some solutions require extensive training, and others struggle to integrate with certain development environments.

Milliman didn’t experience any of those issues when implementing FOSSA. On the contrary, setup was quick and easy, and the Arius team was able to deploy FOSSA across all its environments and repositories.

“Integration was straightforward,” says Paul Erickson. “We easily integrated FOSSA with Azure DevOps and our GitHub. I was thrilled with how quickly we could get full coverage from FOSSA across all our platforms.”

Shortly after completing implementation, the Arius team started leveraging FOSSA to support its open source license compliance and vulnerability management initiatives.

“Every time we check in code, FOSSA scans it,” Erickson says. “Mostly, it works in the background; we’re only notified when there’s an issue. We can easily act on those notices and bring them to the larger team.”

“FOSSA helps everyone collaborate on these items. For example, our project manager has excellent visibility into any potential vulnerabilities and their severity, and she can ensure they get into the right sprint for us to address them.”

Most open source licenses require users to publish all applicable license terms as well as acknowledgments of authors and contributors. Milliman uses FOSSA to handle the time-consuming and tedious (but mandatory) compliance work of creating attribution notices for their open source licenses.

“We use FOSSA to generate a comprehensive PDF report with all our required notices,” Charles says. “We package the report and ship it with our products.”

In addition to strengthening security and ensuring compliance with open source licensing requirements, FOSSA has helped Milliman build trust and strengthen relationships with current and prospective customers.

“We occasionally have to address customer concerns about some vulnerability that shows up in the news overnight,” Hoffman says. “We can quickly reference our bill of materials and show we are not affected.”

“We also inform our clients about our processes and reports and can point to our SOC 2 certification, which FOSSA has a role in enabling.”

The Future with FOSSA

The Milliman Arius team has significantly improved its open source management program since implementing FOSSA.

“FOSSA is fully integrated into our daily code development process,” Hoffman says. “And it’s an important part of our overall risk management practices.”

The Arius team’s experience with FOSSA has been so positive that they encourage other development teams within Milliman to adopt the tool.

“I tell everyone inside Milliman who will listen that they need FOSSA. My message is: Run, don’t walk, to adopt and implement it.”

- Charles Hoffman, Milliman Principal and Director of Software Development

Adds Erickson: “We couldn’t do what we do now without FOSSA.”