Industry: Logistics and Postal Services
Headquarters: Vienna, Austria
The Austrian Post Group (Österreichische Post AG) is a logistics provider offering postal, banking, and telecommunications services in Austria. The company operates a comprehensive network of approximately 3,000 post locations in Austria and serves 150 million people in 14 countries internationally.
Faced with a lack of visibility into its open source usage, Austrian Post Group selected Black Duck® SCA to secure its software supply chain. By integrating Black Duck SCA directly into its Azure DevOps pipelines, it quickly onboarded 30 development teams and over 385 applications, illuminating potential oversights and automating security controls for critical assets.
As Austria’s logistics backbone and an international ecommerce provider, Austrian Post Group’s operations are immense.
The company processes over 500 million letters and 224 million parcels in Austria every year, and more than half a billion parcels are transported worldwide. To support this level of activity, the development teams rely on open source software to build applications faster and more efficiently.
However, prior to 2023, the organization faced a critical challenge common to many enterprises: lack of visibility into the third-party risks that are part and parcel of a complex software supply chain.
“We did not actively monitor and manage open source code prior to Black Duck,” explains Mile Bernad, specialist, IT-security at Austrian Post.
Without a dedicated software composition analysis (SCA) solution, the security and development teams faced a critical problem: they had no way to detect—let alone manage—the third-party components composing their applications. This lack of a clear inventory made it impossible to accurately assess risk or pinpoint vulnerabilities within their codebase.
Ultimately, this rendered the company’s software supply chain a black box—and a significant operational liability in a threat landscape where attacks are constantly on the rise.
Austrian Post Group decided to proactively address this issue, evaluating SCA solutions and conducting an in-house technology review without the influence of external systems integrators. The goal was to find a tool that offered robust capabilities without disrupting developer velocity.
The team chose Black Duck SCA for three primary reasons.
Success in DevSecOps depends on how easily a tool fits into existing workflows. Austrian Post Group’s approach to implementation was a textbook example of prioritizing the developer experience.
Rather than forcing a new tool on developers, Michael Mosler, lead, developer experience at Austrian Post, and his team integrated Black Duck SCA directly into its Azure DevOps pipelines.
“The integration was very straightforward,” explains Mosler. “The Developer Experience team implemented a template that was then used by the development teams to integrate Black Duck SCA. The template was implemented within two sprints.”
Scale: 30 development teams
Scope: 385 applications integrated
Cadence: Mandatory scans before production deployment and before merging to main, with some teams voluntarily scanning on every pull request
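An Azure DevOps setup of the kind described above, added here as an illustration and not the Developer Experience team's own template: a shared step template runs Black Duck Detect and fails the job on policy violations, and a consuming pipeline makes the scan mandatory for pull requests into main and for main builds that precede production deployment. The `templates` repository, the `blackduck-secrets` variable group, the project name and the Detect download URL are assumptions.

```yaml
# --- templates/blackduck-scan.yml (shared step template, hypothetical) ---
parameters:
  - name: projectName
    type: string
  - name: failOnSeverities        # policy severities that block the pipeline
    type: string
    default: 'CRITICAL,BLOCKER'

steps:
  - bash: |
      set -euo pipefail
      # Fetch the Detect launcher (URL assumed; pin a release in practice)
      curl -sSfL https://detect.blackduck.com/detect10.sh -o detect.sh
      # One Black Duck project version per branch or PR keeps inventories separate
      VERSION="${BUILD_SOURCEBRANCHNAME}"
      if [ "${BUILD_REASON}" = "PullRequest" ]; then
        VERSION="pr-${SYSTEM_PULLREQUEST_PULLREQUESTID}"
      fi
      bash detect.sh \
        --blackduck.url="${BLACKDUCK_URL}" \
        --blackduck.api.token="${BLACKDUCK_API_TOKEN}" \
        --detect.project.name="${{ parameters.projectName }}" \
        --detect.project.version.name="${VERSION}" \
        --detect.wait.for.results=true \
        --detect.policy.check.fail.on.severities="${{ parameters.failOnSeverities }}"
    displayName: 'Black Duck SCA scan'
    env:                              # secrets must be mapped explicitly into scripts
      BLACKDUCK_URL: $(BLACKDUCK_URL)
      BLACKDUCK_API_TOKEN: $(BLACKDUCK_API_TOKEN)

# --- azure-pipelines.yml (consuming pipeline, hypothetical) ---
trigger:
  branches:
    include: [main]                 # scan every main build before it is deployed
pr:
  branches:
    include: [main]                 # scan before merging to main; use ['*'] for every PR
resources:
  repositories:
    - repository: templates
      type: git
      name: DevEx/pipeline-templates
variables:
  - group: blackduck-secrets        # holds BLACKDUCK_URL and BLACKDUCK_API_TOKEN
steps:
  - template: templates/blackduck-scan.yml@templates
    parameters:
      projectName: parcel-tracking-api
  # Deployment steps follow here; a policy violation fails the scan step first
```

Because the scan step runs before any deployment step and `detect.wait.for.results` makes Detect block until Black Duck has evaluated policy, a violation at the configured severities stops the pipeline rather than merely reporting.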
Since deploying Black Duck SCA, Austrian Post Group has moved from a state of unknown software supply chain risk to active risk management.
The organization now consistently maintains a complete inventory of the third-party and open source components within its applications. Black Duck SCA automatically detects new vulnerabilities impacting any associated projects and prioritizes issues for remediation. This has created a powerful audit trail that was previously nonexistent.
For the security champions within the organization, the standout feature has been the Black Duck Security Advisories (BDSAs). Unlike standard NVD data, BDSAs provide actionable vulnerability insight—sourced and curated by Black Duck’s Cybersecurity Research Center—that helps developers understand detected issues and take decisive, effective action.
“My favorite feature is the BDSAs. They not only give faster and deeper insights than CVEs, they also flag hidden risks and adjust severity based on real impact,” said Hahna Christian, delivery systems support engineer and security champion at Austrian Post.
Features like complete single sign-on support have streamlined user management, a critical requirement for Mosler’s team, while the flexibility of Black Duck SCA’s automation templates for Azure DevOps allows development teams to customize scan parameters and pipeline triggers to balance insight and efficiency across projects.
By partnering with Black Duck, Austrian Post Group has successfully embedded application security and open source risk management into the fabric of its development life cycle. It bridged the gap between security and development, ensuring that its software supply chain remains secure, compliant, and resilient.
When asked if he would recommend Black Duck SCA to a colleague, Mile Bernad is clear: “I would recommend Black Duck SCA. The ease of implementation [is the biggest reason].”