The proliferation of attacks on the software supply chain, such as the SolarWinds hack, led to the Biden administration’s executive order last year requiring suppliers to provide a software bill of materials (SBOM). SBOMs can help security teams understand whether a newly revealed vulnerability theoretically affects them. But industry experts warn that they aren’t always comprehensive enough to prevent attacks or address the challenges of securing supply chains.
A startup, Ox Security, is proposing an alternative to SBOMs it calls the Pipeline Bill of Materials (PBOM), which Ox claims goes further by addressing not only the code in final software products, but also the procedures and processes that affected the software during its development. PBOM seems to be gaining momentum. Despite being founded less than a year ago, Ox has raised $34 million in seed funding — a fact it disclosed today — and has 30 clients, including FICO, Kaltura and Marqeta.
Investors to date include Evolution Equity Partners, Team8, Rain Capital and M12, Microsoft’s venture capital fund.
“When the infamous SolarWinds attack happened, I remember the amount of stress felt across the industry,” CEO Neatsun Ziv, a former chief executive of Check Point, told australiabusinessblog.com in an email interview. “When we brainstormed ideas with my co-founder Lior Arzi, we talked about the need for an end-to-end supply chain solution – something that looks not only at the code that goes into the final product, but also at all the procedures and processes that may have affected the software throughout its development lifecycle. At the end of 2021, we founded Ox Security to build this solution.”
In developing PBOM, Ziv claims that Ox has conducted “extensive” research into the root causes of more than 70 attacks over the past year. PBOM is designed to contain information that could have prevented the attacks had it been readily available at the time, he says, and to be shared with stakeholders so they can verify that the software they are using is built from a trusted, secure source.
Ox’s platform, which leverages PBOM, integrates with existing software development tools and infrastructure to capture actions that affect software throughout its development lifecycle. It connects to an organization’s code repository and performs a scan of the “code to cloud” environment, producing a map of discoverable assets, apps, and pipelines.
Ox also seeks to identify which security tools are in use, verify that they are operational, and determine if additional tools are needed. Then, the platform highlights any security issues it found, prioritized based on their business impact, alongside automated solutions and recommendations.
“Most IT departments are understaffed, lack visibility, and struggle to prioritize security projects across engineering and DevOps. This results in ‘shadow development’ and DevOps – where software development tools and processes are beyond the control and ownership of the security teams,” continues Ziv. “There is also a severe lack of automation, resulting in manual work and high turnover of people in these roles. The Ox platform solves these problems by providing continuous insight, prioritizing risk, automating manual workflows and [software development] elements such as GitLab, Jenkins, artifact registration, and production.”
PBOM is – at least for now – a voluntary specification. And Ox competes with vendors such as Legit Security, Cycode, and Apiiro, which Palo Alto Networks is reportedly close to acquiring for $550 million. But Ziv claims Ox is gaining mindshare, pointing to the startup’s customer base of just over 30 brands.
“We are fully focused on building the business and scaling up the number of customers we serve. So far, we’ve only seen an increase in demand due to the increasing number of attacks,” said Ziv. “If you look at past recessions, there were very successful companies that started in each of them. So we’re trying to obsess about solving the security risk, rather than what might happen to the market. We embark on this journey with strong partners who want to see this vision come to life.”
M12 management partner Mony Hassid added in an emailed statement: “Supply chain attacks are on the rise and the attack surface is growing. When it comes to software security and integrity, you need to look beyond what components have been used and consider the overall security attitude throughout the development process. Ox is pioneering a standard that will transform supply chain security. We are proud to partner with OX to improve software security.”
With the proceeds from the seed round, Ox aims to double its headcount from 30 employees by the end of 2023.