The Modern Software Supply Chain Has Too Many Weak Links. OX Security Has a Solution
Today’s software development practices would be unrecognizable to a CIO in the early 2000s: Releases have become small and ruthlessly frequent. Technical challenges are solved instantly with code plucked off open source repositories. Development processes happen across a tangle of interconnected cloud applications and microservices. Monolithic platforms have grown out of favor; software supply chains abound.
Modern paradigms allow developers to ship more software. But the cost is often an untenable security risk: as software tooling and code components grow in number, they become a black box that can hide many vulnerabilities. Exploits of third-party code have already caused real damage, most recently in the SolarWinds and Log4j incidents; and as adoption of new commercial and open-source software shows no signs of slowing down, these problems are likely to persist. Securing code has become a multi-faceted challenge that requires a fresh approach.
OX Security, the newest addition to the Team8 family, is pioneering the next generation of software supply chain security and integrity. Now that news of its $34M funding has been made public, we’d like to use this space to take a deeper dive. We’ll expand on the market gap we’ve identified, and explain why we believe the OX Security team will be the one to deliver the solution.
The Software Supply Chain Is Keeping CISOs Up at Night
It’s counterintuitive, but in many ways developing software is more complex than it’s ever been. Full-stack frameworks have been replaced by system sprawl – a mix of best-in-class tools used to optimize every step of the development process, from code planning, through build management and testing, to containerized deployment and observability.
The desire to gain first-mover advantage, and an influx of capital into software initiatives, have created pressure on product teams to ship software faster. On the tech side, this has translated into a rise in microservices, APIs, and cloud-native software, alongside the rising adoption of new open-source technologies – anything that can simplify processes or produce that extra bit of efficiency.
Businesses are using more software than ever. Along the way, they’ve traded careful engineering for agility. This is good for innovation but bad for security.
When a lot of new software is implemented quickly, many things can go wrong: insecure pipelines, vulnerabilities in code, exploitable dependencies, or misconfigurations in cloud services – to name a few. The attack surface can be huge, spanning not only internal assets and software, but also ‘forward’ attacks: once malicious third-party code finds its way into one company’s codebase, it can spread to a host of other businesses that use that company’s tools as building blocks for their own software.
And we don’t need to look far for examples where things actually have gone wrong: the ubiquity of third-party code and tooling has played a central role in some of the worst cyberattacks of recent years. Some of these attacks, such as SolarWinds, caused millions of dollars’ worth of damage and disrupted critical infrastructure. And beyond the immediate financial damage and impact on business continuity, they cause reputational damage that lingers for years after the security hole has been plugged.
Understanding the full list and lineage of components that make up modern software has become close to impossible. This topic came up again and again in our conversations with CISOs, either as part of Team8’s CISO Village or in the meetings we have with our portfolio companies. The tangled web of dependencies and open-source components can take weeks to decipher, even for sophisticated IT teams, and it is dynamic and changes constantly.
The rise of software supply chain attacks led to an executive order requiring vendors to provide a software bill of materials (SBOM) – a list of the software components used in a product, which can help security teams understand whether their product may include a newly disclosed vulnerability. However, an SBOM, being a static list of software components, is not sufficient to ensure the security and integrity of software supply chains.
OX Delivers a Fresh Approach That Is Badly Needed
Existing attempts at automation are partial and clunky. Mitigating software supply chain threats requires businesses to build yet another supply chain of security tooling – separate systems to scan source code, manage container security, review open-source components, monitor authentication, and more. Maintaining siloed systems is costly; furthermore, it’s prone to human error and can leave many blind spots for hackers to exploit.
CISOs and businesses are looking for a holistic approach that can tackle the full complexity of securing highly distributed software supply chains. We are convinced that OX Security has built that solution.
OX’s technology is groundbreaking in its ability to scan and secure all builds from the earliest planning stages until deployment to production. OX monitors and records every action affecting software throughout the entire development lifecycle, to verify code integrity – ensuring that every line of code that gets to production legitimately belongs there. It gives security and DevOps teams complete visibility and control over the attack surface, including source code, pipeline, artifacts, container images, runtime assets, and applications. No other solution in the market today can offer this level of coverage for the entire software supply chain attack surface. Dev teams can keep releasing software at breakneck speed, without compromising security.
A Proven Track Record of Execution at Scale
Securing the software supply chain, especially for large enterprises, is a complex and multi-faceted problem that very few startups could confidently tackle.
OX is helmed by highly skilled founders who have impressed us from day one: CEO Neatsun Ziv and CPO Lior Arzi are former executives at Check Point Software, where they managed a business unit that included many hundreds of developers and salespeople, and led several of its best-known products. With a background that combines leadership positions in both cybersecurity and software development, they have a deep understanding of the problem as well as the solution space. What’s more, they have the experience to build a company that can scale and deliver on a very ambitious promise.
The fact that OX has managed to go to market quickly, with paying customers and 30 active deployments (including at Kaltura, Bloomreach and others), is testament both to the strength of its technology and to the ability of this team to execute.
We are excited to continue partnering with OX in their journey to make modern software development more secure, and look forward to seeing what they can deliver next. Keep up with the latest news on their website.