An increase in software supply chain attacks, like the SolarWinds hack, prompted an executive order from the Biden administration last year requiring vendors to submit a software bill of materials (SBOM). An SBOM can help security teams understand whether a newly identified vulnerability affects them, in theory. But industry experts caution that SBOMs are not always comprehensive enough to prevent attacks or to address the challenges of securing supply chains.
Ox Security is moving forward with an alternative to the SBOM that it calls a pipeline bill of materials (PBOM), which Ox says goes further by covering not just the code in the final software product, but the processes and procedures that affect the software throughout development. PBOM seems to be gaining traction. Although Ox was founded less than a year ago, it has already raised $34 million in seed funding, a fact announced today, and has 30 clients, including FICO, Kaltura and Marqeta.
Investors to date include Evolution Equity Partners, Team8, Rain Capital and M12, Microsoft’s venture fund.
“I remember the level of anxiety felt in the industry when the infamous SolarWinds attack happened,” CEO Neatsun Ziv, a former Check Point executive, told TechCrunch in an email interview. “While brainstorming ideas with my co-founder Lior Arzi, we talked about the need for an end-to-end supply chain solution – something that includes not only the code that goes into the final product, but all processes and procedures that can affect the software throughout the entire development cycle. By the end of 2021, we founded Ox Security to build a solution.”
In developing PBOM, Ziv said Ox conducted “extensive” research into the root causes of more than 70 attacks last year. PBOMs are designed to contain the information that could have prevented an attack if it had been readily available at the time, and to share that information with stakeholders so they can ensure the software they use is trusted and secure.
The Ox platform, leveraging PBOM, integrates with existing software development tools and infrastructure to document actions that affect software throughout the development lifecycle. It connects to the enterprise’s code repository and maps the available assets, applications and pipelines by exploring the “code to cloud” environment.
Ox attempts to determine which security tools are in use, verifies that they are working, and determines whether additional tools are needed. The platform then highlights any security issues, prioritized by their operational impact, alongside automated fixes and recommendations.
“Most IT departments are understaffed, lack visibility and struggle to prioritize security projects across engineering and DevOps. This results in ‘shadow dev’ and DevOps – where software development tools and processes are outside the control and ownership of security teams,” Ziv continued. “There is also a severe lack of automation that results in manual work and high abuse rates for people in these roles. The Ox platform addresses these issues by providing continuous visibility, prioritizing risks, automating manual workflows, and maintaining alignment across [software development] elements like GitLab, Jenkins, repositories and production.”
PBOM is, at least currently, a voluntary list. And Ox competes with vendors like Legit Security, Cycode and Apiiro, the latter of which Palo Alto Networks is close to acquiring for $550 million. But Ziv says Ox is gaining ground, pointing to its fledgling customer base of more than 30 brands.
“We’re totally focused on building the company and showing the number of customers we serve. So far, all we’ve seen is an increase in demand due to the increasing number of attacks,” Ziv said. “So we try to think about solving the security risk rather than what might happen in the market. We go on this journey with strong partners who want to see this vision come to life.”
M12 managing partner Mony Hasid added in an emailed statement: “Supply chain attacks are on the rise, and the attack surface is growing. When it comes to software security and integrity, you should look at which components are used and consider the overall security situation throughout the development process. Ox is pioneering a transformative standard for supply chain security. We are proud to work with Ox to improve software security.”
With proceeds from the seed round, Ox plans to double its headcount to 30 employees by the end of 2023.