The rise in software supply chain attacks, like the SolarWinds hack, prompted last year’s executive order from the Biden Administration requiring vendors to provide a software bill of materials (SBOM). SBOMs can help security teams understand if a newly disclosed vulnerability impacts them — in theory. But industry experts caution that they aren’t always comprehensive enough to prevent attacks or address the challenges of securing supply chains.
One startup, Ox Security, is forging ahead with an alternative to SBOMs it’s calling Pipeline Bill of Materials (PBOM), which Ox claims goes further by covering not only the code in final software products but also the procedures and processes that impacted the software throughout its development. PBOM seems to be gaining traction. Despite being founded less than a year ago, Ox has raised $34 million in seed funding — a fact that it disclosed today — and has 30 customers including FICO, Kaltura and Marqeta.
Investors to date include Evolution Equity Partners, Team8, Rain Capital and M12, Microsoft’s venture fund.
“When the infamous SolarWinds attack took place, I recall the amount of stress that was felt across the industry,” CEO Neatsun Ziv, a former Check Point executive, told TechCrunch in an email interview. “When brainstorming on ideas with my co-founder Lior Arzi, we talked about the need for an end-to-end supply chain solution — something that doesn’t only look at the code that goes into the end product but also at all of the procedures and processes that could have impacted the software throughout the whole development lifecycle. At the end of 2021, we founded Ox Security to build this solution.”
In developing PBOM, Ziv claims that Ox undertook “extensive” research on the root causes of more than 70 attacks from the past year. PBOM was designed to contain information that might’ve prevented the attacks had it been readily available at the time, he says, and to be shared with stakeholders so that they can verify that the software they’re using is derived from a trusted, secure build.
Ox’s platform, leveraging PBOM, integrates with existing software development tools and infrastructure to record actions affecting software throughout the development lifecycle. It connects to an organization’s code repository and performs a scan of the environment from “code to cloud,” producing a map of detectable assets, apps and pipelines.
Ox also attempts to identify which security tools are in use, verify that they’re operational, and determine if additional tools are needed. Then, the platform highlights any security issues it found, prioritized by their business impact alongside automated fixes and recommendations.
“Most IT departments are understaffed, lack visibility and are struggling to prioritize security projects across engineering and DevOps. This results in ‘shadow dev’ and DevOps — where software development tools and processes are outside of the control and ownership of the security teams,” Ziv continued. “There is also a severe lack of automation that results in manual work and causes a high attrition rate for people in these roles. The Ox platform solves these issues by providing continuous visibility, prioritizing risks, automating manual workflows and securing the posture of [software development] elements like GitLab, Jenkins, artifact registry and production.”
PBOM is — at least at present — a voluntary spec. And Ox competes with vendors like Legit Security, Cycode, and Apiiro, the last of which Palo Alto Networks is reportedly close to acquiring for $550 million. But Ziv asserts that OX is gaining mindshare, pointing to the startup’s client base of just over 30 brands.
“We are fully focused on building the company and scaling the number of customers we serve. So far we only see an increase in demand due to the increasing number of attacks,” Ziv said. “If you look at previous downturns, there were very successful companies that got started in each one of them. So we try to obsess about solving the security risk, rather than what could happen with the market. We are going on this journey with strong partners who want to see this vision come to life.”
Added M12 managing partner Mony Hassid in an emailed statement: “Supply chain attacks are on the rise, and the attack surface is growing. When it comes to software security and integrity, you have to look beyond which components were used and consider the overall security posture throughout the development process. Ox is pioneering a standard that will be transformative for supply chain security. We’re proud to work with OX to improve software security.”
With the proceeds from the seed round, Ox plans to double its 30-employee headcount by the end of 2023.