Start-ups specializing in software supply chain security



The Endor Labs team, whose project is notably financed by the Lightspeed fund. (Credit: Endor Labs)

Venture capital-funded startups focus on DevOps, the software supply chain, and securing the software development lifecycle. Seven of them were present at the RSA Conference (RSAC), organized in early May in San Francisco.

AppSentinels analyzes flows and processes

This comprehensive API security platform covers the entire application lifecycle. The product performs in-depth analyses of application activity and examines its workflows in detail. Once the AppSentinels product understands the flows, it can test them against a variety of potential vulnerabilities and use this information to protect against complex business logic attacks in production environments. AppSentinels explains that its team has developed complex models capable of understanding the functionality of each of a company’s applications, as well as its internal workflows and processes, in order to strengthen their protection. With this understanding of process flows, AppSentinels can thwart potential attacks. The product uses multiple AI models, including graph logic models, unsupervised clustering models, and state space models, to strengthen both the workflows and the applications themselves.

Endor Labs traces all the dependencies

The main goal of this software supply chain security startup is to improve developer productivity. The startup aims to streamline developers’ workflow and save them time and money by effectively prioritizing alerts and vulnerabilities. Unlike other tools that flood developers with false positives, leading to fatigue, Endor Labs strives to provide clear guidance on which issues to prioritize and facilitate rapid resolution. Its solution uses reachability analysis to understand the functions called by packages and their dependencies, tracing the entire call path to identify specific dependencies used by different versions of a package. In addition, Endor Labs evaluates whether a piece of code with a vulnerability is actively used in the application, in order to provide precise information that goes beyond what is simply declared in the manifest file.

While some security tools focus on vulnerabilities listed in the manifest file, Endor Labs takes a different approach: it performs program analysis to build call graphs and treats the statically analyzed code, rather than the manifest, as the source of truth. By giving priority to dependencies actively used by the application, Endor Labs attempts to provide a more precise assessment of the vulnerabilities present in the developed code. In addition to treating all components as dependencies, Endor Labs extends this approach to CI/CD processes, providing visibility into the tools used in the pipeline. All of this helps coders identify sanctioned and unsanctioned tools, ensuring better security compliance. Additionally, Endor Labs assesses the position of repositories in the CI/CD pipeline and supports artifact signing for compliance attestations, further strengthening security measures.
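To make the reachability idea concrete, here is a small worked example (added for illustration; it is not Endor Labs’ code and uses a constructed call graph and placeholder advisory IDs rather than any real product data or API). It walks a caller-to-callee graph from the application’s entry point and reports, for each advisory, whether the vulnerable function is actually on a call path, so a finding that exists only in the manifest can be deprioritized:

```python
"""Reachability-based vulnerability triage (added illustration).

Assumes a call graph already extracted by static analysis. The graph and
advisories below are constructed for the example; they are not Endor Labs'
data, and the ADV-* identifiers are placeholders.
"""
from collections import deque

# Constructed call graph: caller -> callees. "app.*" is first-party code;
# everything else lives in direct or transitive dependencies.
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.render_report"],
    "app.handle_upload": ["yaml.safe_load", "imgkit.resize"],
    "app.render_report": ["tmpl.render"],
    "tmpl.render": ["tmpl._escape"],
    "imgkit.resize": ["libpng.decode"],      # transitive dependency
    "yaml.safe_load": ["yaml._parse"],
    # declared in the manifest but never invoked by the application
    "yaml.unsafe_load": ["yaml._construct_python_object"],
    "libpng.decode": [],
    "libpng.write": [],
}

# Constructed advisories: (placeholder id, vulnerable function).
ADVISORIES = [
    ("ADV-0001", "yaml._construct_python_object"),
    ("ADV-0002", "libpng.decode"),
    ("ADV-0003", "libpng.write"),
]


def find_path(graph, start, target):
    """Breadth-first search from start; return the shortest call path to target,
    or None when target is not reachable."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            return path
        for callee in graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None


def triage(graph, advisories, entry_points):
    """Map each advisory id to the shortest call path from any entry point,
    or None when the vulnerable function is unreachable."""
    results = {}
    for adv_id, func in advisories:
        best = None
        for entry in entry_points:
            path = find_path(graph, entry, func)
            if path and (best is None or len(path) < len(best)):
                best = path
        results[adv_id] = best
    return results


def prioritized(graph, advisories, entry_points):
    """Split advisories into (reachable, unreachable); reachable ones are
    ordered by call-path length, shortest first."""
    res = triage(graph, advisories, entry_points)
    reachable = sorted((a for a, p in res.items() if p), key=lambda a: len(res[a]))
    unreachable = sorted(a for a, p in res.items() if not p)
    return reachable, unreachable


if __name__ == "__main__":
    for adv, path in triage(CALL_GRAPH, ADVISORIES, ["app.main"]).items():
        print(adv, " -> ".join(path) if path else "not reachable from app.main")
```

In this toy graph only ADV-0002 is reachable (via `app.handle_upload -> imgkit.resize -> libpng.decode`, a transitive dependency the manifest alone would not expose as used), while ADV-0001 and ADV-0003 affect functions the application never calls. A real tool has to cope with dynamic dispatch and reflection, which this BFS over a static edge list does not model.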

Lineaje ensures the discovery of implicit dependencies

Led by founders with expertise in developing endpoint and runtime software, Lineaje works to provide comprehensive security management of the software supply chain. Following incidents like the SolarWinds hack and the XZ Utils backdoor, Lineaje was designed to address vulnerabilities in software chains and build pipelines, areas typically inaccessible to runtime software. Lineaje’s unified platform can dissect any object, whether source code, package, or container, to reveal its component structure or dependency tree and submit it for analysis by a variety of Lineaje’s open source and proprietary probes. The platform then aggregates this data and uses an artificial intelligence module to analyze it. Lineaje not only works within the internal CI/CD pipeline, but also extends to open source components coming from external CI/CD pipelines. Based on its analyses, Lineaje estimates that around 56% of vulnerabilities in the open-source ecosystem are not fixed. Often, developers unintentionally introduce obsolete or abandoned open-source components into their pipeline, leading to a cascade of vulnerabilities.

Lineaje’s depth in discovering dependencies beyond the package level – discovering implicit dependencies – is crucial. With this capability, Lineaje can perform in-depth analyses of open source components. For each identified component, Lineaje relies on fingerprint verification to trace its origin and validate its authenticity, ensuring that the component comes from a reputable repository and a specific commit ID. Lineaje first examines the entire lineage of the component for possible tampering, then uses fingerprint-based attestation to map software integrity levels and assess tampering risk. This meticulous process generates a comprehensive Software Bill of Materials (SBOM) and a data repository that is easily accessible via Lineaje’s query capabilities. These queries can be turned into policies that prioritize actions, aided by Lineaje’s AI module, which helps plan the next release while reducing vulnerabilities.

Myrror Security detects code anomalies

This startup focuses on detecting software supply chain attacks. Its solution performs a thorough comparison between the binary code and the corresponding source code, with the aim of identifying any anomalies, because ideally there should be none in the binary version ready to be deployed to production. Such an approach could have avoided incidents like the SolarWinds and XZ Utils attacks, Myrror representatives said. Myrror analyzes the source code and compares it to the binary version, using a software bill of materials generated from the source code. This process helps identify vulnerabilities within the SBOM, and therefore assess how reachable they are and what threats they pose to the code base. Although Myrror recognizes the importance of Software Composition Analysis (SCA) and SBOMs, its primary focus remains the detection and prevention of malicious code and attacks.

Scribe Security captures code-related activities

A security platform for the software supply chain, Scribe Security leverages attestation-based technology (SBOM at every stage of the development process) to detect and prevent tampering while providing signed evidence for assurance of compliance. Deployed throughout the Software Development Life Cycle (SDLC), Scribe captures comprehensive evidence of all code-related activities. This information is then synthesized into a knowledge graph, providing insight into product, pipeline, and process dynamics. Customers can effectively manage risk and trust using Scribe’s analytics, which enable automated risk mitigation within the SDLC.

Seal Security adapts patches

Focused on correcting open source vulnerabilities, this start-up provides patch remediation. However, instead of requiring developers to seek software updates to address vulnerabilities, Seal takes the latest security patches and makes them backward compatible with all previously affected versions of the library, then makes these standalone patches available to developers so that they can apply them as part of the build process. This approach streamlines remediation for developers and application security teams because engineers can now automatically remediate vulnerabilities during the build process, significantly reducing the time typically spent coordinating between these teams.

Tromzo aggregates data on vulnerabilities

This startup is focused on accelerating remediation, integrating security scanners, vulnerability scanners, cloud platforms and code repositories to establish a single source of truth for all vulnerabilities present in the business. Because Tromzo aggregates and correlates all of this data, it is aware of all the different assets that exist – repositories, software dependencies, SBOMs, containers, microservices, etc. So, when Tromzo examines vulnerabilities, it can deduce those that present the most risk (taking into account the customer’s own risk profile, such as whether the asset is a critical application or whether it potentially contains sensitive or personally identifiable information), giving Tromzo a view of risk across the entire software supply chain. From there, the start-up automates triage so that the highest-risk vulnerabilities are corrected first.
