Tel Aviv, Israel, 29 September 2022 — Ox Security, the end-to-end supply chain security platform for DevSecOps, emerged from stealth today with $34 million in funding led by Evolution Equity Partners, Team8 and M12, a Microsoft venture fund, with participation from Rain Capital. OX was founded less than a year ago by Neatsun Ziv and Lior Arzi, two top executives at Check Point. Its platform is now used by over 30 leading companies to secure their software supply chains, including Kaltura and Bloomreach.
An increase in software supply chain attacks, such as the SolarWinds hack, sparked last year’s executive order requiring suppliers to provide a Software Bill of Materials (SBOM). This software “ingredient list” can help security teams understand whether a newly discovered vulnerability affects them. However, industry experts warn that it is not comprehensive enough to prevent attacks or to meet the challenges of securing today’s dynamic software supply chains.
“The introduction of SBOM is an important step, but it is not enough to ensure the security and integrity of software supply chains,” said Admiral Mike Rogers, former director of the NSA. “Recent high-profile breaches – such as those affecting SolarWinds, Codecov and Log4j – could not have been detected or prevented with the static list of software components contained in SBOM. There is a real risk of providing a false sense of protection by having a compliance standard that does not equate to security.”
To address these issues, OX is developing a new open standard, PBOM, in collaboration with leading cybersecurity companies. A Pipeline Bill of Materials (PBOM) incorporates the SBOM, but goes further, encompassing not only the code in the final product, but also the procedures and processes that influenced the software during its development. OX and its partners undertook an in-depth investigation into the root causes of more than 70 attacks since last year. They specifically designed the PBOM to contain the information that would be needed to prevent any of the latest attacks.
OX’s platform is the first product to use the PBOM standard to ensure end-to-end security of the software supply chain, enabling it to cover every step of development, from the earliest stages of planning to deployment to production. OX integrates seamlessly with existing tools and infrastructure to monitor and record every action affecting software throughout the development lifecycle. It gives security and DevOps teams complete visibility and control over the attack surface, including source code, pipeline, artifacts, container images, runtime assets, and applications.
“Developers and DevOps are making constant changes to the software supply chain, adding new tools, open source components and SaaS services,” said Neatsun Ziv, CEO and co-founder of OX. “The OX platform gives DevSecOps teams real-time, end-to-end visibility into all aspects that impact software across the entire pipeline, so they have the context and control they need to ensure security.”
OX connects to an organization’s code repository and performs a code-to-cloud environment scan to automatically create a complete mapping of assets, applications and pipelines. OX identifies which security tools are in use, verifies that they are all connected and working, and determines whether additional tools are needed. After scanning, OX presents all detected security issues, prioritized by business impact, along with context, automated fixes and recommendations, enabling DevSecOps teams to work through their cybersecurity backlog. The PBOM, which includes the SBOM, version origin, SaaSBOM, build hashes, and more, can be automatically generated and shared with internal stakeholders or customers so that they can in turn verify that the software they use comes from reliable, secure builds.
“Ox Security is addressing a critical challenge facing companies today and is uniquely positioned to become a leader in its space,” said Nadav Zafrir, managing partner at Team8 Group and former head of Israel’s elite 8200 intelligence unit. “We are to join forces with Neatsun and Lior. The revolutionary PBOM standard enables the OX platform to provide unparalleled security coverage, and I have no doubt that PBOM will be widely adopted in the industry.”
“Supply chain attacks are increasing and the attack surface is increasing,” said Moni Hassid, managing partner at M12, Microsoft’s venture fund. “When it comes to software security and integrity, you have to look beyond what components were used and consider the overall security posture throughout the development process. Ox Security is pioneering a standard that will be transformative for supply chain security. We are proud to work with OX to improve software security.”
“The cybersecurity industry has been playing catch-up until now, pursuing a never-ending process of patching production environments and chasing alerts, issues and fixes,” said Karthik Subramanian, general partner at Evolution Equity Partners. “OX’s innovative approach brings control back to DevSecOps teams by providing visibility and full control over an organization’s code. The level of innovation in the OX platform is truly remarkable and provides value for everyone in an organization, from developers to DevSecOps teams to executives.”
“I believe the PBOM standard will turn the tide,” said Mario Duarte, vice president of security at Snowflake. “I’m proud to be involved in a project that could have such a big impact on the future security landscape, and to share our knowledge and experience.”
“OX is truly changing the way software supply chains are secured by ensuring that all code comes from secure and trusted builds,” said Naor Penso, senior director of product security at leading applied analytics company FICO. “The OX platform prevents software supply chain attacks while accelerating and streamlining development. The PBOM framework created by OX extends traditional SBOM with contextual knowledge and a true end-to-end pipeline, resulting in assurance of software security throughout its lifecycle.”
Ox Security emerges from stealth with $34M to provide end-to-end software supply chain security