VC-backed up-and-comers zero in on devsecops, the software supply chain, and securing the software development life cycle.

The innovation hub of RSAC 2024, the RSAC Early Stage Expo was specifically designed to showcase emerging players in the information security industry. Among the 50 exhibitors crammed into the second floor booth space, seven VC-backed up-and-comers in application security and devsecops caught our eye.

AppSentinels

AppSentinels touts itself as a comprehensive API security platform, covering the entire application life cycle. The product conducts thorough analyses of the application’s activities and examines its workflows in detail. Once the AppSentinels product understands the workflows, it can test them against a variety of potential flaws, and it also uses this information to protect against complex business logic attacks in production environments.

AppSentinels said its team has developed intricate models capable of understanding the functionality of each of your company’s applications, as well as the internal workflows and processes, to bolster their protection. Armed with this understanding of successful process workflows, AppSentinels can thwart potential attacks. The product uses multiple AI models, including graph logic models, unsupervised clustering models, and state space models, to fortify both the workflow and the applications themselves.

Endor Labs

Endor Labs operates as a software supply chain security company, with a primary focus on enhancing developer productivity. The company aims to streamline the developer’s workflow, saving both time and money by prioritizing alerts and vulnerabilities effectively. Unlike other tools that inundate developers with false positives, leading to fatigue, Endor Labs strives to provide clear guidance on what issues to address first and to facilitate swift resolution.
Endor Labs employs reachability analysis to understand the functions called by packages and their dependencies, tracing the entire call path to identify specific dependencies used by different versions of a package. Furthermore, Endor Labs assesses if a piece of code with a vulnerability is actively used in the application, offering accurate insights beyond what is merely declared in the manifest file. While some security tools focus on vulnerabilities listed in the manifest file, Endor Labs takes a different approach by conducting program analysis to establish call graphs and identify statically developed code as the source of truth. By prioritizing the dependencies actively utilized by the application, Endor Labs aims to provide a more accurate assessment of vulnerabilities present in the developed code.

In addition to treating all components as dependencies, Endor Labs extends this approach to CI/CD processes, offering visibility into tools utilized in the pipeline. This helps developers identify sanctioned and unsanctioned tools, ensuring better security compliance. Moreover, Endor Labs evaluates the posture of repositories within the CI/CD pipeline and supports the signing of artifacts for compliance attestations, further enhancing security measures.

Lineaje

Lineaje aims to provide comprehensive software supply chain security management, driven by founders with expertise in endpoint and runtime software development. Stemming from concerns over incidents such as the SolarWinds hack and the XZ Utils backdoor, Lineaje was conceived to address vulnerabilities within software chains and build pipelines, areas typically inaccessible to runtime software. Lineaje’s unified platform can dissect any object—be it source code, package, or container—to unveil its component structure or dependency tree and subject it to analysis using a variety of scanners, including both open source and Lineaje’s proprietary ones.
It then aggregates this data and employs an AI module to scrutinize it. Lineaje operates not only within the internal CI/CD pipeline but also extends to the consumption of open-source components sourced from external CI/CD pipelines. One alarming discovery by Lineaje is that approximately 56% of vulnerabilities in the open-source ecosystem remain unaddressed. Often, developers unwittingly introduce outdated or abandoned open-source components into their pipelines, resulting in a cascade of vulnerabilities.

Lineaje’s depth in discovering dependencies beyond the package level—uncovering implicit dependencies—is crucial. This capability enables Lineaje to conduct thorough scanning and analysis of open source components. For each component identified, Lineaje employs fingerprint-based verification to trace its origin and validate its authenticity, ensuring that the component originates from a reputable source repository down to a specific commit ID. Lineaje reviews the entire lineage to detect potential upstream tampering, then utilizes fingerprint-based attestation to map software integrity levels, gauging tamperability risks.

This meticulous process generates a comprehensive SBOM (software bill of materials) and data repository easily accessible via Lineaje’s querying capabilities. Queries can be transformed into policies, prioritizing actions, aided by Lineaje’s AI module, which assists in planning the company’s next release while concurrently reducing vulnerabilities.

Myrror Security

Myrror Security focuses on detecting software supply chain attacks. It conducts a thorough comparison between binary code and its corresponding source code, aiming to identify any discrepancies, as ideally there should be none in the binary version ready for production deployment. This approach could have prevented incidents such as the SolarWinds and XZ Utils attacks, Myrror representatives said.
Myrror analyzes the source code and compares it with the binary version, using a software bill of materials generated from the source. This process helps identify vulnerabilities within the SBOM, enabling the assessment of attack reachability and potential threats to the code base. While Myrror recognizes the importance of software composition analysis (SCA) and SBOM, its primary focus remains on detecting and preventing malicious code and attacks.

Scribe Security

Scribe Security provides a software supply chain security platform, leveraging attestation-based technology (an SBOM at every stage of the development process) to detect and prevent tampering while providing signed evidence for compliance assurance. Deployed across the entire software development life cycle (SDLC), Scribe captures comprehensive evidence of all code-related activities. This information is then synthesized into a knowledge graph, offering insights into product, pipeline, and process dynamics. Customers can effectively manage risk and trust using Scribe’s analytics, which enable automated risk mitigation within the SDLC framework.

Seal Security

Seal Security focuses on open-source vulnerability patching. However, instead of having developers chase software updates to remediate the vulnerabilities, Seal takes the latest security patches and makes them backwards compatible with all previously affected versions of the library, making those stand-alone patches readily available to developers to consume as part of the build process. This streamlines the patching process for developers and application security teams, as engineers can now automatically address vulnerabilities during the build process. Consequently, the time typically spent coordinating between these teams is significantly reduced.
Tromzo

Tromzo focuses on accelerating remediation, integrating with security scanners, vulnerability scanners, cloud platforms, and code repositories to lay out a single source of truth for all the vulnerabilities you may have in your enterprise. Because Tromzo aggregates and correlates all that data, it knows all the different assets that you have—repos, software dependencies, SBOMs, containers, microservices, etc.—and who owns them. Thus, when Tromzo looks at the vulnerabilities, it can help deduce which ones carry more risk (along with customer input to the risk, based on whether it’s a business-critical application, or potentially has sensitive or personally identifiable information), which gives Tromzo a risk view of the entire software supply chain. From there Tromzo automates the triage to fix the riskiest vulnerabilities first.
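Both Endor Labs and Myrror describe deciding whether a vulnerable dependency function is actually reachable from the application rather than merely declared in the manifest. As an added illustration of that idea (not either vendor's code), the following Python builds a call graph from constructed sample modules with the standard `ast` module and reports only the vulnerable functions on a call path from the entry point; the module names, functions and advisory set are all hypothetical.

```python
import ast
from collections import deque

# Constructed sample (not a real project): an application plus two dependencies
# its manifest would declare. Only libparse.load is on a call path from main();
# libimg.decode is only called from dead code.
SOURCES = {
    "app": "import libparse, libimg\n"
           "def main():\n    return handle(b'data')\n"
           "def handle(blob):\n    return libparse.load(blob)\n"
           "def unused():\n    return libimg.decode(b'')\n",
    "libparse": "def load(b):\n    return b\n",
    "libimg": "def decode(b):\n    return b\n",
}
# Hypothetical advisory data: functions with a known vulnerability.
VULNERABLE = {"libparse.load", "libimg.decode"}

def build_call_graph(sources):
    """Map 'module.func' -> set of 'module.func' it calls. Resolves mod.attr(...)
    to the named module and bare name(...) to the same module (simple resolver)."""
    graph = {}
    for mod, src in sources.items():
        for node in ast.parse(src).body:
            if not isinstance(node, ast.FunctionDef):
                continue
            callees = set()
            for sub in ast.walk(node):
                if not isinstance(sub, ast.Call):
                    continue
                f = sub.func
                if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                    callees.add(f"{f.value.id}.{f.attr}")
                elif isinstance(f, ast.Name):
                    callees.add(f"{mod}.{f.id}")
            graph[f"{mod}.{node.name}"] = callees
    return graph

def reachable_from(graph, entry):
    """Breadth-first walk of the call graph from an entry point."""
    seen, todo = set(), deque([entry])
    while todo:
        cur = todo.popleft()
        if cur not in seen:
            seen.add(cur)
            todo.extend(graph.get(cur, ()))
    return seen

def reachable_vulns(sources, entry, vulnerable):
    """Vulnerable functions actually reachable from entry; the rest are declared but unreached."""
    return sorted(vulnerable & reachable_from(build_call_graph(sources), entry))
```

A manifest-only scanner would flag both dependencies here; the call-graph walk shows that only `libparse.load` is on a path from `app.main`, which is the kind of prioritisation signal the vendors above describe.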