Some of the most well-known cyber-attacks in recent years have come from the same arena – supply chain attacks. These attacks put many products at risk. They are very difficult to defend against and they usually take advantage of popular tools – such as Log4j or SolarWinds. A new Israeli startup thinks it has the solution, and it is announcing a new funding round.
A new standard to prevent supply chain attacks
The new Israeli startup Ox Security has developed a platform designed to protect companies from supply chain attacks, based on a new standard it has developed. The product secures the CI/CD pipeline across all of its components and covers four stages: identification, prioritization, prevention of the attack, and securing the system. Ox's platform automates checks intended to ensure that new problems do not enter the product, prioritizes the problems already found by importance in a way that simulates the work of an analyst, and independently discovers "shadow" activities by attackers.
"Until now, there were no good tools to deal with this type of attack, so the AppSec and DevSecOps teams had to deal with the attacks manually, with scripts or try to draw partial conclusions from endless reports from the tools they already have. Since hundreds of attacks on the software supply chain have been recorded, the task of defending against them becomes almost impossible," says Neatsun Ziv, the company's CEO and one of the founders, in a conversation with Geektime.
Ox, as mentioned, is developing a new standard called PBOM (Pipeline Bill of Materials), which is meant to improve on the existing standard, SBOM, under which companies have to hand over a long list of all their software materials in order to secure them properly. "SBOM is like a big Excel doc that contains four columns: the name of the software product, its version, what license it requires, and whether there are known vulnerabilities. But these details aren't enough to help deal with software supply chain issues. The new standard that we are working on with several strategic partners contains thousands of 'columns' of information that enable the best coverage against this type of attack," says Ziv.
According to Ziv, famous supply chain attacks from recent years, such as SolarWinds, Log4Shell and the like, are attacks that until now could only be dealt with partially. He claims that there are no tools other than theirs that can prevent attacks where the penetration is done through the CI/CD pipeline. Since such a tool has been lacking, many organizations have built one for themselves. Ziv adds: "For every component in production, we make sure that every piece of code that is released goes through a HASH test that guarantees the integrity of the code from the first line until release in production. We still see a lot of Log4j in production even though it is an attack that has been documented for over 9 months. But while the code has been fixed, it has never been fully deployed, so organizations are still exposed."
A massive seed round
Ox Security was founded just this year by Ziv (CEO) and Lior Arzi (CPO); the two previously managed Check Point's cyber division. Last week (Thursday), the startup came out of stealth with a huge seed round of $34 million led by Team8, Microsoft's investment arm M12, and Evolution Equity Partners. The Rain Capital fund also participated in the round. Ox has about 30 employees and, as of today, more than 30 companies are already using its platform.