• Ox Security claims to have developed a new open standard, the PBOM, which catalogs not only the software’s source code but also the methods and processes of its development.

The security of the software supply chain is one of those problems that will persist. In light of an increase in software supply chain assaults by 300% in 2021, businesses must be concerned not only about the vulnerabilities in their environments but also those inside the systems of trusted suppliers.

As a result of Biden’s executive order in May 2021, some businesses are attempting to build software bills of materials (SBOMs) to take inventory of their environments and boost transparency over possible vulnerabilities to avoid compliance liabilities. However, Ox Security, a vendor of an end-to-end software supply chain security platform, maintains that this is insufficient.

Ox Security, which announced that it had secured USD 34 million, claims to have developed a new open standard, the pipeline bill of materials (PBOM), which catalogs not only the software’s source code but also the methods and processes of its development.

For companies, PBOMs can safeguard the development pipeline from end to end, from planning to deployment and production, monitoring each stage of the software supply chain development life cycle for vulnerabilities.

So how do PBOMs work? 

Ox Security’s solution to PBOMs is centered around a platform that can connect to a company’s code repository and scan the environment to take inventory of everything from the first line of code written until production.

In reality, this entails mapping assets, applications, and pipelines, identifying the security tools in use and highlighting any security vulnerabilities discovered; and prioritizing the remedy of security issues depending on their severity.

One of the core ideas driving the PBOM is automation: Providing users with automatic patches and remediations to handle security vulnerabilities at scale.

Neatsun Ziv, co-founder and CEO of Ox Security, said, “Most security teams are severely understaffed, don’t have proper visibility, and have a large backlog of issues that they struggle to prioritize and address. You end up with dev tools and processes outside the control and ownership of the security teams — shadow dev and DevOps. This leaves the software supply chain exposed to risks, and security teams do not have the visibility, context or automation necessary to ensure the security and integrity of every build at scale.”

By maintaining continuous visibility, developers can prioritize resolving the most significant software supply chain issues and safeguard the security of CI/CD elements such as code repositories, build servers, and artifact registries.

The SBOM market 

Primarily, Ox Security computes against firms that offer a means to create SBOMs.

Legit security, which provides a platform with a risk score for CI/CD pipelines, is one of the provider’s primary rivals. The platform can automatically find software development life cycle (SDLC) assets, dependencies, and pipeline flows, show them in graph form, and provide a comprehensive software inventory.

At the beginning of this year, Legit Security announced a series A funding round of USD 30 million.

Apiiro, with Apiiro Risk Assessment, is another rival that enables the user to develop an application inventory and automated risk assessment questionnaires that can be used to evaluate the security of the software supply chain.

Apiiro’s solution can also automatically find and rank vulnerabilities like design flaws, code secrets, IaC misconfigurations, and vulnerable APIs. The startup announced it would get USD 35 million in series A investment in 2020.

The primary distinction between Ox Security’s platform and its competitors is its emphasis on PBOMs.

Neatsun Ziv further stated, “Most tools generate SBOMs — which may be sufficient for compliance in the future. But our mission is to prevent attacks across the software supply chain, and consuming an SBOM is not enough to ensure the security and integrity of each build.”