Software supply chain attacks continue to be the soft underbelly of cybersecurity
by David Fairman, Venture Partner, SixThirty
In 2021, $21.8 billion in venture capital poured into cybersecurity companies. As we connect and collaborate, we are ever expanding the attack surface of our data, our work and our identity. A cloud-first, mobile-first, API-first world, with constantly evolving DevOps and a hybrid work environment, requires that we urgently transform the security programs and capabilities that protect our data and technology assets and support our digital strategies. Overlay this with an ever-increasing threat landscape, where the volume and sophistication of attacks continue to grow at an exponential rate, and the result is a perfect storm in which threat actors thrive and organizations struggle to keep pace.
Digital transformation has changed how organizations develop their applications and write code. The way in which code is developed today is drastically different from the past. Open-source software has enabled developers to accelerate release schedules, and DevOps processes assist developers through standards enforcement, testing and build automation. This combination enables the automated use of untrusted software via dependencies from unknown authors on the Internet, increasing the security team's burden to manage risk at the same pace. Recent attacks have shown that we can no longer rely solely on software composition analysis products, which focus on known software vulnerabilities, to defend the complete attack surface of the open-source software supply chain.
Recent attacks and high-profile vulnerabilities such as SolarWinds, Kaseya and Log4j have highlighted just how vulnerable the supply chain is. The May 2021 Biden executive order highlighted supply chain attacks as an area of concern. More recently, on January 13, 2022, a White House summit involving representatives of the U.S. government and major tech companies discussed open-source software security. The 2021 Software Supply Chain Security Report, written by Argon, an Aqua Security Company, suggests that software supply chain attacks tripled in 2021 compared to 2020. This trend is expected to continue and to remain a staple of criminal activity.
Phylum’s mission is to secure the universe of code, starting with the open-source supply chain. The company leverages an offensive-security mindset that enables the best defensive products for its customers.
Phylum is differentiated from other solutions in the application security space by the broader view it takes on software supply chain risks. Where software composition analysis tools largely focus on reporting known vulnerabilities and licensing risks, Phylum understands the provenance of package components, accounts for author interactions that lead to package releases, and proactively scans for malicious code.
Phylum, headquartered in Evergreen, Colorado, was founded in 2020 by Aaron Bray, Louis Lang and Peter Morgan, who are all career security researchers and developers with an accomplished history in cyber offense.
Experienced in both commercial and government sectors, the team observed the rise in open-source usage and associated risk in the software supply chain, and created Phylum to combat the threats that continue to go unaddressed using traditional methods.
As the software supply chain continues to be a high-risk area of concern for both organizations and governments, and with threat actors increasingly exploiting this attack vector, the cyber industry requires much-needed focus and innovative solutions, and it needs them fast! Phylum has the team, the expertise and the solution to take on this challenge, and SixThirty will be here to support them in this time of critical need.