Forget SBOM, DevSecOps teams need PBOM to stop cyber attacks 

Software supply chain security is one of those concerns that won’t go away. With software supply chain attacks increasing 300% in 2021, it’s clear that organizations not only have to worry about the vulnerabilities in their own environments, but those that reside within the systems of trusted suppliers too. 

In light of Biden’s executive order in May 2021, many organizations are looking to build Software Bill of Materials (SBOM) to take inventory of their environments and increase transparency over potential vulnerabilities to avoid compliance liabilities. Yet end-to-end software supply chain security platform provider, OX Security argues this isn’t enough. 

OX Security, which today announced it has raised $34 million, claims to have created a new open standard, the Pipeline Bill of Materials (PBOM), which not only inventories the code of the final product, but also the procedures and processes that contributed to the software’s development. 

For enterprises, PBOM has the potential to secure the development pipeline from end-to-end, through planning to deployment and production, monitoring each stage of the development lifecycle to identify vulnerabilities in the software supply chain. 

So how does PBOM work? 

OX Security’s approach to PBOM centers around a platform that can connect to an organization’s code repository, scanning the environment to take inventory of everything from the first line of code produced to production. 

In practice, this involves mapping assets, apps, and pipelines, identifying what security tools are in use, while highlighting any security issues found, and prioritizing their remediation based on severity.

One of the key underlying principles of PBOM is automation, and offering users automatic fixes and remediations so they can address security issues at scale. 

“Most security teams are severely understaffed, don’t have proper visibility, and have a large backlog of issues that they struggle to prioritize and address. You end up with dev tools and processes that are outside of the control and ownership of the security teams – Shadow Dev and DevOps,” said Co-Founder and CEO of OX Security, Neatsun Ziv. 

“This leaves the software supply chain exposed to risks and security teams do not have the visibility, context or automation necessary to ensure the security and integrity of every build at scale,” Ziv said. 

By maintaining continuous visibility developers can prioritize addressing the most important risks in the software supply chain and ensure the security of CI/CD elements like code repos, build servers, and artifact registry.

The SBOM market 

OX Security is mainly computing against organizations that provide a way to generate SBOMs. 

One of the provider’s main competitors is Legit Security , which offers a platform with risk scoring for CI/CD pipelines. The platform offers the ability to automatically discover SDLC assets, dependencies and pipeline flows, to display them in graph form and offer a complete software inventory. 

At the start of this year, Legit Security announced raising $30 million as part of a Series A funding round. 

Another competitor is Apiiro, with Apiiro Risk Assessment, which enables the user to build an application inventory, automated risk assessment questionnaires they can use to assess the security of the software supply chain. 

Aiiro’s solution can also automatically identify and prioritize risks such as design flaws, code secrets, IaC misconfigurations and exploitable APIs. The company most recently announced raising $35 million as part of a Series A funding round in 2020. 

The main differentiator between OX Security’s platform and these competitors is its focus on PBOM. 

“Most tools generate SBOMs – which may be sufficient for compliance in the future. But our mission is to prevent attacks across the software supply chain and consuming an SBOM is not enough to ensure the security and integrity of each build,” Ziv said.