Image Credit: Andriy Onufriyenko // Getty Images

Securing the software supply chain is one of the security industry’s top priorities at the moment. Since President Biden’s Executive Order on Improving the Nation’s Cybersecurity in 2021, vendors of all sizes have begun to invest in improving the open-source software ecosystem. 

One of the challenges of securing software development is ensuring that developers have the automated capabilities necessary to assess the security of code before they push it live. 

>>Don’t miss our new special issue: Zero trust: The new security paradigm.<<

Providers like DevSecOps automation platform, BoostSecurity, which announced it has raised $8.5 million as part of a funding round led by Sorenson Capital, enable developers to identify vulnerabilities and misconfiguration in their code, so they can optimize the CI/CD pipeline without putting the software supply chain at risk. 

Automating vulnerability discovery 

The announcement comes as many organizations are continuing to ship insecure software components, with research showing that 50% of apps have security vulnerabilities. 

By providing developers with a solution to automatically identify vulnerabilities and misconfigurations, BoostSecurity is designed to help verify the integrity of the software supply chain. 

“BoostSecurity helps customers easily and rapidly transform their existing software supply chains into more secure software supply chains,” said founder and CEO at BoostSecurity, Zaid Al Hamami. 

“It does so by injecting the right security technologies at the various layers in the technology stack, implementing the various necessary workflows for dealing with security issues as they emerge daily, and providing security champions and teams the control and visibility they need to ensure that the software supply chain is indeed secure,” Hamami said. 

Hamami also notes that the solution directly addresses weaknesses in the software chain itself, identifying vulnerabilities in Development, Build, Test and Release infrastructure so that developers can harden the software development lifecycle against potential threats. 

Solutions securing the software development lifecycle 

However, BoostSecurity isn’t the only provider aiming to secure the software development lifecycle. Competitors like Legit Security confront this challenge with an SaaS-based solution that provides risk scoring for vulnerabilities across CI/CD pipelines, code and SDLC systems. 

Legit Security’s solution offers the ability to automatically discover SDLC assets, dependencies and pipeline flows, and most recently raised $30 million as part of a series A funding round. 

Another competitor is Apiiro, which offers its own CI/CD security platform, designed to visualize the software development lifecycle. Through a single risk graph, users can monitor application components, developer identities and pipelines to view a map of their entire attack surface, while scanning code with artificial intelligence (AI) to identify potential risks. 

Apiiro most recently raised $100 million as part of a series B funding round. 

One of the key differentiators between BoostSecurity and other competitors is its focus on the developer experience. 

“The developer does not have to create new accounts, log in to portals, use an IDE plugin or run a tool locally. They continue to work the way they did in the past. With BoostSecurity, they can expect to get relevant information in a timely manner, with very low false positives, and easily understandable, actionable documentation,” Hamami said.