Lexumo, developer of the world’s first automated cloud-based service for continuously monitoring software for vulnerable open source components, has closed $4.89M in seed funding from Accomplice, .406 Ventures, and Draper. Lexumo continuously searches and indexes software to immediately identify publicly known open source vulnerabilities that can cause theft of sensitive data, failure of critical systems, and brand damage. Lexumo’s cloud-based service integrates transparently with existing software development workflows, does not require access to source code, and provides specific, actionable recommendations for remediation. Lexumo’s new funding will be used to further develop and commercialize the platform and to build the company’s sales and marketing teams.
“To gain speed and agility, the vast majority of development organizations today assemble software from reusable software ‘building blocks’ which are downloaded from open source repositories. Yet many of these components contain published vulnerabilities which are extensively described in public forums and vulnerability databases – providing cyber attackers with a clear roadmap to attack critical systems, devices, and enterprise applications,” said Brad Gaynor, Ph.D., CEO and co-founder of Lexumo. “The funding is a validation of our scalable, cloud-based approach to identifying and eliminating open source vulnerabilities in a new and innovative way.”
According to industry analysts, open source software (OSS) is now used for mission-critical IT by 95 percent of all mainstream IT organizations, as well as in 85 percent of all commercial software packages. Yet in 2014 there were approximately 52 million downloads of vulnerable components from the Central Repository, which supplies widely used shareable components developed by open source organizations such as The Apache Software Foundation, Atlassian, RedHat (JBoss), and Oracle (Java). When these vulnerable components are integrated into a company’s software, its products and applications inherit the published weaknesses.
Originally developed at Draper with DARPA funding, Lexumo’s “Big Code” technology combines big data analytics with software analysis techniques. The approach uses indexed search to continuously identify deep commonalities between the hundreds of millions of lines of open source code available today and the software used in a particular system, device or application. It then identifies exactly which open source components and versions are present in the code, with a high level of granularity and accuracy. Drill-downs provide detailed information about each vulnerability and its location in the code, along with automatically generated instructions to patch it.
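To make the matching step above concrete, here is an added toy example (not Lexumo’s code, and not a description of its actual implementation): a fingerprint index is built over token shingles of known component versions, an artifact is scanned for the fraction of each version’s shingles it contains, and the best match is mapped to an advisory table. The “tinyhttp” component, its two versions, the artifact and the advisory text are all constructed for this illustration; a production system would fingerprint binaries and string tables rather than source text, and would carry a far larger index.

```python
"""Toy component-fingerprint index (constructed example, hypothetical data).

Identify which open source component and version is embedded in an artifact,
then look up advisories for the matched version. Every component, version,
snippet and advisory below is made up for this illustration.
"""
import hashlib
import re
from collections import defaultdict

SHINGLE_SIZE = 4  # tokens per shingle; larger k is more specific, less tolerant


def tokenize(text):
    """Keep identifiers and numbers (the material that survives compilation
    as symbol names and string/constant tables); drop punctuation."""
    return re.findall(r"[A-Za-z_][A-Za-z0-9_]*|\d+", text)


def shingles(tokens, k=SHINGLE_SIZE):
    """Hash every k-token window so the index stores fixed-size fingerprints."""
    return {
        hashlib.sha1(" ".join(tokens[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(tokens) - k + 1)
    }


# Constructed corpus: two versions of a hypothetical "tinyhttp" library.
# 1.0 copies without a bound and ships a helper that 1.1 removed.
CORPUS = {
    ("tinyhttp", "1.0"): """
        int parse_header(char *buf, int len) { char tmp[64]; strcpy(tmp, buf); return 0; }
        int legacy_chunk(char *p) { return p[0] == 'x'; }
    """,
    ("tinyhttp", "1.1"): """
        int parse_header(char *buf, int len) { char tmp[64]; if (len >= 64) return -1; strncpy(tmp, buf, len); return 0; }
    """,
}

# Constructed advisory table keyed by (component, version); hypothetical label.
ADVISORIES = {
    ("tinyhttp", "1.0"): ["EXAMPLE-ADVISORY-001: unbounded copy in parse_header (fixed in 1.1)"],
}


def build_index(corpus):
    index = defaultdict(set)  # fingerprint -> {(component, version)}
    sizes = {}                # (component, version) -> number of fingerprints
    for key, src in corpus.items():
        fps = shingles(tokenize(src))
        sizes[key] = len(fps)
        for fp in fps:
            index[fp].add(key)
    return index, sizes


INDEX, SIZES = build_index(CORPUS)


def identify(artifact_text, min_containment=0.5):
    """Score each indexed version by the fraction of its fingerprints found in
    the artifact (containment), and return matches above the threshold,
    best first. A sibling version that shares unchanged functions will score
    partially; the threshold is what separates 'present' from 'similar'."""
    hits = defaultdict(int)
    for fp in shingles(tokenize(artifact_text)):
        for key in INDEX.get(fp, ()):
            hits[key] += 1
    scored = {key: n / SIZES[key] for key, n in hits.items()}
    return sorted(((k, s) for k, s in scored.items() if s >= min_containment),
                  key=lambda kv: -kv[1])


def advisories_for(matches):
    return [adv for key, _ in matches for adv in ADVISORIES.get(key, [])]


# Constructed artifact: application code with tinyhttp 1.0 linked in.
ARTIFACT = """
    static int app_main(void) { return run_server(8080); }
    int parse_header(char *buf, int len) { char tmp[64]; strcpy(tmp, buf); return 0; }
    int legacy_chunk(char *p) { return p[0] == 'x'; }
"""


def scan(artifact_text=ARTIFACT):
    matches = identify(artifact_text)
    return matches, advisories_for(matches)


if __name__ == "__main__":
    for (component, version), score in identify(ARTIFACT, min_containment=0.0):
        print(f"{component} {version}: containment {score:.2f}")
    print(advisories_for(identify(ARTIFACT)))
```

Running it reports tinyhttp 1.0 at full containment and tinyhttp 1.1 well below the threshold, so only the 1.0 advisory is returned. The partial score for 1.1 is the caveat to keep in mind with any such index: versions that share most of their code need either larger shingles or version-distinguishing features in the corpus, or the scanner will report the wrong neighbour.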
Lexumo’s cloud-based service is easy to use and does not slow down development because it integrates with existing build and ticketing systems, and no developer interaction is required to analyze the code.
“The premise of Lexumo’s Big Code technology is ambitious and its implementation is both elegant and impressive, which is a reflection of the team’s deep domain expertise and passion for solving security-related problems,” said Jeff Fagnan, General Partner at Accomplice. “The Lexumo platform makes it incredibly simple for software developers to securely use open source software, raising the bar for application security.”
“Security for the Internet of Things has been largely overlooked and, given the pace of IoT deployments, it presents a massive risk to technology developers, businesses and consumers,” said Maria Cirino, Managing Partner at .406 Ventures. “Recent research cites that security solutions for IoT are at least two years away, but Lexumo has the right technology and business model to tackle this problem today.”
“The IoT is vulnerable because humans are fallible,” said Kaigham J. Gabriel, president and CEO of Draper and former acting director of DARPA. “The Lexumo team applied automated big data analysis to eliminate open-source security vulnerabilities across all sectors of critical national infrastructure and commercial enterprises. The team built the first implementation of the initial concept at Draper, and we are thrilled to spin out Lexumo.”
For more information about how Lexumo secures open source software used in IoT and embedded devices, critical infrastructure, and enterprise applications, visit www.lexumo.com.