Software supply chain security remains a challenge for most enterprises

Detail of shipping container door

Image Credits: Busà Photography / Getty Images

Log4j, maybe more than any other security issue in recent years, thrust software supply chain security into the limelight, with even the White House weighing in. But even though virtually every technology executive is at least aware of the importance of creating a trustworthy and secure software supply chain, most continue to struggle with how to best implement a strategy around it.

The number of CVEs (Common Vulnerabilities and Exposures) continues to increase at a steady pace and there’s nary a container out there that doesn’t include at least some vulnerabilities. Some of those may be in libraries that aren’t even used when the container is in production, but they are vulnerabilities nevertheless.

Image Credits: Slim.ai

According to Slim.ai’s latest Container Report, the average organization now deploys well over 50 containers from its vendors every month (and almost 10% deploy more than 250). Yet only 12% of the security leaders who responded to Slim.ai’s survey said they were able to achieve their own vulnerability remediation goals. Everybody else says they are “greatly” struggling or see significant room for improvement. And while those organizations are all pressuring their vendors to improve their security stance and deliver, vendors and buyers often can’t even agree on which CVEs actually need patching in a container.

As Ayse Kaya, Slim.ai’s VP for Strategic Insights and Analytics, told me, the interaction between buyers and vendors is often still driven by the exchange of spreadsheets and ad hoc meetings between security groups. According to the company’s report, which it created in partnership with research firm Enterprise Strategy Group, that’s still how 75% of organizations exchange information with their vendors, even as virtually all security leaders (84%) would like to see a centralized collaboration platform for managing vulnerabilities. For the time being, though, emailing spreadsheets back and forth remains the state of the art.

Image Credits: Slim.ai

All of this inevitably leads to inefficiencies. The majority of organizations that responded to the survey said they employ six or more specialists who focus on vulnerability remediation (with a quarter of respondents employing more than 10). One of the major problems in the industry is that more than 40% of the alerts these teams get are false positives — often for libraries that may be part of a container but aren’t used in production. Because of this, Kaya, for example, strongly advocates creating minimal container images. One could argue that this should be a best practice anyway, since it creates a smaller attack surface and reduces false positives.

It’s not just security teams that have to deal with these vulnerabilities, though, of course. All of these efforts slow down the overall development process, too. Most companies see some disruptions multiple times a week because they detect a vulnerability in a production container, for example. According to Slim.ai’s report, the average container now sees a new release roughly every 11 days and the average container is now affected by 311 CVEs (up from 282 in 2022). All of that means more work, more interruptions and more effort expended in working with vendors to get them fixed.

Kusari is building a supply chain security platform on top of open source

data privacy concept illustration

Image Credits: ipopba / Getty Images

The software supply chain, which comprises the components, libraries and processes companies use to develop and publish software, is under threat.

According to one recent survey, 88% of companies believe that software supply chain security presents an “enterprise-wide risk” to their organizations, while nearly two-thirds (65%) believe their organizations’ software supply chain security program isn’t as mature as it should be. A separate poll found that the mean number of supply chain breaches increased to around four incidents per company in 2023, up from roughly three incidents in 2022 — a 25% increase.

Now, you might point out — and not wrongly — that there are a number of vendors, large and small, tackling the supply chain security challenge. But a new entrant, Kusari, thinks it can do better with a team hailing from the financial services and defense industries.

Investors seem willing to buy in. This month, Kusari — whose namesake is the Japanese feudal weapon kusari-fundo — raised $8 million across pre-seed and seed funding rounds that had participation from J2 Ventures, Glasswing Ventures and Unusual Ventures. The cash will be put toward building out Kusari’s software-as-a-service (SaaS) platform, co-founder and CEO Tim Miller said, and growing the startup’s team from eight people to about 15.

“There’s a real lack of education regarding software supply chain management and the tooling, specifications and standards within that space,” Miller told TechCrunch in an email interview. “The Kusari platform acts like a GPS for navigating supply chain issues, helping chief information security officers understand and reason about the software risks they’re facing — and helping DevOps folks easily and automatically fix those issues.”

Miller co-founded Kusari with Michael Lieberman and Parth Patel in 2022. Prior to Kusari, Miller was an engineering director at Citi, where he met Lieberman, while Patel was a senior cybersecurity systems engineer at Raytheon.

Miller says that he, Lieberman and Patel were spurred to launch Kusari by a shared problem: knowing which software and dependencies are being used by a particular app or system at a given moment.

“Being in the dark causes lots of issues, like being slow to react to security vulnerabilities, knowing if there’s licensing or compliance issues and even basic maintenance like ‘Who should I go to if this breaks?’” Miller said. “We founded Kusari to bring transparency and security to software supply chains by making it easy to reason about what is in an organization’s software — and show you what to do about it.”

To that end, Kusari leverages the open source project Guac — to which Miller, Lieberman and Patel contributed — to find the most-used components in a software supply chain and identify exposures to risky dependencies. Kusari — powered by Guac — can also determine the ownership of apps in an organization, make sure that apps meet an organization’s policies and determine changes between different versions of software.

On the remediation side, Guac — and Kusari by extension — can determine the “blast radius” of a bad package or vulnerability and provide a plan toward patching it. It can also trace the origin point of exploits, pinpointing when — and where — they were introduced.
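As an added illustration of the blast-radius and version-diff ideas described above, and of the earlier point that CVE alerts for libraries shipped in a container but never used in production are false positives, here is a small Python sketch. It is not GUAC or Kusari code; the dependency graph, the runtime observations and all package names and versions are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed example graph (not GUAC or Kusari data): each artifact maps to
# the packages it depends on directly. Names and versions are illustrative.
DEPENDS_ON = {
    "billing-service:2.3": ["spring-core:5.3.9", "jackson:2.12"],
    "billing-service:2.4": ["spring-core:5.3.9", "jackson:2.13"],
    "web-frontend:1.8": ["lodash:4.17.20"],
    "reporting-job:0.9": ["pandas:1.3", "log4j-core:2.14.1"],
    "spring-core:5.3.9": ["log4j-core:2.14.1"],
    "jackson:2.12": [], "jackson:2.13": [], "lodash:4.17.20": [],
    "pandas:1.3": [], "log4j-core:2.14.1": [],
}

# Constructed runtime observations: the packages each deployed container was
# actually seen loading. A dependency that ships in the image but is never
# loaded is the kind of finding the article counts as a false positive.
RUNTIME_LOADED = {
    "billing-service:2.3": {"spring-core:5.3.9", "log4j-core:2.14.1", "jackson:2.12"},
    "reporting-job:0.9": {"pandas:1.3"},  # log4j-core is in the image but unused
}

def reverse_edges(deps):
    """Map each package to the set of artifacts that depend on it directly."""
    rev = defaultdict(set)
    for artifact, children in deps.items():
        for child in children:
            rev[child].add(artifact)
    return rev

def blast_radius(deps, bad_pkg):
    """Return {affected_artifact: path} for every artifact that transitively
    depends on bad_pkg; the path records where the package was pulled in."""
    rev = reverse_edges(deps)
    paths = {}
    queue = deque([(bad_pkg, [bad_pkg])])
    while queue:
        node, path = queue.popleft()
        for parent in rev.get(node, ()):
            if parent not in paths:
                paths[parent] = [parent] + path
                queue.append((parent, paths[parent]))
    return paths

def triage(deps, runtime_loaded, bad_pkg):
    """Label each deployed artifact in the blast radius 'actionable' when the
    bad package is loaded at runtime, else 'likely false positive'."""
    result = {}
    for artifact in blast_radius(deps, bad_pkg):
        if artifact not in runtime_loaded:
            continue  # a library node or an undeployed build: nothing to patch here
        loaded = bad_pkg in runtime_loaded[artifact]
        result[artifact] = "actionable" if loaded else "likely false positive"
    return result

def version_diff(deps, old, new):
    """Direct dependencies added and removed between two artifact versions."""
    before, after = set(deps[old]), set(deps[new])
    return {"added": sorted(after - before), "removed": sorted(before - after)}
```

The runtime-loaded set would in practice come from an observation tool or a minimal image built to contain only what runs; here it is hard-coded so the triage step can be seen end to end.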

Miller sees Legit Security, Ox Security and Snyk as Kusari’s most formidable competitors. But he emphasizes Kusari’s open source approach, which he believes is unique.

“We have an open source plus SaaS business model,” he said. “Our initial strategy was to bring validation to the approach through the open source product; our SaaS product will be released later this year. We believe that we can significantly reduce the cost of dealing with software vulnerabilities while increasing the confidence in doing so, allowing technology decision-makers to understand the health of their software supply chain and quickly determine if there are unaddressed risks.”

Future capabilities in the works include a ChatGPT-like chatbot that’ll let users “chat” with Guac (through Kusari) to inspect and get a better handle on an organization’s supply chain — for example, by asking questions like “Which running containers have such and such vulnerability?”

Miller says that the team is taking pains to run “lean” for now, focusing on hiring a “handful of experts” who can help Kusari build out quickly. The platform still hasn’t launched — but the startup’s targeting later this year for general availability.

“As a result of the slowdown, we’re seeing some potential design partners pull back a bit from collaboration as they focus on more critical business initiatives,” Miller added, “but the slowdown hasn’t affected us as much as others. We’re using the latest and greatest tech built on open source to make building out and scaling our platform cost-effective.”

Diagon puts ex-Tesla supply chain muscle to work for small businesses

Diagon, Shri Muthu (CTO) & Will Drewery (CEO)

Image Credits: Diagon / Diagon co-founders Shri Muthu and Will Drewery

It’s not every day that you get to sharpen your skills with Elon Musk as your boss. It was while sourcing manufacturing equipment for Tesla factories that Will Drewery drew inspiration for Diagon, a startup that helps manufacturers procure equipment.

“Big projects companies are building now, like battery manufacturing, need very specific types of process equipment and automation equipment to build a factory and automate,” co-founder and CEO Drewery told TechCrunch. “I’d been hearing and seeing the trends toward nearshoring and reshoring of American manufacturing. As a supply chain manager, I’ve been taking a critical eye at how that’s actually going to happen. People intuitively understand that they want to source batteries for the cars they’re making in the U.S. or near the U.S., but they have no idea if that capacity doesn’t exist anywhere, then there’s no way you’re going to find a qualified supplier or have the right infrastructure to make those products.”

In January 2023, he started Diagon with former Snackpass vice president of engineering Shri Muthu so that companies of all sizes could tap into the expertise he gained sourcing equipment for Tesla’s electric vehicle and battery facilities. Companies in fields like automotive and aerospace can identify qualified suppliers from Diagon’s network of equipment suppliers, system integrators and service providers, then leverage a toolkit to manage those complex projects.

Diagon also uses artificial intelligence to answer questions such as what type of infrastructure a company will need in order to become a qualified iron-based battery provider in the U.S., or what it will need in order to make those products.

East Coast origins

The journey to Diagon for Drewery, who spent most of his career as an equipment buyer, started in Pittsburgh. When Drewery was growing up, his father and uncles worked in the steel industry. It was a “great way to make a living for a long time” until globalization shifted manufacturing centers elsewhere, he said.

“It impacted me to see not only the industry, but the businesses that supported it, being affected,” Drewery said. “I had this intuition that there was a much bigger significance to being able to manufacture to support a local economy.”

A few years later, Drewery joined PwC as a consultant before joining the U.S. Department of Defense as a contractor. This position took him to Baghdad, where one of his projects was to help companies procure machinery and equipment to rebuild facilities damaged during the war.

After graduating from business school in 2012, Drewery moved to the Bay Area, where a friend told him about Tesla. The company had just bought an old factory in Fremont, was stripping out the old equipment, and needed someone to help source new equipment to make the Tesla S, X and 3 models.

His friend brought a Tesla to a party Drewery was at, and after taking joy rides up and down the freeway, Drewery recalls thinking, “I don’t know what this company is doing, but I’ll do anything to work there.”

Working for Elon

Tesla, Drewery learned, was similar to most organizations when it came to the supply chain.

“They’re not really focused on buying the infrastructure for the factory — that tends to be left to engineers and other people within the organization,” Drewery said. “When I came in, I was the first person, really the first formal buyer, the company ever hired to source this type of machinery and equipment. Up until then, the engineers and shop managers were sourcing their own stuff.”

It was Drewery’s job to source all the industrial robots, the metal presses and plastic molding machines. That grew into sourcing for the entire scope of Tesla’s manufacturing footprint, both in Fremont and Buffalo, New York, and also in the gigafactory in Reno, Nevada.

It was quite an education, Drewery recalls. Identifying suppliers and where they were located, working out how to pay for those materials and how to actually source everything was difficult, because a lot of the equipment didn’t fall into the norms of things that most supply chain managers buy, he said.

Diagon dashboard shows supplier discovery feature for battery equipment. Image Credits: Diagon

Drewery ended up getting a crash-course education in supply chain. He learned which suppliers made which type of equipment, all the pricing, lead times and other negotiations.

During this time, Drewery also gained experience building out a substantial team to tackle all of that. He grew his team to 30 people managing about $700 million a year in capital expenditure, Drewery said; over his time at Tesla, that added up to about $3.5 billion.

“One of the coolest jobs — hands down — that I’ve ever had, and I was awestruck at how few tools there were to help me do that job,” he said.

And what was it like working with Elon Musk? “I’ve never learned more than I learned in that role, but it was the hardest thing that I’ve ever done. Up until starting this company, I’d say that,” Drewery said.

Here’s a little sample of what that involved. Trade shows are the top place to find companies that make these types of equipment. However, how do you take off a day of work to attend conferences when your boss is Elon Musk?

“A lot of times I would have to do it under the radar,” Drewery said.

Putting those skills to work for others

Drewery worked at Tesla between 2013 and 2018. During that time, he also had to manage delivery of all of that equipment and its testing and installation, which could take anywhere from a few months to a few years, he said. Drewery had a substantial team working with him but thought a lot about companies that don’t have the team or tools to do the same.

“This is why I felt the market needs a Diagon,” Drewery said.

Diagon launched its equipment sourcing and procurement platform in November 2023 after being a part of startup accelerator Techstars. It grew to six employees and a half-dozen customers, including Mitra Chem, Zeno Power and Mighty Buildings.

The company will deploy its software platform as a pilot program with its professional services customers first and do a broader release this summer, Drewery said.

The company also recently raised $5.1 million that includes a previous $800,000 SAFE (simple agreement for future equity) round. The Westly Group led the round and was joined by Valia Ventures, Techstars, Foster Ventures, Foxe Capital, Anthemis and ReFashiond Ventures.

The funding gives Diagon a good runway for the next two years and will enable the company to actively hire, including for a head of product and go-to-market.

“Now we are developing tools that help customers find suppliers better or help them interpret and summarize quotes better,” Drewery said. “We will roll those out as we develop them. We’ve also got some runway to acquire new customers and build more of the product until we raise our Series A, which we haven’t started fundraising for yet.”
