New cloud platform leverages “Big Code” analytics to continuously search, index and monitor code for open source vulnerabilities such as Heartbleed and Shellshock.
Cambridge, Massachusetts – February 1, 2016 – Lexumo, developer of the world’s first automated cloud-based service for continuously monitoring software for vulnerable open source components, has closed $4.89M in seed funding from Accomplice, .406 Ventures, and Draper. Lexumo continuously searches and indexes software to immediately identify publicly-known open source vulnerabilities that can cause theft of sensitive data, failure of critical systems, and brand damage. Lexumo’s cloud-based service integrates transparently with existing software development workflows, does not require access to source code, and provides specific, actionable recommendations for remediation. Lexumo’s new funding will be used to further develop and commercialize the platform and build the company’s sales and marketing teams.
“To gain speed and agility, the vast majority of development organizations today assemble software from reusable software ‘building blocks’ which are downloaded from open source repositories. Yet many of these components contain published vulnerabilities which are extensively described in public forums and vulnerability databases – providing cyber attackers with a clear roadmap to attack critical systems, devices, and enterprise applications,” said Brad Gaynor, Ph.D., CEO and co-founder of Lexumo. “The funding is a validation of our scalable, cloud-based approach to identifying and eliminating open source vulnerabilities in a new and innovative way.”
According to industry analysts, open source software (OSS) is now used for mission-critical IT by 95 percent of all mainstream IT organizations, as well as in 85 percent of all commercial software packages. Yet, in 2014, there were approximately 52 million downloads of vulnerable components from the Central Repository, which supplies widely-used shareable components developed by open source organizations such as The Apache Software Foundation, Atlassian, RedHat (JBoss), and Oracle (Java). When these vulnerable components are integrated into a company’s software, their products and applications are at risk.
Originally developed at Draper with DARPA funding, Lexumo’s “Big Code” technology combines big data analytics with software analysis techniques for the first time. This unique approach uses indexed search techniques to continuously identify deep commonalities between the hundreds of millions of lines of open source code available today and the software used in a particular system, device or application. It then identifies exactly which open source components and versions are present in the code – with a high level of granularity and accuracy. Drill-downs provide detailed information about each vulnerability and its location in the code, along with automatically-generated instructions to patch them.
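The paragraph above describes the approach only in outline: fingerprint a large corpus of open source code, index the fingerprints, match an unknown build against the index to recover component names and versions, then attach known advisories. The following Python is an added illustration of that indexed-search idea, not Lexumo's code and not a description of its proprietary Big Code method. It works on source text rather than binaries, and every input it uses (the `libexample` and `tinyjson` components, their version strings, the build text and the advisory entry) is constructed for the example. Token-shingle hashing is a generic fingerprinting technique chosen here for clarity.

```python
"""Toy component-identification pipeline (added illustration, not Lexumo's code).

Builds an inverted index of fingerprints over known open source component
versions, matches an unknown build against it, and maps the identified
versions to an advisory table. Corpus, versions, build text and the advisory
identifier are all constructed for this example.
"""
import hashlib
import re
from collections import defaultdict

SHINGLE = 4  # tokens per fingerprint window

# Constructed corpus: two versions of one component, one version of another.
# Version 1.0.1 differs from 1.0.0 only by an added length check.
CORPUS = {
    ("libexample", "1.0.0"): """
        int parse_header(char *buf, int len) {
            char tmp[64];
            memcpy(tmp, buf, len);   /* no bounds check in 1.0.0 */
            return process(tmp);
        }
        int helper(int a, int b) { return a + b; }
    """,
    ("libexample", "1.0.1"): """
        int parse_header(char *buf, int len) {
            char tmp[64];
            if (len > sizeof tmp) return -1;
            memcpy(tmp, buf, len);
            return process(tmp);
        }
        int helper(int a, int b) { return a + b; }
    """,
    ("tinyjson", "0.3"): """
        struct node *json_parse(const char *text) {
            struct node *root = alloc_node();
            skip_ws(&text);
            return parse_value(&text, root);
        }
    """,
}

# Constructed advisory table; the identifier is a placeholder, not a real CVE.
KNOWN_VULNS = {
    ("libexample", "1.0.0"): "PLACEHOLDER-ADVISORY-0001: unchecked memcpy in parse_header, fixed in 1.0.1",
}


def tokenize(text):
    """Normalise source: strip comments, then keep identifiers, numbers and operators."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"//[^\n]*", " ", text)
    return re.findall(r"[A-Za-z_]\w*|\d+|[^\s\w]", text)


def fingerprints(text):
    """Set of short hashes over sliding windows of SHINGLE tokens."""
    toks = tokenize(text)
    fps = set()
    for i in range(len(toks) - SHINGLE + 1):
        window = " ".join(toks[i:i + SHINGLE])
        fps.add(hashlib.sha256(window.encode()).hexdigest()[:16])
    return fps


def build_index(corpus):
    """Inverted index fp -> {(component, version)} plus fingerprint count per version."""
    index = defaultdict(set)
    sizes = {}
    for key, src in corpus.items():
        fps = fingerprints(src)
        sizes[key] = len(fps)
        for fp in fps:
            index[fp].add(key)
    return index, sizes


def identify(build_text, index, sizes, min_coverage=0.6):
    """Return [(component, version, coverage)] for the best-matching version of
    each component whose fingerprints are at least min_coverage present."""
    build_fps = fingerprints(build_text)
    shared = defaultdict(int)  # (component, version) -> number of shared fingerprints
    for fp in build_fps:
        for key in index.get(fp, ()):
            shared[key] += 1
    best = {}  # component -> (coverage, version); the closest version wins
    for (comp, ver), n in shared.items():
        cov = n / sizes[(comp, ver)]
        if cov >= min_coverage and cov > best.get(comp, (0.0, None))[0]:
            best[comp] = (cov, ver)
    return sorted((comp, ver, round(cov, 2)) for comp, (cov, ver) in best.items())


def report(results, vulns=KNOWN_VULNS):
    """Drill-down: attach known advisories to each identified component version."""
    return [(comp, ver, vulns[(comp, ver)]) for comp, ver, _ in results if (comp, ver) in vulns]


def sample_build(libexample_version):
    """Constructed 'unknown build': app glue plus one libexample version plus tinyjson."""
    glue = "static int app_main(void) { return parse_header(input, n); }\n"
    return glue + CORPUS[("libexample", libexample_version)] + CORPUS[("tinyjson", "0.3")]


if __name__ == "__main__":
    idx, sz = build_index(CORPUS)
    found = identify(sample_build("1.0.0"), idx, sz)
    print(found)          # libexample 1.0.0 and tinyjson 0.3, both fully covered
    print(report(found))  # the 1.0.0 advisory, with the fix version
```

The version disambiguation is the part worth noticing: 1.0.0 and 1.0.1 share most fingerprints, so a simple threshold would report both; picking the highest-coverage version per component resolves the ambiguity, which is what turns "this library is present" into a remediation instruction ("upgrade to 1.0.1"). A production system would fingerprint compiled artifacts and many millions of versions, but the index-and-match structure is the same.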
Lexumo’s cloud-based service is easy to use and does not slow down development because it integrates with existing build and ticketing systems, and no developer interaction is required to analyze the code.
“The premise of Lexumo’s Big Code technology is ambitious and its implementation is both elegant and impressive, which is a reflection of the team’s deep domain expertise and passion for solving security-related problems,” said Jeff Fagnan, General Partner at Accomplice. “The Lexumo platform makes it incredibly simple for software developers to securely use open source software, raising the bar for application security.”
“Security for the Internet of Things has been largely overlooked and, given the pace of IoT deployments, it presents a massive risk to technology developers, businesses and consumers,” said Maria Cirino, Managing Partner at .406 Ventures. “Recent research cites that security solutions for IoT are at least two years away, but Lexumo has the right technology and business model to tackle this problem today.”
“The IoT is vulnerable because humans are fallible,” said Kaigham J. Gabriel, president and CEO of Draper and former acting director of DARPA. “The Lexumo team applied automated big data analysis to eliminate open-source security vulnerabilities across all sectors of critical national infrastructure and commercial enterprises. The team built the first implementation of the initial concept at Draper, and we are thrilled to spin out Lexumo.”
About Accomplice
Accomplice (FKA Atlas Venture) is an early-stage venture capital firm that invests in technology startup companies, with specialties in cybersecurity, eSports, data analytics, SMB class software, emerging hardware platforms, and marketplaces. Our partners are Jeff Fagnan, Christopher P. Lynch, and Ryan Moore. For more information, visit www.accomplice.co.
About 406 Ventures
.406 Ventures is an early-stage technology venture capital firm investing in enterprise technology companies founded by visionary entrepreneurs. .406 Ventures was founded in 2005 and has ~$600M under management. The .406 Ventures team comprises entrepreneurs and operators who became investors to apply real-world experience and strong company-building skills to create value for entrepreneurs and LPs. The firm leads, or co-leads, first institutional investment rounds in market-changing Enterprise IT companies and world-class operators, who move quickly and embody successful entrepreneurial DNA with their passion, creativity and endurance. www.406ventures.com
About Draper
As a not-for-profit engineering research and development company, Draper focuses on the design, development and deployment of advanced technological solutions for the world’s most challenging and important problems. We provide engineering services directly to government, industry, and academia; work on teams as prime contractor or subcontractor; and participate as a collaborator in consortia. We provide unbiased assessments of technology or systems designed or recommended by other organizations — custom designed, as well as commercial-off-the-shelf. www.draper.com
About Lexumo
Lexumo protects the world’s open source software. Originally developed with DARPA funding, Lexumo’s Big Code technology combines big data analytics, machine learning and software analysis to detect vulnerabilities in software built with open source. Lexumo’s automated cloud-based service continuously searches, indexes and monitors open source code and known vulnerabilities to provide the fastest, most effective way of identifying and patching even the most recently discovered security threats. For more information about how Lexumo secures open source software used in IoT and embedded devices, critical infrastructure, and enterprise applications, visit https://lexumo.com.