Oligo’s efficient use of run time monitoring lets users much more easily identify and remedy open source code vulnerabilities.
Today, Israel-based Oligo Security is exiting stealth with $28 million in funding for its innovative runtime application security and observability solution, which lets enterprises detect and prevent open source code vulnerabilities in their applications without impairing performance.
Detecting open source code vulnerabilities today is certainly possible, but the process is a clunky one that bogs down the user in a sea of false alerts and reduced performance. Given that open source is used in between 85% and 90% of modern software, these are critical issues.
“Today, 85% of alerts around open source code are false alerts,” said Nadav Czerninski, Oligo Security’s CEO and co-founder. “People understand that this security is important – but today there is too much noise and too many alerts. This is why we took a new approach, with run time, where we can make sure which open source application is being used and is the source of the problem. This unique approach using run time lets us focus on each and every library at one time.”
Oligo’s co-founder and CTO Gal Elbaz discovered that a widely used app like Instagram could be easily compromised by misusing an open source library.
“This one open source app, Instagram, which is commonly used in all Facebook infrastructure, can cause a lot of damage with just one vulnerability,” Elbaz said. “You need to look at an application and into its pieces of code and look at what they are doing.”
This is where the run time monitoring comes in.
“Today, there are scanners which scan code, and that’s the current approach to handling this,” Czerninski said. “But because they don’t have the run time information, they can’t determine what code is actually relevant, so they have to manually figure out which needs to be fixed, and there is also a compromise on performance. Getting to the run time monitoring in a very efficient way lets you figure out what libraries you need to fix. This can help with application security because in run time, we know which applications are relevant.”
Oligo’s dynamic library-level analysis and behavior monitoring technology instantly identifies vulnerabilities in running packages and prioritizes fixes based on application context. It also raises alerts only when a library deviates from its permission policy, which indicates suspicious activity, so it avoids alert overload. The solution uses a proprietary eBPF-based engine to precisely detect vulnerabilities and prevent attacks while maintaining application stability.
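As an added illustration of the library-level permission-policy idea described above (example code written for this page, not Oligo’s product or engine): a small Python monitor hooks a sensitive primitive, attributes each call to the third-party library found on the call stack, and reports any use of a capability outside that library’s policy. The library names, policy and library sources are constructed; a real engine would observe this from the kernel side with eBPF rather than in-process.

```python
import inspect
import types

# Constructed policy (hypothetical): the run-time capabilities each third-party
# library is expected to use. Any other capability use is a deviation.
POLICY = {
    "httpclient": {"network"},
    "imagelib": {"file"},
    "yamlparser": set(),   # a parser has no business opening sockets
}
MONITORED = set(POLICY)


def attribute_caller(frame):
    """Walk outward from the hooked call; return the first monitored library on the stack."""
    while frame is not None:
        top = frame.f_globals.get("__name__", "").split(".")[0]
        if top in MONITORED:
            return top
        frame = frame.f_back
    return "<application>"   # first-party code: not subject to a library policy


def make_hook(capability, findings):
    """Build a stand-in for a sensitive primitive (socket connect, file open) that records who used it."""
    def hook(*args):
        lib = attribute_caller(inspect.currentframe().f_back)
        allowed = POLICY.get(lib)
        if allowed is not None and capability not in allowed:
            findings.append((lib, capability, args))   # deviation from the library's policy
        return f"{capability} ok"
    return hook


def load_library(name, source, hooks):
    """Simulate an installed package: exec constructed source into a module with that name."""
    mod = types.ModuleType(name)
    mod.__dict__.update(hooks)      # the library sees the hooked primitives
    exec(source, mod.__dict__)
    return mod


def run_demo():
    """Exercise two constructed libraries; only the parser's network use violates policy."""
    findings = []
    hooks = {"connect": make_hook("network", findings), "open_file": make_hook("file", findings)}
    http = load_library("httpclient", "def get(url):\n    return connect(url, 443)\n", hooks)
    yaml = load_library("yamlparser",
                        "def load(text):\n    connect('unexpected-host.example', 4444)\n    return {'k': text}\n",
                        hooks)
    http.get("example.com")   # within policy: no finding
    yaml.load("k: v")         # deviation: a parser opening a socket
    return findings
```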
This is a problem which impacts all sizes of companies.
“From startups to Fortune 500s, everyone understands how important it is to secure open source,” Czerninski said.
“The problem is that it is so painful,” Elbaz added. “We know how the problem feels for customers because we suffered ourselves when we were part of these organizations that confronted these issues.”
Out of the gate in their proof of concept stage, Oligo will be selling direct, but the plan is to expand this with a multi-channel strategy.
“We have abilities to expand selling in many ways – through security teams, to dev/ops, and to engineers,” Czerninski indicated.
The Seed and Series A funding rounds were raised in nine months from Lightspeed Venture Partners, Ballistic Ventures, TLV Partners, cybersecurity entrepreneur and investor Shlomo Kramer, and a roster of prominent angel investors including Eyal Waldman, CEO and founder at Mellanox Technologies, Adi Sharabani, CTO at Snyk, and Eyal Manor, former GM/VP at Google Cloud and now Chief Product and Engineering Officer at Twilio.