Software development is a $2 trillion industry – yet today’s “software supply chains” have become increasingly challenging to govern and secure as agile development practices have evolved in the modern cloud era. Legit Security, a recent addition to TCV’s portfolio family, is on a mission to change that by providing end-to-end governance and security throughout the entirety of the software development lifecycle. 

Software now plays an important role in nearly every business; it is one of the most critical assets empowering organizations to create efficiencies and competitive differentiation. Software development practices are constantly evolving to improve business agility and enable new digital business models, but as a result, software supply chains are also changing, have become highly complex, and are increasingly difficult to govern and secure. Too often, the code, pipelines, development infrastructure, and third party resources within the software development lifecycle (SDLC) are left insecure, exposing the organization to potential breaches and software supply-chain attacks. 

The damage inflicted by software supply-chain attacks has gained publicity following events such as log4j and Solarwinds. However, these attacks were not isolated, and it’s estimated that software supply chain attacks are increasing at a rate of two to six times per year. As a result, the importance of bringing security and governance to the entirety of the software supply chain is becoming top of mind for businesses globally. 

Introducing Legit Security: Security for software supply chain environments

Legit Security, an Israeli-based security company founded in August 2020, aims to address this acute pain point by providing a security platform that protects the pipelines, infrastructure, code, and people within software supply chains so that businesses can stay safe while releasing software quickly. The platform provides security and developer teams with a “single pane of glass” to secure the SDLC by scanning development pipelines for gaps and leaks, the SDLC infrastructure and systems within those pipelines, and the people and their security hygiene as they operate within it.

Legit Security’s platform aims to remove blind spots and automate governance and compliance for the software supply chain. The platform uses an automated discovery and analysis engine to identify vulnerabilities, measure and track the security posture of teams and development pipelines, and ensure compliance to regulatory and governance frameworks in real-time. By using Legit Security, security and development teams can manage risk more effectively and increase efficiency by focusing on what’s most important.

“Legit provides a single pane of glass to mitigate software development risk. We’re now able to inventory all our SDLC systems and security tools, view developer activity, and detect and remediate vulnerabilities across them fast. Legit’s security scoring also allows me to measure the security posture of different teams and show progress improving it.” – Bob Durfee, Head of DevSecOps at Takeda Pharmaceutical Company

Deep cyber security expertise 

TCV is investing in Legit Security through its recently-announced Velocity Fund, which aims to invest in expansion-stage companies in its sectors of interest.

The founders and executive team of Legit Security have deep experience in cybersecurity. The founders all came from Checkmarx, a leading application security testing business, and had initially met in the Israeli military’s intelligence unit. As cybersecurity researchers and team leads for the renowned Israeli Defense Force’s Unit 8200, they gained real-world security experience with the offensive and defensive tactics specific to software delivery pipelines.

CEO & Co-Founder Roni Fuchs was formerly Senior Director and Head of Software Composition Analysis at Checkmarx, after his previous startup Lumobit was acquired by Checkmarx less than a year after its launch in 2018. Previously, Roni was a senior software engineer at Microsoft. Liav Caspi, CTO & Co-Founder of Legit Security, and Lior Barak, the company’s VP of R&D and Co-Founder, share similar backgrounds: all three overlapped at the Israeli military, Lumbobit, and Checkmarx. Chris Hoff, VP for Worldwide Sales was most recently Regional VP of Sales at Duo Security, having previously held sales roles at EMC, Kaspersky, Cognos, Watchfire/IBM, and CA Technologies. Derick Townsend, VP of Marketing, was most recently VP of Product Marketing at Ping Identity, with prior marketing leadership roles at UnboundID, DXC, ServiceMesh, CA Technologies, iTKO, and IBM.  

Shifting left: The vast “DevSecOps” opportunity

So why are we so excited? Well, on top of the deeply relevant and honed skills that run through the company from its highest level, we believe that Legit Security is on to something big and important in the application security space. Over the past five years, as application development practices have evolved, the notion of “DevSecOps” (development, security, and operations) or “shifting left” has become increasingly popular. 

“Shifting left” aims to make security more agile, repeatable, and automated, ultimately empowering DevOps teams to bring products to market faster. Existing application security solutions generally operate in isolation, resulting in silos throughout the pipeline. Further, blindspots can exist along development pipelines and SDLC systems and infrastructure, including GitHub / GitLab repos, which are not covered by traditional application security tools. In addition, the disparate nature of traditional AppSec tooling requires security teams to navigate across the numerous point solutions to try and stitch together insights into potential vulnerabilities, often leading to “alert fatigue.” 

Legit Security bridges this gap by spanning the SDLC with automated discovery and analysis capabilities that include auto-detection of code repositories, build servers, artifact repositories, and deployed security products such as Snyk and Veracode along with their security coverage. When your SDLC changes, it’s automatically detected by Legit. The platform provides hundreds of best practice software supply chain security policies that can be enforced directly in the product, as well as a unique Legit Security Score to manage risk, track security posture, and monitor compliance to regulatory and governance frameworks in real-time.

This holistic, end-to-end insight enhances governance at various checkpoints, empowering enterprises to derive greater value from existing security tools. It’s no coincidence that customers frequently describe the Legit Security Platform as their “application security command center.”

Where are we now?

Legit Security has now emerged from its pre-launch phase, during which the company has been busy acquiring customers (from Fortune 500 companies to fast moving software-driven businesses), building a platform for demanding enterprise environments, and securing funding from top-tier investors, including TCV. The business has already grown significantly with new offices in the U.S. and Israel, and an expanded team, as well as connections with important partners and advisors.

I’ve known co-founders Liav and Lior for many years, since our time working for the Israeli Defense Forces. We gained invaluable experience there, but perhaps most important was learning that ‘anything is possible’ in cybersecurity with the right talent, focus, and resources.”

Roni Fuchs, CEO & Co-Founder, Legit Security

After military service, the founding team members worked in leading cyber security companies across Israel and recognized a growing gap between traditional AppSec tools and a new generation of rapidly evolving, modern software development environments. The gap was growing and traditional security tools and vendors were unable to catch up.

“Because of the adoption of agile development, cloud, and modern development pipelines, the approach needed to secure software releases has fundamentally changed. It’s no longer just about ‘the code’. Software is now assembled in multiple steps across a supply chain leveraging many trusted contributors, pulling artifacts from countless repositories, built, and assembled on underlying infrastructure that must be securely configured, and all the while providing speed, agility, and efficiency. These modern supply chain environments created a sprawling new attack surface – one that is increasingly exploited by over 2x-6x a year, depending upon the analyst, government agency, or vendor report you read.” – Roni Fuchs, CEO & Co-Founder, Legit Security

TCV team members Matt Brennan (TCV General Partner), Tim McAdam (TCV General Partner), Mark Smith (TCV Venture Partner), and Alex Gorgoni (Investor) are excited to partner with Legit Security, helping to guide the company through its next critical phase of growth. Our team has witnessed first-hand the enthusiastic response of customers as they learn about the unique positioning and scope of the Legit Security platform, and its ease of deployment.

This is a sector we expect to be active in over the coming months, too, and we look forward to being a part of it. 

***

The views and opinions expressed are those of the author and do not necessarily reflect those of TCMI, Inc. or its affiliates (“TCV”). TCV has not verified the accuracy of any of the data or statements by the author and disclaims any responsibility therefor. This blog post is not an offer to sell or the solicitation of an offer to purchase an interest in any private fund managed or sponsored by TCV or any of the securities of any company discussed. The TCV portfolio companies identified above are not necessarily representative of all TCV investments, and no assumption should be made that the investments identified were or will be profitable. For a complete list of TCV investments, please visit www.tcv.com/all-companies/. For additional important disclaimers regarding this interview and blog post, please see “Informational Purposes Only” in the Terms of Use for TCV’s website, available at http://www.tcv.com/terms-of-use/.