Safeguarding the modern software supply chain: Legit Security

Software development is a $2 trillion industry – yet today’s “software supply chains” have become increasingly challenging to govern and secure as agile development practices have evolved in the modern cloud era. Legit Security, a recent addition to TCV’s portfolio family, is on a mission to change that by providing end-to-end governance and security throughout the entirety of the software development lifecycle. 

Software now plays an important role in nearly every business; it is one of the most critical assets empowering organizations to create efficiencies and competitive differentiation. Software development practices are constantly evolving to improve business agility and enable new digital business models, but as a result, software supply chains are also changing, have become highly complex, and are increasingly difficult to govern and secure. Too often, the code, pipelines, development infrastructure, and third-party resources within the software development lifecycle (SDLC) are left insecure, exposing the organization to potential breaches and software supply-chain attacks.

The damage inflicted by software supply-chain attacks has gained publicity following events such as Log4j and SolarWinds. However, these attacks were not isolated, and it’s estimated that software supply-chain attacks are increasing at a rate of two to six times per year. As a result, the importance of bringing security and governance to the entirety of the software supply chain is becoming top of mind for businesses globally.

Introducing Legit Security: Security for software supply chain environments

Legit Security, an Israeli-based security company founded in August 2020, aims to address this acute pain point by providing a security platform that protects the pipelines, infrastructure, code, and people within software supply chains so that businesses can stay safe while releasing software quickly. The platform provides security and developer teams with a “single pane of glass” to secure the SDLC by scanning development pipelines for gaps and leaks, the SDLC infrastructure and systems within those pipelines, and the people and their security hygiene as they operate within it.

Legit Security’s platform aims to remove blind spots and automate governance and compliance for the software supply chain. The platform uses an automated discovery and analysis engine to identify vulnerabilities, measure and track the security posture of teams and development pipelines, and ensure compliance to regulatory and governance frameworks in real-time. By using Legit Security, security and development teams can manage risk more effectively and increase efficiency by focusing on what’s most important.

“Legit provides a single pane of glass to mitigate software development risk. We’re now able to inventory all our SDLC systems and security tools, view developer activity, and detect and remediate vulnerabilities across them fast. Legit’s security scoring also allows me to measure the security posture of different teams and show progress improving it.” – Bob Durfee, Head of DevSecOps at Takeda Pharmaceutical Company

Deep cyber security expertise 

TCV is investing in Legit Security through its recently announced Velocity Fund, which aims to invest in expansion-stage companies in its sectors of interest.

The founders and executive team of Legit Security have deep experience in cybersecurity. The founders all came from Checkmarx, a leading application security testing business, and had initially met in the Israeli military’s intelligence unit. As cybersecurity researchers and team leads for the renowned Israeli Defense Force’s Unit 8200, they gained real-world security experience with the offensive and defensive tactics specific to software delivery pipelines.

CEO & Co-Founder Roni Fuchs was formerly Senior Director and Head of Software Composition Analysis at Checkmarx, after his previous startup Lumobit was acquired by Checkmarx less than a year after its launch in 2018. Previously, Roni was a senior software engineer at Microsoft. Liav Caspi, CTO & Co-Founder of Legit Security, and Lior Barak, the company’s VP of R&D and Co-Founder, share similar backgrounds: all three overlapped at the Israeli military, Lumobit, and Checkmarx. Chris Hoff, VP for Worldwide Sales, was most recently Regional VP of Sales at Duo Security, having previously held sales roles at EMC, Kaspersky, Cognos, Watchfire/IBM, and CA Technologies. Derick Townsend, VP of Marketing, was most recently VP of Product Marketing at Ping Identity, with prior marketing leadership roles at UnboundID, DXC, ServiceMesh, CA Technologies, iTKO, and IBM.

Shifting left: The vast “DevSecOps” opportunity

So why are we so excited? Well, on top of the deeply relevant and honed skills that run through the company from its highest level, we believe that Legit Security is on to something big and important in the application security space. Over the past five years, as application development practices have evolved, the notion of “DevSecOps” (development, security, and operations) or “shifting left” has become increasingly popular. 

“Shifting left” aims to make security more agile, repeatable, and automated, ultimately empowering DevOps teams to bring products to market faster. Existing application security solutions generally operate in isolation, resulting in silos throughout the pipeline. Further, blind spots can exist along development pipelines and SDLC systems and infrastructure, including GitHub / GitLab repos, which are not covered by traditional application security tools. In addition, the disparate nature of traditional AppSec tooling requires security teams to navigate across numerous point solutions to try to stitch together insights into potential vulnerabilities, often leading to “alert fatigue.”

Legit Security bridges this gap by spanning the SDLC with automated discovery and analysis capabilities that include auto-detection of code repositories, build servers, artifact repositories, and deployed security products such as Snyk and Veracode along with their security coverage. When your SDLC changes, it’s automatically detected by Legit. The platform provides hundreds of best practice software supply chain security policies that can be enforced directly in the product, as well as a unique Legit Security Score to manage risk, track security posture, and monitor compliance to regulatory and governance frameworks in real-time.

This holistic, end-to-end insight enhances governance at various checkpoints, empowering enterprises to derive greater value from existing security tools. It’s no coincidence that customers frequently describe the Legit Security Platform as their “application security command center.”

Where are we now?

Legit Security has now emerged from its pre-launch phase, during which the company has been busy acquiring customers (from Fortune 500 companies to fast-moving software-driven businesses), building a platform for demanding enterprise environments, and securing funding from top-tier investors, including TCV. The business has already grown significantly with new offices in the U.S. and Israel, an expanded team, and connections with important partners and advisors.

“I’ve known co-founders Liav and Lior for many years, since our time working for the Israeli Defense Forces. We gained invaluable experience there, but perhaps most important was learning that ‘anything is possible’ in cybersecurity with the right talent, focus, and resources.”

– Roni Fuchs, CEO & Co-Founder, Legit Security

After military service, the founding team members worked in leading cyber security companies across Israel and recognized a growing gap between traditional AppSec tools and a new generation of rapidly evolving, modern software development environments. The gap was growing and traditional security tools and vendors were unable to catch up.

“Because of the adoption of agile development, cloud, and modern development pipelines, the approach needed to secure software releases has fundamentally changed. It’s no longer just about ‘the code’. Software is now assembled in multiple steps across a supply chain leveraging many trusted contributors, pulling artifacts from countless repositories, built, and assembled on underlying infrastructure that must be securely configured, and all the while providing speed, agility, and efficiency. These modern supply chain environments created a sprawling new attack surface – one that is increasingly exploited by over 2x-6x a year, depending upon the analyst, government agency, or vendor report you read.” – Roni Fuchs, CEO & Co-Founder, Legit Security

TCV team members Matt Brennan (TCV General Partner), Tim McAdam (TCV General Partner), Mark Smith (TCV Venture Partner), and Alex Gorgoni (Investor) are excited to partner with Legit Security, helping to guide the company through its next critical phase of growth. Our team has witnessed first-hand the enthusiastic response of customers as they learn about the unique positioning and scope of the Legit Security platform, and its ease of deployment.

This is a sector we expect to be active in over the coming months, too, and we look forward to being a part of it. 

***

The views and opinions expressed are those of the author and do not necessarily reflect those of TCMI, Inc. or its affiliates (“TCV”). TCV has not verified the accuracy of any of the data or statements by the author and disclaims any responsibility therefor. This blog post is not an offer to sell or the solicitation of an offer to purchase an interest in any private fund managed or sponsored by TCV or any of the securities of any company discussed. The TCV portfolio companies identified above are not necessarily representative of all TCV investments, and no assumption should be made that the investments identified were or will be profitable. For a complete list of TCV investments, please visit www.tcv.com/all-companies/. For additional important disclaimers regarding this interview and blog post, please see “Informational Purposes Only” in the Terms of Use for TCV’s website, available at http://www.tcv.com/terms-of-use/.
Legit Security Launches Out of Stealth with Series A Investment to Secure Software Supply Chains

TEL AVIV, Israel, Feb. 10, 2022 (GLOBE NEWSWIRE) — Legit Security, a cyber security company with an enterprise SaaS solution to secure an organization’s software supply chain, today announced its launch out of stealth mode together with a $30 million Series A funding round from leading venture capital firms Bessemer Venture Partners and TCV. Prior seed funding was provided by CyberStarts, the premier cybersecurity venture capital firm in Israel. Legit Security protects software supply chains from attack by automatically discovering and securing the pipelines, infrastructure, code and people so that businesses can stay safe while releasing software fast. The company will use the funds to expand its engineering team and continue building its go-to-market organization in the United States with offices in Austin and Palo Alto.

According to Gartner®, 45% of organizations worldwide will have experienced attacks on their software supply chains by 2025, a three-fold increase from 2021. Companies can no longer rely solely on traditional security tools and code scanners for protection as more organizations adopt modern applications, agile development, and DevOps. These complex software supply chains at the heart of digital business and critical infrastructure are now prime targets for cyber-attacks, and require new security solutions.

“Enterprises increasingly rely on software to do business, and they’re adopting cloud, DevOps, CI/CD and agile techniques to move fast,” said Roni Fuchs, CEO of Legit Security. “However, this has created a huge new, unprotected attack surface that cybercriminals have targeted, and their attacks are escalating. Right now, enterprises don’t need another code scanner. They need a holistic security solution for the broader software supply chain environment. That’s why we founded Legit Security and brought on world-class cybersecurity experts that share the same vision.”

“Legit provides a single pane of glass to mitigate software development risk,” said Bob Durfee, Head of DevSecOps at Takeda Pharmaceutical Company. “We’re now able to inventory all our SDLC systems and security tools, view developer activity, and detect and remediate vulnerabilities across them fast. Legit’s security scoring also allows me to measure the security posture of different teams and show progress improving it.”

Legit Security helps companies protect their end-to-end software supply chain environment and software releases through automated vulnerability discovery and analysis, security policy enforcement, and continuous assurance. The platform scans software development pipelines for gaps and leaks, development infrastructure and systems within those pipelines, and the people and their security hygiene as they operate within it. The solution doesn’t interfere with existing development tools and workflows, and includes continuous assurance and governance capabilities to monitor adherence to regulatory requirements and compliance frameworks in real-time.

“Legit helps us secure our CI/CD pipelines including tracking the security posture of our different teams and workspaces, addressing SDLC configuration drifts, and helping us apply security resources where it can help us most,” said Erik Bataller, VP of Security, ACV Auctions. “Legit’s platform enables our developers to maintain high velocity with minimal security friction and allows us to identify risk factors and adjust accordingly.”

“Legit is providing us with visibility across the entire supply chain, which helps us minimize risk and raise analyst productivity,” said James Robinson, Deputy Chief Information Security Officer at Netskope. “Legit’s platform nicely complements our existing investments in application security tools and allows us to make better decisions in allocating our security controls and resources.”

“Legit Security’s platform visualizes and analyzes our software pipelines quickly to help ensure security compliance with regulatory frameworks, as well as the unique compliance requirements of some of our large financial services partners,” said Or Cohen, Principal Engineer at Melio. “Legit’s solution saves us time and resources and allows us to manage risk better.”

“Software supply chain attacks will continue to grow until new solutions are available to close diverse security gaps across these environments,” said Amit Karp, Partner at Bessemer Venture Partners. “We love how Legit developed an enterprise solution that is easy to deploy and delivers value in a couple of hours.”

Legit Security is led by CEO Roni Fuchs, CTO Liav Caspi, and VP of R&D Lior Barak and has assembled a team of security experts from the renowned Israeli Defense Force’s Unit 8200, Checkmarx, Ping Identity, Duo/Cisco, Microsoft and other leading cybersecurity firms in the U.S. and Israel. For more information, visit legitsecurity.com.

About Legit Security
Legit Security protects software supply chains from attack by automatically discovering and securing the pipelines, infrastructure, code and people so that businesses can stay safe while releasing software fast. Legit provides an easy-to-implement SaaS solution that supports both cloud and on-premises resources and combines automated discovery and analysis capabilities with hundreds of security policies developed by industry experts with real-world SDLC security experience. This integrated solution keeps your software factory secure and provides continuous assurance that your applications are released without vulnerabilities.

Media Contact
Tony Keller, Legit Security
tkeller@outvox.com

Katja Gagen, TCV
kgagen@tcv.com