The software supply chain, which includes the components, libraries, and processes that companies use to develop and publish software, is under threat.
According to a recent survey, 88% of companies believe that software supply chain security presents a “business risk” to their organizations, while nearly two-thirds (65%) believe that their organization’s software supply chain security program is not as mature as it should be. A separate survey found that the average number of supply chain breaches rose to about four incidents per company in 2023, from about three incidents in 2022, a 25% increase.
Now, you could point out, and not wrongly, that there are already a number of large and small vendors tackling the challenge of supply chain security. But a newcomer, Kusari, believes it can do better with a team drawn from the financial services and defense industries.
Investors seem eager to buy in. This month, Kusari — its namesake is the Japanese feudal weapon kusari-fundo — raised $8 million in pre-seed and seed funding rounds with participation from J2 Ventures, Glasswing Ventures and Unusual Ventures. The cash will go toward building out Kusari’s software-as-a-service (SaaS) platform, co-founder and CEO Tim Miller said, and growing the startup’s team from eight people to about 15.
“There is a real lack of education about software supply chain management and the tools, specifications and standards in this space,” Miller told TechCrunch in an email interview. “The Kusari platform acts like a GPS for navigating supply chain issues, helping information security managers understand and justify the software risks they face — and helping DevOps people easily and automatically fix those problems.”
Miller co-founded Kusari with Michael Lieberman and Parth Patel in 2022. Prior to Kusari, Miller was director of engineering at Citi, where he met Lieberman, while Patel was a senior cybersecurity systems engineer at Raytheon.
Miller says he, Lieberman, and Patel were motivated to start Kusari by a common problem: knowing what software and dependencies are being used by a particular application or system at a given time.
“Being in the dark causes a lot of problems, like being slow to react to security vulnerabilities, knowing if there are licensing or compliance issues, and even basic maintenance like ‘Who do I turn to if it breaks?’” Miller said. “We founded Kusari to bring transparency and security to software supply chains, making it easy to reason about what’s in an organization’s software — and show you what to do about it.”
To that end, Kusari leverages the open-source Guac project—to which Miller, Lieberman, and Patel contributed—to find the most used components in a software supply chain and identify exposure to dangerous dependencies. Kusari — powered by Guac — can also determine application ownership within an organization, ensure that applications meet an organization’s policies, and identify changes between different software versions.
On the remediation side, Guac — and Kusari by extension — can determine the “blast radius” of a bad package or vulnerability and provide a plan to fix it. It can also trace the point of origin of exploits, determining when — and where — they were introduced.
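As an added illustration of the reverse-dependency reasoning described above (this is example code written for this article, not Guac’s or Kusari’s own implementation), the script below builds a reverse dependency graph from a constructed list of edges with hypothetical package names, computes the “blast radius” of one bad package as the set of everything that transitively depends on it, reports the shortest dependency path to each affected application, and ranks the most-used components:

```python
from collections import defaultdict, deque

# Constructed sample data: (dependent, dependency) edges of a small
# organization's dependency graph. All package names are hypothetical.
SAMPLE_EDGES = [
    ("app-payments", "lib-http"),
    ("app-payments", "lib-json"),
    ("app-reports", "lib-json"),
    ("lib-http", "lib-tls"),
    ("lib-json", "lib-utf8"),
    ("app-admin", "lib-auth"),
]


def build_reverse_graph(edges):
    """Map each package to the set of packages that depend on it directly."""
    dependents = defaultdict(set)
    for dependent, dependency in edges:
        dependents[dependency].add(dependent)
    return dependents


def blast_radius(edges, bad_package):
    """Return {affected_package: path} for every package that transitively
    depends on bad_package. Each path runs from bad_package up to the
    affected package, so it shows where the exposure was introduced.
    bad_package itself is not included in the result."""
    dependents = build_reverse_graph(edges)
    paths = {}
    seen = {bad_package}
    queue = deque([(bad_package, [bad_package])])
    # Breadth-first search over reverse edges gives shortest paths first.
    while queue:
        package, path = queue.popleft()
        for parent in sorted(dependents.get(package, ())):
            if parent not in seen:
                seen.add(parent)
                paths[parent] = path + [parent]
                queue.append((parent, paths[parent]))
    return paths


def affected_applications(edges, bad_package, app_prefix="app-"):
    """Sorted list of deployable applications inside the blast radius.
    The prefix convention is an assumption for this example; a real
    inventory would carry an explicit 'application' type instead."""
    return sorted(p for p in blast_radius(edges, bad_package) if p.startswith(app_prefix))


def most_used_components(edges):
    """Rank dependencies by number of direct dependents (most used first)."""
    dependents = build_reverse_graph(edges)
    return sorted(((pkg, len(users)) for pkg, users in dependents.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Constructed scenario: a vulnerability is reported in lib-utf8.
    for package, path in blast_radius(SAMPLE_EDGES, "lib-utf8").items():
        print(f"{package}: exposed via {' -> '.join(path)}")
    print("affected applications:", affected_applications(SAMPLE_EDGES, "lib-utf8"))
    print("most used components:", most_used_components(SAMPLE_EDGES))
```

The same traversal answers the ownership question in reverse: once each application in the result is mapped to a team, the path attached to it tells that team which intermediate library pulled the bad package in, which is what they need to plan the fix.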
Miller sees Legit Security, Ox Security and Snyk as Kusari’s most formidable competitors. But he emphasizes Kusari’s open source approach, which he believes is unique.
“We have an open source plus SaaS business model,” he said. “Our initial strategy was to validate the approach through the open source product. Our SaaS product will be released later this year. We believe we can significantly reduce the cost of addressing software vulnerabilities while increasing confidence by enabling technology decision makers to understand the health of their software supply chain and quickly identify undetected risks.”
Future features in the pipeline include a ChatGPT-style chatbot that will allow users to “converse” with Guac (via Kusari) to better inspect and manage an organization’s supply chain, for example by asking questions such as “Which running containers have such and such a vulnerability?”
Miller says the team is working hard to run “lean” for now, focusing on hiring a “handful of experts” who can help Kusari build quickly. The platform hasn’t launched yet — but the startup is aiming for general availability later this year.
“As a result of the slowdown, we’re seeing some potential design partners pull back a bit from the collaboration as they focus on more critical business initiatives,” Miller added, “but the slowdown hasn’t affected us as much as others. We use the latest and greatest technology based on open source to make building and scaling our platform cost-effective.”