The software supply chain, which comprises the components, libraries and processes companies use to develop and publish software, is under threat.
According to one recent survey, 88% of companies believe that software supply chain security presents an “enterprise-wide risk” to their organizations, while nearly two thirds (65%) believe their organizations’ software supply chain security program isn’t as mature as it should be. A separate poll found that the mean number of supply chain breaches increased to around four incidents per company in 2023, up from roughly three incidents in 2022 — a 25% increase.
Now, you might point out — and not wrongly — that there’s a number of vendors large and small out there tackling the supply chain security challenge. And you wouldn’t be wrong. But a new entrant, Kusari, thinks it can do better with a team hailing from the financial services and defense industries.
Investors seem willing to buy in. This month, Kusari — whose namesake is the Japanese feudal weapon kusari-fundo — raised $8 million across pre-seed and seed funding rounds that had participation from J2 Ventures, Glasswing Ventures and Unusual Ventures. The cash will be put toward building out Kusari’s software-as-a-service (SaaS) platform, co-founder and CEO Tim Miller said, and growing the startup’s team from eight people to about 15.
“There’s a real lack of education regarding software supply chain management and the tooling, specifications and standards within that space,” Miller told TechCrunch in an email interview. “The Kusari platform acts like a GPS for navigating supply chain issues, helping chief information security officers understand and reason about the software risks they’re facing — and helping DevOps folks easily and automatically fix those issues.”
Miller co-founded Kusari with Michael Lieberman and Parth Patel in 2022. Prior to Kusari, Miller was an engineering director at Citi, where he met Lieberman, while Patel was a senior cybersecurity systems engineer at Raytheon.
Miller says that he, Lieberman and Patel were spurred to launch Kusari by a shared problem: knowing which software and dependencies are being used by a particular app or system at a given moment.
“Being in the dark causes lots of issues, like being slow to react to security vulnerabilities, knowing if there’s licensing or compliance issues and even basic maintenance like ‘Who should I go to if this breaks?,’” Miller said. “We founded Kusari to bring transparency and security to software supply chains by making it easy to reason about what is in an organization’s software — and show you what to do about it.”
To that end, Kusari leverages the open source project Guac — to which Miller, Lieberman and Patel contributed — to find the most-used components in a software supply chain and identify exposures to risky dependencies. Kusari — powered by Guac — can also determine the ownership of apps in an organization, make sure that apps meet an organization’s policies and determine changes between different versions of software.
On the remediation side, Guac — and Kusari by extension — can determine the “blast radius” of a bad package or vulnerability and provide a plan toward patching it. It can also trace the origin point of exploits, pinpointing when — and where — they were introduced.
Miller sees Legit Security, Ox Security and Snyk as Kusari’s most formidable competitors. But he emphasis Kusari’s open source approach, which he believes is unique.
“We have an open source plus SaaS business model,” he said. “Our initial strategy was to bring validation to the approach through the open source product; our SaaS product will be released later this year. We believe that we can significantly reduce the cost of dealing with software vulnerabilities while increasing the confidence in doing so, allowing technology decision-makers to understand the health of their software supply chain and quickly determine if there are unaddressed risks.”
Future capabilities in the works include a ChatGPT-like chatbot that’ll let users “chat” with Guac (through Kusari) to inspect and get a better handle on an organization’s supply chain, for example by asking questions like “Which running containers have such and such vulnerability?”
Miller says that the team is taking pains to run “lean” for now, focusing on hiring a “handful of experts” who can help Kusari build out quickly. The platform still hasn’t launched — but the startup’s targeting later this year for general availability.
“As a result of the slowdown, we’re seeing some potential design partners pull back a bit from collaboration as they focus on more critical business initiatives,” Miller added, “but the slowdown hasn’t affected us as much as others. We’re using the latest and greatest tech built on open source to make building out and scaling our platform cost-effective.”