Digital business growth is an imperative across a broad range of companies and industries, and one thing those digital business strategies have in common is that they overwhelmingly rely on safe, secure software applications. Unfortunately, there is a rapidly growing threat from cyber criminals, hackers, and state-sponsored groups who attack the “software factories” that make these applications, so that they can embed vulnerabilities that are passed on to end users, disrupt the business operations of the software providers, or steal their valuable intellectual property. Legit Security has developed a new cyber-security solution to address this rapidly growing risk category, so that organizations can secure the software factory, also known as the software supply chain, that is used to develop and build the software itself.
According to Gartner®, 45% of organizations worldwide will have experienced attacks on their software supply chains by 2025, a three-fold increase from 2021. Other industry and government sources predict up to a 6X increase in these types of attacks in the years ahead. Earlier this year, Legit Security launched out of stealth mode with an enterprise SaaS platform that provides automated discovery and analysis of an organization’s software supply chain environment, along with the ability to identify vulnerabilities and respond to security incidents. With the backing of top-tier investors and an experienced executive team, the company’s mission statement is to “secure every organization’s software factory by protecting the pipelines, infrastructure, code and people for faster and more secure software releases.”
The company is bringing a modern perspective to the application security market and has made a significant early impact by providing a free Rapid Risk Assessment, responsibly disclosing new vulnerabilities that the company has found, and contributing to standards bodies to promote better software supply chain security globally.
Legit Security announced a free Rapid Risk Assessment shortly after launch to help organizations gain insight into vulnerabilities across their software supply chain, including guidance on how to mitigate future attacks. The company claims that the majority of security organizations are not fully aware of the complexity, or even the existence, of some of the systems set up by software developers within their software factory. These risk assessments frequently uncover a varied range of vulnerabilities previously unknown to both the security and application development teams, such as vulnerable misconfigurations, missing security controls, publicly exposed code repositories, and more.
Legit Security has also contributed back to the broader cyber-security community through the “responsible disclosure” of vulnerabilities it finds in other software development tools and systems. In this type of disclosure, the vendor of the vulnerable system is notified of the security issue first, so that it can address the issue with a security patch and notify affected customers. Afterwards, Legit Security typically publishes a notification to warn the broader community of the issue for education and awareness, along with information on how to determine whether an organization is still vulnerable and, if so, how to address it.
Legit Security has become an active participant in standards bodies and industry organizations as well. These organizations are dedicated to improving secure software development and the software supply chain, and include, but are not limited to, OpenSSF and the Linux Foundation. “Attacks on software supply chains are estimated to increase between 3-6X per year and are a global threat,” Liav Caspi, CTO of Legit Security, stated. “We look forward to working with OpenSSF and others to publish security research and contribute tools and code for more secure software delivery and consumption across the entire community.”
Legit Security customers include large enterprises in financial services, hospitality, and healthcare, as well as other software providers that have a business-critical need to secure their own internal software factories from attack. The company says that its platform appeals not just to security leaders but also to software development leaders, many of whom are also highly interested in improving the security “hygiene” and practices of their teams. The platform’s risk scoring capabilities allow organizations to compare security parameters across teams, product lines, and development pipelines, and can act as a vehicle to improve overall security across an enterprise.
“Legit Security provides a single pane of glass to mitigate software development risk,” said Bob Durfee, Head of DevSecOps at Takeda Pharmaceutical Company. “We’re now able to inventory all our SDLC systems and security tools, view developer activity, and detect and remediate vulnerabilities across them fast. Legit’s security scoring also allows me to measure the security posture of different teams and show progress improving it.”
“Legit is providing us with visibility across the entire supply chain, which helps us minimize risk and raise analyst productivity,” said James Robinson, Deputy Chief Information Security Officer at Netskope. “Legit’s platform nicely complements our existing investments in application security tools, and allows us to make better decisions in allocating our security controls and resources.”
Legit Security is expanding its sales and marketing capabilities across North America and is steadily extending its platform to address more scenarios and use cases for securing the complex software supply chains found in large enterprises. The company is also growing its in-house security research team to better analyze emerging threats and promote safe, effective countermeasures to the community at large. For more information on Legit Security and its thought leadership in this important emerging category of software cyber-security, please visit https://www.legitsecurity.com/.