In 2022, we launched Manifest to address software supply chain visibility through software bills of materials (SBOMs). Today, we’re incredibly proud to announce that we have built an amazing team, pushed our product into production with incredible customers, and raised $6 million in funding led by First Round Capital.
Software is the only thing we buy that we don’t know what’s in it
Our groceries come with lists of ingredients. Our t-shirts tell us they’re 80% cotton and 20% polyester. We get home inspections before we buy a house. But when we buy a piece of software, it just shows up on our desktops and in our workplaces, and we more or less hope for the best.
Software in 2023 is less code writing than it is assembly. By some accounts, 78% of code in 2022 was open source. Every major enterprise relies on open source and third-party software components that power their internal applications and third-party vendors. Worryingly, 88% of those open source components are unpatched, and adversaries have taken notice.
Software supply chain vulnerabilities are escalating rapidly. Software supply chain attacks have grown 300% since 2020, and an astonishing 62% of enterprises say they were hit with software supply chain attacks in 2021. Cybersecurity is often referred to as the “horizontal vertical,” touching every industry and every enterprise. The problem of understanding what’s in the software we build and buy is something that has been overlooked for too long, and in recent years, headline-making and business-disrupting cybersecurity vulnerabilities such as Log4shell, Solarwinds, and Apache Struts have brought it front and center.
The Log4j problem
On December 9, 2021, security professionals at virtually every major enterprise woke up to the nightmare scenario: a reputable, widely-adopted piece of open-source software was discovered to contain a vulnerability, and what was worse, that vulnerability was actively being exploited in the wild. This began a harried, manual, terrifyingly ad hoc process to call tens of thousands of vendors and scan codebases to figure out where each organization was impacted. All-nighters, frantic emails and phone calls, conditionally formatted Excel sheets, and hastily written memos to boards of directors and shareholders ensued. Nobody seemed to know what the exposure was. We were working at the Department of Defense and Palo Alto Networks — two of the world’s most advanced and mission critical organizations — and we watched with concern as even our colleagues struggled to answer the basic question, “Where do I have Log4j in my ecosystem?”
In sophisticated enterprises, it took five weeks to find all the Log4j. In less sophisticated ones, it never happened at all. Log4shell cost an estimated $10 billion in overtime, lost revenue, opportunity cost, and damages. And unfortunately, virtually none of that work to determine exposure to a given component was reusable in the event of the next major software supply chain vulnerability. There was simply no way to inventory every application’s components.
To address this problem, public and private sector enterprises are turning to software bills of materials, or SBOMs. SBOMs are effectively a list of ingredients — not unlike a list of ingredients on a box of cereal — that spell out the components inside a given application. The Biden administration, through legislation such as Executive Order 14028 and policy memos like the National Cybersecurity Strategy, has made it clear that SBOMs will be a critical part of federal cybersecurity policy going forward. SBOM management capabilities will be needed to extract insights from this novel dataset, and according to Gartner®, “by 2026, at least 60% of organizations procuring mission-critical software solutions will mandate SBOM disclosures in their license and support agreements, up from less than 5% in 2022.”1
Tools have emerged to help developers generate SBOMs, but there’s almost nothing to help security professionals consume SBOMs. And without a method of consumption, SBOMs remain uncontextualized bits of JSON files stored on desktops and in Google Drive folders.
Enter Manifest
Using SBOMs to solve the “Log4j problem” has become the fundamental north star for Manifest. We hold ourselves to turning that six-week, hair-on-fire nightmare scenario into a proactive notification by addressing the entire SBOM lifecycle:
- Generation: Automatically generate SBOMs without developer intervention from within your organization’s CI/CD pipeline.
- Solicitation: Securely share SBOMs between vendors and customers with AskBOM, an automated SBOM solicitation tool.
- Ingestion: Drag-and-drop SBOMs into Manifest, irrespective of format (CycloneDX or SPDX) or file type (XML, JSON, etc.).
- Vulnerability and exploitability assessment: Match known components with several industry-leading vulnerability databases, and enrich that data with exploitability information from EPSS and KEV.
- Action: Create SIEM tickets, export PDF reports, or configure Slack/email alerts for proactive notification of new vulnerabilities.
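To make the ingestion and matching steps above concrete, here is an added example (not Manifest's product code) that reads a CycloneDX or SPDX JSON SBOM into one flat component list and checks it against an advisory feed, which is the mechanical core of answering "Where do I have Log4j?" from SBOM data. Both SBOM documents and the advisory list (`ADVISORIES`, with the placeholder ID `ADV-EXAMPLE-001` and its affected-version range) are constructed for illustration; the version ordering is a deliberate simplification that treats pre-release suffixes as zero.

```python
"""Added example: normalise a CycloneDX or SPDX JSON SBOM into components
and match them against an advisory feed. Hypothetical code; the SBOMs and
advisories below are constructed, not real data."""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str  # package URL; "" when the SBOM does not carry one


# Minimal package-URL parser: pkg:<type>/[<namespace>/]<name>[@<version>]
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>.+)/)?(?P<name>[^@?#/]+)(?:@(?P<version>[^?#]+))?"
)


def parse_purl(purl):
    """Return the purl fields as a dict, or None if the string is not a purl."""
    m = PURL_RE.match(purl)
    return m.groupdict() if m else None


def _version_key(v):
    """Order '2.14.1' as (2, 14, 1). Simplification: non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def load_components(sbom_text):
    """Flatten a CycloneDX or SPDX JSON document into Component objects."""
    doc = json.loads(sbom_text)
    comps = []
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            comps.append(Component(c.get("name", ""), c.get("version", ""), c.get("purl", "")))
    elif "spdxVersion" in doc:
        for p in doc.get("packages", []):
            # SPDX carries the purl as an external reference of type "purl"
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), "")
            comps.append(Component(p.get("name", ""), p.get("versionInfo", ""), purl))
    else:
        raise ValueError("unrecognised SBOM format")
    return comps


# Constructed advisory feed (placeholder ID and illustrative range, not real data)
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "purl_type": "maven", "namespace": "org.apache.logging.log4j",
     "name": "log4j-core", "affected_min": "2.0", "affected_max": "2.14.1"},
]


def find_exposure(components, advisories):
    """Return (component, advisory_id) pairs whose name/ecosystem/version match."""
    hits = []
    for comp in components:
        p = parse_purl(comp.purl) or {"type": None, "ns": None,
                                      "name": comp.name, "version": comp.version}
        version = p.get("version") or comp.version
        for adv in advisories:
            if p["name"] != adv["name"]:
                continue
            # Only constrain ecosystem/namespace when the SBOM actually provides them
            if p["type"] and p["type"] != adv["purl_type"]:
                continue
            if p["ns"] and p["ns"] != adv["namespace"]:
                continue
            lo, hi = _version_key(adv["affected_min"]), _version_key(adv["affected_max"])
            if lo <= _version_key(version) <= hi:
                hits.append((comp, adv["id"]))
    return hits


# Constructed sample SBOMs
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    ],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "log4j-core", "versionInfo": "2.17.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
    ],
})

if __name__ == "__main__":
    for label, text in (("cyclonedx", CYCLONEDX_SAMPLE), ("spdx", SPDX_SAMPLE)):
        for comp, adv_id in find_exposure(load_components(text), ADVISORIES):
            print(f"{label}: {comp.purl or comp.name} matches {adv_id}")
```

Because every SBOM is reduced to the same `Component` shape before matching, a new advisory is a one-line addition to the feed and re-running the match over the stored SBOMs answers the exposure question without touching a codebase or calling a vendor.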
Early customers, $6M in funding, and ambitious plans
Today, we are proud to announce customers in the healthcare, aerospace, and defense industries. We are also pleased to report that Manifest has been selected by the Department of Homeland Security’s Science and Technology Directorate’s Silicon Valley Innovation Program (SVIP). DHS SVIP had the foresight to develop a Software Supply Chain Visibility Tools topic call, which promotes innovative solutions for SBOM consumption and ensures those solutions meet the needs of the United States Government. We are honored to have been selected to work with DHS, and we look forward to supporting their important missions.
Building on that public sector traction, we were recently selected for a contract through the Air Force AFWERX program, through which we will bring SBOM management to Air Force programs and explore applicability throughout the Department of Defense via the Air Force Research Laboratory (AFRL). The Department of Defense, with its vital mission and incredible purchasing power, has the capability to lead on third party SBOM requirements in a way that many small enterprises currently cannot, and it has been encouraging to see forward-leaning units and commands making SBOM a first-order priority.
We have also closed a seed round led by First Round Capital, with participation from other great investors including XYZ, Palumni VC, Homebrew, BoxGroup, Silver Buckshot, Twelve Below, and Huge if True Ventures (Zachariah Reitano and Cleo Abram), as well as individual investors Diede van Lamoen (Stripe), Oren Falkowitz (Area One), Barry McCardel (Hex), Leif Dreizler (Twilio), and Pete Zimmerman (Ro).
This funding will help us define the future of software supply chain management, including greater visibility into component provenance, integrations with leading SCA/asset inventory/vendor management tools, and world-class service and support. If you’re interested in joining the cause, check out our careers page or learn more at manifestcyber.com!
1 Gartner, Emerging Tech: A Software Bill of Materials Is Critical to Software Supply Chain Management, September 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.