Lexumo, Cloud Security Alliance and Others Ramp Up Secure Cloud Solutions

by Ostatic Staff - Feb. 02, 2016

As open source-centric cloud deployments have proliferated, so have concerns about the security of those deployments. Have you heard of the cloud access security broker (CASB) space? If not, we covered it here. Keeping cloud deployments and tasks secure is a big deal at many organizations, and CipherCloud, which focuses on data protection, and the Cloud Security Alliance (CSA) have formed a Cloud Security Open API Working Group to jointly define protocols and best practices for implementing cloud data security.

Meanwhile, securing open clouds is becoming big business. As a case in point, Lexumo, a Massachusetts cloud services firm that monitors open source code to determine if it has the latest security updates, has announced a $4.89 million venture funding round.

The $4.89 million in seed funding comes from Accomplice, .406 Ventures, and Draper. Lexumo continuously searches and indexes software to identify publicly known open source vulnerabilities that can cause theft of sensitive data, failure of critical systems, and brand damage. The company’s cloud-based service integrates with existing software development workflows, and the company claims it does not require access to source code.

Lexumo’s new funding will be used to further develop and commercialize the platform and build the company’s sales and marketing teams. 

“To gain speed and agility, the vast majority of development organizations today assemble software from reusable software ‘building blocks’ which are downloaded from open source repositories. Yet many of these components contain published vulnerabilities which are extensively described in public forums and vulnerability databases – providing cyber attackers with a clear roadmap to attack critical systems, devices, and enterprise applications,” said Brad Gaynor, Ph.D., CEO and co-founder of Lexumo. “The funding is a validation of our scalable, cloud-based approach to identifying and eliminating open source vulnerabilities in a new and innovative way.” 

According to industry analysts, open source software is now used for mission-critical IT by 95 percent of all mainstream IT organizations, as well as in 85 percent of all commercial software packages. Yet, in 2014, Lexumo reports there were approximately 52 million downloads of vulnerable components from the Central Repository, which supplies widely used shareable components developed by open source organizations such as The Apache Software Foundation, Atlassian, Red Hat (JBoss), and Oracle (Java). When these vulnerable components are integrated into a company’s software, its products and applications are at risk.

According to Lexumo:

"Originally developed at Draper with DARPA funding, Lexumo’s 'Big Code' technology combines big data analytics with software analysis techniques for the first time. This unique approach uses indexed search techniques to continuously identify deep commonalities between the hundreds of millions of lines of open source code available today and the software used in a particular system, device or application."

Separately, according to an announcement post for the Cloud Security Alliance (CSA):

"The Cloud Security Open API Working Group will provide guidance on vendor-neutral data-security implementation to help accelerate cloud services adoption. Collaboration on these guidelines will also further accelerate security integrations across multiple clouds and with third-party technologies. This initiative will enable enterprises to leverage standards-based APIs to protect data via encryption, tokenization and other technologies across cloud environments, helping eliminate the need for custom integration for each cloud. The working group plans to produce API specifications and a reference architecture to guide cloud data protection."

"Standards are an important frontier for the cloud security ecosystem," said Jim Reavis, CEO of CSA. "The right set of working definitions can boost adoption. This working group will help foster a secure cloud-computing environment – a win for vendors, partners and users. Standardizing APIs will help the ecosystem coalesce around a universal language and process for integrating security tools into the cloud applications."

"Cloud is the killer app for security innovation," said Pravin Kothari, founder and CEO of CipherCloud. "But currently, inefficiencies at the technical level in the form of custom connector protocols can hold back innovations in cloud security. Defining a uniform set of standards can enable us all to operate from the same playbook. As a pioneer in CASB, we are excited to co-lead this initiative with CSA to accelerate security across clouds."