
10 Fastest Growing IoT Companies 2017

Lexumo Enables Developers to Securely Adopt the Best Open Source Available, So They Can Ship Great Products Faster

Most of the world’s embedded software incorporates reusable open source components such as OpenSSL. Unlike commercial products such as Microsoft Windows and Apple iOS, open source components are managed by an informal, decentralized community. There are no standard patching mechanisms and no single information source for tracking new public vulnerabilities such as Heartbleed.

Over 8,000 open source vulnerabilities are publicly-disclosed every year. Lexumo saves time and reduces risk by helping developers quickly eliminate open source vulnerabilities in their code, while also ensuring they’re in compliance with licensing requirements. It offers the first automated service that continuously monitors your embedded code for public open source vulnerabilities such as Heartbleed.

Based in Burlington, Massachusetts, Lexumo was formed by a team of computer and data scientists who developed the company’s core technology for DARPA. Privately held and funded by leading cyber-security investors .406 Ventures and Accomplice, it has been recognized as an IoT Company to Watch and a Machine Learning Startup to Watch.

Built on a massively-scalable cloud stack, the service uses patent-pending graph analytics and machine learning technology to precisely identify vulnerable code. This radical new architecture eliminates the false positives and negatives of previous approaches — enabling development teams to ship and maintain secure code, faster.

What sets Lexumo apart from its competitors?

Lexumo is the only automated service that continuously monitors your code for the latest public vulnerabilities. Using automated crawlers, data science and a team of security analysts, it continuously curates its vulnerability and remediation intelligence — over each commit of each open source project. As a result, it delivers ongoing guidance that’s much more reliable — and relevant to your code — than generic, community-owned databases.

The company doesn’t just find vulnerabilities; it also gives you instructions to patch them. And because it analyzes the essential functionality of your code — rather than relying on superficial package IDs or version strings — it won’t waste your time flagging a vulnerability in code you haven’t even compiled into your product.

Lexumo’s automated service integrates with your existing CI/CD workflows (Jenkins, JIRA, etc.) — so you can ship secure code, faster. It also saves time by automating tedious tasks such as tracking open source component usage and monitoring issue trackers for the latest public vulnerabilities.

Accurate and actionable insight

Bill of materials: Know precisely which open source components are in your code, based on graph analytics and machine learning technology developed for DARPA.

Risk dashboard: See all public vulnerabilities affecting your code, including which functions are vulnerable and why — even if you’ve modified the component.

Patching instructions: Implement code-level fixes to quickly address new vulnerabilities and avoid version upgrades that can break other dependencies.

Immediate alerts: Know immediately whenever new vulnerabilities are discovered that affect your code (such as Heartbleed), based on its curated vulnerability intelligence.

Mechanism

Index: Lexumo crawls the Internet, continuously indexing the world’s open source software. It ingests every package and library, every version, ever. It stores an abstracted representation of each component that captures its essential functionality as features, rather than relying on source code or binary representations. The result is a searchable graph of all the open source software ever written, stored in a massively-scalable, AWS-based cloud stack. This enables its platform to accurately identify both vulnerable and patched components in your code, even when the source has been modified.

Curate and Annotate: Using machine learning algorithms, its team of security analysts continuously curates its vulnerability and remediation intelligence. The company continuously monitors data sources beyond CVE, such as product advisories and mailing lists. It crawls its graph of the world’s open source software and runs analytics over every branch of every package to identify vulnerable code. It then annotates its graph with each vulnerability for each version of each component, along with patch and license information. The result is complete knowledge of publicly-disclosed vulnerabilities in open source software.

Search: Lexumo searches the annotated graph for your code, precisely identifying all open source components and versions compiled into your product. Lexumo also reports on vulnerabilities and licenses for each component. And because its platform is based on indexed search, newly-discovered vulnerabilities trigger an immediate alert when they apply to your code (no rescanning required).

Remediate: By analyzing both safe and previously-vulnerable versions of code in open source repositories, Lexumo identifies exactly how the vulnerable code was fixed by the open source community. It then provides patch instructions so you can quickly fix your code without a full upgrade that can break other dependencies. It also tells you the minimum version required to eliminate the vulnerability, so you can upgrade at a later date.

Meet the Key Executive

Dan McCall, CEO: McCall is a Boston area technology executive who started his career during the mini-computer boom of the early 80’s. He blends a mix of technical, marketing and business savvy and has become a top executive and active board member across a variety of industries including networking, storage, information security and virtualization. He is an alumnus of the University of Connecticut.

“Our code security platform is being used by leading Global 2000 brands including global service providers and both consumer and industrial IoT manufacturers.”
