
TL;DR: “Assume nothing. Question everything.” It’s a saying that reminds us to stay vigilant and not take things at face value. And when it comes to creating and selling software, Lineaje exemplifies that mindset. Led by CEO and Co-Founder Javed Hasan, Lineaje is dedicated to uncovering and addressing hidden risks in the software supply chain with automated solutions.
Did you know that 8 out of 10 surveyed consumers check where their food comes from before buying it?
Their reasons vary, but they often revolve around safety concerns, ethical practices, and freshness — like when you see pears harvested in Argentina, packaged in Thailand, and sold in the UK.
But just as we’re cautious about the origins of our food, we should also be vigilant about where our software comes from. OK, it may sound odd to compare your food to software, but think about it: You use software every day, right? (Hint: You’re using it right now.)
As for me, it’s not something I ever really considered — at least before learning about Lineaje. Like the average consumer, I assumed that all my tech went through the proper steps in the supply chain — from development to release — before going to market.

But Lineaje highlighted something pressing, and it’s that many organizations have experienced a cybersecurity breach in their supply chain — 98% of them, to be exact.
There are solutions, though.
Lineaje’s CEO and Co-Founder, Javed Hasan, shared some of those insights, starting with a crucial piece of advice: “If you’re developing new software, assess your supply chain. If you’ve already deployed software, know what’s inside of it.”
Know Your Code
Lineaje, pronounced like lineage, is obviously a clever name.
But I think Javed explained its origin best when he said, “Lineaje is not just about the lineage of your software; it’s also about recognizing your own legacy and taking responsibility for it.”
I think what Javed means is that it’s up to all of us to be conscious of what we’re producing and consuming — from food to software and everything in between.
With that in mind, Lineaje was founded with a mission to tackle those hidden risks in the software supply chain.
But the idea of Lineaje is also personal for Javed.
Living in Silicon Valley, Javed has witnessed firsthand how many startups have blossomed over the years.
In fact, Javed’s son founded his own data startup not too long ago. Javed recalled thinking that because of his son’s success, he too finally believed he was capable of bringing an idea to life.
“So I followed in his footsteps,” Javed said. “He’s still my number-one advisor.”
It’s a young company, but within a year of existing, Lineaje secured $7 million in funding from Tenable Ventures. The round also included participation from Dreamit Ventures, Veear Capital, Richard Clarke’s Belltower Fund Group, and other prominent cybersecurity executives.
By 2023, more customers joined the platform, including some of the biggest government organizations, such as the U.S. Marines, Air Force, and Department of Education.
By 2024, Lineaje raised an additional $20 million in a Series A funding round.
If you’re not familiar with venture capitalism or Silicon Valley, Series A financing is the first round of funding for startups that have shown progress in their business model. If all goes well, Series B and Series C aptly follow.
Making it to Series A is an accomplishment in itself because getting funded is a very competitive game. Lineaje, though, had a good foundation to build on — the facts.
“What we discovered was that, in about 20 years of attacks, no supply chain attack had been detected and prevented,” Javed said.
As the Lineaje team looked deeper, they realized that when nobody knows what is inside a piece of software or where it came from, tampering with it can go unnoticed.
“That’s why we believe there’s a crucial need for a company that can detect tampering of software components,” Javed explained. “But to do that, you first need to understand the software’s lineage.”
Your Software’s Lineage
As your average Joe consumer, I don’t think about software supply chain security management. I would wager that you probably don’t, either. Javed likened it to a car company.
“BMW assembles the final product, but it relies on thousands of parts from other suppliers, whether it’s seats, carburetors, or windshields. It’s up to BMW to specify the quality and functionality of each part to ensure the car meets its standards,” Javed explained.
He went on to say that with software specifically, the trend has shifted toward assembling software from open-source and third-party components rather than building it entirely in-house, especially over the past decade.
“The software supply chain is largely unmanaged. Most companies don’t even know what’s in the software they ship, let alone their customers,” said Javed. “When building new software, you need to understand the components you’re using: where they come from, their vulnerabilities, code quality, and security.”
I’ve seen firsthand how popular open-source software (OSS) is. It’s a great thing — a sign of a more collaborative and open internet.
Countless companies use open-source code in one way or another, whether it’s part of their projects or for their entire operations. In fact, about 96% of all code bases incorporate open-source software.

But, as its name suggests, OSS can also pose some security risks.
Or, as Javed said: “OSS tends to age like milk instead of wine.”
Why? Since OSS isn’t regulated by any one entity, it may not receive regular updates because it relies on inconsistent community support. Its source code is also publicly available to anyone who wants access.
It’s similar to a community garden. Anyone can reserve a plot and plant whatever they’d like. But what if someone in the community garden planted Japanese knotweed — an aggressive plant that smothers surrounding plants through its root system?
The same thing can happen with software.
Take SolarWinds, for example. In 2020, it uncovered a cyberattack that enabled hackers to slip through a back door into the company’s software updates. This move gave the attackers full access to a wide range of organizations, including sensitive U.S. government agencies and Fortune 500 companies.
Had SolarWinds used a company like Lineaje, maybe it would have known about it sooner. Or better yet, the software developer would have identified the attack long before any damage was done.
Simplifying Software Security
OK, I’ve talked enough about the importance of cybersecurity and software in the supply chain. Now, I want to dive into how Lineaje is designed to help.
Since Lineaje focuses on continuous integration and continuous deployment and delivery (CI/CD) — which involves merging code and deploying changes to users quickly — it has four main products, all of which leverage artificial intelligence and machine learning (AI/ML):
- SBOM360: Think of this as a tool that tracks every piece of software you use, create, or sell throughout its entire life cycle. You can also create policy gates at each stage so all code is up to…well, code!
- SBOM360 Hub: Manage, create, publish, and share your software here. This hub also has compliance and risk assessment, so you can make sure it meets all necessary regulations (such as Executive Order 14028, better known as “Improving the Nation’s Cybersecurity”).
- Third-Party Risk Manager: If you purchase software from other companies, this tool helps you understand what’s inside and manage any potential risks. It essentially gives you a clear view of where the software comes from and even auto-detects policy violations from vendors you’re working with.
- Open-Source Manager: Designed for managing any and all of your open-source software, this auto-detects risks in all open-source components. Using Lineaje AI, you can also get intelligent maintenance plans.
- BOMBots: Powered by Lineaje AI, BOMBots analyzes the software and provides recommendations across the supply chain where needed. It also assesses software applications for compatibility and prioritizes vulnerabilities based on severity — which can save you up to 40% in maintenance costs.
AI is a major player in identifying software vulnerabilities, Javed said. Lineaje AI automatically detects everything from security risks to the potential impact of new upgrades on your entire system.
“There are companies updating software a million times a day. Some of those changes are breaking changes, some aren’t. What our AI can do is figure out which ones will break things and which won’t, and then group them separately,” he explained. “It basically ensures your software doesn’t break.”
Another neat tool that Lineaje recently integrated is its own generative AI chatbot. If you just want quick answers across your multiple applications, this is the tool that will do it for you.
Javed compared it to the ChatGPT platform: you can type in a question, such as ‘Do I have any vulnerabilities that could be exploited through network connections?’, and get a quick answer.

“It’s interesting and helpful because before, project managers would need to check with each development team about vulnerabilities, compile long spreadsheets, and wait two weeks to drive remediation,” Javed said. “Now, you can get the answer in 10 seconds, all in plain English.”
In a world where technology touches nearly every aspect of our lives, taking these precautionary steps isn’t just important — it’s the right thing to do. Ask any developer and they’ll tell you clean code is good code, and good code is ethical code.
Or as software engineer Robert C. Martin, AKA Uncle Bob, said: “Clean code always looks like it was written by somebody who cares.”
So whether you’re developing software in-house or outsourcing, knowing the security of your supply chain is a step closer to upholding those standards.
And, to be honest, with cyberattacks at an all-time high, it’s just another reason to stay vigilant.