Xeol - Modern platform for software supply chain security

Unveiling Xeol: Revolutionizing Software Supply Chain Security

In the ever-evolving landscape of technology, innovation knows no bounds. Startups continually emerge, each with a unique vision aimed at addressing contemporary challenges. One such trailblazing startup, Xeol, has burst onto the scene with its mission to fortify software supply chain security. But what exactly is Xeol, and how does it plan to reshape the security landscape? Join us on a journey to discover the answers to these questions and more as we delve into the world of Xeol.

Who Are the Visionaries Behind Xeol?

Behind every great startup, there are visionary founders who propel their dreams into reality. In the case of Xeol, this dynamic duo consists of:

ShiHan Wan - CEO and Backend Engineer

ShiHan Wan, the CEO of Xeol, brings a wealth of experience to the table. Having previously played a pivotal role in building two startups from their early stages to unicorn status, Wan is no stranger to the startup world. Now, he's channeling his expertise into making Xeol a security powerhouse.

Benji Visser - CTO with a Rich Background

Benji Visser, the CTO at Xeol, is a seasoned professional who hails from a background at notable tech giants. His previous stints at Datadog and Ada have equipped him with valuable insights into the tech industry. Notably, Visser was a Senior DevOps Engineer at Datadog, where he led the service catalog project, boasting nearly a decade-long career in DevOps.

These founders first crossed paths six years ago as early engineers at Ada, where they spearheaded backend development, cloud infrastructure, and security. Now, their journey has led them to the creation of Xeol, where they're determined to empower AppSec engineers in identifying, remediating, and enforcing security measures efficiently.

What Is Xeol All About?

Xeol's mission is clear: to modernize software supply chain security. But what does that entail, and how does Xeol aim to achieve it?

Xeol's Core Functionality

Xeol serves as a modern platform designed to enhance software supply chain security. It doesn't just aim to detect vulnerabilities; it goes several steps further. Here's how:

Contextual Graph Representation: Xeol renders your software supply chain as a contextual graph, enriching it with vital information such as vulnerabilities, end-of-life status, OSSF (Open Source Security Foundation) scores, attestations, and licensing data.

Policy Enforcement: Once your supply chain is visualized, Xeol enables you to enforce security policies at various stages, from the build process to runtime. This ensures comprehensive protection against supply chain attacks, similar to those witnessed in incidents like SolarWinds.

Developer-Friendly: Xeol understands the importance of product development timelines. As developers themselves, the founders have ensured that Xeol enhances security without sacrificing product/engineering lead time. Moreover, it's designed to be agentless and effortless to set up, allowing you to get started within minutes.

Who Benefits from Xeol?

Xeol isn't just a niche solution; it caters to a broad spectrum of users, including Fortune 500 companies. But why are these companies turning to Xeol, and how does it address their specific needs?

The Problem: A New Attack Vector

Before we delve into Xeol's solutions, let's first understand the problem it seeks to address. Imagine asking someone on the street to plug in a random USB drive – the idea seems ludicrous. Yet, developers unwittingly expose their software supply chain to risks every day by incorporating open-source packages. To put things into perspective, the typical npm package boasts a staggering 86 dependencies. Moreover, supply chain attacks have surged by a whopping 600% in just a year, expanding the attack surface significantly.

What's Not Working?

Several factors contribute to the growing problem:

Too Much Noise: Existing tools inundate users with every possible Common Vulnerabilities and Exposures (CVE) entry without providing contextual runtime information. This makes prioritization nearly impossible and leads to alert fatigue.

Rising Attacks: Generative AI has empowered malicious actors, making it easier for them to launch attacks, putting software supply chains at greater risk.

Huge Attack Surface: The supply chain involves multiple stakeholders, including open-source maintainers, their code, Continuous Integration/Continuous Deployment (CI/CD) systems, container orchestrators, and in-house developers. Each of these components represents a potential entry point for attackers.

The Solution: Complete Ontological Visibility

Xeol emerges as a beacon of hope in a landscape fraught with risks. This agentless solution scans your software artifacts during both the build and runtime phases, creating a contextual graph of your software supply chain. This graph empowers AppSec engineers in several ways:

Answering Questions:
  • Where Am I Using Package X? Xeol provides a precise view of package dependencies, enabling you to identify where specific packages are utilized within your software.
  • Which Software Are End-of-Life? Knowing which components are at the end of their lifecycle is crucial for maintaining a secure supply chain.
  • Which Packages Are Missing SLSA Attestations? Security-conscious organizations can track packages that lack crucial SLSA (Supply Chain Levels for Software Artifacts) attestations.
  • Which Software Artifacts Are Produced from Repo X? Traceability is key, and Xeol offers insights into the origins of your software artifacts.
Enforcing Policies:
  • Ensure All Docker Images Were Built by My Organization from Our CI Pipeline: With Xeol, you can enforce policies that mandate your organization's involvement in image creation, enhancing security and accountability.
  • Prevent Software X, Which Is End-of-Life, from Being Packaged in Our Docker Images: Xeol helps you prevent the inclusion of outdated and vulnerable software in your Docker images, mitigating risks.
  • Ensure All Packages Meet a Minimum OSSF Score: Prioritize secure packages by enforcing a minimum OSSF score.
  • Prevent Any Dependencies Using a GPL License: Enforce licensing policies to ensure compliance and avoid licensing conflicts.
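The questions and policies above are all queries over one graph: artifacts point at the packages they contain, and every node carries attributes such as end-of-life status, an OSSF score, SLSA attestation, license, and the pipeline that built it. The following Python is an added illustration, not Xeol's code: the node model, the attribute names, the trusted-pipeline name `acme-ci`, the score threshold of 5.0, and the package and image names in the sample inventory are all constructed here to show how such a graph answers each question and how each policy becomes a check that can gate a build or a deployment.

```python
"""Toy software-supply-chain graph with the four questions and four policies.

Added illustration, not Xeol's code. Node model, attribute names, thresholds
and the sample inventory below are assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Node:
    kind: str                              # "image" (artifact) or "package"
    deps: List[str] = field(default_factory=list)  # direct dependency names
    eol: bool = False                      # vendor/community end-of-life flag
    ossf_score: Optional[float] = None     # OSSF Scorecard-style 0..10 score
    slsa_attested: bool = False            # SLSA provenance attestation present
    license: Optional[str] = None          # SPDX-style license identifier
    built_by: Optional[str] = None         # CI pipeline that produced an image
    source_repo: Optional[str] = None      # repository an image was built from


# Constructed sample inventory: two images and four packages (all names fictional).
GRAPH: Dict[str, Node] = {
    "api:1.4": Node("image", deps=["webfw", "legacy-ssl"],
                    built_by="acme-ci", source_repo="github.com/acme/api"),
    "worker:0.9": Node("image", deps=["padhelper"],
                       built_by="laptop-build", source_repo="github.com/acme/worker"),
    "webfw": Node("package", deps=["qsparse"], ossf_score=8.1,
                  slsa_attested=True, license="MIT"),
    "qsparse": Node("package", ossf_score=6.3, slsa_attested=False, license="BSD-3-Clause"),
    "legacy-ssl": Node("package", eol=True, ossf_score=5.0,
                       slsa_attested=True, license="Apache-2.0"),
    "padhelper": Node("package", ossf_score=2.2, slsa_attested=False, license="GPL-3.0"),
}


def transitive_deps(graph: Dict[str, Node], name: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Every package reachable from `name`; the `seen` set makes it cycle-safe."""
    seen = seen if seen is not None else set()
    for dep in graph[name].deps:
        if dep not in seen:
            seen.add(dep)
            transitive_deps(graph, dep, seen)
    return seen


def images(graph: Dict[str, Node]) -> List[str]:
    return sorted(n for n, node in graph.items() if node.kind == "image")


# --- The four questions ---------------------------------------------------
def where_used(graph: Dict[str, Node], package: str) -> List[str]:
    """Where am I using package X? Images whose dependency closure contains it."""
    return [img for img in images(graph) if package in transitive_deps(graph, img)]


def end_of_life(graph: Dict[str, Node]) -> List[str]:
    return sorted(n for n, node in graph.items() if node.eol)


def missing_slsa(graph: Dict[str, Node]) -> List[str]:
    return sorted(n for n, node in graph.items()
                  if node.kind == "package" and not node.slsa_attested)


def artifacts_from_repo(graph: Dict[str, Node], repo: str) -> List[str]:
    return [img for img in images(graph) if graph[img].source_repo == repo]


# --- The four policies: each returns (image, reason) violations ------------
Violation = Tuple[str, str]


def policy_built_by_our_ci(graph: Dict[str, Node], trusted: str = "acme-ci") -> List[Violation]:
    return [(img, f"built by {graph[img].built_by!r}, expected {trusted!r}")
            for img in images(graph) if graph[img].built_by != trusted]


def policy_no_eol(graph: Dict[str, Node]) -> List[Violation]:
    return [(img, f"ships end-of-life package {d}")
            for img in images(graph)
            for d in sorted(transitive_deps(graph, img)) if graph[d].eol]


def policy_min_ossf(graph: Dict[str, Node], minimum: float = 5.0) -> List[Violation]:
    # A missing score is treated as failing: unknown is not the same as safe.
    return [(img, f"{d} has OSSF score {graph[d].ossf_score} below {minimum}")
            for img in images(graph)
            for d in sorted(transitive_deps(graph, img))
            if graph[d].ossf_score is None or graph[d].ossf_score < minimum]


def policy_no_gpl(graph: Dict[str, Node]) -> List[Violation]:
    return [(img, f"{d} is licensed {graph[d].license}")
            for img in images(graph)
            for d in sorted(transitive_deps(graph, img))
            if (graph[d].license or "").upper().startswith("GPL")]


def evaluate(graph: Dict[str, Node]) -> List[Tuple[str, str, str]]:
    """Run every policy; a non-empty result is what a build or admission gate would block on."""
    findings = []
    for policy in (policy_built_by_our_ci, policy_no_eol, policy_min_ossf, policy_no_gpl):
        findings += [(policy.__name__, img, why) for img, why in policy(graph)]
    return findings


if __name__ == "__main__":
    print("qsparse used in:", where_used(GRAPH, "qsparse"))
    for name, img, why in evaluate(GRAPH):
        print(f"{name}: {img}: {why}")
```

Two design points carry over to a real deployment: the "where used" question is a closure over transitive dependencies, so a package two hops away from an image still shows up, and a package with no score at all fails the minimum-score policy rather than silently passing.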

Conclusion: A New Era in Software Supply Chain Security

Xeol is not just another startup; it represents a paradigm shift in software supply chain security. With its visionary founders, innovative approach, and commitment to providing ontological visibility, Xeol stands poised to revolutionize the way organizations protect their software assets.

As supply chain attacks continue to rise, the need for comprehensive security solutions has never been more critical. Xeol's contextual graph representation, coupled with its policy enforcement capabilities, empowers organizations to take control of their software supply chains, mitigating risks and ensuring the integrity of their products.

In an era where cybersecurity is paramount, Xeol offers a glimmer of hope, ushering in a new era of software supply chain security. As the tech world continues to evolve, Xeol will undoubtedly play a pivotal role in safeguarding the digital landscape. With founders like ShiHan Wan and Benji Visser at the helm, the future of Xeol is as bright as the promise it holds for secure software supply chains.