Israel-based startup Oligo Security is exiting stealth mode with the public launch of its namesake software, offering a new wrinkle in library-based application security monitoring, observability, and remediation. Utilizing a technology called extended Berkeley Packet Filter (eBPF), it is able to provide agentless code security coverage.
Given the prevalence of open source code in modern software — Oligo contends that it accounts for something like 80% or 90% — there is a need for software composition analysis solutions that can check code for potential vulnerabilities. The current generation of solutions, however, is “noisy,” according to Oligo. It tends to produce a lot of false positives, and doesn’t contextualize alerts within a given runtime. The latter tendency is unhelpful for setting remediation priorities.
Most security monitoring tools of this kind are based on runtime application security protection (RASP), which requires an agent that lives in the application, according to Jim Mercer, IDC research vice president for devops and devsecops.
eBPF, on the other hand, allows programs to run inside the operating system, acting as an in-kernel virtual machine that enables data collection from applications and network resources, offering a granular level of observability and allowing for the creation of a dynamic SBOM (software bill of materials).
“So a key benefit of the Oligo solution is that it is agentless and leverages eBPF,” Mercer said. “A traditional knock on the RASP technology is that the agent does introduce some overhead into your application.”
Oligo contextualizes security alerts
Moreover, since the agentless, eBPF-based Oligo offering works on the operating system level, can put alerts into context — prioritizing fixes for vulnerabilities that are active deviations from a given code library’s permission policy, the company said. This saves on development time by keeping the focus on actual attack surfaces, not just known potential vulnerabilities.
The Oligo approach, however, isn’t without potential pitfalls, according to Mercer. For one thing, it is designed only to catch known vulnerabilities, whereas some types of RASP-based system can identify new insecurities in both natively written and open source code. Moreover, the more selective alerting system has the potential, if it is configured inexpertly, to miss potentially serious issues.
“I suspect the key here is sound policy management, and it might behoove Oligo to provide content that can help organizations write secure but not noisy policies,” Mercer said.
Nevertheless, Mercer noted, the Oligo approach is likely to appeal to a wide variety of potential customers, given the aforementioned ubiquity of open source code, and could even be used to search out vulnerabilities in commercial software.
“Overall, [Oligo’s more selective approach] is likely a good thing, since there are open source libraries you may use that have vulnerabilities, but you are not using them in a vulnerable manner,” he said.
The company’s technology is already in use by businesses in the computing, analytics software and real estate markets, though current pricing and availability data was not immediately available.
Other cybersecurity companies have also been tapping eBPF. For example, in August last year, Traceable AI added eBPF to its security platform for deeper API observability and visibility.