The four finalists tackled firmware security, cloud infrastructure, open source software, and vulnerability remediation.

Mikala Vidal, VP of Growth at 2022 winner Phylum, presents Eitan Worcel, CEO/co-founder of Mobb, the 2023 Startup Spotlight award. Source: Black Hat USA

BLACK HAT USA – Las Vegas – Wednesday, Aug. 9 – Vulnerability remediation startup Mobb won the Startup Spotlight competition at Black Hat USA 2023, beating out others focused on firmware security, cloud infrastructure security, and software security.

The four finalists – Binarly, Endor Labs, Gomboc.ai, and Mobb – were selected after a video pitch competition in June. Each one received booth space in the Black Hat Business Hall, a consultation with an Omdia analyst, and the opportunity to make a 10-minute presentation during the conference at the Startup City theater in front of the judges. To be considered for the competition, companies had to be less than 2 years old and have fewer than 50 employees.  

After the presentations, the panel of judges asked three to four questions to clarify some points they felt had not been addressed in the pitches. The judges were Ketaki Borade, senior analyst in Omdia's infrastructure security research practice; Trey Ford, deputy CISO at Vista Consulting Group; Hollie Hennessy, senior analyst in Omdia's IoT cybersecurity practice; Lucas Nelson, founding partner at Lytical Ventures; and Robert J. Stratton III, principal and strategist at Polymathics and venture partner at Nextgen Venture Partners.

"In the startup market, sometimes companies are trying to do too much, but Mobb was confident about its capabilities," Hennessy says. "One of the real challenges of cybersecurity is to bring together different parts of the business – in this case, developers and security. Mobb's product bridges that gap, improves security, and increases productivity."

Artificial intelligence (AI) was a common thread throughout all of the presentations. Some startups were very upfront about their use of AI ("Gomboc.ai, the AI is in our name," Amit told the judges), while others touched on their AI use when explaining their technology capabilities.

"In reality, most cybersecurity companies are using AI to some extent, [but] now we're hearing about the intricacies of it more given the current hype," Hennessy says. "I think it showcases the value of AI in the latest cybersecurity solutions, and I'm interested to see how we continue to see innovation in this space."

Finalists Pitch the Judges

Alex Matrosov, CEO and founder of Binarly, laid out his case for firmware security, noting that if the firmware is broken, "everything else is compromised." Firmware issues require an ecosystem approach because the vulnerability exists in every device that uses that vulnerable component. Binarly created a binary-analysis tool that finds known and unknown vulnerabilities in firmware and works with device manufacturers, such as Dell, vendors making the components, and enterprises looking for transparency in their environments. According to Matrosov, it can take 171 days for firmware vulnerabilities to be fixed.

"Focusing on firmware security as a first point of call is a necessary approach for device protection, and it's promising that Binarly is seeing interest from across the ecosystems of operators, makers, and firmware developers," Hennessy says.

Varun Badhwar, CEO and co-founder of Endor Labs, focused on open source code security: helping developers make better choices with code and fixing vulnerabilities in open source components. Badhwar referred to the "developer productivity tax" – the amount of time developers spend investigating vulnerability reports to identify what they need to fix. While 80% to 90% of modern software development may consist of open source components, Badhwar says just 12% of the code is actually used in the application itself. So a vulnerability in a function of an open source library that the application does not use may not be as high a priority to fix.

Endor Labs also has a recommendation engine to help developers make better decisions about which libraries and components to use, since there will be fewer issues to fix if the package itself has been vetted for vulnerable code.

Endor Labs – also an Innovation Sandbox finalist at this year's RSA Conference – was voted the audience favorite.

"What I liked was they are paying attention to the open source code security," says Omdia's Borade. "I see them getting acquired by the big fishes who struggle to grow organically in this domain."

Ian Amit, CEO and co-founder of Gomboc.ai, focused on remediating cloud infrastructure issues, noting that it was not possible for security engineers to learn every possible configuration across every cloud environment.

Gomboc.ai was founded by cloud infrastructure veterans; Amit and his co-founder are both former Amazon Web engineers. Gomboc.ai has human analysts define security policies and uses AI to apply those policies. Security teams use regular language to define policy, such as "public-facing assets can't be written to." The AI engine identifies the code required to turn that policy into the proper cloud configuration.

"Humans are good at saying what they want," Amit said. "AI is good at finding solutions."

Gomboc.ai relies on deterministic AI, not generative AI. Generative AI can give different answers each time, while deterministic AI gives the same answer every time for the same set of inputs, which is important when trying to address vulnerabilities and apply policy.

Eitan Worcel, CEO and co-founder of Mobb, focused on how to save organizations money using the following illustration: A vulnerability report may list four issues, but three of them may not be exploitable. It may take a developer 30 minutes to investigate the report to identify which of the issues need attention and 15 minutes to open a ticket with all of the relevant information. It may take four hours to actually fix the issue. If the organization spends $200 an hour for the developer's time, that is about $1,000 being spent – and organizations have thousands of issues.

Mobb accepts vulnerability-scanning reports from a range of static application security testing (SAST) tools and assigns a confidence score to various parts of the code. Mobb provides recommendations based on best practices on how to fix those issues. When the developer accepts the recommendation, Mobb then applies the fix, Worcel says. The company currently supports Java and Node.js, and .NET support is on the way.

"[Mobb] made a good case of how they will save money for the organizations," Borade says, noting that one of the findings from the Omdia Decision Maker Survey 2023 was that high costs were among the top three cloud security challenges for enterprises. "Mobb had a very straightforward answer about how it will solve part of the vulnerability remediation issue and save time for developers."

Three of the finalists – Endor Labs, Gomboc.ai, and Mobb – touched on vulnerability prioritization and their approaches for helping security teams understand which issues were the most pressing. Software security is obviously an area of high interest in the startup ecosystem – last year's winner, Phylum, was also a software security startup.

About the Author(s)

Fahmida Y. Rashid, Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y. Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.
