In response to widespread and dangerous vulnerabilities, such as Log4j and the actively exploited GoAnywhere remote code execution flaw, savvy organizations are continuing to scan their code bases for vulnerabilities on a weekly or even daily basis. But turning up more vulnerabilities means more decisions about which problems to fix and how to fix them.
"A single, first-party code scanning report may include dozens to hundreds of thousands of findings. A manual fix for each vulnerability takes anywhere from 30 minutes to several hours or even days, costing hundreds or thousands of dollars," says Eitan Worcel, CEO and co-founder of Mobb, a finalist in the Black Hat USA Startup Spotlight Competition this year. "By fixing more vulnerabilities faster, organizations produce more secure applications and keep resources focused on new innovations."
That's what Mobb aims to do. After running a vulnerability scan with any of a wide range of static application security testing (SAST) tools, the developer uploads the results to Mobb's platform. The "fix engine" combines artificial intelligence (AI) with static code analysis and deterministic security algorithms to find the problematic sections of code and recommend a fix based on its knowledge of best practices. When the developer accepts the recommendation, Mobb fixes the code and feeds the decision into its AI to improve future decisions. Mobb implements the fix, Worcel says, but not without the developer's OK.
"Mobb doesn't find vulnerabilities — it fixes them," he says.
What Makes Mobb Run
Worcel attributes his company's success to the team's years of experience at all levels of application security, from research to implementation.
"We know firsthand where and why appsec programs fall short on both the user and vendor sides," he says.
Because the team knew how developers think and work, Worcel says, they could build a fix engine that developers would trust and actually use. The tool provides a fix assurance score, as well as information on the stability of each fix, to help developers decide whether to implement that fix.
"Developers don't want to fix security vulnerabilities and are not well-trained for it," he says. "They want to write new features, innovate, and have someone else do that dirty work of fixing for them."
One piece of the remediation puzzle that can be overlooked is that some scan results are missing details that could shed more light on what the ideal fix would be. By checking for such details and then asking the developer to provide any that are missing, Worcel says, Mobb improves both developer buy-in and the ultimate accuracy of the fix.
Ahead of Black Hat USA, Mobb will add the ability to automatically deliver generated fixes into users' IDEs or Git repositories, and it will allow users to connect scanning tools directly to Mobb for a smoother onboarding experience. Over the next few months, Mobb will also be updating its AI-powered fix engine to increase the number of available fixes, improve accuracy, and support additional languages.
Where Is Mobb Going?
The four finalists in the Black Hat Startup Spotlight — Mobb, Endor Labs, Gomboc, and Binarly — will present their business models to a panel of judges at the Mandalay Bay in Las Vegas on Wednesday, Aug. 9. Dark Reading's editor-in-chief, Kelly Jackson Higgins, will host the event, which begins at 4:30 p.m. PT.
Mobb will be hosting live demos in its booth at Black Hat, showing how it fixes vulnerabilities from security reports by leading SAST providers, such as Checkmarx, GitHub, Fortify, and Snyk. Attendees can also upload their own Java or Node.js projects and run the tool on the floor. In addition, Mobb plans to present its open source fixer Bugsy in the Arsenal area.
The company's rather dramatic name was inspired by the character of Winston Wolf in Pulp Fiction, who introduces himself by saying, "I'm Winston Wolf. I solve problems." Worcel says that his Mobb "does the dirty work of fixing vulnerabilities to solve security backlog problems."
Founded: November 2021
Funding stage: Seed
Total funding raised so far: $5.4M
Number of employees: 9
If the company were a band, what would its band name be, and what kind of band would it be: "Mobb is a great name for a band, so we would keep it, and we would be a rock band — more precisely, grunge. Pearl Jam rules!!!"
Pineapple on pizza, yea or nay?: Yea