Supply chain security with Ensignia

CyRise
Apr 28, 2023

Ensignia founders Sam “Frenchie” Stewart, Lainie Vinikoor and Ivan Vanderbyl

Understanding the security health of your software supply chain is hard. Too hard.

The founders of Ensignia wondered what it would look like if software came with a label like the nutrition labels we find on food. How much risk would be revealed? How much risk could be mitigated before an incident happened?

They’ve set out to build a product that not only reveals software supply chain security exposure, but also provides pathways to securing an organisation’s supply chain.

A savvy trio

Sam “Frenchie” Stewart has been friends with his co-founders Ivan Vanderbyl and Lainie Vinikoor (separately) for years. Ivan and Lainie met for the first time in person at the start of the CyRise Accelerator. Luckily, they got along instantly.

Ivan has worked on seven startups, and unfortunately knows first-hand the impact a software supply chain security incident can have. He’s keen to help organisations understand their exposure and avoid incidents that arise through their software supply chains.

Lainie is a technical program manager who’s successfully brought together engineering, product, and operations folks to prioritise and execute security initiatives. As a result, she has empathy for key security stakeholders and understands the impact a tool like Ensignia can have.

Calming SLSA seas

There has been a 742% average annual increase in software supply chain attacks over the past three years. “Ensignia exists to help companies build trust around software,” explains Frenchie.

Ensignia’s product allows users to secure organisations’ software supply chains by providing:

  • Automated framework controls with checklists for each step of the delivery pipeline, along with actionable guidance for implementation and automated checks to ensure compliance
  • Tamper-proof build pipelines to facilitate software being built correctly
  • Verified visibility into all dependencies and steps used to build software

The company’s name, Ensignia, was inspired by common security lingo. “There are a lot of nautical terms in security. ‘Kubernetes’ means helmsman in Greek. There’s ‘docker’ — a lot of nautical themes. A ship’s ensign is a flag on the back of the boat, and we ‘flag’ security issues. An ensign establishes authority. And signing is one thing that we do — we cryptographically sign the different assets that are built,” explains Frenchie.

What’s next

The Ensignia team have worked in and around startups locally and in the US for years, but they’re still learning a lot from CyRise Accelerator. “Coming back to it with a beginner mindset is really interesting. Being open to learning new things is really exciting,” says Frenchie.

The product is in its early days. “Immediately, we want to talk to companies who are aware of software supply chain security challenges,” says Frenchie. Generally, these will be Series B and beyond companies.

Meet the team

CyRise Demo Day will be held at Aerial UTS Function Centre on 9 May 2023 at 6pm. RSVP here to get your free ticket.

Learn more about Ensignia at: Ensignia.dev

Written by CyRise