Building a Fortress in Shifting Sands: How Security Engineers Can Conquer Software Security Uncertainty

Posted by Jenny Kenyon on February 06, 2025 · 6 mins read

Security teams are being held more accountable than ever before to bring order to chaos, turn uncertainty into certainty, and lead the charge for stability and security across the organization. However, as every security team can attest, this is much easier said than done.

A CISO we recently consulted shared a concerning experience. Following a successful cyberattack against their organization in late 2024, the board of directors swiftly engaged external consultants. While the consultants effectively addressed the immediate crisis and mitigated further risk, their approach inadvertently left the CISO in a precarious position. Although still accountable for the financial and reputational ramifications of future breaches, the CISO now lacks clear visibility into the intricacies of their own IT environment.

So now what? Knowing precisely what software is deployed, understanding vulnerability trends, and acting decisively to mitigate risk are paramount. Yet a lack of visibility into deployed software is exposure in itself: how do you build a fortress on shifting sands? This is where Spice Labs comes in.

At Spice Labs, we’re building a platform that enables you to do just that. We’re dedicated to helping you reclaim control and inject certainty into your software security practices. Our platform offers a single, authoritative source of truth for all your deployed software, giving you a clear and accurate view of your entire software ecosystem, both historically and at present.

You may ask yourself: “how on earth is this possible at scale?” Such skepticism is understandable: a typical modern enterprise builds and deploys software artifacts thousands of times per day to thousands of servers in the cloud. No other company on the market today can keep track of what has been deployed, where, and when at that scale. We can, which is why we call ourselves the ‘hyperscale’ system of record.

We have cataloged about a third of all open source in our artifact dependency graphs (ADGs), for pennies on the dollar and in less time than it takes to make a cup of coffee. The key to our breakthrough is our underlying technology: we’ve borrowed a page from the playbook of successful software development. Just as Git, and therefore GitHub, identifies every commit and file by a cryptographic hash of its content, Spice Labs applies the same content-addressing technique to deployed software artifacts. This means we can definitively identify, at any time and anywhere, every piece of software running in your environment, regardless of where it came from or how it was deployed. This cryptographic fingerprinting gives security teams an unparalleled level of accuracy and granularity: a fingerprint matches a cataloged artifact only when the bytes are identical, so a modified or rebuilt artifact cannot masquerade as a known one.
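To make the fingerprinting idea concrete, here is an added example in Python. It is not Spice Labs’ code and says nothing about how their platform is implemented: it content-addresses artifacts with SHA-256, builds a catalog keyed by fingerprint, reconciles what hosts report against that catalog, and attaches advisories to the matches. The artifact bytes, host names and the advisory id EXAMPLE-ADV-1 are all constructed for the example.

```python
import hashlib


def fingerprint(data: bytes) -> str:
    """Content-address an artifact: the SHA-256 of its exact bytes.

    Two artifacts share a fingerprint only if every byte matches, so a
    rebuilt, re-signed or locally patched copy of "the same version" gets a
    different fingerprint and shows up as unknown until it is cataloged.
    """
    return hashlib.sha256(data).hexdigest()


def build_catalog(artifacts):
    """Map fingerprint -> (name, version) for every known release."""
    return {fingerprint(blob): key for key, blob in artifacts.items()}


def reconcile(catalog, deployed, advisories):
    """Match host-reported fingerprints against the catalog.

    deployed:   {host: [fingerprint, ...]} as reported by an agent or image scan
    advisories: {(name, version): [advisory_id, ...]}
    Returns (identified, unknown, affected):
      identified: {host: [(name, version), ...]}
      unknown:    {host: [fingerprint, ...]}  bytes nobody has cataloged
      affected:   {host: [((name, version), [advisory_id, ...]), ...]}
    """
    identified, unknown, affected = {}, {}, {}
    for host, fps in deployed.items():
        for fp in fps:
            key = catalog.get(fp)
            if key is None:
                unknown.setdefault(host, []).append(fp)
                continue
            identified.setdefault(host, []).append(key)
            if key in advisories:
                affected.setdefault(host, []).append((key, advisories[key]))
    return identified, unknown, affected


# Constructed sample data (not real artifacts, hosts or advisories). In
# practice the blobs would be jars, wheels, container layers or binaries.
CATALOG_ARTIFACTS = {
    ("libfoo", "1.2.3"): b"libfoo 1.2.3 release bytes",
    ("libfoo", "1.2.4"): b"libfoo 1.2.4 release bytes",
    ("webapp", "2024.11"): b"webapp build 2024.11 bytes",
}
ADVISORIES = {("libfoo", "1.2.3"): ["EXAMPLE-ADV-1"]}  # constructed id, not a CVE

# A locally patched libfoo that differs from the cataloged release by one byte.
PATCHED_LIBFOO = b"libfoo 1.2.3 release bytez"

DEPLOYED = {
    "web-01": [fingerprint(CATALOG_ARTIFACTS[("libfoo", "1.2.3")]),
               fingerprint(CATALOG_ARTIFACTS[("webapp", "2024.11")])],
    "web-02": [fingerprint(CATALOG_ARTIFACTS[("libfoo", "1.2.4")]),
               fingerprint(PATCHED_LIBFOO)],
}


def run_example():
    """Build the catalog and reconcile the constructed host reports."""
    return reconcile(build_catalog(CATALOG_ARTIFACTS), DEPLOYED, ADVISORIES)


if __name__ == "__main__":
    identified, unknown, affected = run_example()
    for host, items in affected.items():
        print(f"{host}: affected by {items}")
    for host, fps in unknown.items():
        print(f"{host}: {len(fps)} uncataloged artifact(s): {fps}")
```

The host to watch is web-02: its patched libfoo differs from the cataloged release by a single byte, so it gets a different fingerprint and lands in the unknown list instead of being misreported as version 1.2.3. That exactness is what makes a hash-keyed inventory trustworthy, and it is also the caveat a practitioner should keep in mind: a rebuilt or repackaged artifact is unknown until someone catalogs its bytes.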

In less than 50 days, when our first product ships, you’ll be able to:

  • Uncover every deployed artifact: Forget scrolling through logs and tedious back-and-forths with engineering to turn guesswork into confidence. Spice Labs automatically discovers and catalogs all your software assets, down to the specific version and build, giving you a comprehensive picture of your attack surface, including the shadow IT lurking in the corners of your network.

What can you do with this information? We’ll give you access to our data APIs so you can use your own data for your unique needs, whether that is compliance reporting or running your organization’s playbooks. We’ll also provide pre-built dashboards to help you:

  • Identify New CVEs: Hundreds of new CVEs are published every day. How do they affect what’s currently in production? Get alerted to new CVEs and CVSS score increases based on what’s actually running in the cluster, and prioritize conversations with engineering teams accordingly.
  • Track New Open Source: Was a new open source package added to an artifact? Is its name suspiciously similar to an existing package, a possible typosquatting attempt? What is the new package’s OpenSSF Scorecard? Have the conversation early so security and engineering can align.
  • Track Golden Images: For organizations mandating golden images for Docker and VMs, track adoption trends and flag exceptions. Help guide engineering to align with security goals and controls.
  • Proactively Manage Cluster Trends: We give security teams visibility into cluster trends by tying known vulnerabilities to the precise software versions running in your environment. This data lets security leaders have effective, trend-based conversations with engineering teams instead of debating raw vulnerability counts or relying on hunches.
  • Make Informed Decisions with Confidence: Armed with accurate data, you can make informed decisions and hold healthy, fact-based, focused conversations across security and engineering.
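As an added illustration of the name-similarity check mentioned under new open source tracking (example code, not Spice Labs’ own, and not a description of their dashboard logic): normalize a newly added package’s name the way PyPI does under PEP 503, then compare it by edit distance against a list of known packages and flag near-misses. The known-package list and the candidate names are constructed for the example; a real deployment would compare against the registry’s full list of popular packages.

```python
import re


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. collapse to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def squat_candidates(new_name, known_names, max_distance=None):
    """Known packages whose normalized name is within max_distance of new_name.

    An exact (normalized) match means the new dependency IS a known package,
    so nothing is flagged. Short names get a tighter threshold because a
    two-edit neighbourhood around a 4-letter name is mostly noise.
    """
    n = normalize(new_name)
    if max_distance is None:
        max_distance = 1 if len(n) < 6 else 2
    hits = []
    for known in known_names:
        k = normalize(known)
        if k == n:
            return []
        d = edit_distance(n, k)
        if d <= max_distance:
            hits.append((known, d))
    return sorted(hits, key=lambda h: h[1])


def review_new_packages(new_names, known_names):
    """Return {new_name: [(known, distance), ...]} for every flagged name."""
    report = {}
    for name in new_names:
        hits = squat_candidates(name, known_names)
        if hits:
            report[name] = hits
    return report


# Constructed allow-list of well-known package names (a real check would use
# the registry's full popular-package list) and constructed newcomers.
KNOWN_PACKAGES = ["requests", "urllib3", "cryptography", "numpy", "pyyaml"]
NEW_IN_ARTIFACT = ["requets", "Requests", "urlib3", "flask"]

if __name__ == "__main__":
    for name, hits in review_new_packages(NEW_IN_ARTIFACT, KNOWN_PACKAGES).items():
        print(f"review {name!r}: looks like {hits}")
```

Edit distance catches the dropped or swapped letter that typosquatting relies on, but it is only a first filter: a flagged name still needs a human to look at the publisher, the package’s age, and its OpenSSF Scorecard before deciding whether it is a squat or merely an unfortunate name.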

In a world of constant change and uncertainty, Spice Labs provides the bedrock for a robust software security program. We empower security engineers to take charge, minimize risk, and bring much-needed certainty to a chaotic landscape, all in less than four hours from purchase to complete installation and with no CI/CD pipeline integration required.

Ready to experience the Spice Labs difference? We’re 50 days away from launching our first product, but contact us today for a demo to discover how we can help you navigate the complexities of software security and build a more secure future.