RapidFort: Streamlining Open-Source Vulnerability Management

Mehran Farimani, Co-Founder and CEO, RapidFort

After nine months of extensive effort, the team of 12 software developers finally heaved a sigh of relief. Their cloud-native, microservices-based software had passed the QA tests and was ready for release, handling more than 50 billion hits a day. Everybody was excited for the launch, but catastrophe struck at the eleventh hour.

Just before the deployment of the product, the Infosec team scanned the system and reported 4500 OSS vulnerabilities in the set of 12 containers, with more than 1000 high and critical severity issues. The release was put on hold until the vulnerabilities were remediated or justified as inapplicable.

Needless to say, the incident delayed the software release by another six months. During this time, new vulnerabilities were reported against the OSS components, and only a small handful were addressed by newer versions of the OSS packages. Though the software was later deployed successfully, this incident exposed a new requirement in the software development space—providing developers with greater visibility into the vulnerabilities that pop up during software development.

As seasoned software engineers, Mehran Farimani and his cofounder, Rajeev Thakur, were quick to identify this critical need. “Deploying code into production presents inherent risks as the majority of software is built using trusted open-source components,” says Farimani. Unfortunately, this is not just the case with one developer but an issue that plagues the entire software development industry.

Solving a Long-Standing Problem

A software application typically uses only a fraction of the functionality provided by its open-source packages, and about 50-90 percent of the software components in production workloads are left unused. These unused components can still be exploited, even in high-security environments with golden base images and advanced policy enforcement tooling. An intruder who has gained access to an organization’s infrastructure can use them to facilitate lateral movement and gain deeper access to critical data. This poses a significant threat to enterprises’ security framework and weighs down their critical operations. The proliferation of microservice-based, containerized architecture has also escalated software supply chain risk.

To alleviate these challenges, Farimani and Thakur started pondering over ways to help developers gain meaningful insights on what their workload does and how to mitigate associated vulnerabilities. This is the very idea behind the inception of RapidFort, a California-based software attack surface optimization platform provider.

Founded in 2020, RapidFort adopts a comprehensive “shift left” approach to design and develop an intuitive platform that continuously monitors and minimizes clients’ software attack surfaces. The solution profiles clients’ containers without disrupting the software production workload, automatically removes vulnerabilities that are not in the execution path of the workload, and identifies packages that they need to maintain. It creates optimized workloads by removing 50-90 percent of unused components.

“The elimination of vulnerable elements from clients’ workload helps improve their security posture, optimize infrastructure, and enhance organizational nimbleness,” says Farimani, who is currently donning the role of the CEO at RapidFort.

The Right Way to Reduce Vulnerabilities

The traditional approach of securing network perimeters to protect organizational infrastructure is not enough, as the software itself presents a huge attack surface. “Today, when you talk about attack surface management in the industry, you’re always referring to the network attack surface, and there are many great solutions available in the market to manage your network attack surface. But the software itself presents a large attack surface that an organization needs to manage, and there are no tools available to understand and manage that, until now,” says Farimani. The RapidFort Platform, to this end, has been designed to empower developers, infrastructure, and security teams to quickly build, test, and deliver optimized workloads while staying secure: a new category that Farimani calls a “Software Attack Surface Management” platform (SASM).

“We’re creating a paradigm shift in the vulnerability management space with our robust platform”

The solution’s scanning component gives teams a holistic view of all the open-source packages in use and their associated vulnerabilities before anything goes to production. It performs a static scan every time a workload is introduced to the system. This scan lets the platform build the Software Bill of Materials (SBOM): the components installed, the vulnerabilities associated with those components, and the file structure. It then goes further to create a Real Bill of Materials (RBOM) that includes only the components that are actually used. “Optimizing the BOM is an essential practice in manufacturing. Yet when it comes to software, we put no emphasis on this practice. The RBOM achieves this, and RapidFort generates it automatically,” says Farimani.

The RapidFort Platform has a statistical model incorporated within to evaluate the workload and provide an estimate on possible software bloat, optimization, and reduction in vulnerabilities, packages, and attack surface. The solution’s profiling component encompasses a complete suite of effective and efficient techniques that help instrument clients’ workloads. By gathering behavioral information about the workloads as they run in their natural runtime environment, the solution delivers deep insights into the components used in the operation.

The optimization module, on the other hand, includes a set of tools that clients can use to repackage their workload, based on this profiling information, in the way that best suits their operations. As a result, they can reduce the size of the workload and package only the components needed to achieve their goals. All of this is ultimately integrated into automated build and release cycles, where each workload is optimized before it goes into production. An optimized workload means fewer vulnerabilities and less zero-day attack exposure. Smaller workloads also boot significantly faster and move through the different stages of the pipeline more efficiently.
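The scan-profile-optimize loop described in the three paragraphs above can be illustrated with a small worked example. The following Python is an added illustration written for this article, not RapidFort’s code, and it makes no claim about how the RapidFort Platform actually performs profiling. It assumes a constructed SBOM (package names, owned files and placeholder vulnerability IDs, none of them real) and a constructed runtime file-access trace; from these it derives an RBOM of packages that were touched at runtime, lists the packages that could be removed, reports the resulting reduction in known vulnerabilities, and flags accessed files that no package in the SBOM owns, which is the case a practitioner should check before trusting any removal list.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    """One entry of a (constructed) SBOM: the files a package owns and
    the placeholder vulnerability IDs attributed to it."""
    name: str
    version: str
    files: frozenset
    vulns: frozenset


# Constructed SBOM for a hypothetical container image. Package names are
# ordinary; versions and VULN-* identifiers are placeholders, not real CVEs.
SBOM = (
    Package("libc", "0.0-example", frozenset({"/lib/libc.so.6"}), frozenset({"VULN-A"})),
    Package("openssl", "0.0-example",
            frozenset({"/lib/libssl.so.3", "/lib/libcrypto.so.3", "/usr/bin/openssl"}),
            frozenset({"VULN-B", "VULN-C"})),
    Package("curl", "0.0-example", frozenset({"/usr/bin/curl", "/lib/libcurl.so.4"}),
            frozenset({"VULN-D"})),
    Package("app", "1.0", frozenset({"/app/server"}), frozenset()),
    Package("python3", "0.0-example",
            frozenset({"/usr/bin/python3", "/usr/lib/python3/os.py"}),
            frozenset({"VULN-E", "VULN-F"})),
    Package("vim", "0.0-example", frozenset({"/usr/bin/vim"}), frozenset({"VULN-G"})),
)

# Constructed runtime trace: one "open <path>" line per file the workload
# touched while serving traffic in its normal environment.
RUNTIME_TRACE = [
    "open /app/server",
    "open /lib/libc.so.6",
    "open /lib/libssl.so.3",
    "open /lib/libcrypto.so.3",
    "open /etc/ssl/certs/ca-certificates.crt",
    "stat /tmp",  # not an open; ignored by the parser
]


def parse_trace(lines):
    """Return the set of paths opened at runtime, ignoring other syscalls."""
    return {line.split(None, 1)[1] for line in lines if line.startswith("open ")}


def build_rbom(sbom, accessed):
    """Split the SBOM into used packages (the RBOM) and removable ones.
    A package counts as used if any file it owns was accessed."""
    used = [p for p in sbom if p.files & accessed]
    unused = [p for p in sbom if not (p.files & accessed)]
    return used, unused


def unowned_accessed(sbom, accessed):
    """Accessed files that no SBOM package owns: either the SBOM is
    incomplete or the file is config/data, so flag it rather than assume."""
    owned = set().union(*(p.files for p in sbom))
    return sorted(accessed - owned)


def optimize(sbom, trace_lines):
    """Run scan -> profile -> optimize over constructed data and summarize."""
    accessed = parse_trace(trace_lines)
    used, unused = build_rbom(sbom, accessed)
    vulns_before = set().union(*(p.vulns for p in sbom))
    vulns_after = set().union(*(p.vulns for p in used))
    removed_pct = round(100 * (1 - len(vulns_after) / len(vulns_before))) if vulns_before else 0
    return {
        "packages_before": len(sbom),
        "packages_after": len(used),
        "vulns_before": len(vulns_before),
        "vulns_after": len(vulns_after),
        "vulns_removed_pct": removed_pct,
        "rbom": sorted(p.name for p in used),
        "removable": sorted(p.name for p in unused),
        "unowned_files": unowned_accessed(sbom, accessed),
    }


if __name__ == "__main__":
    for key, value in optimize(SBOM, RUNTIME_TRACE).items():
        print(f"{key}: {value}")
```

The important caveat is coverage: a package is only classed as unused relative to the code paths the profiling run exercised, so a trace gathered from a short or unrepresentative run will propose removing packages that a rarely used feature still needs. The `unowned_files` entry exists for the same reason; a file that was opened but belongs to no SBOM package (here the constructed CA bundle) means the inventory is incomplete and the removal list should not be trusted until it is reconciled.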

Outperforming the Competition

“We’re creating a paradigm shift in the vulnerability management space with our platform,” adds Farimani. Primarily, from a vulnerability and patch management perspective, clients can decrease the number of packages used by 60-90 percent, while narrowing down known vulnerabilities and subsequently, software attack surface by 80 percent, depending on the languages and frameworks used to build the workload.

This plays a vital role in reducing software supply chain risk, decreasing zero-day exploit risk, and shrinking the patch management backlog. Needless to say, security teams can then focus on eliminating threats, achieving required certifications, satisfying compliance requirements, and accelerating their container load times.

RapidFort’s new deployment model enables clients to spend their time improving test cycles rather than just chasing down vulnerabilities. As such, they can stay competitive in terms of business operations. In other words, the company's offerings allow developers to redirect their focus on designing and building new software, adding features to existing ones, and addressing customer needs. Being able to reduce the number of packages, vulnerabilities, and unused components in the production workload, the RapidFort Platform allows clients to be more nimble.

RapidFort is also sought after for its ability to offer the workload in a secure way so that clients can easily and safely load their investigation debugging tools into production workloads. To leave these tools in the production workloads presents a significant threat for organizations as they can facilitate cyber criminals’ lateral movement within clients’ infrastructure. The company goes the extra mile to make sure these debugging tools are no longer available for use once the investigation process has been completed by authorized people.

With undivided attention to individual customer problems and a proven platform, RapidFort has gleaned a broad customer base since its beginning. The company recently collaborated with one of its mid-range clients that operated about 50 containers across a few applications. The client had recently leveraged the RapidFort platform to optimize their workloads for a new deployment model. As a result, they were able to reduce 38,000 vulnerabilities to a mere 4,000, a 90% improvement.

These instances of client success drive RapidFort to explore new avenues of innovation and growth. The company continues to up the ante in the market by gathering feedback from its customers and applying these insights in its product development to deliver better operational efficiency. It also works with several industry experts, advisors, and partners to identify the latest trends and challenges in the vulnerability management space. This helps it build more practical solutions and add new features and functionality to its platform to keep pace with the ever-evolving market.

The coming year will see RapidFort add a new service to its portfolio supporting the optimization of VM workloads. It is also putting its best foot forward to understand and solve zero-trust problems in containerized environments, intending to position itself as a one-stop vulnerability management and workload optimization expert. Intending to pioneer the “Software Attack Surface Management” space, team RapidFort is working tirelessly to bring it to the mainstream as quickly as possible.

Company
RapidFort

Headquarters
San Francisco, CA

Management
Mehran Farimani, Co-Founder and CEO; Rajeev Thakur, Co-Founder and CTO; Russ Anderssen, CCO

Description
Founded in 2020, RapidFort adopts a comprehensive “shift left” approach to design and develop an intuitive platform that continuously monitors and minimizes clients’ software attack surfaces. The solution profiles clients’ containers without disrupting the software production workload, automatically removes vulnerabilities that are not in the execution path of the workload, and identifies packages that they need to maintain. It creates optimized workloads by removing 50-90 percent of unused components. The RapidFort Platform has been designed to empower developers, infrastructure, and security teams to quickly build, test, and deliver optimized workloads while staying secure—a new category that Farimani calls a “Software Attack Surface Management” platform (SASM).