DataTribe, a startup investor based in Fulton, Maryland, launched its 2023 Startup Challenge application process in August. In addition to this, it’s extended support to Fianu Labs, a cybersecurity and data science-focused company, with a seed investment. Its aim remains unaltered: to bring a fresh perspective to software regulation.
Founded in South Carolina and also currently headquartered in Fulton, Fianu Labs secured a $2 million seed round from the aforementioned, self-described “startup foundry.” According to the DataTribe website, its mission is to co-build the next generation of cybersecurity and data science companies. Fianu Labs, meanwhile, has created tech for software governance automation.
During a phone interview with Technical.ly, Michael Edenzon, CEO and cofounder of Fianu Labs, refrained from disclosing the current employee headcount but shared the company’s aspirations for its seed round.
“Our plan is to really become the category-defining product in the space of automated governance,” Edenzon said. “Given our location, access to talent and growing customer base, I think we’re on track to achieve that.”
With this money, the company, which was founded in August 2022, will also be bringing more of its operations into DC, according to Edenzon.
The Food and Drug Administration and other government agencies primarily concentrate their oversight on companies operating in fields such as life sciences, healthcare and technology. In some cases, this oversight can pose substantial regulatory challenges for these companies. Specifically in the technology sector, these regulatory demands add layers of work for software developers during each release, leading to extended release timelines. Recent security breaches like the malicious cyberattack against SolarWinds in 2020 and others targeting vulnerable points in the software supply chain have triggered increased regulatory attention. These developments made it clear to Fianu Labs leaders that a compliance solution is needed to streamline software release processes.
Edenzon pointed to experience as the reason DataTribe made sense as the company’s first investor.
“From the very beginning, we were in alignment on the vision and where we thought this was going,” Edenzon said. “Everyone at DataTribe has a technical background. They have a great understanding of where software regulation is going. And I think we’re completely aligned on a vision and with their experience and know-how. It puts us in the very best position possible to succeed on our plan.”
In the Q&A below, Edenzon delved into the complex world of software regulation, offering a glimpse into the evolving landscape. He emphasized the need to move beyond traditional software bills of materials (SBOMs) and embrace software bills of attestations (SBOAs), shedding light on their pivotal role in providing comprehensive insights into the intricacies of software development. Edenzon also discussed Fianu’s expertise in automated governance and elaborated on the reasons behind choosing DC as the ideal location for the company’s expansion. This interview has been edited for length and clarity.
How big is your company right now in terms of headcount?
We’re a small company, but we’re going to be growing real fast over the next year.
Could you tell us more about your company’s move to the DC area and what drove this decision? How do you see this move benefiting your company and its mission in the context of software regulation and governance?
I do want to really emphasize that we were a company that was founded in Charleston, South Carolina. But with this investment from DataTribe, it’s given us the opportunity to move to the DC area, which is where we really want to be. I think there’s a really rich engineering talent pool. These engineers have experience writing software in regulated environments. So they know very well the pain of some of our customers, which helps towards greater product empathy. And that’s a real goal of ours. And there’s a culture of innovation that you just can’t match in many other regions.
Additionally, the proximity: We really want to be a part of this regulatory community and contribute to the conversation as regulations roll forward because it’s been clear over the last three or four years, given the events that have happened in the cyber community, that the way that we were developing software before needs to be changed. We need to have more safeguards in place for end users. And although we’re not a cybersecurity company — we’re an automated governance company — we’re very adjacent to a lot of the cyber community that’s really evolved in the DC area, and I think it’s a natural fit for us. So I think being in DC and growing our company in this area is really a part of our long-term strategy.
What are some of the challenges and developments in software regulation, particularly regarding the software bill of materials, and how is your company, Fianu, addressing these challenges?
One of the challenges with regulation now is — and the White House has made this pretty clear, as well as agencies tasked with defining these [regulations] like CISA — the software bill of materials has been all the rage the past couple of years, and it’s been an important piece for developing more secure software. We’re looking to move beyond the software bill of materials to a software bill of attestations. What that means is that a software bill of materials, SBOM, is like a list of ingredients that went into the software. We’re looking to move beyond that to the software bill of attestations to provide the whole recipe on how the software is made.
Existing regulations that have gone in have started to mandate SBOMs, but the White House has made it very clear, and the agencies have made it clear, that they’re looking to move beyond the SBOM to a software bill of attestations that provides governance and visibility into the entire recipe of the software. Fianu is an automated governance company, and our product is designed to generate attestations throughout the development lifecycle to provide all of the governance needed, so that when an executive is asked to sign on the dotted line, the software that they’re shipping is the software that they’ve sold. They’re able to sign that with confidence using Fianu, and they can know that everything that’s going out the door has been fully compliant with all the regulations that come — the ones that are in existence now, and the ones that have been signaled to come in the near future.
Could you please explain how Fianu’s attestation process works throughout the software development pipeline and how it provides transparency and context to show compliance with both regulatory requirements and company policies?
That’s a great question. So Fianu provides attestations throughout the pipeline. We integrate with the entire DevSecOps toolchain to provide visibility from code commit to production release. And when we capture evidence, we capture that all of the different scans have been run, the tests have been run, the reviews have been had, the artifact has been signed. And we’re able to provide complete visibility on each of the requirements that’s established, from the time the code is written to the time that it’s shipped to a customer. Each attestation includes all of the rich context that’s needed to show to an auditor or a regulator not only what happened, but how you know that those things happened, as well as did it pass your company’s policy. We’re taking what was previously a manual process of manual evidence-gathering, and subjective evaluation of pass or fail, and we’re making it automated and completely objective.
Can you explain the technical approach Fianu takes to automate governance and compliance?
We’re using an event-driven architecture to capture the events as they happen. So no more self-reporting, no more retroactive evidence-gathering and no more manual compilation of reports. We’re using event-driven software to capture these events, evaluate them against policy in real time and provide continuous compliance leading up to deployment.
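To make the two answers above concrete (evidence captured per pipeline stage, then evaluated objectively against policy as events arrive), here is an added Python sketch of a minimal "software bill of attestations" store. It is illustrative code written for this article, not Fianu's product or any published API: the stage names, the policy rules, the `GovernanceStore` class and the sample events are all constructed, and an HMAC tag stands in for the real signatures a production system would put on each attestation.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable

# Constructed key standing in for a real signing key (KMS-backed or
# Sigstore-style). Production attestations would use asymmetric signatures
# so that verifiers never hold signing material.
DEMO_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class Attestation:
    """One piece of evidence about an artifact, captured when the event fired."""
    subject: str      # sha256 digest of the artifact the evidence is about
    stage: str        # pipeline step that produced it, e.g. "sast_scan"
    producer: str     # tool or integration that emitted the event
    predicate: dict   # the tool's own result data (findings, test counts, ...)
    mac: str = ""     # integrity tag over the canonical statement

    def statement(self) -> bytes:
        body = {"subject": self.subject, "stage": self.stage,
                "producer": self.producer, "predicate": self.predicate}
        return json.dumps(body, sort_keys=True).encode()


def attest(subject, stage, producer, predicate, key=DEMO_KEY) -> Attestation:
    att = Attestation(subject, stage, producer, predicate)
    att.mac = hmac.new(key, att.statement(), hashlib.sha256).hexdigest()
    return att


def verify(att: Attestation, key=DEMO_KEY) -> bool:
    expected = hmac.new(key, att.statement(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att.mac)


# Policy as code: each requirement names the stage that must have attested and
# a predicate over that attestation's data, so the verdict is deterministic
# rather than a reviewer's judgement call. Rules are constructed for the demo.
Requirement = tuple[str, str, Callable[[dict], bool]]

RELEASE_POLICY: list[Requirement] = [
    ("sast_scan", "no critical or high findings",
     lambda p: p.get("critical", 0) == 0 and p.get("high", 0) == 0),
    ("unit_tests", "all tests passed",
     lambda p: p.get("failed", 1) == 0 and p.get("passed", 0) > 0),
    ("code_review", "approval from someone other than the author",
     lambda p: any(r != p.get("author") for r in p.get("approvers", []))),
    ("artifact_signed", "artifact signature recorded",
     lambda p: bool(p.get("signature"))),
]


class GovernanceStore:
    """Event-driven collector: attestations arrive as pipeline stages finish."""

    def __init__(self):
        self._by_subject: dict[str, dict[str, Attestation]] = {}

    def on_event(self, att: Attestation) -> None:
        # Reject evidence whose tag does not match its content.
        if not verify(att):
            raise ValueError(f"rejecting tampered attestation for {att.stage}")
        self._by_subject.setdefault(att.subject, {})[att.stage] = att

    def evaluate(self, subject: str, policy=RELEASE_POLICY) -> dict:
        """Per-requirement status plus the evidence an auditor would ask for."""
        have = self._by_subject.get(subject, {})
        results = []
        for stage, description, check in policy:
            att = have.get(stage)
            if att is None:
                status, evidence = "missing", None
            else:
                status = "pass" if check(att.predicate) else "fail"
                evidence = {"producer": att.producer, "predicate": att.predicate}
            results.append({"stage": stage, "requirement": description,
                            "status": status, "evidence": evidence})
        return {"subject": subject,
                "compliant": all(r["status"] == "pass" for r in results),
                "requirements": results}


def run_demo() -> dict:
    """Feed constructed events for two artifacts and return both verdicts."""
    store = GovernanceStore()
    good = hashlib.sha256(b"release-1.4.0.tar.gz (constructed)").hexdigest()
    bad = hashlib.sha256(b"release-1.4.1.tar.gz (constructed)").hexdigest()
    store.on_event(attest(good, "sast_scan", "sast-tool", {"critical": 0, "high": 0, "medium": 3}))
    store.on_event(attest(good, "unit_tests", "ci", {"passed": 212, "failed": 0}))
    store.on_event(attest(good, "code_review", "scm", {"author": "alice", "approvers": ["bob"]}))
    store.on_event(attest(good, "artifact_signed", "signer", {"signature": "(constructed)"}))
    # Second artifact: a critical finding, a self-approval and no signature yet.
    store.on_event(attest(bad, "sast_scan", "sast-tool", {"critical": 1, "high": 0}))
    store.on_event(attest(bad, "unit_tests", "ci", {"passed": 212, "failed": 0}))
    store.on_event(attest(bad, "code_review", "scm", {"author": "alice", "approvers": ["alice"]}))
    return {"good": store.evaluate(good), "bad": store.evaluate(bad)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the design is that the verdict carries its own context: each requirement reports not only pass, fail or missing, but which producer emitted the evidence and what that evidence contained, which is what an auditor needs to check the conclusion rather than take it on trust. Keying attestations by the artifact digest ties every piece of evidence to the exact bytes being shipped, and rejecting attestations that fail verification keeps self-reported or altered evidence out of the store.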