Nir Valtman recalls that as a child he used tools such as ICQ, NetBus and Sub7 to break into computers. From there it was easy to plant a Trojan horse without being noticed.
Today, the adoption of open source packages in nearly every product leaves the door open for adversaries to use the same Trojan horse trick, said Valtman, Arnica co-founder and CEO.
But despite such increased threats to the software supply chain, organizations remain hesitant to deploy tools for fear of hurting developers’ agility.
“The real challenge is mitigating risk without reducing the speed (and quality of life) of developers,” said Valtman, whose company today announced the general availability of its platform and a $7 million seed funding round.
The new tool uses machine learning (ML) and graph-based behavioral analytics to help protect against supply chain attacks without disrupting developer flow or productivity.
“We believe that by learning how developers work, we can both protect the company code and enable and support developers at the same time,” said Valtman.
Increased risk – but also more action
Software supply chain attacks are rising sharply: they grew 650% in 2021 and now account for about one fifth of all data breaches.
As noted by Dale Gardner, senior analyst at Gartner, “Attackers are increasingly looking for ways to covertly involve themselves in the development process where they can launch their attacks.”
The good news, however, is that “we are seeing both a significant increase in awareness of supply chain attacks and a variety of actions and measures to help prevent attacks,” Gardner said.
Most of this activity, he explained, comes from security engineering teams who want to better understand the risks of the software they use, protect their development infrastructure, and describe the software they develop via software bills of materials (SBOMs).
“However, a remaining gap is providing buyers and users of [the] software with the tools and processes they need to evaluate the integrity of the code they use in their organizations,” said Gardner.
Continuous Permission Protection
If you look at recent attacks on the software supply chain, two main root causes stand out, Valtman said. One is improper access control to the development ecosystem. The other is abnormal behavior that could have been prevented by observing developer activity, automated scripts (such as CI/CD pipelines) and other communication channels.
Still, “the golden rule in fortifying developer environments is: don’t compromise development speed,” he said. “A developer’s ability to quickly and seamlessly make code changes and ship products to users has a direct impact on revenue, so it’s a non-starter for organizations to get in the way of that.”
This is the dilemma that Arnica is trying to address.
Using ML algorithms and graph-based analysis, the platform builds a behavioral profile of an organization’s development ecosystem and the nuances of developer workflows, Valtman said. It then validates the authenticity of any change made to the code, enabling it to detect developer impersonators and prevent them from using stolen credentials to make changes to the codebase.
Developers can also take interactive action within their own tools. For example, to rein in excessive permissions and reach a least-privilege state, the tool automatically revokes privileges that are not being used. When developers do need them, Valtman explained, they can ask Arnica’s Slack bot for access to any source code repository, or ask the bot to fix a newly discovered hard-coded secret.
The same mechanism can trigger an authentication message to a developer when identifying anomalous behavior to prevent account takeovers and insider threats.
The behavior-based approach to anomaly detection moves security teams from periodic permission updates to “continuous and dynamic” permission protection, Valtman said.
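The behavioral baseline, the re-authentication trigger and the automatic revocation of unused privileges described in this section, as an added illustration that is not Arnica’s code: it builds a per-developer profile from constructed push events (user, repository, SSH key fingerprint, timestamp, all made up here), flags a push that uses a key, repository or hour of day the developer has never used before, and lists granted repository permissions that have gone unexercised in a 90-day window. The event fields, the grant table and the three-hour tolerance are assumptions made for the example.

```python
"""Behavioral baseline for git push events.

Added illustration, not Arnica's code. A profile is learned from past pushes;
a new push that deviates from it would trigger the step-up authentication
described above, and grants nobody has exercised are revocation candidates.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push events (not real data). "key" is the SSH key fingerprint.
HISTORY = [
    {"user": "alice", "repo": "payments", "key": "SHA256:k1", "ts": "2022-10-03T09:12:00"},
    {"user": "alice", "repo": "payments", "key": "SHA256:k1", "ts": "2022-10-04T10:40:00"},
    {"user": "alice", "repo": "billing",  "key": "SHA256:k1", "ts": "2022-10-05T14:05:00"},
    {"user": "bob",   "repo": "web",      "key": "SHA256:k2", "ts": "2022-10-03T11:00:00"},
    {"user": "bob",   "repo": "web",      "key": "SHA256:k2", "ts": "2022-10-06T16:30:00"},
]

# Constructed permission grants: user -> repositories where they hold write access.
GRANTS = {"alice": {"payments", "billing", "infra"}, "bob": {"web", "payments"}}


def build_profiles(events):
    """Per user: repositories pushed to, SSH keys used, hours of day seen."""
    profiles = defaultdict(lambda: {"repos": set(), "keys": set(), "hours": set()})
    for e in events:
        p = profiles[e["user"]]
        p["repos"].add(e["repo"])
        p["keys"].add(e["key"])
        p["hours"].add(datetime.fromisoformat(e["ts"]).hour)
    return profiles


def anomalies(profile, event, hour_tolerance=3):
    """Return the deviations of one push from the user's baseline (empty = normal)."""
    reasons = []
    if event["key"] not in profile["keys"]:
        reasons.append("new_ssh_key")      # stolen credential or new machine
    if event["repo"] not in profile["repos"]:
        reasons.append("new_repo")         # lateral movement across repositories
    hour = datetime.fromisoformat(event["ts"]).hour
    if all(abs(hour - h) > hour_tolerance for h in profile["hours"]):
        reasons.append("unusual_hour")     # activity far outside the usual working hours
    return reasons


def unused_grants(grants, events, now, window_days=90):
    """Grants with no push inside the window: candidates for automatic revocation."""
    cutoff = now - timedelta(days=window_days)
    used = defaultdict(set)
    for e in events:
        if datetime.fromisoformat(e["ts"]) >= cutoff:
            used[e["user"]].add(e["repo"])
    return {u: sorted(repos - used[u]) for u, repos in grants.items() if repos - used[u]}


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    suspicious = {"user": "alice", "repo": "payments", "key": "SHA256:k9", "ts": "2022-10-07T03:30:00"}
    print("alice push:", anomalies(profiles["alice"], suspicious))
    print("unused grants:", unused_grants(GRANTS, HISTORY, datetime(2022, 10, 10)))
```

The point of keying the profile on the SSH fingerprint rather than the git author field is that the author field is free text and is exactly what an impersonator forges; the transport credential, the target repository and the timing are the signals the attacker cannot trivially copy from a colleague’s commit history.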
Not just looking for solutions
Valtman, who holds three patents, explained that Arnica was “born out of necessity” when he and his team at financial software company Finastra tested more than a dozen products while trying to secure the software supply chain. They found that most available products aim to give customers a “single pane” of misconfigurations within the development ecosystem.
While there is a growing trend to implement SBOMs, it’s not just about that, Valtman said.
The key is to understand an organization’s inventory and risks. Then organizations must prioritize what is important to them based on existing controls.
Devops and security can have different priorities, he stressed, so it’s important to align why each check is important before “looking for solutions.”
But there are quick wins that are easy to agree on, he said — preventing new hard-coded secrets from being pushed to the source code repository; fixing misconfigured branch security policies; reducing unnecessary administrator privileges.
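The first of those quick wins, keeping new hard-coded secrets out of the repository, as an added example that is not Arnica’s tooling: a pre-push check that scans only the added lines of a unified diff (so secrets already buried in history do not block unrelated changes) for well-known credential formats and for long, high-entropy literals assigned to secret-looking names. The diff, the pattern set and the 3.5-bit entropy threshold are constructed for the example; the AWS key in it is the documented example key.

```python
"""Pre-push check for newly added hard-coded secrets.

Added illustration, not Arnica's code. Scans the '+' lines of a unified diff,
tracks new-file line numbers from the hunk headers, and reports matches of
known credential formats plus random-looking literals assigned to secret names.
"""
import math
import re
import sys

# Credential formats with a fixed, recognisable shape (constructed for the example).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
}
# Assignments such as password = "..." whose literal is at least 16 characters long.
ASSIGNMENT = re.compile(
    r"""(?i)(secret|password|passwd|token|api[_-]?key)\s*[=:]\s*["']([^"']{16,})["']"""
)
HUNK = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")

# Constructed diff: one documented example AWS key, one low-entropy placeholder,
# one random-looking API key.
DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+db_password = "placeholder-placeholder"
+api_key = "9f2c1e8b7a6d5c4b3a2f1e0d9c8b7a6f"
 REGION = "eu-west-1"
"""


def shannon_entropy(s):
    """Bits per character; random hex sits near 4, English words well below 3.5."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_diff(diff_text, entropy_threshold=3.5):
    """Return (new_file_line_no, kind, matched_text) for each suspicious added line."""
    findings = []
    new_line_no = 0
    for line in diff_text.splitlines():
        if line.startswith(("diff ", "index ", "--- ", "+++ ")):
            continue                       # file headers carry no content
        m = HUNK.match(line)
        if m:
            new_line_no = int(m.group(1)) - 1
            continue
        if line.startswith("-"):
            continue                       # removed lines never count as new secrets
        new_line_no += 1                   # context and added lines both advance the new file
        if not line.startswith("+"):
            continue
        added = line[1:]
        for kind, pat in PATTERNS.items():
            for hit in pat.finditer(added):
                findings.append((new_line_no, kind, hit.group(0)))
        am = ASSIGNMENT.search(added)
        if am and shannon_entropy(am.group(2)) >= entropy_threshold:
            findings.append((new_line_no, "high_entropy_" + am.group(1).lower(), am.group(2)))
    return findings


if __name__ == "__main__":
    # Hook usage: git diff --cached | python check_secrets.py ; exit 1 blocks the commit.
    text = sys.stdin.read() if not sys.stdin.isatty() else DIFF
    hits = scan_diff(text)
    for line_no, kind, match in hits:
        print(f"line {line_no}: {kind}: {match}")
    sys.exit(1 if hits else 0)
```

Note what the entropy heuristic does not catch: a long dictionary-word passphrase assigned to `db_password` scores below the threshold and passes, which is why format patterns and an allow-list of reviewed placeholders are used alongside it rather than instead of it.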
Better understanding, preparation
In general, organizations need to better understand the risks of software entering the organization, Gardner said.
He also pointed out that most of the attention to date has been focused on supporting security and technical organizations. This is “essential but incomplete,” he said. Procurement and supply chain teams need more help conducting the same kinds of evaluations of the software they use. All too often these groups lack the tools and information they need to make informed decisions about the risks associated with software and the vendors and providers who create it.
Organizations also need to protect their own development environment and software artifacts, as these environments are typically not properly secured. This has “transformed them into a rich attack surface for malicious individuals,” Gardner said.
In addition, organizations must be willing to provide downstream software users with information not only about the content of the software they create, but also about their own security measures in the software supply chain. This allows them to properly evaluate risks and respond to security incidents, Gardner said.
The right ‘protective clothing’
Arnica’s new funding round was led by Joule Ventures and First Rays Venture Partners, with angel investment from Avi Shua, co-founder and CEO of Orca Security, Dror Davidoff, co-founder and CEO of Aqua Security, and Baruch Sadogursky, head of developer relations at JFrog.
The company will use the money to accelerate R&D and scale its go-to-market teams. The focus area, Valtman said, is to provide more automated workflow and mitigation capabilities for existing and new customers.
In the end, Valtman compared the tool to his passion for mountain biking.
Unsurprisingly, “I’ve fallen many times, but after each fall I make sure I get the proper protective gear to prevent future injuries,” he said, adding that “I now wear a full-face helmet.”
Arnica’s goal, he said, is to provide organizations with better “protective gear” over time by tackling more complex problems and “shifting the paradigm about risk mitigation.”
Janice has been with businesskinda for 5 years, writing copy for client websites, blog posts, EDMs and other mediums to engage readers and encourage action. By collaborating with clients, our SEO manager and the wider businesskinda team, Janice seeks to understand an audience before creating memorable, persuasive copy.