Nir Valtman recalls that, as a kid, he used tools like ICQ, NetBus and Sub7 to hack into computers. From there, it was simple to plant a Trojan horse without being detected.
Today, the adoption of open-source packages in nearly every product leaves the door open for adversaries to use the same Trojan horse trick, said Valtman, who is the cofounder and CEO of Arnica.
Yet despite the growing threat to the software supply chain, organizations remain hesitant to adopt security tooling for fear of harming developer agility.
“The real challenge is to mitigate risks without reducing the developers’ velocity (and quality of life),” said Valtman, whose company today announced the general availability of its platform and a $7 million seed funding round.
The new tool leverages machine learning (ML) and graph-based behavioral analysis to help protect against supply chain attacks without disrupting developer flow or productivity.
“We believe that by learning how developers work, we can both protect the company’s code and, at the same time, enable and support developers,” said Valtman.
Increased risk — but increased action, too
Software supply chain attacks are on the rise: they increased by 650% in 2021, and they now account for one-fifth of all data breaches.
As noted by Dale Gardner, senior analyst at Gartner, “Attackers are increasingly looking for ways to surreptitiously insert themselves into the development process, where they can carry out their attacks.”
The good news, though, is “we’re seeing both significant increases in awareness of supply chain attacks, coupled with a variety of actions and measures to help prevent attacks,” Gardner said.
Most of this activity, he explained, is from security engineering teams that are looking to better understand the risks posed by the software they’re using, protect their development infrastructure and provide descriptions of the software they’re developing, via software bills of materials (SBOMs).
“A remaining gap, though, is providing buyers and users of [the] software with the tools and processes they need to evaluate the integrity of the code they’re using in their organizations,” said Gardner.
Continuous permissions security
If you examine recent software supply chain attacks, two major root causes stick out, said Valtman. One is improper access management to the development ecosystem. Another is abnormal behavior that could have been prevented by observing developer behaviors, automated scripts (such as CI/CD pipelines) or other communication channels.
Still, “the golden rule when hardening developer environments is: Do not harm developer velocity,” he said. “A developer’s ability to rapidly and seamlessly make code changes and ship products to users has a direct impact on revenue, so getting in the way of that is a non-starter for organizations.”
This is the quandary that Arnica seeks to address.
Using ML algorithms and graph-based analysis, the platform builds a behavioral profile of an organization’s development ecosystem and the nuances of developer workflows, said Valtman. It then validates the authenticity of each change made to code, which lets it detect developer impersonators and prevent them from using stolen credentials to introduce changes to the codebase.
Developers can also take action interactively from within their own tools. For example, to manage excessive permissions and reach least privilege, the tool automatically revokes privileges that are not being used. When developers do need them, Valtman explained, they can use Arnica’s Slack bot to request permissions to any source code repository. Or they can ask the bot to fix a newly discovered hard-coded secret.
The same mechanism can trigger an authentication message to a developer upon identifying anomalous behavior to prevent account takeovers and insider threats.
The behavior-based approach to anomaly detection moves security teams away from periodic permissions updates to “continuous and dynamic” permissions security, said Valtman.
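To make the “continuous permissions” idea concrete, here is an added example (not Arnica’s code) that infers the minimal repository role each developer has actually exercised from an activity log and flags grants to revoke or downgrade. The role ordering, the action-to-role mapping and the sample data are all constructed for this illustration.

```python
"""Least-privilege drift check: compare granted repo roles with observed need."""
from datetime import datetime, timedelta

# Role lattice from lowest to highest privilege (assumed, GitHub-like).
ROLES = ["read", "write", "admin"]

# Minimal role required for each observed action (assumption for this example).
ACTION_MIN_ROLE = {
    "clone": "read",
    "pull_request": "read",
    "push": "write",
    "merge": "write",
    "settings_change": "admin",
    "add_collaborator": "admin",
}

def least_privilege_report(grants, events, now, idle_days=30):
    """Return {(user, repo): recommendation} for grants that exceed observed need.

    grants: list of (user, repo, role); events: list of (user, repo, action, ISO ts).
    No activity inside the idle window -> recommend revocation; activity that never
    needed the granted role -> recommend downgrade to the highest role exercised.
    """
    cutoff = now - timedelta(days=idle_days)
    needed = {}  # (user, repo) -> highest role actually exercised in the window
    for user, repo, action, ts in events:
        if datetime.fromisoformat(ts) < cutoff:
            continue
        req = ACTION_MIN_ROLE.get(action, "read")
        cur = needed.get((user, repo))
        if cur is None or ROLES.index(req) > ROLES.index(cur):
            needed[(user, repo)] = req
    report = {}
    for user, repo, role in grants:
        key = (user, repo)
        if key not in needed:
            report[key] = "revoke (no activity in %d days)" % idle_days
        elif ROLES.index(needed[key]) < ROLES.index(role):
            report[key] = "downgrade %s -> %s" % (role, needed[key])
    return report

# Constructed sample grants and activity events.
GRANTS = [("alice", "payments", "admin"), ("bob", "payments", "write"),
          ("carol", "payments", "admin"), ("dave", "billing", "write")]
EVENTS = [("alice", "payments", "push", "2022-10-20T09:00:00"),
          ("alice", "payments", "merge", "2022-10-21T09:00:00"),
          ("bob", "payments", "push", "2022-10-22T09:00:00"),
          ("carol", "payments", "settings_change", "2022-10-18T09:00:00"),
          ("dave", "billing", "push", "2022-08-01T09:00:00")]
NOW = datetime(2022, 10, 25)

if __name__ == "__main__":
    for key, rec in least_privilege_report(GRANTS, EVENTS, NOW).items():
        print(key, rec)
```

Alice used only write-level actions, so her admin grant is flagged for downgrade; Dave’s grant has seen no activity inside the window and is flagged for revocation.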
Not just chasing solutions
Valtman, who holds three patents, explained that Arnica was “born out of necessity” when he and his team at financial software company Finastra tested more than a dozen products while trying to secure the software supply chain. They found that most available products focus on getting customers a “single pane of glass” of misconfigurations within the development ecosystem.
While there has been a growing trend to implement SBOMs, it’s not just about that, Valtman said.
The key is to establish visibility across an organization’s inventory and risks. Then, organizations should prioritize what matters to them based on existing controls.
DevOps and security may have different priorities, he pointed out, so it’s important to align on why each control is important before “chasing solutions.”
But, there are quick wins that are easy to agree on, he said — preventing new hard-coded secrets from being pushed to the source code repository; fixing misconfigured branch protection policies; reducing unnecessary admin permissions.
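The first quick win above, blocking new hard-coded secrets before they reach the repository, can be enforced at push time by scanning only the lines a diff adds. The following is an added example (not Arnica’s code); the detection rules, the entropy threshold and the sample diff are constructed for this illustration.

```python
"""Pre-push check that flags newly added hard-coded secrets in a unified diff."""
import math
import re
from collections import Counter

# Constructed rules: the AWS access key ID shape is public; the generic rule
# catches assignments such as api_key = "..." with a value of 16+ characters.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(secret|password|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"),
}

def shannon_entropy(s):
    """Bits per character; random-looking strings score high, words score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def added_lines(diff_text):
    """Yield (line number in the new file, text) for each line a diff adds."""
    new_ln = 0
    for line in diff_text.splitlines():
        if line.startswith("@@"):
            new_ln = int(re.search(r"\+(\d+)", line).group(1)) - 1
        elif line.startswith("+") and not line.startswith("+++"):
            new_ln += 1
            yield new_ln, line[1:]
        elif not line.startswith("-"):
            new_ln += 1  # unchanged context line

def find_new_secrets(diff_text, min_entropy=3.5):
    """Return [(line_no, rule)] for added lines that look like secrets.
    Removed and context lines are ignored, so only *new* secrets block a push."""
    findings = []
    for ln, text in added_lines(diff_text):
        for rule, pat in PATTERNS.items():
            m = pat.search(text)
            if not m:
                continue
            value = m.group(2) if rule == "generic_assignment" else m.group(0)
            if rule == "aws_access_key_id" or shannon_entropy(value) >= min_entropy:
                findings.append((ln, rule))
    return findings

# Constructed diff: a developer replaced an environment lookup with literals.
DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-API_TOKEN = os.environ["API_TOKEN"]
+AWS_KEY = "AKIAEXAMPLEKEY0000XX"
+API_TOKEN = "xk3n9Qa7vLp2Rt8wYb4ZsJ6mC1"
+TIMEOUT = 30
 DEBUG = False
"""
```

Running `find_new_secrets(DIFF)` reports the two added credential lines and ignores the benign `TIMEOUT` line and the removed line.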
Better understanding, preparation
Overall, organizations must better understand the risks posed by software entering the organization, said Gardner.
Also, he pointed out that most of the focus to date has been on supporting security and engineering organizations. This is “essential but incomplete,” he said. Procurement and supply chain teams need more help performing those same types of evaluations on software in use. Too often, these groups lack the tools and information they need to make informed decisions about the risks posed by software and the vendors and providers who create it.
Organizations must also protect their own development environment and software artifacts, as these environments are typically not properly secured. This has “transformed them into a rich attack surface for malicious individuals,” said Gardner.
Furthermore, organizations must be prepared to provide downstream software users with not only information about the contents of the software they create, but their own software supply chain security measures. This allows them to properly evaluate risk and respond to security incidents, said Gardner.
The right ‘protective gear’
Arnica’s new funding round was led by Joule Ventures and First Rays Venture Partners, with angel investment from Avi Shua, cofounder and CEO of Orca Security; Dror Davidoff, cofounder and CEO of Aqua Security; and Baruch Sadogursky, head of developer relations at JFrog.
The company will use the funds to accelerate R&D and scale its go-to-market teams. Its focus area, said Valtman, is to provide more automated workflow and mitigation capabilities for existing and new customers.
Ultimately, Valtman compared the tool to the protective gear he wears for his other passion, mountain biking.
As would be expected, “I have fallen many times, but after each fall, I make sure to get the right protective gear to avoid any future injuries,” he said, adding that “I now wear a full face helmet.”
Arnica’s goal, he said, is to provide organizations with better “protective gear” over time by addressing more complex problems and “shifting the paradigm on risk mitigation.”