Nir Valtman is CEO and Founder at Arnica, a platform that enables enterprises to proactively protect their software supply chain from risk by automating daily security operations and empowering developers to own security without compromising risk or speed.
What first attracted you to cyber security?
I grew up with a hacker mindset. I started by destroying the computer lab in my first coding course and hacking other computers with very little coding ability, all when I was 13. When I joined the army service in Israel, I received hands-on education in the defensive side of security, which eventually led to my professional career in cyber security.
Can you share the origin story of Arnica?
Before Arnica, I worked at Finastra, the third largest global FinTech company, as VP of Security. The dust from the infamous SolarWinds attack was just settling and our CEO asked me how we could minimize the risk of a software supply chain attack. We did a comprehensive assessment of companies building solutions in this space, several of which we ran proof-of-concepts with. No vendor was a good fit for what we were looking for: comprehensive coverage, proactive risk mitigation, and a great developer experience. In particular, the developer experience aspect was crucial because any solution I imposed on developers that disrupted their workflow would be rejected and we would be back to square one.
Without finding a solution, I decided to research every software supply chain attack that had occurred in the last 5 years to understand the main symptoms and how to prevent them. At the same time, I talked to two friends, Eran Medan (CTO) and Diko Dahan (COO), who had extensive experience in development and operations leadership. Eran and Diko expressed similar challenges in finding a solution – Diko from a technical perspective and Eran from a development perspective. Given that we were all coming up empty on the solution, we developed a hypothesis about what the solution should be. We conducted dozens of validation calls with security, operations, and engineering leaders that confirmed both the problem and our hypothesis about the solution needed. Fast forward a few months to August 2021 and we founded Arnica.
Arnica provides behavior-based security end-to-end. Can you define what behavior-based security is?
If someone handed you a manuscript and said you wrote it, you could probably tell if it was actually written by you. If, for example, the handwriting is not yours, the entry is dated before your birth, and is written in French (which you do not know how to speak or write), it will be clear that you are not the author. We take a similar approach to code, except we build a profile of each developer consisting of thousands of factors (also known as features in machine learning). By observing the trends and behavior of developers, we can prevent risks that deviate from their normal development patterns. This helps us prevent account hijacking, insider threats, and other risks associated with software development.
Can you discuss how the platform can define the nuances of each developer’s work?
Arnica uses historical auditing and code contribution activity to create a behavioral fingerprint for each developer. This fingerprint represents the known and expected behavior of a developer’s permission usage, coding style, commitment language, and development practices. We can then compare all future activity to this fingerprint to determine the probability that future code came from this author.
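To make the fingerprint idea concrete, here is an added example (not Arnica's code or model) that builds a small behavioral profile from constructed commit metadata for one developer account and scores a new commit against it. The feature names, thresholds and sample data are assumptions chosen for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed commit metadata for one developer (sample data, not from any real repository).
# Each record: local hour of the commit, top-level directories touched, commit-message length.
HISTORY = [
    {"hour": 9,  "dirs": ["api"],          "msg_len": 48},
    {"hour": 10, "dirs": ["api"],          "msg_len": 61},
    {"hour": 11, "dirs": ["api", "tests"], "msg_len": 55},
    {"hour": 14, "dirs": ["tests"],        "msg_len": 40},
    {"hour": 15, "dirs": ["api"],          "msg_len": 70},
    {"hour": 16, "dirs": ["api", "tests"], "msg_len": 52},
    {"hour": 10, "dirs": ["api"],          "msg_len": 58},
    {"hour": 13, "dirs": ["tests"],        "msg_len": 45},
]

def build_fingerprint(commits):
    """Summarise a developer's historical activity into a small feature profile."""
    lens = [c["msg_len"] for c in commits]
    return {
        "hours": Counter(c["hour"] for c in commits),          # when they usually commit
        "dirs": Counter(d for c in commits for d in c["dirs"]),  # where they usually work
        "n": len(commits),
        "len_mean": mean(lens),
        "len_sd": pstdev(lens) or 1.0,  # guard against a constant history (sd == 0)
    }

def score_commit(fp, commit, rare=0.05):
    """Return (anomaly_score, reasons); each deviation from the profile adds one point."""
    reasons = []
    if fp["hours"][commit["hour"]] / fp["n"] < rare:
        reasons.append(f"hour {commit['hour']} is rare for this developer")
    new_dirs = [d for d in commit["dirs"] if fp["dirs"][d] == 0]
    if new_dirs:
        reasons.append(f"never touched {new_dirs} before")
    z = abs(commit["msg_len"] - fp["len_mean"]) / fp["len_sd"]
    if z > 3:
        reasons.append(f"message length {commit['msg_len']} is {z:.1f} sd from the mean")
    return len(reasons), reasons

if __name__ == "__main__":
    fp = build_fingerprint(HISTORY)
    print(score_commit(fp, {"hour": 10, "dirs": ["api"], "msg_len": 50}))       # (0, [])
    print(score_commit(fp, {"hour": 3, "dirs": [".github"], "msg_len": 4}))    # (3, [...])
```

A score above zero would be the point at which a policy like the one described in the next answer (re-authentication via chat, notification to the security team) kicks in.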
What happens after the system flags anomalous behavior?
We always strive to maximize security value while eliminating development friction. When Arnica detects anomalous behavior from a developer account, we flag it in Arnica and automatically send additional authentication via live chat to that developer and security team based on your policy configuration.
How does Arnica help with code auditing?
Arnica provides real-time notifications to developers when they make code changes, reducing the amount of risk that requirements will be reached. For those risks that meet the requirements, Arnica introduces automated code checking on PRs. When risks are located, Arnica comments with risk details and mitigation context for each risk. Arnica can also automatically block merges where there are risks preventing them from reaching production code.
Arnica also enables the identification of vulnerable third-party dependencies, can you discuss how this works for developers?
Arnica scans all third-party packages and vulnerabilities with each code hit, and notifies developers directly via ChatOps when they use vulnerable versions or introduce a low-reputation package into the codebase.
What other features does the Arnica platform offer?
Arnica is focused on providing a platform for application security teams to gain visibility into all risks in the software supply chain, be able to prioritize those risks, and easily stop new risks and fix existing risks. We provide this capability across a wide range of risk categories, including excessive developer permissions, code risks resulting from SAST (Static Application Security Testing) and IaC (Infrastructure as Code) scans, hard-coded secrets, third-party dependencies, and more.
Is there anything else you’d like to share about Arnica?
At Arnica, as we develop application and supply chain security solutions, we consider ourselves a developer-experienced company. We want to make solving security problems a smooth and enjoyable experience. Take our privacy mitigation solution as an example. We detect the secret when the code is pressed, verify it, and send a message to the developer in their chat tool of choice. The message gives the developer a button – “fix” – that removes the secret from the entire git history without the developer having to write any git commands. Just one click away.
We believe that if we can make security an easy and enjoyable part of the development experience, every organization that uses Arnica will be better off.
Thanks for the great interview. Readers who want to learn more should visit Arnica.