Security platform replaces manual risk assessment with on-the-fly analysis during the build process
Apiiro creates user profiles and analyzes a company’s code base to spot high-risk changes.
A cybersecurity expert wants to make it easier for software developers and security architects to work together. CEO and co-founder Idan Plotnik applied what he learned about user and entity behavior analysis while building his previous company, Aorato, to his latest one, Apiiro. Plotnik sold Aorato to Microsoft for $200 million a few years ago.
The platform monitors the software development process from design to code to cloud and builds security checks into the entire lifecycle.
Plotnik said that the goal is to reduce the risk in software development and allow companies to build new products and services faster while increasing overall security. He described how one current client in the financial industry requires developers to complete a 400-question risk assessment before starting any new project.
“It takes four months to even initiate a new development process, and if you want to change an existing high business impact application, it will take you one month,” he said.
The platform ingests data from multiple sources to calculate the risk of a particular change. Apiiro identifies an abnormal commit and explains why the change was flagged: activity during abnormal hours, a front-end developer committing back-end code, or a developer changing a sensitive file from a different location or a different computer.
Apiiro learns a company's code base as well as the habits of its developers. When a commit is in process, the platform compares the changes in the compiled binary (such as a DLL) against the source held in the source control manager and, if a security risk surfaces, automatically breaks the build behind the scenes.
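The behavioral baseline described above, as an added illustration that is not Apiiro's code: a per-developer profile is learned from constructed commit history, and each new commit is scored against it for off-hours activity, an unfamiliar code area, a sensitive path, or an unknown machine. The sensitive-path list and the thresholds are assumptions chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

SENSITIVE_PREFIXES = ("build/", "auth/", ".github/workflows/")  # assumed list for this example

@dataclass
class DeveloperProfile:
    name: str
    hours: Counter = field(default_factory=Counter)   # commit hour -> count
    areas: Counter = field(default_factory=Counter)   # top-level directory -> count
    hosts: set = field(default_factory=set)           # machines seen committing

    def learn(self, commit):
        self.hours[commit["when"].hour] += 1
        for path in commit["files"]:
            self.areas[path.split("/")[0]] += 1
        self.hosts.add(commit["host"])

def score_commit(profile, commit, min_hour_share=0.05, min_area_share=0.10):
    """Return (score, reasons): one reason per deviation from the learned baseline."""
    reasons = []
    hour_share = profile.hours[commit["when"].hour] / (sum(profile.hours.values()) or 1)
    if hour_share < min_hour_share:
        reasons.append("commit made outside this developer's usual hours")
    total_areas = sum(profile.areas.values()) or 1
    for path in commit["files"]:
        area = path.split("/")[0]
        if profile.areas[area] / total_areas < min_area_share:
            reasons.append(f"touches {area}/, outside this developer's usual code area")
        if path.startswith(SENSITIVE_PREFIXES):
            reasons.append(f"modifies sensitive file {path}")
    if commit["host"] not in profile.hosts:
        reasons.append(f"first commit seen from unknown machine {commit['host']}")
    reasons = list(dict.fromkeys(reasons))  # drop duplicates from multi-file commits
    return len(reasons), reasons

# Constructed history: a front-end developer committing under web/ from one laptop, 09:00-16:00.
HISTORY = [{"when": datetime(2021, 3, day, hour), "files": [f"web/view{day}.js"], "host": "alice-laptop"}
           for day, hour in zip(range(1, 9), range(9, 17))]
ALICE = DeveloperProfile("alice")
for past in HISTORY:
    ALICE.learn(past)

def demo():
    """Score one in-character commit and one that deviates on every learned dimension."""
    normal = {"when": datetime(2021, 3, 10, 10), "files": ["web/app.js"], "host": "alice-laptop"}
    odd = {"when": datetime(2021, 3, 11, 3), "files": ["build/pipeline.yml"], "host": "unknown-host"}
    return score_commit(ALICE, normal), score_commit(ALICE, odd)
```

The score is only a count of deviations; a real deployment would weight them and feed the reasons to the reviewer who receives the alert.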
“And when the attacker will try to compromise an account, a legitimate account inside the network, we can alert and catch it even before the CI/CD pipeline,” Plotnik said.
Lawrence Pingree, managing vice president of emerging technologies for security and risk at Gartner, said in a LinkedIn post that he sees user and entity behavior analysis as part of the trend toward the “internet of behaviors.”
Pingree wrote that the next step in this evolution is to apply behavioral analysis to software production, which could include requiring vendors to profile the behaviors of their code or an industry standard on disclosure of software behaviors.
Stopping the next SolarWinds attack
In a video interview with TechRepublic, Plotnik explained how Apiiro takes a different approach to software security. The hackers behind the SolarWinds attack injected code at a point in the process where neither the security team nor the development team would see it, he said.
“The new thing here is to bridge the build server, inject the code early in the process before the build server and just let it shift,” he said.
Plotnik said that most vulnerability scanning tools, and most software that looks for malicious code in the CI/CD pipeline, can't spot this kind of attack because the code that was injected wasn't itself malicious.
“Only by looking at two points in this story, the source code and the outcome of the build server, only by looking at these two dimensions together, you will be able to identify this attack,” he said.
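The two-point comparison Plotnik describes, as an added example that is not Apiiro's code: symbols defined in the committed source are diffed against symbols present in the build output, so a function that exists only in the artifact stands out even though the source scan and the artifact scan each look clean on their own. Python code objects stand in for the DLL, and the source text and the tampered build are constructed inline.

```python
import ast
import types

def source_symbols(src):
    """Functions and classes defined in the source that was actually committed."""
    tree = ast.parse(src)
    return {n.name for n in ast.walk(tree) if isinstance(n, (ast.FunctionDef, ast.ClassDef))}

def artifact_symbols(code):
    """Functions and classes present in a built artifact (here a Python code object)."""
    found = set()
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            if not const.co_name.startswith("<"):   # skip lambdas and comprehensions
                found.add(const.co_name)
            found |= artifact_symbols(const)       # recurse into nested scopes
    return found

def build_drift(src, artifact):
    """Symbols that exist in the build output but have no counterpart in source control."""
    return artifact_symbols(artifact) - source_symbols(src)

# Constructed source exactly as it sits in the repository.
SOURCE = '''
class Transfer:
    def execute(self, amount, dest):
        return post("/transfer", amount, dest)
'''
# Honest build: compile exactly what was checked out.
CLEAN_BUILD = compile(SOURCE, "app.py", "exec")
# Constructed tampered build: an extra function spliced in between checkout and compile,
# the step that a scanner of the repository alone never sees.
TAMPERED_BUILD = compile(SOURCE + "\ndef injected_helper(data):\n    return data\n", "app.py", "exec")

def demo():
    """Drift for the honest build (empty) and for the tampered one (the extra symbol)."""
    return build_drift(SOURCE, CLEAN_BUILD), build_drift(SOURCE, TAMPERED_BUILD)
```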
Apiiro uses machine learning and natural language processing algorithms to create user profiles for everyone involved in the software development process. Plotnik said his team trained the algorithms on more than 200,000 code repositories, both publicly available repos and internal repos from customers. The platform uses two learning engines, one trained outside a customer's network and another that learns inside the network once Apiiro is deployed on a company's servers. The final step is to compare the results of the two engines.
“We are learning across all the company’s history because the GitHub server stores all the history of all the code changes and the JIRA server holds all the data across all the projects,” Plotnik said.
Apiiro has a patent pending on this technology, according to Plotnik.
Making security reviews less painful
In addition to making the software development process more secure, Apiiro makes it easier for developers and security experts to work together. Plotnik worked at Microsoft for several years and remembered the conflicts between the two groups. Developers regularly complained to him about issues raised by the security team.
“They always came to me and said, ‘They’re asking me tedious questions that if they would look at the code for five minutes, they would save me two hours,'” he said.
Apiiro connects with read-only permissions to a company’s source control manager and ticketing systems. Security architects or security champions who are part of the development process or on the security team get the warnings from Apiiro first.
“You can add a security champion into the pull request and say, ‘You are the right person to help me remediate the risky material change,’” he said. “This is how we integrate security into the development process without introducing new tools, because developers hate it when you introduce new tools to them.”
The system can also track high-risk changes, such as editing an API that manages the logic of a money transfer, and enforce other adaptive governance rules.
“As a security architect, you can set a rule that every time I see this development team for my mobile application introducing an API that is exposing PII data without authorization, I want to comment on the pull request and tell the developer, ‘You introduced a change that you need to fix,’” he said.
Plotnik said this structure builds trust between the security team and the development team.