Nir Valtman is the CEO and Founder at Arnica, a platform that enables enterprises to proactively protect the software supply chain from risk by automating day-to-day security operations and empowering developers to own security without incurring risk or compromising velocity.
What initially attracted you to cybersecurity?
I grew up with a hacking mindset. I started by breaking the PC lab in my first coding course and hacking into other computers with little or no coding skills, all when I was 13 years old. When I joined the Army in Israel, I got a practical education in the defensive side of security, which ultimately led to my professional career in cybersecurity.
Could you share the genesis story behind Arnica?
Before Arnica, I worked at Finastra, the third largest global FinTech company, as the VP of Security. The dust from the infamous SolarWinds attack was just settling and our CEO asked me how we could minimize the chance of being impacted by a software supply chain attack. We did a comprehensive evaluation of companies building solutions in this space, a few of which we ran proofs of concept with. None of the vendors were a good fit for what we were looking for: comprehensive coverage, active mitigation of risks, and a great developer experience. In particular, the developer experience aspect was critical because any solution that I imposed on developers that disrupted their workflows would be rejected and we’d be back to square one.
Without having found a solution, I decided to research every software supply chain attack that had taken place over the past 5 years to form an understanding of the key symptoms and how to prevent them. At the same time, I spoke with two friends, Eran Medan (CTO) and Diko Dahan (COO), who had extensive development and operations leadership experience. Eran and Diko expressed similar challenges in finding a solution – Diko from a tech ops perspective, and Eran from a development perspective. Given that all of us were coming up empty on a solution, we developed a hypothesis of what a solution should look like. We ran through dozens of validation calls with security, operations and engineering leaders, which validated both the problem and our hypothesis about the necessary solution. Fast forward a few months to August 2021 and we had co-founded Arnica.
Arnica provides end-to-end behavior-based security, could you define what behavior-based security is?
If someone gave you a handwritten note and told you that you wrote it, you would probably be able to tell if it was, in fact, written by you. If, for instance, the handwriting isn’t yours, the note was dated before you were born, and it’s written in French (which you do not know how to speak or write), it would be clear that you aren’t the author. We take a similar approach to code, except we build a profile of each developer that consists of hundreds of attributes (also known as features in machine learning). By observing the tendencies and behavior of developers, we can stop risks that deviate from their normal development patterns. This helps us stop account takeovers, insider threats, and other risks related to software development.
Can you discuss how the platform can identify the nuances of how each developer works?
Arnica leverages historical audit and code contribution activity to generate a behavioral fingerprint for each developer. This fingerprint represents the known and expected behavior of the developer’s permission use, coding style, commit language, and development practices. We are then able to compare all future activity with this fingerprint to determine the likelihood that future code came from this author.
What happens once the system flags anomalous behavior?
We always strive to maximize security value and, at the same time, eliminate development friction. When Arnica detects anomalous behavior from a developer account, we flag it in Arnica and automatically send an additional authentication request through a direct chat to the developer in question, and to the security team based on your policy configuration.
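A toy version of the fingerprint-and-compare loop described in the two answers above, added here as an illustration and not Arnica's code: it builds a per-developer profile from a handful of constructed commit features (time of day, commit-message language, directory touched, signature, permission exercised), scores a new commit by how many features fall outside that profile, and exposes a policy hook for the step-up authentication. The feature set, the 10% and 0.4 thresholds and every commit record are constructed for this example.

```python
from collections import Counter, defaultdict, namedtuple

# One code contribution, reduced to the signals the fingerprint is built from
# (field names are constructed for this example).
Commit = namedtuple("Commit", "author hour_utc msg_lang top_dir signed permission")

def features_of(c):
    """Turn a commit into the categorical features that make up the fingerprint."""
    return {
        "daypart": "day" if 7 <= c.hour_utc < 19 else "night",
        "msg_lang": c.msg_lang,      # language of the commit message
        "top_dir": c.top_dir,        # top-level directory touched
        "signed": c.signed,          # verified commit signature present
        "permission": c.permission,  # repository permission exercised
    }

def build_fingerprints(history):
    """Per author and per feature, count how often each value was observed."""
    fp = defaultdict(lambda: defaultdict(Counter))
    for c in history:
        for name, value in features_of(c).items():
            fp[c.author][name][value] += 1
    return fp

def anomaly_score(fp, commit, min_share=0.10):
    """Share of features whose value the author has rarely or never used:
    0.0 means fully in character, 1.0 means nothing matches the fingerprint."""
    profile = fp.get(commit.author)
    if profile is None:
        return 1.0                    # unknown author: nothing to compare against
    feats = features_of(commit)
    off_profile = sum(1 for name, value in feats.items()
                      if profile[name][value] / sum(profile[name].values()) < min_share)
    return off_profile / len(feats)

def needs_step_up(score, threshold=0.4):
    """Policy hook: a score this high would trigger the extra authentication step."""
    return score >= threshold

# Constructed history: "alice" commits in working hours, in English, to api/ and web/,
# always signed, never exercising more than push permission.
HISTORY = [Commit("alice", h, "en", d, True, "push")
           for h, d in [(9, "api"), (10, "api"), (11, "web"), (14, "api"),
                        (15, "web"), (16, "api"), (17, "web"), (13, "api")]]
FINGERPRINTS = build_fingerprints(HISTORY)

# One commit in character, one that looks like a different hand wrote it:
# night-time, French message, touching .github/, unsigned, via admin rights.
TYPICAL = Commit("alice", 10, "en", "api", True, "push")
SUSPECT = Commit("alice", 3, "fr", ".github", False, "admin")
```

Only the features that deviate count, so a commit that keeps the author's usual hours and language but is unsigned and made with admin rights scores 0.4 and still trips the step-up hook.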
How does Arnica assist with code auditing?
Arnica provides real-time notifications to developers when they push code changes, reducing the number of risks that reach pull requests. For those risks that do reach pull requests, Arnica introduces automated code checks on PRs. When risks are found, Arnica comments with the risk details and mitigation context for each risk. Arnica can also automatically block merges where risks exist, stopping them from reaching production code.
Arnica also enables identification of vulnerable third party dependencies, could you discuss how this works for developers?
Arnica scans all third party packages and risks on each code push, and notifies developers directly via ChatOps when they use versions with vulnerabilities or introduce a low-reputation package to the code base.
What are some of the other functionalities that are offered by the Arnica platform?
Arnica is focused on providing a platform for application security teams to gain visibility across all software supply chain risks, to be able to prioritize those risks, and to be able to easily stop new risks and fix existing risks. We offer this ability across a wide range of risk categories including excessive developer permissions, code risks resulting from SAST (Static Application Security Testing) and IaC (Infrastructure as Code) scanning, hardcoded secrets, third party dependencies, and more.
Is there anything else that you would like to share about Arnica?
At Arnica, as much as we develop application and supply chain security solutions, we think of ourselves as a developer experience company. We want to make solving security problems a seamless and pleasant experience. Take our secrets mitigation solution for example. We detect the secret at code push, we validate it, and we push a notification to the developer in their chat tool of choice. The notification gives the developer a button – “Fix it for me” – which removes the secret from the entire git history without the developer having to write any git commands. Just a click.
We believe that if we can make security an easy and pleasant part of the development experience, every organization that uses Arnica will be better off.