“Today’s DevSecOps coding environment has a problem,” said Idan Plotnik, cofounder and CEO of Apiiro. It’s a big problem — many development, security, and compliance teams have no idea of the business impact of various lines of code. That’s where application risk management needs to take center stage.

Some code controls critical aspects of businesses — lines that control money transfer in the financial industry, for example — so they mandate greater oversight over changes. Plotnik said, “If I am a newbie developer that changed a sensitive API that exposes PII data in a high business impact application, and if the person who reviewed my code and approved the pull request is not an expert in this area of the code, then this is a major risk to the business.”

Context helps application risk management

Apiiro aims to reduce the risk introduced during development by first building an inventory of every application and the components, APIs, and infrastructure associated with it. Plotnik said, “Developers can also weave in security and compliance requirements and ensure them for every code commit.”

His company’s software connects to an organization’s source control manager and repositories to build that inventory and analyze every change to the application and its infrastructure. It analyzes the code history and enriches it with commit messages, pull request discussions, and user stories in Jira, and it builds a knowledge and activity profile of each developer, Plotnik said. Natural language processing (NLP) is applied to this combined data so that the platform understands not just what changed, but where in the application it changed and how much that area matters to the business.

Apiiro uses NLP to scan and learn from user stories, commit messages, and pull request discussions. Its supervised and unsupervised learning models are trained on thousands of repositories, both outside and inside a client’s network, and assign a score to the code being worked on, which is used to prioritize changes according to their importance.

In this way, Apiiro’s supervised and unsupervised machine learning models learn which aspects of code development to keep an eye on. That knowledge is used to raise warnings before risky changes, especially those written by inexperienced developers, are merged and cause serious damage. When a worrisome commit is detected, the platform can be configured to trigger specific actions, such as a prescribed review workflow or a Slack message to alert the relevant people. Apiiro also provides Git and CI/CD (continuous integration/continuous delivery) security and integrity checks, and compares each developer’s profile against the code they normally work with. A backend developer committing a significant chunk of frontend code, for example, can trigger an alert.

The Code Risk platform builds a comprehensive view of security and compliance risks across applications, infrastructure, open-source code, developer expertise, and business impact. Plotnik said, “It can be across your API gateway, open-source code and more … We are bringing it all in one platform and developing context.” That context lets the platform fill in risk assessment questionnaires automatically and provides “something that scanning code in a static way cannot deliver,” he added.

CI/CD operations

Without context-driven risk assessment, developers are forced to apply the same heavy process to all code, whether it is high-risk or not. Not every piece of code needs to be subjected to exhaustive risk assessment questionnaires. “We are reducing the friction between developers and security and compliance teams,” Plotnik said, “and we are enabling developers to release code much faster because of this context.” Deciding which alerts to raise based on the importance of the code and the context of the developer who changed it is what lets Apiiro focus attention where the business impact is highest.

In the landscape of CI/CD, Apiiro works by continuously scanning during the code commit process. “I don’t have to wait until the day before I’m releasing the code to production; it’s an ongoing process,” Plotnik said.

Plotnik claims Apiiro is able to “correlate application risk and infrastructure risk together in one view … in one governance engine,” which delivers efficiencies by saving developers time in today’s high-velocity coding environments.

VentureBeat
