
Nir Valtman, CEO & Founder at Arnica – Interview Series


Nir Valtman is the CEO and Founder at Arnica, a platform that allows enterprises to proactively protect the software supply chain from risk by automating day-to-day security operations and empowering developers to own security without incurring risks or compromising velocity.

What initially attracted you to cybersecurity?

I grew up with a hacking mindset. I began by destroying the PC lab in my first coding course and hacking into other computers with little or no coding skills, all when I was 13 years old. When I joined the Army in Israel, I got a practical education in the defensive side of security, which ultimately led to my professional career in cybersecurity.

Could you share the genesis story behind Arnica?

Before Arnica, I worked at Finastra, the third largest global FinTech company, as the VP of Security. The dust from the infamous SolarWinds attack was just settling and our CEO asked me how we could minimize the risk of being impacted by a software supply chain attack. We did a comprehensive evaluation of companies building solutions in this space, a few of which we did proofs of concept with. None of the vendors were a good fit for what we were looking for: comprehensive coverage, active mitigation of risks, and a great developer experience. In particular, the developer experience aspect was critical, because any solution that I imposed on developers that disrupted their workflows would be rejected and we would be back to square one.

Without having found a solution, I decided to research every software supply chain attack that had taken place over the past 5 years to form an understanding of the key symptoms and how to prevent them. At the same time, I spoke with two friends, Eran Medan (CTO) and Diko Dahan (COO), who had extensive development and operations leadership experience. Eran and Diko expressed similar challenges in finding a solution: Diko from a tech ops perspective, and Eran from a development perspective. Given that all of us were coming up empty on a solution, we developed a hypothesis of what a solution should look like. We ran through dozens of validation calls with security, operations and engineering leaders, which validated both the problem and our hypothesis about the necessary solution. Fast forward a few months to August 2021 and we had co-founded Arnica.

Arnica provides end-to-end behavior-based security. Could you define what behavior-based security is?

If someone gave you a handwritten note and told you that you wrote it, you would probably be able to tell if it was, in fact, written by you. If, for instance, the handwriting is not yours, the note was dated before you were born, and it is written in French (which you do not know how to speak or write), it would be clear that you are not the author. We take a similar approach to code, except we build a profile of each developer that consists of thousands of factors (also known as features in machine learning). By observing the tendencies and behavior of developers, we can stop risks that deviate from their normal development patterns. This helps us stop account takeovers, insider threats, and other risks related to software development.

Can you discuss how the platform identifies the nuances of how each developer works?

Arnica leverages historical audit and code contribution activity to generate a behavioral fingerprint for each developer. This fingerprint represents the known and expected behavior of the developer's permission use, coding style, commit language, and development practices. We are then able to compare all future activity with this fingerprint to determine the likelihood that future code came from this author.

What happens once the system flags anomalous behavior?

We always strive to maximize security value and, at the same time, eliminate development friction. When Arnica detects anomalous behavior from a developer account, we flag it in Arnica and automatically send an additional authentication request through a direct chat to the developer in question, and to the security team, based on your policy configuration.

How does Arnica assist with code auditing?

Arnica provides real-time notifications to developers when they push code changes, reducing the number of risks that reach pull requests. For those risks that do reach pull requests, Arnica introduces automated code checks on PRs. When risks are located, Arnica comments with the risk details and mitigation context for each risk. Arnica can also automatically block merges where risks exist, stopping them from reaching production code.

Arnica also enables identification of vulnerable third party dependencies. Could you discuss how this works for developers?

Arnica scans all third party packages and risks on each code push, and notifies developers directly via ChatOps when they use versions with vulnerabilities or introduce a low-reputation package to the code base.

What are some of the other functionalities offered by the Arnica platform?

Arnica is focused on providing a platform for application security teams to gain visibility across all software supply chain risks, to be able to prioritize those risks, and to be able to easily stop new risks and fix existing risks. We offer this ability across a wide range of risk categories including excessive developer permissions, code risks resulting from SAST (Static Application Security Testing) and IaC (Infrastructure as Code) scanning, hardcoded secrets, third party dependencies, and more.

Is there anything else that you would like to share about Arnica?

At Arnica, as much as we develop application and supply chain security solutions, we think of ourselves as a developer experience company. We want to make solving security problems a seamless and pleasant experience. Take our secrets mitigation solution as an example. We identify the secret at code push, we validate it, and we push a notification to the developer in their chat tool of choice. The notification gives the developer a button, "Fix it for me", which eliminates the secret from the entire git history without the developer having to write any git commands. Just a click.

We believe that if we can make security an easy and pleasant part of the development experience, every organization that uses Arnica will be better off.
