
BluBracket: Getting a Grip on Open Source Code

4 Jun 2020 6:00am, by

The Covid-19 shutdown has only exacerbated enterprise fears that they’re losing control of their source code in the growing git development world. With a push of a button, years of development to create intellectual property can be released into the wild.

Starbucks, Amazon, Uber, Capital One, Microsoft and others have experienced breaches recently related to git repositories such as GitHub, GitLab and BitBucket, not to mention the controversy at the Black Hat security conference when researcher Ruben Santamarta released a paper stating he was able to hack Boeing 787 Dreamliner technology using “some clever Google queries” (a claim Boeing disputes).

Developers used to work in a specific physical environment with locked-down access to a monolithic base of source code. Companies owned the machines developers worked on and kept tight control over access to the code.

Now, especially in the past couple of months, developers are working from home, on their own machines, “so people are scrambling to figure out what are the options out there for them to not interrupt the business … they need a way to be able to securely develop in these remote environments especially in this kind of new paradigm,” said Ajay Arora, co-founder and president-chief operating officer of BluBracket, which is tackling the problem of securing source code.

Companies once relied on VPNs to let workers log in remotely, but a VPN is a point-in-time control: it decides who can reach a central code server. As soon as that code is cloned onto an endpoint or a developer machine, “the cat is out of the bag.”

“What used to be very centralized has now merged into a very collaborative experience that developers can now completely develop in a distributed manner, can pull and contribute to open source. And it’s taken over even the most secure companies in the world in terms of how source code is done,” said Arora.

It’s been a growing concern among enterprises over the past few years, and the Covid-19 work-from-home orders have added impetus to get a grip on this problem, he said.

The Linux Foundation’s Core Infrastructure Initiative (CII), in its Census II report released in February, found that seven of the 10 most-used software packages in its analysis were hosted under individual developer accounts.

“The consequences of such heavy reliance upon individual developer accounts must not be discounted,” it warns.

“Software drives everything from elections to nuclear submarines, but we don’t know where code is, where it came from, what secrets live in it and who has access to it. And it can be shared publicly with one click. This puts us all at risk,” Prakash Linga, co-founder and CEO, wrote in a blog post.

BluBracket is by no means the only company focused on managing source code. In a slightly different vein, Israeli startup Intezer uses machine learning to identify the origin of code used in attacks. And source{d}, a startup focused on applying machine learning on top of source code, mines data from 57 million public git repositories to help companies understand where their code is and what’s happening with it.

Visibility, Action

Arora and Linga previously created Vera, software to secure and track digital information across platforms and devices.

Palo Alto, California-based BluBracket offers two products that can be used together or separately. CodeInsights enables users to create what it calls a BluPrint of their code, identifying where their code is and who has access to it. They can classify their code by criticality with a detailed chain of custody for compliance or audit requirements.

“Understanding the patterns of development and understanding what happens for a period of time, is extremely important,” he said.

BluBracket can detect secrets, misconfigurations, and other risks to ensure that sensitive passwords or tokens are not misused. Users can create code and code snippet fingerprints for ongoing tracking and reporting.
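The secret detection and snippet fingerprinting described above, as an added Python example that is not BluBracket’s code: it scans only the added lines of a unified diff (the view a pre-commit hook or pull-request check gets) with a few well-known patterns plus a Shannon-entropy fallback for long opaque literals, and it hashes whitespace-normalized snippets so a tracked block of code can be recognised later even after re-indenting. The sample diff, the credential values in it, the pattern set, the entropy threshold and every function name here are constructed for the demo.

```python
"""Added example (not BluBracket's code): scan the added lines of a git
diff for leaked secrets, and fingerprint code snippets for later tracking.
Every sample value below is constructed for the demo."""
import hashlib
import math
import re
from dataclasses import dataclass

# Constructed unified diff, as a pre-commit hook or PR scanner would see it.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,2 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2-prod-2020"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+SESSION_TOKEN = "c3VwZXJzZWNyZXR0b2tlbnZhbHVlMTIzNDU2Nzg5MA"
+DEBUG = False
"""

# Pattern names and regexes are this example's own choices, not a product's.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}
QUOTED_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0   # bits per character; a tuning knob, assumed here
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int       # line number in the new version of the file
    kind: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_line(text: str) -> list[str]:
    """Return the kinds of secret found on one added line."""
    kinds = [name for name, rx in PATTERNS.items() if rx.search(text)]
    if not kinds:   # fall back to an entropy test on long quoted literals
        for literal in QUOTED_LITERAL.findall(text):
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                kinds.append("high_entropy_string")
                break
    return kinds


def scan_diff(diff: str) -> list[Finding]:
    """Walk a unified diff and scan only the lines being added."""
    findings, path, new_line = [], "", None
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path, new_line = raw[4:].removeprefix("b/"), None
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if new_line is None or raw.startswith("-"):
            continue            # outside a hunk, or a removed line
        if raw.startswith("+"):
            for kind in scan_line(raw[1:]):
                findings.append(Finding(path, new_line, kind))
        new_line += 1           # added and context lines both advance


    return findings


def normalize(code: str) -> str:
    """Collapse whitespace so re-indented or re-wrapped copies compare equal."""
    lines = (" ".join(ln.split()) for ln in code.splitlines())
    return "\n".join(ln for ln in lines if ln)


def snippet_fingerprint(code: str) -> str:
    """Stable identifier for a snippet; what a tracker would store."""
    return hashlib.sha256(normalize(code).encode()).hexdigest()


def find_snippet(fingerprint: str, window: int, haystack: str) -> int:
    """Index of the normalized line where a tracked snippet of `window`
    lines reappears in haystack, or -1 if it is not there."""
    lines = normalize(haystack).split("\n")
    for i in range(len(lines) - window + 1):
        chunk = "\n".join(lines[i:i + window]).encode()
        if hashlib.sha256(chunk).hexdigest() == fingerprint:
            return i
    return -1


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line}: {f.kind}")
```

The scanner deliberately ignores removed and context lines so that a policy gate only fires on what a commit introduces; the entropy fallback catches opaque tokens that no regex names, at the cost of false positives on hashes and identifiers, which is why it runs only when no named pattern matched. The fingerprint stores a hash of the normalized text plus the snippet’s line count, so a later scan of another repository can look for the tracked block without holding the source itself.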

CodeSecure enables users to set appropriate policies based on their code classification and enforce those policies around warnings and blocking exfiltration.

Companies might not necessarily want to lock everything down, but they want to have policies in place to protect the business while removing friction in developer workflows, he said.

“So you can look at it almost as a series of concentric circles… The BluPrint is literally your visibility into where code is and what’s going on with your code and who has access to your code at all times,” Arora said.

“Did we find your code in an open source environment? Are there people accessing code that shouldn’t access that particular code? Are there developers that are all of a sudden downloading bunches of code that they shouldn’t be? So all the alerts and active remediation around those alerts are another part of our solution.”

“Code is only increasing in importance and in speed to deployment. BluBracket’s knowledge of both development and security has translated to a product that secures this important aspect of our business,” said John Visneski, data protection officer at The Pokémon Company International.

No Added Friction

Arora described traditional Data Loss Prevention (DLP) tools as “almost sledgehammers to be able to block the exfiltration of different data from people’s devices,” and though those vendors are trying to retrofit their products to this new reality, they’re too coarse-grained to understand the differences, say, between sensitive PII (personally identifiable information) and source code.

“For any of these tools to do an effective job, they have to work with git. They have to work with open source, they do not want to [add] any friction to how they work with the speed of code,” said Linga.

When [traditional DLP tools] are applied at the file level, they’re really not able to distinguish between what’s open source and what’s not, or between a text file and a code file, and so they’ve been pretty unsuccessful in coexisting with developer workflows, he said.

BluBracket recently garnered a $6.5 million seed round led by Unusual Ventures, with participation by Point72 Ventures, SignalFire and Firebolt Ventures.

Global strategic advisory firm OODA recently named BluBracket among the tech firms with the greatest potential to disrupt the cybersecurity market and improve an organization’s ability to manage cyber risk.

It was one of the top 10 finalists for the Sandbox Innovation Contest at the RSA Conference in February. You can find its three-minute pitch here:

BluBracket is available as a SaaS offering on Google Cloud and also as a self-managed version for on-premise deployments.

GitLab and the Linux Foundation are sponsors of The New Stack.

Feature image by Pexels from Pixabay.
