There were companies like NSO Group, in which a former employee was accused of stealing source code from the company and trying to sell it on the dark web. Source code for major antivirus companies was leaked online.
“There was this increase around with code-related incidents, and we saw that this is an unmet need. Both Lior and I come from a developer background, so we knew that this is a field that needs extra care, and that wasn’t looked at enough before,” said Slavin.
This was all before the more recent SolarWinds incident in which hackers inserted malicious code into software affecting major companies including Microsoft and top government agencies.
Both former security researchers for the Israel Defense Forces, Levy left Symantec and Slavin left Reasons Cybersecurity to form Cycode in 2019.
Its initial direction was to protect source code and code repositories such as GitHub, GitLab and Bitbucket. Then through working with prospects and clients and looking at market trends — infrastructure-as-code (IAC), secrets management — they saw that a lot of the configuration that controls the DevOps process was being shifted to code.
“We understood that code repositories nowadays are becoming a much bigger target and are becoming this sort of single source of truth for the entire development operation. And so [we decided] this is what we should focus on. This is what we should protect,” Slavin said.
Secrets, Leaks, IAC
The technology connects with Git-based repositories like GitHub, GitLab and Bitbucket to check things like access configurations, and whether organizations enforce two-factor authentication in their systems themselves. It also looks at individual users’ permission and actual activity, checking that those permissions are appropriate.
It also checks general configurations, from whether a repository has changed from private to public to more elaborate settings, such as whether a repository has branch protections. Does this branch protection have policies like commit signing, protecting the repository from history rewriting? Are those branch protections actually enforced?
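One way to express the repository and branch-protection checks described above as policy code, written here as an added example (not Cycode's code) over constructed records whose field names are modelled on GitHub's REST API responses:

```python
# Constructed sample data shaped like GitHub's org, repo and
# branch-protection API objects (assumption: these field names).
ORG = {"login": "example-org", "two_factor_requirement_enabled": False}

REPOS = [
    {   # a well-protected repository: should produce no findings
        "name": "payments-api",
        "private": True,
        "protection": {
            "enforce_admins": {"enabled": True},
            "required_signatures": {"enabled": True},
            "allow_force_pushes": {"enabled": False},
            "allow_deletions": {"enabled": False},
            "required_pull_request_reviews": {"required_approving_review_count": 2},
        },
    },
    {   # flipped from private to public, and no branch protection at all
        "name": "marketing-site",
        "private": False,
        "protection": None,
    },
]


def audit_repo(repo: dict, previously_private: bool = True) -> list:
    """Return (repo name, finding) tuples for one repository's settings."""
    findings, name = [], repo["name"]
    if previously_private and not repo["private"]:
        findings.append((name, "visibility changed from private to public"))
    prot = repo.get("protection")
    if prot is None:
        findings.append((name, "default branch has no branch protection"))
        return findings  # nothing further to check without a protection rule
    if not prot.get("required_signatures", {}).get("enabled"):
        findings.append((name, "commit signing not required"))
    if prot.get("allow_force_pushes", {}).get("enabled", True):
        findings.append((name, "force pushes allowed (history can be rewritten)"))
    if prot.get("allow_deletions", {}).get("enabled", True):
        findings.append((name, "branch deletion allowed"))
    if not prot.get("enforce_admins", {}).get("enabled"):
        findings.append((name, "protection not enforced for administrators"))
    reviews = prot.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append((name, "no required pull-request review"))
    return findings


def audit_org(org: dict, repos: list) -> list:
    """Org-level 2FA enforcement check, then every repository."""
    findings = []
    if not org.get("two_factor_requirement_enabled"):
        findings.append((org["login"], "two-factor authentication not enforced"))
    for repo in repos:
        findings.extend(audit_repo(repo))
    return findings
```

In practice the records would be fetched from the hosting platform's API and the audit re-run on every configuration change, so a protection rule that was silently loosened shows up as a new finding.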
Then the team started looking at secrets.
“Secrets are something that we find in many code repositories nowadays. It could be in the commit history; it can be in the actual code and in the real-time activity. And it could be also in the public contributions of developers,” Slavin said.
“So we built a secret-detection mechanism that allows us to detect these types of secrets. And then recently, we started extending it to the other parts of the DevOps pipeline, looking, for example, for secrets that are stored incorrectly in Kubernetes, or secrets in the build, or things like that.”
They also built a leak-detection engine.
“This is something that can happen across the pipeline: It can happen from the code repository itself, it can happen by misconfigured build, it could happen by various configurations in the cloud,” he said.
The technology also scans for misconfigurations in IAC files in the repositories, looking for any violations of recommended security best practices, and then checks the same configurations in the cloud.
“And finally, we have the sort of audit section of the platform that looks at the events that happen within these tools and sort of aggregates this audit activity. And then we took all this data and all the assets that we found in the systems that were connected, and we collected it in our graph, together with the relations between the different assets and the connections between the systems. And we have policies that check all kinds of configurations and settings in the graph, which allow us to detect conflicting configurations or security issues between the systems,” Slavin said.
Earlier this month, the company unveiled its knowledge graph technology. This agentless tool aggregates data from DevOps tools, infrastructure and security scanners to provide context and security insights and help security teams better deal with the flood of alerts they get.
“Cycode has saved us a massive number of hours hardening our source control management system, enforcing security configurations and preventing secrets from entering our code. Plus, by plugging seamlessly into our developers’ workflows, our team adopted Cycode right away,” said Ray Espinoza, chief information security officer at systems penetration testing service Cobalt.
Checking Multiple Tools
There’s a plethora of source code analysis tools on the market, as this Open Web Application Security Project (OWASP) post points out while naming quite a number of them. It counts among their strengths that they scale well and that they highlight for developers the precise source files, line numbers and even subsections of lines that are affected. Among the weaknesses it lists are configuration issues and difficulty detecting certain classes of security vulnerabilities, including those in authentication, access control and other areas.
“The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better,” it concludes.
While there are many competitors in the market, the company maintains its value comes in protecting every instance a company might have of repositories such as GitHub or GitLab — and large enterprises might have multiples — and protecting source code across multiple vendors.
“One thing that GitHub is never going to do is build governance tools that work in Bitbucket. So to solve the enterprise use case, you’ve got to think about multiple instances that aren’t necessarily from the same vendor,” said Andrew Fife, vice president of marketing at Cycode.
“And who knows what your M&A (mergers and acquisitions) department’s going to bring in next week. They’re going to buy the software company that’s going to impact revenue; they’re not going to buy the software company that necessarily has clean security practices.
“And then the other thing is, we’re not just talking about SCM (source control management) systems anymore, we’re talking about all of the infrastructure, your build systems, your artifact trees, your cloud environments.” Fife maintains that none of the native vendors in these spaces have native tools that manage code across all phases of the software development lifecycle.
Also this month, the Tel Aviv-based company announced a $20 million Series A round led by Insight Partners.
“The problem of protecting CI/CD tools like GitHub, Jenkins and Amazon Web Services is a gap for virtually every enterprise,” said Jon Rosenbaum, principal at Insight Partners, who will join Cycode’s board of directors. “Cycode secures CI/CD pipelines in an elegant, developer-centric manner. This positions the company to be a leader within the new breed of application security companies — those that are rapidly expanding the market with solutions which secure every release without sacrificing velocity.”
In addition to plans to broaden the range of systems with which it integrates, it’s looking at protecting non-Git-based code repositories that many enterprises still use. That’s to prevent attacks such as that late last year on Accellion’s legacy file transfer platform FTA.
It also wants to go deeper into the existing use cases, detecting more issues around each of the systems to which it connects, and to create more policies based on the knowledge graph.
“Modernizing the SDLC has created new security gaps that attackers are readily exploiting,” Slavin said when the funding was announced. “Recent supply chain attacks like SolarWinds and Codecov, major source code leaks from Microsoft and Nissan, and attacks targeting developers like Sawfish and XcodeSpy demonstrate that the battlefield is already shifting.”
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Cycode.
Amazon Web Services and GitLab are sponsors of The New Stack.