
GuardRails: Security for the DevOps Age

25 Jun 2020 1:00pm

Amid the rise of DevOps, the security industry has neglected developers, argues Stefan Streichsbier, CEO and co-founder of GuardRails.

Going from releases a few times a year to multiple releases a day means security has to be part of developer workflow rather than the traditional “department of No,” he says.

Streichsbier, a former professional hacker in Europe, saw the changes that come with DevOps as a game-changer. Developers began going around the security department, and the tools available to enterprises have become completely outdated, he says.

“I think the future of security is going to look very different to what we see nowadays. And that’s where GuardRails is really working from day one and changing the paradigm for how security tools and platforms are becoming part of developer workflows,” he said.

Streichsbier founded the company in Singapore in January 2018 as an outgrowth of his involvement in advancing the DevOps concept through conferences in the region.

‘Quiet’ Security

GuardRails aims to be a “quiet” security tool, focusing not on every single vulnerability, but those most likely to be exploited by hackers — issues that could cause an application to stop working, allow attackers access to user data, or allow attackers to take over the application.

Otherwise, there’s just too much noise, he says, noting the longest security report for one application that he knows of was 15,000 printed PDF pages. No organization has the means to deal with that.

GuardRails integrates with open source and commercial security tools to pin down the most urgent fixes that need to be made.

Streichsbier points to four differentiators with GuardRails:

  • Integration with modern version control systems — It supports GitHub, GitLab and Bitbucket and knows when code changes have been made and by whom. Private repositories must be enabled. Going forward, it scans only the changes and reports results directly in the developer workflow.
  • Security tool orchestration — GuardRails identifies the programming languages and frameworks and automatically runs the matching security tools. It supports languages including Python, Ruby, PHP, JavaScript, Go, Solidity, Java, Elixir, Terraform, and C/C++ and orchestrates more than 25 different tools. If the associated security tools have duplicative rules, it deduplicates them for you.
  • Security rules curation — Covering close to 700 rules in the platform, it culls rules to identify only the relevant issues that require action. The other “noise” is hidden away, but there if you want to dive deep.
  • False-positive detection — It uses machine learning to continuously increase the accuracy of alerting on real vulnerabilities that need to be addressed.

The SaaS version runs on Amazon Web Services; the company also offers a version for on-premise deployments. The platform is offered free of charge for anyone who wants to focus only on public code repositories. Paid versions start at $39 monthly for startups.

Its customers include AirAsia, subscription billing platform Recurly, data platform Mode Analytics, Japanese mobile provider Rakuten Mobile and software vendor G2.com.

“GuardRails proved to be a foundational tool in our digitalization efforts, quick to install, easy to set up and efficient at giving both the developers and the information security team a bird’s-eye view on the current security posture of our numerous old and new repos. Enforcement of security baseline has become effortless, frictionless, proactive and meaningful,” said Fabrice A. Marie, Group CISO for AirAsia.

The platform performs static analysis of the source code to detect potential vulnerabilities, such as unsecured use of SQL queries, regular expressions, dangerous functions, poorly managed authentication, file management or dangerous configuration. It also analyzes dependencies for known vulnerabilities, tracks hard-coded secrets and offers OWASP (Open Web Application Security Project) mapping.

It scans your repositories at each pull request, and for those on paid team plans, every time a commit is pushed to any branch.

“It actually sits tightly integrated with the version control system and knows everything that’s going on,” Streichsbier said. “So you don’t actually have to onboard any repository, any application. But once you installed into this kind of environment GuardRails knows all the repositories exist to know exactly when any new code change has been implemented. And we also know exactly what these changes are. And we know who introduced the changes, and we can pretty much immediately say, ‘OK, now it’s time to scan.’ And we provide all of the results from the scans directly in the workflow to the developer.”

Scan results are displayed as a comment on that PR or in the branches tab of each repository.

“The results are present to developers so that they can actually focus on what’s important, which should be software, and only when something is identified as being an issue, they would get the right information at the right time to take only actually fix it without having to involve any external security experts,” he said.

Traditional application security testing tools tend to be outdated, created for waterfall development rather than agile and DevOps, according to Streichsbier.

More modern competitors include Snyk, which helps developers find vulnerabilities in open source libraries. Streichsbier maintains that GuardRails does more: it identifies vulnerabilities in bespoke code being developed by customer organizations. It also detects secrets such as API keys and AWS security credentials, and supports cloud integration scanning.

A third area of competition comes from code quality solutions like SonarQube, which are moving into the security space, though they are solely focused on code rather than container or infrastructure security, for instance.

More Deep Learning

Going forward, the company will expand its use of deep learning on top of existing tools to improve the accuracy of vulnerability reporting. While it does not automate remediation of issues, that’s part of the future roadmap.

In the third quarter, it plans to add support for dynamic scanning, which scans the application at runtime, as well as for mobile security scanning, infrastructure security scanning and container security, which Streichsbier says is primarily a matter of automating updates to the latest version of libraries and images.

It also wants to promote custom engines that might be relevant not to the overall market but to specific industries such as credit-card payment. It has plans for a marketplace where users can share their creations.

“GuardRails aims to be not just one puzzle piece of the overall solution, but actually provide the 360-degree view of all the relevant security insights from different categories if you will,” he said.

Snyk is a sponsor of The New Stack.

Feature image: “Blue concrete barriers” by Richard Smith. Licensed under CC BY-SA 2.0.
