Security / Software Development

Jit: Security-as-Code Pioneer Opens for Business

22 Jun 2022 3:54pm, by

Anyone can make plans. Turning plans into reality, that’s hard. Jit, a startup with a plump $38.5 million seed funding round, has a magic trick of translating complex security plans from written documents and spreadsheets into code.

The idea behind this, David Melamed, Jit’s Chief Technology Officer, explained is that “Security leaders are adding more tools, faster than their teams are able to implement, tune and configure them to the point where risk spend efficiency becomes out of alignment.”

So, Jit streamlines technical security for engineering teams versus the practice of compliance checkboxes – all while reducing spend. We deliver the simplest approach to implementing DevSecOps where product security is delivered as a service into the CI/CD pipeline, with a product security plan that follows Git principles, translated to a language, developers understand: Code.”

Using GitOps

How? Jit does this by taking GitOps principles and storing your product security plan within your source code management platform. Your security plan is written in YAML and you can view and edit them in your favorite IDE.

Each plan has a designated outcome and specifies individual security measures to achieve this outcome. So you don’t waste time re-inventing the wheel, you can make a security plan from Jit’s plans templates and implement it in your environment. Once you get the hang of it, you can add your own plans.

Minimum Viable Security

Taking its cue from the Minimum Viable Product (MVP) concept, Jit uses minimum viable security (MVS) as a lean, iterative approach to adding ‘Just-In-Time security.’ In the MVS, which is a declarative security plan, you specify the security tools and workflows needed to achieve your outcome.

But you’re not picking out the tools on your own. Instead of requiring you to become an open-source security expert, the Jit security research team has curated and selected the tools that will provide your application’s first line of defense.

The Orchestration Framework’s plug-in architecture takes best-of-breed, open source security tools such as OWASP Dependency-Check, npm-audit, GoSec, Gitleaks, and Trivy and unifies them for you into a simple and consistent developer experience. In short, Jit provides an orchestration layer to unify open-source security tools while natively integrating the security as code experience into the developer workflow.

Easy and Free

Jit aims to be as easy as other as-code tools such as Terraform Plan/Terraform Apply. Adding security will never be easier… once it’s ready for prime time.

The program will eventually automatically orchestrate security tools and workflows. For now, it’s beta and the pieces are still coming together. The ultimate plan is for Jit to provide an easy on-ramp for bringing security into the developer and DevOps workflow.

Between its funding and adding experienced experts to its management, Jit may just be able to deliver on its promise. For example, Abby Kearns, former Puppet CTO and Cloud Foundry Foundation CEO is advising the company.

Jit is free and available as a self-service for you to work on securing your project today.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Jit.