“Today’s DevSecOps coding environment has a problem,” said Idan Plotnik, Co-Founder and CEO of Apiiro. This is a big deal – many development, security, and compliance teams have no idea what the business impact of a given line of code is. This is where application risk management must take center stage.
Some code controls critical aspects of a business – lines that control money transfers in the financial sector, for example – so changes to it warrant greater oversight. Plotnik said, “If I’m a newbie developer who has modified a sensitive API that exposes PII data in a high-impact business application, and the person who reviewed my code and approved the pull request isn’t an expert in this area of code, then this is a major risk for the business.”
Context helps in managing application risk
Apiiro helps reduce the risks associated with code development by first assessing and cataloging the inventory associated with all applications. Plotnik said, “Developers can also build in security and compliance requirements and guarantee them for every code validation.”
His company’s software scours an organization’s source control manager and repositories to take inventory and analyze every change to an application and its infrastructure. Apiiro analyzes the code history and enriches it with commit messages, pull request discussions, and user stories in Jira, and it creates a knowledge and activity profile of each developer, Plotnik explained. By collecting and analyzing this combined data – natural language processing (NLP) comes into play here – Apiiro builds a picture of the lay of the land and the context around each change.
Apiiro uses NLP to analyze and learn from user stories, commit messages, and pull request discussions. Supervised and unsupervised learning models are trained on thousands of repositories both outside and inside a customer’s network and assign a score to code as it is written, which helps prioritize the code according to its importance.
In this way, Apiiro’s supervised and unsupervised machine learning models learn which aspects of code development need to be monitored. This knowledge can be used to trigger warnings before risky features, especially those written by inexperienced developers, take hold in the code and cause serious damage. As worrying code commits are discovered, the platform can be configured to trigger specific actions such as a prescribed workflow or a Slack message to alert its users. Apiiro also monitors the security and integrity of Git and CI/CD (continuous integration / continuous delivery), and checks commits against developer profiles to see whether they match the code each developer normally works with. A back-end developer who commits a significant portion of front-end code, for example, can trigger an alert.
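The profile-matching check described above is easy to reason about with a small model. The following is an added example, not Apiiro’s code and not an implementation of its models: it builds a per-developer profile from a constructed commit history (counting which area of the tree each developer usually touches), then flags a new commit when most of its files fall in an area the author rarely works in, or when a file under a hypothetical “sensitive” prefix is approved by a reviewer with no history in that area. The path prefixes, thresholds, and routing rules are assumptions chosen for the illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical mapping from path prefix to code area (constructed for this example).
AREA_RULES = [("frontend/", "frontend"), ("backend/", "backend"), ("api/", "api")]
# Hypothetical "high business impact" paths that deserve an expert reviewer.
SENSITIVE_PREFIXES = ("api/customers/", "backend/payments/")


def area_of(path: str) -> str:
    """Classify a file path into a coarse code area."""
    for prefix, area in AREA_RULES:
        if path.startswith(prefix):
            return area
    return "other"


@dataclass
class Commit:
    sha: str
    author: str
    reviewer: str
    files: list


@dataclass
class Finding:
    kind: str      # "unfamiliar-author" or "unfamiliar-reviewer"
    sha: str
    detail: str


def build_profiles(history):
    """Count how many files each developer has touched per area."""
    profiles = defaultdict(Counter)
    for c in history:
        for f in c.files:
            profiles[c.author][area_of(f)] += 1
    return profiles


def share(profile: Counter, area: str) -> float:
    """Fraction of a developer's past file changes that fall in `area`."""
    total = sum(profile.values())
    return profile[area] / total if total else 0.0


def assess_commit(commit, profiles, unfamiliar_share=0.10, min_fraction=0.5):
    """Return findings for a commit, judged against the developers' profiles."""
    findings = []
    author_profile = profiles.get(commit.author, Counter())
    reviewer_profile = profiles.get(commit.reviewer, Counter())
    n = len(commit.files)
    # Rule 1: a large part of the commit lands in an area the author rarely works in.
    for area, count in Counter(area_of(f) for f in commit.files).items():
        s = share(author_profile, area)
        if count / n >= min_fraction and s < unfamiliar_share:
            findings.append(Finding(
                "unfamiliar-author", commit.sha,
                f"{commit.author} has {s:.0%} history in '{area}' but {count}/{n} files here are in it"))
    # Rule 2: a sensitive file was approved by a reviewer with no history in its area.
    for f in commit.files:
        if f.startswith(SENSITIVE_PREFIXES):
            area = area_of(f)
            s = share(reviewer_profile, area)
            if s < unfamiliar_share:
                findings.append(Finding(
                    "unfamiliar-reviewer", commit.sha,
                    f"sensitive file {f} approved by {commit.reviewer} with {s:.0%} history in '{area}'"))
    return findings


def route(findings) -> str:
    """Map findings to an action, standing in for a workflow or a chat notification."""
    kinds = {f.kind for f in findings}
    if "unfamiliar-reviewer" in kinds:
        return "require-expert-review"
    if "unfamiliar-author" in kinds:
        return "notify-channel"
    return "none"


# Constructed history: alice is a back-end developer, bob front-end, carol works on the API.
HISTORY = [
    Commit("h1", "alice", "carol", ["backend/orders.py", "backend/inventory.py", "backend/db.py"]),
    Commit("h2", "alice", "carol", ["backend/payments/charge.py", "backend/orders.py", "backend/jobs.py"]),
    Commit("h3", "bob", "alice", ["frontend/app.js", "frontend/nav.js", "frontend/login.js"]),
    Commit("h4", "bob", "alice", ["frontend/cart.js", "frontend/app.js"]),
    Commit("h5", "carol", "alice", ["api/customers/list.py", "api/customers/get.py"]),
    Commit("h6", "carol", "alice", ["api/orders/get.py", "api/auth.py"]),
]
PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    new = Commit("c1", "alice", "bob", ["frontend/app.js", "frontend/login.js", "frontend/nav.js", "backend/orders.py"])
    for finding in assess_commit(new, PROFILES):
        print(finding.kind, finding.sha, finding.detail)
    print("action:", route(assess_commit(new, PROFILES)))
```

The thresholds are deliberately simple: `min_fraction` stops a single stray file from raising an alert, and `unfamiliar_share` treats anyone with under ten percent of their history in an area as unfamiliar with it. A real deployment would derive these from the repository rather than hard-code them, but the shape of the check, profile first and anomaly against that profile second, is what the article describes.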
The Code Risk platform develops a comprehensive view of security and compliance risks across applications, infrastructure, open source code, developer experience, and business impact. Plotnik said, “It can be done through your API gateway, your open source code and more… We bring it all on one platform and in a development context.” Context is important because it lets the platform respond intelligently to risk assessment questionnaires and provide “something that statically scanning code cannot provide,” he added.
CI/CD operations
Without a contextual risk assessment, developers are forced to apply the same blunt approach to all code, whether high risk or not. Not every part of the code needs to be subjected to exhaustive risk assessment questionnaires. “We are reducing friction between developers and the security and compliance teams,” Plotnik said, “and we are making it possible for developers to release code much faster because of this context.” Prioritizing which alerts to issue based on the importance of the code and the developer context is what gives Apiiro a smarter, more workable approach to the problem.
In the CI/CD landscape, Apiiro operates by scanning continuously during the commit process. “I don’t have to wait until the day before the code is released into production; it’s an ongoing process,” Plotnik said.
Plotnik claims that Apiiro is able to “correlate application risk and infrastructure risk in a single view …