Nir Valtman is the CEO and Founder of Arnica, a platform that enables enterprises to proactively protect the software supply chain from risk by automating day-to-day security operations and empowering developers to own security without incurring risk or compromising velocity.
What initially attracted you to cybersecurity?
I grew up with a hacking mindset. I started by destroying the computer lab in my first coding course and hacking into other computers with very little coding skills, all when I was 13 years old. When I joined the Army service in Israel, I got a practical education in the defensive side of security, which ultimately led to my professional career in cybersecurity.
Could you share the genesis story behind Arnica?
Before Arnica, I worked at Finastra, the third largest global FinTech company, as the VP of Security. The dust from the infamous SolarWinds attack was just settling and our CEO asked me how we could minimize the risk of being impacted by a software supply chain attack. We did a comprehensive evaluation of companies building solutions in this space, a few of which we ran proofs of concept with. None of the vendors were a good fit for what we were looking for: comprehensive coverage, active mitigation of risks, and a great developer experience. In particular, the developer experience aspect was critical because any solution that I imposed on developers that disrupted their workflows would be rejected and we’d be back to square one.
Without having found a solution, I decided to research every software supply chain attack that had taken place over the last 5 years to form an understanding of the key symptoms and how to prevent them. At the same time, I spoke with two friends, Eran Medan (CTO) and Diko Dahan (COO), who had extensive development and operations leadership experience. Eran and Diko expressed similar challenges in finding a solution – Diko from a tech ops perspective, and Eran from a development perspective. Given that we were all coming up empty on a solution, we developed a hypothesis of what a solution should look like. We ran through dozens of validation calls with security, operations and engineering leaders, which validated both the problem and our hypothesis about the necessary solution. Fast forward a few months to August 2021 and we had co-founded Arnica.
Arnica provides end-to-end behavior-based security, could you define what behavior-based security is?
If someone gave you a handwritten note and told you that you wrote it, you’d probably be able to tell if it was, in fact, written by you. If, for example, the handwriting is not yours, the note was dated before you were born, and it’s written in French (which you do not know how to speak or write), it would be clear that you aren’t the author. We take a similar approach to code, except we build a profile of each developer that is composed of thousands of factors (also known as features in machine learning). By observing the tendencies and behavior of developers, we can stop risks that deviate from their normal development patterns. This helps us stop account takeovers, insider threats, and other risks associated with software development.
Can you discuss how the platform can identify the nuances of how each developer works?
Arnica leverages historical audit and code contribution activity to generate a behavioral fingerprint for each developer. This fingerprint represents the known and expected behavior of the developer’s permission use, coding style, commit language, and development practices. We are then able to compare all future activity with this fingerprint to determine the likelihood that future code came from this author.
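To make the idea of a behavioral fingerprint concrete, the following is an added editorial illustration, not Arnica's code or model. It builds a toy per-author profile from a constructed commit history (UTC hour of day, top-level directories touched, churn, and commit-message length), then scores a new commit by how many of those features fall outside what the author has done before. The feature set, the weights, the `SENSITIVE_DIRS` list, the `MIN_HISTORY` and `CHALLENGE_AT` thresholds, and all commit data are assumptions chosen for the example; a real system would use far more features and learned, not hand-picked, weights.

```python
"""Toy developer-behavior fingerprint (illustrative only; not Arnica's model)."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from statistics import mean, pstdev


@dataclass
class Commit:
    author: str
    timestamp: str  # ISO-8601 with offset, e.g. "2024-03-04T09:15:00+00:00"
    paths: list
    message: str
    additions: int
    deletions: int


@dataclass
class Fingerprint:
    hours: Counter = field(default_factory=Counter)     # UTC hours this author commits in
    top_dirs: Counter = field(default_factory=Counter)  # top-level directories touched
    churn: list = field(default_factory=list)           # additions + deletions per commit
    msg_words: list = field(default_factory=list)       # words per commit message
    n: int = 0


SENSITIVE_DIRS = {".github", "ci", "deploy"}  # hypothetical: CI/deploy config weighs more
MIN_HISTORY = 5     # hypothetical: below this many commits, numeric z-scores are not trusted
CHALLENGE_AT = 3    # hypothetical: score at which step-up authentication would be requested


def utc_hour(ts):
    return datetime.fromisoformat(ts).astimezone(timezone.utc).hour


def top_dir(path):
    return path.split("/", 1)[0]


def build_fingerprint(history):
    fp = Fingerprint()
    for c in history:
        fp.hours[utc_hour(c.timestamp)] += 1
        for p in c.paths:
            fp.top_dirs[top_dir(p)] += 1
        fp.churn.append(c.additions + c.deletions)
        fp.msg_words.append(len(c.message.split()))
        fp.n += 1
    return fp


def zscore(x, samples):
    sd = pstdev(samples) or 1.0
    return (x - mean(samples)) / sd


def score_commit(fp, c):
    """Return (score, reasons); each deviation from the author's profile adds to the score."""
    score, reasons = 0, []
    hour = utc_hour(c.timestamp)
    if fp.hours[hour] == 0:
        score += 1
        reasons.append(f"commit at {hour:02d}:00 UTC, never seen for this author")
    new_dirs = {top_dir(p) for p in c.paths} - set(fp.top_dirs)
    if new_dirs:
        score += 1
        reasons.append(f"first touch of top-level dirs {sorted(new_dirs)}")
    if new_dirs & SENSITIVE_DIRS:
        score += 2
        reasons.append("first touch includes a sensitive dir (CI/deploy config)")
    if fp.n >= MIN_HISTORY:
        z = zscore(c.additions + c.deletions, fp.churn)
        if abs(z) > 3:
            score += 1
            reasons.append(f"churn z-score {z:.1f}")
        z = zscore(len(c.message.split()), fp.msg_words)
        if abs(z) > 3:
            score += 1
            reasons.append(f"message-length z-score {z:.1f}")
    return score, reasons


def decide(score):
    return "challenge" if score >= CHALLENGE_AT else "allow"


# Constructed history for one author: daytime UTC, two directories, modest churn, 4-7 word messages.
HISTORY = [
    Commit("alice", "2024-03-04T09:15:00+00:00", ["services/api/handlers.py", "tests/test_handlers.py"], "Add pagination to the orders endpoint", 40, 12),
    Commit("alice", "2024-03-04T14:40:00+00:00", ["services/api/models.py"], "Fix nullable field on Order model", 15, 4),
    Commit("alice", "2024-03-05T10:05:00+00:00", ["services/api/handlers.py"], "Return 404 when the order is missing", 22, 9),
    Commit("alice", "2024-03-05T16:30:00+00:00", ["tests/test_orders.py"], "Add regression test for missing order", 35, 0),
    Commit("alice", "2024-03-06T11:20:00+00:00", ["services/api/auth.py", "tests/test_auth.py"], "Require a valid token on order writes", 48, 10),
    Commit("alice", "2024-03-06T15:55:00+00:00", ["services/api/auth.py"], "Refactor token parsing into helper", 30, 28),
    Commit("alice", "2024-03-07T09:45:00+00:00", ["services/api/handlers.py", "services/api/models.py"], "Rename customer_id to buyer_id", 18, 18),
    Commit("alice", "2024-03-07T13:10:00+00:00", ["tests/test_models.py"], "Cover buyer_id rename in model tests", 26, 2),
]
# Constructed: 03:12 UTC, first-ever edit of a workflow file, huge churn, one-word message.
SUSPICIOUS = Commit("alice", "2024-03-09T03:12:00+00:00", [".github/workflows/release.yml"], "update", 380, 20)
# Constructed: looks like every other commit from this author.
NORMAL = Commit("alice", "2024-03-08T10:30:00+00:00", ["services/api/handlers.py"], "Log order lookups at debug level", 12, 3)

if __name__ == "__main__":
    fp = build_fingerprint(HISTORY)
    for c in (NORMAL, SUSPICIOUS):
        s, why = score_commit(fp, c)
        print(decide(s), s, c.message, why)
```

The "challenge" outcome is where a step-up check, such as a direct-chat confirmation to the developer, would be triggered rather than silently blocking the push; the "allow" outcome is the common case and costs the developer nothing.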
What happens once the system flags anomalous behavior?
We always strive to maximize security value and, at the same time, eliminate development friction. When Arnica detects anomalous behavior from a developer account, we flag it in Arnica and automatically send an additional authentication through a direct chat to the developer in question, and the security team based on your policy configuration.
How does Arnica assist with code auditing?
Arnica provides real-time notifications to developers when they push code changes, reducing the number of risks that reach pull requests. For those risks that do reach pull requests, Arnica introduces automated code checks on PRs. When risks are located, Arnica comments with the risk details and mitigation context for each risk. Arnica can also automatically block merges where risks exist, preventing them from reaching production code.
Arnica also enables identification of vulnerable third-party dependencies, could you discuss how this works for developers?
Arnica scans all third-party packages and risks on each code push, and notifies developers directly via ChatOps when they use versions with vulnerabilities or introduce a low-reputation package to the code base.
What are some of the other functionalities that are offered by the Arnica platform?
Arnica is focused on providing a platform for application security teams to gain visibility across all software supply chain risks, to be able to prioritize those risks, and to be able to easily stop new risks and fix existing risks. We provide this ability across a wide range of risk categories including excessive developer permissions, code risks resulting from SAST (Static Application Security Testing) and IaC (Infrastructure as Code) scanning, hardcoded secrets, third-party dependencies, and more.
Is there anything else that you would like to share about Arnica?
At Arnica, as much as we develop application and supply chain security solutions, we think of ourselves as a developer experience company. We want to make solving security problems a seamless and delightful experience. Take our secrets mitigation solution for example. We identify the secret at code push, we validate it, and we push a notification to the developer in their chat tool of choice. The notification gives the developer a button – “Fix it for me” – which eliminates the secret from the entire git history without the developer having to write any git commands. Just a click.
We believe that if we can make security an easy and delightful part of the development experience, every organization that uses Arnica will be better off.
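As an added illustration of the first step described above, identifying a hardcoded secret at push time, the following is editorial example code and not Arnica's scanner. It walks a constructed unified diff, scans only the lines the push adds (a removed or context line cannot introduce a new secret), matches a provider-specific pattern first and a generic credential-assignment pattern second, and uses a Shannon-entropy floor to drop placeholder values such as `changeme_placeholder`. The rule set, the `ENTROPY_MIN` threshold, the file contents and the token values are assumptions (the AWS key is the placeholder value from AWS's own documentation). Validating that a secret is live and rewriting git history to remove it are out of scope here.

```python
"""Secret detection over a pushed diff (illustrative only; not Arnica's scanner)."""
import hashlib
import math
import re
from dataclasses import dataclass

# Hypothetical rule set, ordered so provider-specific patterns win over the generic one.
AWS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
GENERIC_RE = re.compile(
    r"""(?i)(api[_-]?key|secret|token|password|access[_-]?key)\w*\s*[=:]\s*['"]([A-Za-z0-9/+=_\-]{16,})['"]"""
)
ENTROPY_MIN = 4.0  # bits per character; below this a generic match is treated as a placeholder
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int          # line number in the new version of the file
    kind: str
    redacted: str      # enough for the developer to recognise it; never the full value
    fingerprint: str   # sha256 prefix, to deduplicate repeat pushes of the same secret


def shannon_entropy(s):
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(value):
    return value[:4] + "*" * (len(value) - 4)


def fingerprint(value):
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def classify(text):
    """Return (kind, value) for the first credential found in one line, or None."""
    m = AWS_KEY_RE.search(text)
    if m:
        return "aws-access-key-id", m.group(1)
    m = GENERIC_RE.search(text)
    if m and shannon_entropy(m.group(2)) >= ENTROPY_MIN:
        return "generic-credential", m.group(2)
    return None


def scan_diff(diff_text):
    """Scan only added lines; track new-file line numbers from the hunk headers."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("diff "):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1)) - 1
            continue
        if raw.startswith(" "):           # context line: advances numbering, nothing to scan
            new_line += 1
        elif raw.startswith("+"):         # added line: the only place a new secret can appear
            new_line += 1
            hit = classify(raw[1:])
            if hit:
                kind, value = hit
                findings.append(Finding(path, new_line, kind, redact(value), fingerprint(value)))
        # removed ("-") lines do not advance new-file numbering and are not scanned
    return findings


# Constructed diff: one high-entropy token, one AWS documentation placeholder key, one low-entropy placeholder.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,4 +1,6 @@
 import os
-API_TOKEN = os.environ["API_TOKEN"]
+API_TOKEN = "q7Zr2pL9xVb4nM1kJ8wYt3sHg6dF0cE5"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+password = "changeme_placeholder"
 DEBUG = False
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line} {f.kind} {f.redacted} ({f.fingerprint})")
```

The redacted value and the fingerprint are what a push-time notification should carry: the developer can recognise which line is meant, the security team can correlate repeat pushes of the same secret, and the full value never lands in a chat tool or a ticket.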
Thank you for the great interview, readers who wish to learn more should visit Arnica.