My name is Nir! I am one of the three co-founders of arnica.io.

I’ve worn many hats in cyber security over the years – sys admin, pen-tester, security architect, and Chief Information Security Officer (CISO). What really gets me excited about my work is making security easy and effective for developers and ops teams!
In my last role, at one of the top 3 FinTechs, following the attack against Solarwinds, the CEO asked me what we are doing to secure our software supply chain. I met with 15+ vendors, did a few POCs, but unfortunately each solution either increased operational cost or was too narrow in scope. I really wanted to buy a solution instead of building it, but even the ones that hit the short list were rejected by my team (thank you guys!).

I also found that many fellow CISOs faced the same problem. This is when I joined forces with my incredible co-founders - Diko and Eran. They were seeing the same pain in their worlds (engineering and ops) too! As a starting point for Arnica, we researched every software supply chain attack since 2018, and based on our research, we found two primary root causes:
1) improper access management to developer tools
2) inability to identify abnormal identity and code behavior

We studied the anatomy of each supply chain attack and designed a product to effectively secure developer tool stacks with a DevOps-first approach:
1) Identify excessive permissions to source code starting with GitHub and Azure DevOps repos (free)
2) Mitigate excessive permissions with an ability to regain access via self-service on Slack for your developers
3) Automatically generate & modify a CODEOWNERS file via pull request, based on the contextual behavior of the pull request reviewers
4) Secret detection and validation without modifications of the build pipelines for all repositories, public and private without any user-count limitations (free)
5) Map GitHub users to your SAML/SSO provider. Also free forever.

Why are we giving away so much functionality for free? I believe Arnica can do well by doing good in the DevSecOps community. Our mission is to be the easy button for DevOps security. Anything that is considered “single pane of glass” is our free contribution. If we do that first and foremost, we are sure we will build a successful business.

~Nir
About half of network pentesting is finding the keys in the file system. Way too often they are in code repos.

It’s good that this is a free service. Things are getting like unencrypted backups were in the nineties. Half of data breaches on DataLossDB were because of them. Once LTO-4 made tapes encrypted by default (instead of a paid-for add-on), it turned the whole industry around.