Spectral exits stealth with $6.2 million to find costly security mistakes buried in code

Spectral, an Israeli startup that’s developing automated tools to help developer teams spot mistakes such as confidential data buried in code, has emerged from stealth today with $6.2 million in a seed round of funding co-led by Amiti and MizMaa.

Recent data from IBM suggests that the average cost of a data breach globally is $3.9 million, a figure that rises to more than $8.6 million for U.S. companies. As businesses have had to double down on their digital efforts over the past year due to the pandemic, the rush to ship new code could open the door to more costly coding mistakes.

Founded out of Tel Aviv in 2020, Spectral is targeting the developer security operations (DevSecOps) realm with an automated scanner that integrates with developers’ tools to find anything that shouldn’t be in the code — this could be internal API keys, tokens, database login credentials, or any type of password. If companies can identify these “secrets” before the code is committed to a live product, it could prevent unauthorized third parties from using the data to nefarious ends.

Above: Spectral in action

Although Spectral is chiefly designed to scan code in the early building stages, the company also offers an “audit mode” that can scan mobile apps, static websites, containers, and public codebases across different kinds of repositories.

Breached

There have been a number of high-profile data breaches that were ultimately caused by the problem that Spectral is striving to solve. A few years back, Uber revealed a major breach that exposed personal data of millions of riders and drivers, after hackers managed to gain access to a private GitHub repository. While there were many security shortcomings across the board, the root cause was that the intruders found an AWS access key in one of the codebases, which they used to access files from Uber’s Amazon S3 Datastore.

Spectral integrates with most of the common developer productivity tools, including all the continuous integration (CI) tools such as GitHub Actions, GitLab CI, CircleCI, and Travis CI, with plugins for frameworks and products such as Webpack, Gatsby, and Netlify. The company is also quick to note that it is deployed locally on its customers’ own infrastructure, meaning that no code is sent to any third party.

Underpinning the Spectral platform is an array of machine learning (ML) models. Some are self-contained, meaning that they require no feedback loop to improve; others do require some “human-in-the-loop,” which presents something of a challenge given that the Spectral platform is designed with security and data privacy in mind.

“Some of the models need a feedback loop which we are creating ourselves with our data science team and security researchers,” Spectral cofounder and CEO Dotan Nahum told VentureBeat. “The technical challenge is exponentially complex due to the high security standard that we allow our users to keep — we do not read, store or process private customer code on our systems, so we cannot have any real feedback loop in that sense. What we do, among many other techniques, is use our own proprietary framework of code synthesis that is enriched with real-world codebases.”

Above: Spectral’s team of 15 in Tel Aviv

There are a number of similar tools on the market already, such as Amazon Macie, which is a managed data security and privacy service that uses ML and pattern matching to identify and protect sensitive data stored on AWS. And then there’s the open source TruffleHog, which searches through git repositories for secrets by digging deep into projects’ commit history and branches. Elsewhere in the startup sphere, French company GitGuardian offers something fairly close to Spectral, though it is pretty much limited to git repositories on platforms such as GitHub and GitLab.

Spectral, on the other hand, is aiming a little wider by allowing users to scan any file in any folder or container, and any “file-like asset” such as text streams, which could work well when scanning chat messages or logs. And Nahum is keen to stress that one of Spectral’s core selling points is that it takes a secure (i.e., local), “developer-first” approach — one focused on speed, made so that DevSecOps teams will want to use it.

“Spectral’s scanner is lightweight and local, it doesn’t require the user to grant any sensitive permissions, and we don’t receive, store, see, or process any of the user’s assets,” he said. “Spectral combines the detection and protection against high-risk security mistakes in a developer-first fashion at coding time, as well as public scanning for these risks in one platform.”

In its short stealth mode so far, Spectral has managed to amass a number of notable clients, including VC-backed companies such as SimilarWeb, Etoro, and Amperity.
