May 11, 2021
--

Cycode raises $20M to secure DevOps pipelines

Israeli security startup Cycode, which specializes in helping enterprises secure their DevOps pipelines and prevent code tampering, today announced that it has raised a $20 million Series A funding round led by Insight Partners. Seed investor YL Ventures also participated in this round, which brings the total funding in the company to $24.6 million.

Cycode’s focus was squarely on securing source code in its early days, but thanks to the advent of infrastructure as code (IaC), policies as code and similar processes, it has expanded its scope. In this context, it’s worth noting that Cycode’s tools are language and use case agnostic. To its tools, code is code.

“This ‘everything as code’ notion creates an opportunity because the code repositories, they become a single source of truth of what the operation should look like and how everything should function,” Cycode CTO and co-founder Ronen Slavin told me. “So if we look at that and we understand it — the next phase is to verify this is indeed what’s happening, and then whenever something deviates from it, it’s probably something that you should look at and investigate.”

Cycode Dashboard. Image Credits: Cycode

The company’s service already provides tools for code governance, leak detection, secret detection and access management. It recently added features for securing the code that defines a business’s infrastructure; looking ahead, the team plans to add drift detection, integrity monitoring and alert prioritization.

“Cycode is here to protect the entire CI/CD pipeline — the development infrastructure — from end to end, from code to cloud,” Cycode CEO and co-founder Lior Levy told me.

“If we look at the landscape today, we can say that existing solutions in the market are kind of siloed, just like the DevOps stages used to be,” Levy explained. “They don’t really see the bigger picture, they don’t look at the pipeline from a holistic perspective. Essentially, this is causing them to generate thousands of alerts, which amplifies the problem even further, because not only don’t you get a holistic view, but also the noise level that comes from those thousands of alerts causes a lot of valuable time to get wasted on chasing down some irrelevant issues.”

What Cycode wants to do then is to break down these silos and integrate the relevant data from across a company’s CI/CD infrastructure, starting with the source code itself, which ideally allows the company to anticipate issues early on in the software life cycle. To do so, Cycode can pull in data from services like GitHub, GitLab, Bitbucket and Jenkins (among others) and scan it for security issues. Later this year, the company plans to integrate data from third-party security tools like Snyk and Checkmarx as well.

“The problem of protecting CI/CD tools like GitHub, Jenkins and AWS is a gap for virtually every enterprise,” said Jon Rosenbaum, principal at Insight Partners, who will join Cycode’s board of directors. “Cycode secures CI/CD pipelines in an elegant, developer-centric manner. This positions the company to be a leader within the new breed of application security companies — those that are rapidly expanding the market with solutions which secure every release without sacrificing velocity.”

The company plans to use the new funding to accelerate its R&D efforts, and expand its sales and marketing teams. Levy and Slavin expect that the company will grow to about 65 employees this year, spread between the development team in Israel and its sales and marketing operations in the U.S.

Feb 17, 2021
--

Spectral raises $6.2M for its DevSecOps service

Tel Aviv-based Spectral is bringing its new DevSecOps code scanner out of stealth today and announcing a $6.2 million funding round. The startup’s programming-language-agnostic service aims to automate code security for development teams, helping them detect potential security issues in their codebases and logs. Those issues could be hardcoded API keys and other credentials, but also security misconfigurations and shadow IT assets.

The four-person founding team has a deep background in building AI, monitoring and security tools. CEO Dotan Nahum was a Chief Architect at Klarna and Conduit (now Como, though you may remember Conduit from its infamous toolbar that was later spun off), and the CTO at Como and HiredScore, for example. Other founders worked on building monitoring tools at Elastic and HP and on security at Akamai. As Nahum told me, the idea for Spectral came to him and co-founder and COO Idan Didi during their shared time at mobile application builder Conduit/Como.

“We basically stored certificates for every client that we had, so we could submit their apps to the various marketplaces,” Nahum told me of his experience at Conduit/Como. “That certificate really proves that you are who you are and it’s super sensitive. And at each point at these companies, I really didn’t have the right tools to actually make sure that we’re storing, handling, detecting [this information] and making sure that it doesn’t leak anywhere.”

Nahum quit his job and built a prototype to see whether a tool could solve this problem (his work on that prototype quickly turned up an issue at Slack). And as enterprises move from on-premises software to the cloud, to microservices and to DevOps, the need for better DevSecOps tools only increases.

“The emphasis is to create a great developer experience,” Nahum noted. “Because that’s where we started from. We didn’t start as a top down cyber tool. We started as a modest DevOps friendly, developer-friendly tool.”

One interesting aspect of Spectral’s approach, which uses a machine learning model to detect these leaks across programming languages, is that it also scans public-facing systems. On the backend, Spectral integrates with tools like Travis, Jenkins, CircleCI, Webpack, Gatsby and Netlify, but it can also monitor Slack, npm, Maven and log providers, sources that most companies don’t think about when they threat model.
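As an added example of the kind of check described above, and not Spectral’s code (the article says Spectral uses a machine-learning model; this is the plain regex-plus-entropy approach such scanners build on), here is a small scanner that runs over a few constructed source and log lines and flags hardcoded credentials. The sample lines, patterns and entropy threshold are assumptions made for this example; the `AKIA…` value on the first line is the placeholder access-key ID that AWS uses in its own documentation.

```python
import math
import re
from collections import Counter

# Sample input, constructed for this example (not real Spectral data).
# Line 1 uses the access-key ID that AWS's own documentation uses as a placeholder.
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'api_key = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"',
    'api_key = "changeme-changeme-changeme"',
    '2021-02-17T10:00:01Z GET /v1/orders Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2VjcmV0.c2ln',
    'timeout = 30',
]

# Detectors for credentials that have a fixed, recognisable format.
FORMAT_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer-token": re.compile(r"\bBearer\s+([A-Za-z0-9\-_.]{20,})"),
}

# Generic assignment to a suspicious-looking name; the value is then judged by its entropy,
# so that placeholders such as "changeme" are not reported.
ASSIGNMENT_PATTERN = re.compile(
    r"(?:api[_-]?key|secret|token|password)\s*[=:]\s*[\"']?([^\"'\s]{16,})",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off for this example


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Report only a short prefix and the length, so the finding itself does not re-leak the secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_lines(lines):
    """Return one finding per detected credential: line number, detector kind and redacted value."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern in FORMAT_PATTERNS.items():
            m = pattern.search(line)
            if m:
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({"line": lineno, "kind": kind, "value": redact(value)})
        m = ASSIGNMENT_PATTERN.search(line)
        if m:
            value = m.group(1)
            entropy = shannon_entropy(value)
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "kind": "high-entropy-assignment",
                                 "value": redact(value), "entropy": round(entropy, 3)})
    return findings


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
```

The two detector families mirror how practical scanners work: fixed-format keys are matched outright, while generic `key = value` assignments are only reported when the value looks random enough to be a real credential. Findings carry a redacted value so the scanner’s own output (which usually lands in CI logs or chat) does not become a second leak.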

“Our solution prevents security breaches on a daily basis,” said Spectral co-founder and COO Idan Didi. “The pain points we’re addressing resonate strongly across every company developing software, because as they evolve from own-code to glue-code to no-code approaches they allow their developers to gain more speed, but they also add on significant amounts of risk. Spectral lets developers be more productive while keeping the company secure.”

The company was founded in mid-2020, but it already has about 15 employees and counts a number of large publicly listed companies among its customers.

Oct 28, 2020
--

Enso Security raises $6M for its application security posture management platform

Enso Security, a Tel Aviv-based startup that is building a new application security posture management platform, today announced that it has raised a $6 million seed funding round led by YL Ventures, with participation from Jump Capital. Angel investors in this round include HackerOne co-founder and CTO Alex Rice; Sounil Yu, the former chief security scientist at Bank of America; Omkhar Arasaratnam, the former head of Data Protection Technology at JPMorgan Chase; and toDay Ventures.

The company was founded by Roy Erlich (CEO), Chen Gour Arie (CPO) and Barak Tawily (CTO). As is so often the case with Israeli security startups, the founding team includes former members of the Israeli Intelligence Corps, but it also brings a lot of hands-on commercial experience. Erlich, for example, was previously head of application security at Wix, Gour Arie worked as an application security consultant for numerous companies across Europe, and Tawily has a background in pentesting and also led a security team at Wix.

“It’s no secret that, today, the diversity of R&D allows [companies] to rapidly introduce new applications and push changes to existing ones,” Erlich explained. “But this great complexity for application security teams results in significant AppSec management challenges. These challenges include the difficulty of tracking applications across environments, measuring risks, prioritizing tasks and enforcing uniform Application Security strategies across all applications.”

But as companies push out code faster than ever, application security teams cannot keep up, and may not even know about every application being developed internally. The team argues that application security today is largely a manual effort to identify owners and measure risk, and that AppSec resources are limited, especially compared with the size of the overall development team at most companies. Indeed, the Enso team argues that most AppSec teams spend most of their time building relationships with developers and performing operational and product-related tasks rather than on application security itself.

“It’s a losing fight from the application security side because you have no chance to cover everything,” Erlich noted. “Having said that, […] it’s all about managing the risk. You need to make sure that you take data-driven decisions and that you have all the data that you need in one place.”

Enso Security wants to give these teams a single pane of glass to discover applications, identify owners, detect changes and capture their security posture. From there, teams can prioritize and track their tasks and get real-time feedback on what is happening across their tools. The platform currently pulls in data from a wide variety of sources, including Jira, Jenkins, GitLab, GitHub, Splunk, ServiceNow and the Envoy edge and service proxy. As the team argues, even data from just a few of these sources already benefits Enso’s users.

Looking ahead, the team plans to continue improving its product and staff up from its small group of seven employees to about 20 in the next year.

“Roy, Chen and Barak have come up with a very elegant solution to a notoriously complex problem space,” said Ofer Schreiber, partner at YL Ventures. “Because they cut straight to visibility — the true heart of this issue — cybersecurity professionals can finally see and manage all of the applications in their environments. This will have an extraordinary impact on the rate of application rollout and enterprise productivity.”

Apr 29, 2019
--

Mirantis makes configuring on-premises clouds easier

Mirantis, the company you may still remember as one of the biggest players in the early days of OpenStack, launched an interesting new hosted SaaS service today that makes it easier for enterprises to build and deploy their on-premises clouds. The new Mirantis Model Designer, which is available for free, lets operators easily customize their clouds — starting with OpenStack clouds next month and Kubernetes clusters in the coming months — and build the configurations to deploy them.

Typically, doing so involves writing lots of YAML files by hand, something that is error-prone and that few developers love, yet that is exactly what sits at the core of the infrastructure-as-code model. Model Designer takes what Mirantis learned from its highly popular Fuel installer for OpenStack and goes a step further. The tool, which Mirantis co-founder and CMO Boris Renski demoed for me ahead of today’s announcement, presents users with a GUI that walks them through the configuration steps. What’s smart here is that every step has a difficulty level (modeled after Doom’s levels, ranging from “I’m too young to die” to “ultraviolence”, though it’s missing Doom’s “nightmare” setting), which you choose based on how much you want to customize the setting.

Model Designer is an opinionated tool, but it also gives users quite a bit of freedom. Once the configuration step is done, Mirantis takes the settings and runs them through its Jenkins automation server to validate the configuration. As Renski pointed out, that step can’t account for all the idiosyncrasies of every platform, but it can ensure that the files are correct. The tool then provides the user with the configuration files; deploying the OpenStack cloud is a matter of taking those files, together with the core binaries that Mirantis makes available for download, to the on-premises environment and executing a command-line script. Ideally, that’s all there is to it. At that point, Mirantis’ DriveTrain tools take over and provision the cloud. For upgrades, users simply repeat the process.

Mirantis’ monetization strategy is to offer support, which ranges from basic support to fully managing a customer’s cloud. Model Designer is yet another way for the company to make more users aware of itself and then offer them support as they start using more of the company’s tools.

May 21, 2018
--

OpenStack spins out its Zuul open source CI/CD platform

There are few open-source projects as complex as OpenStack, which essentially provides large companies with all the tools to run the equivalent of the core AWS services in their own data centers. To build OpenStack’s various systems the team also had to develop some of its own DevOps tools, and, in 2012, that meant developing Zuul, an open-source continuous integration and delivery (CI/CD) platform. Now, with the release of Zuul v3, the team decided to decouple Zuul from OpenStack and run it as an independent project. It’s not quite leaving the OpenStack ecosystem, though, as it will still be hosted by the OpenStack Foundation.

Now all of that may seem a bit complicated, but at this point, the OpenStack Foundation is simply the home of OpenStack and other related infrastructure projects. The first one of those was obviously OpenStack itself, followed by the Kata Containers project late last year. Zuul is simply the third of these projects.

The general concept behind Zuul is to provide developers with a system for automatically merging, building and testing new changes to a project. It’s extensible and supports a number of different development platforms, including GitHub and the Gerrit code review and project management tool.

Current contributors include BMW, GitHub, GoDaddy, Huawei, Red Hat and SUSE. “The wide adoption of CI/CD in our software projects is the foundation to deliver high-quality software in time by automating every integral part of the development cycle from simple commit checks to full release processes,” said BMW software engineer Tobias Henkel. “Our CI/CD development team at BMW is proud to be part of the Zuul community and will continue to be active contributors of the Zuul OSS project.”

The spin-off of Zuul comes at an interesting time for the CI/CD community, which is currently spoiled for choice. Google and Netflix, for example, are betting on Spinnaker, an open-source CD platform that solves some of the same problems as Zuul, while Jenkins and similar projects continue to go strong. The Zuul project notes that its focus is more strongly on multi-repo gating, which makes it well suited to very large and complex projects. Representatives of all of these open-source projects are meeting at the OpenDev conference in Vancouver, Canada, which runs in parallel with the semi-annual OpenStack Summit there, and my guess is that we’ll hear quite a bit more about all of these projects in the coming days and weeks.

Feb 21, 2014
--

Before every release: A glimpse into Percona XtraDB Cluster CI testing

I spoke last month at linux.conf.au 2014 in Perth, Australia, and one of my sessions focused on the “Continuous Integration (CI) testing of Percona XtraDB Cluster (PXC)” at the Developer, Testing, Release and CI miniconf.

The video and the slides of the presentation accompany the original post. Below is a rough transcript of the talk:

This talk covered the continuous integration testing of Galera-based clusters, specifically Percona XtraDB Cluster (PXC). Because of the nature of the cluster (synchronous replication across several nodes), MySQL’s existing test procedures cannot fully exercise it, so newer methodologies are needed, and used, to uncover bugs.

The QA automation of PXC primarily involves:

a) Jenkins

  • Jenkins primarily triggers the chain of jobs, from VCS (bzr) check-in through build and clone, culminating in tests and RPM/DEB builds.
  • Some jobs are triggered manually; others use SCM polling.
  • Build blocking enforces implicit dependencies between jobs, for instance when the Galera library needs to be embedded.
  • Parameterized triggers avoid repeated slow VCS clones and pass parameters to downstream jobs. Build plumbing and fork/join of jobs are also used.

b) Sysbench

  • Sysbench is used for both benchmarking and testing. Requests are dispatched to several nodes simultaneously to uncover latent bugs in synchronous replication, especially around transaction commits and rollbacks and around write conflicts; the same runs also instrument latency.
  • A history of measurements from previous jobs is maintained for time-series graphing of results. This helps in identifying performance regressions.
  • The MTR (mysql-test-run) test suite is reused to create server instances.

c) Random Query Generator (RQG)

  • RQG has again proved valuable in PXC QA. Combinations testing, in particular, exercises different combinations of server options, some of which never come up in general testing but may well be in use in someone’s production setup.
  • As with sysbench, this also stresses multiple nodes at the same time, but to a much higher degree. A slightly modified RQG, ported from the MariaDB RQG Galera extension (https://mariadb.com/kb/en/rqg-extensions-for-mariadb-features/), is being used. Various kinds of statements and transactions are tested, and most importantly, since they run concurrently, bugs surface much more easily. Several MDL- and DDL-related bugs (with TOI, total order isolation) have been found and fixed with this method.
  • Since the number of combinations can get astronomically large, infeasible combinations are pruned before testing.
  • RQG has also been extended to collect backtraces when the server is hard-deadlocked (that is, when even the deadlock reporter fails). This has been valuable for bugs where obtaining a backtrace was vital.

d) SST Testing

  • SST stands for State Snapshot Transfer. This is more of an end-to-end test: start a node, load it with data, start a second node that receives an SST from the first, and verify that the data on both is consistent by checksumming. This is done with several different combinations of configuration, which tests the SST mechanism itself while at the same time testing the server under those combinations. Success of these tests indicates that a cluster will start and work as intended (thus, no blue smoke!).
  • This reuses the PXB (Percona XtraBackup) test suite.
  • It also serves to test PXC on different platforms (13×2 so far).

e) Replication Testing

  • This was written to test upgrades between major versions, 5.5 and 5.6.
  • It is intended to test rolling upgrades.
  • It reuses earlier test components (MTR, sysbench, SST), since it involves starting two nodes, upgrading one of them and running a replication stream between them.
  • It overlaps with other tests in coverage.

f) Other techniques are also used, such as tuning lock_wait_timeout (whose default is one year, so an MDL wait looks like a hang) to catch MDL bugs, and running tests against both release and debug builds, since a bug can manifest differently in each (an assertion failure or crash in a debug build may be a server hang in a release build, for instance).

g) In future, we intend to have:

  • Testing at a higher level with Chef, Puppet etc., intended to test packaging
  • Tests for distro idiosyncrasies
  • Automated handling of test results, with extraction and analysis of logs and backtraces
  • Testing for externalities like network jitter (something that can be simulated with netem), which we currently don’t do. This requires moving from (or cloning) the node-per-process model to a node-per-slave model (one Jenkins slave per node). It can, for instance, help with debugging issues in the evs (extended virtual synchrony) layer of Galera.
    • Incidentally, this was also one of the questions after the talk, since a few other *aaS providers bring up separate Jenkins slaves for testing, where they test features associated with virtualization, for instance (as in the case of OpenStack).
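An illustration of the pruned combinations testing described under (c), added here as an example and not part of Percona’s or RQG’s own tooling: enumerate the Cartesian product of an option matrix, drop the combinations that violate a feasibility rule, and render the survivors as mysqld options for a test job. The option matrix and the second rule are made up for the example; the first rule reflects Galera’s documented requirement that the binary log use the ROW format.

```python
import itertools
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Option matrix constructed for this example; the values are illustrative,
# not PXC's actual QA matrix.
OPTION_MATRIX: Dict[str, List[str]] = {
    "wsrep_sst_method": ["rsync", "xtrabackup-v2", "mysqldump"],
    "binlog_format": ["ROW", "STATEMENT"],
    "innodb_autoinc_lock_mode": ["0", "1", "2"],
    "wsrep_slave_threads": ["1", "8"],
}

Combo = Dict[str, str]
# A rule returns a reason string if the combination is infeasible, otherwise None.
Rule = Callable[[Combo], Optional[str]]


def rule_row_binlog(c: Combo) -> Optional[str]:
    # Galera replicates row events, so a non-ROW binlog format is not a valid cluster setup.
    if c["binlog_format"] != "ROW":
        return "binlog_format must be ROW"
    return None


def rule_parallel_apply_autoinc(c: Combo) -> Optional[str]:
    # Assumed constraint for this example only: with parallel appliers, only
    # interleaved auto-increment locking (mode 2) is treated as feasible.
    if int(c["wsrep_slave_threads"]) > 1 and c["innodb_autoinc_lock_mode"] != "2":
        return "parallel appliers require innodb_autoinc_lock_mode=2"
    return None


RULES: List[Rule] = [rule_row_binlog, rule_parallel_apply_autoinc]


def all_combinations(matrix: Dict[str, List[str]]) -> Iterable[Combo]:
    """Yield every point of the option matrix as an option -> value dict."""
    keys = list(matrix)
    for values in itertools.product(*(matrix[k] for k in keys)):
        yield dict(zip(keys, values))


def prune(matrix: Dict[str, List[str]], rules: List[Rule]) -> Tuple[List[Combo], List[Tuple[Combo, str]]]:
    """Split the matrix into feasible combinations and (combination, reason) pairs that were pruned."""
    feasible: List[Combo] = []
    pruned: List[Tuple[Combo, str]] = []
    for combo in all_combinations(matrix):
        reason = None
        for rule in rules:
            reason = rule(combo)
            if reason:
                break
        if reason:
            pruned.append((combo, reason))
        else:
            feasible.append(combo)
    return feasible, pruned


def to_mysqld_args(combo: Combo) -> List[str]:
    """Render one combination as mysqld command-line options in a stable order."""
    return [f"--{k}={v}" for k, v in sorted(combo.items())]


if __name__ == "__main__":
    feasible, pruned = prune(OPTION_MATRIX, RULES)
    print(f"{len(feasible)} feasible, {len(pruned)} pruned")
    for combo in feasible:
        print(" ".join(to_mysqld_args(combo)))
```

Pruning with explicit, named rules keeps the reason for every dropped combination, which matters when a later bug turns out to live in a corner the rules excluded: the pruned list shows exactly which configurations were never tested and why.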

To conclude, as you may notice, there is a certain degree of overlap between these tests. This is intended: if one type of test misses a bug, another catches it, which helps with the hard-to-catch bugs.

The post Before every release: A glimpse into Percona XtraDB Cluster CI testing appeared first on MySQL Performance Blog.

Aug 01, 2013
--

Percona celebrates its 7th anniversary by giving to open source ecosystem

Today we’re celebrating Percona’s 7th anniversary. A lot has changed in these past 7 years: we have grown from a two-person outfit focused exclusively on consulting to a 100-person company with teammates in 22 different countries and 18 different states, now providing Support, Consulting, RemoteDBA, Server Development and Training services.

We have also made our mark in open source software development, creating some of the most popular products for the MySQL ecosystem: Percona Toolkit, Percona XtraBackup, Percona XtraDB Cluster, Percona Server and others. Additionally, we’re into our second year of hosting the Percona Live conference series for the MySQL community. We have grown to serve over 2,000 customers, and I’m proud to say we did it all bootstrapped, without outside investors, keeping the company owned by its employees.

So how are we celebrating our anniversary? We decided to celebrate by supporting the open source ecosystem, making donations to a number of open source initiatives that have helped us through all these years. We would not be here without you!

As such we’re supporting:

  • MariaDB Foundation for supporting MariaDB, one of the MySQL alternatives that we fully support at Percona.
  • Free Software Foundation as an organization instrumental to the success of the open source movement.
  • Linux Foundation for supporting Linux, by far the most popular platform among our customers.
  • Debian for creating a foundation for some of the most popular Linux distributions out there.
  • Jenkins for the Continuous Integration server we use for our development projects.
  • OpenSSH for software that helps us to access customer systems securely.
  • Drupal for powering our website as well as the websites of many of our customers.

We’re happy to enjoy the growth that allows us to support other projects in our ecosystem. If you have the chance, I encourage you to do the same. A tremendous amount of work goes into open source software, which is free to use but by no means free to create and maintain.

The post Percona celebrates its 7th anniversary by giving to open source ecosystem appeared first on MySQL Performance Blog.
