by Josh Mitnick

Bridging the gap between DevOps and security

News Analysis
Dec 10, 2019
DevOps | IT Leadership | IT Strategy

Israeli startup Rezilion offers a SaaS approach to handling security concerns as development teams automate their pipelines and deploy new applications at breakneck speed.


The tension between DevOps and security can tug at the cohesion of the IT team in any organization that’s trying to modernize its computing operation and migrate to the cloud.

Using new techniques to automate their pipelines, development teams push to innovate and deploy new applications at breathtaking speed in order to keep a step ahead of competitors. But then colleagues tasked with securing the development of those product updates come back with dozens of potential vulnerabilities they demand be fixed before the software is pushed out to customers.

 Rezilion, an Israeli-founded startup that has just emerged from stealth mode, says it wants to liberate tech leaders from this dilemma and ease the tension between security experts and software developers.

IT leaders run up against a seeming zero-sum dilemma between staying competitive or staying safe. Do they choose to go full-steam ahead with automated production and deployment — part of the DevOps methodology — despite the risk of attack, intrusion, and compromised data? Or do they halt the development process and delay a badly needed update in order to ensure that all potential vulnerabilities are sewn up and dealt with?

Security needs to keep pace with DevOps

Rezilion’s goal is to allow development teams to meet fast-moving update targets and enable security leaders to keep the pace, while ensuring that the final product is resilient to hacks.

“It’s all about, ‘How can I innovate faster? How can I scale faster? How can I reach more customers? And how can I provide them with more innovation faster than my competitors?’” said Liran Tancman, the co-founder and CEO of Rezilion. “Security looks at this, and basically it’s a terrifying thing for them.”

 The numbers are daunting. According to research by cybersecurity firm Palo Alto Networks, software running on cloud platforms of Amazon, Microsoft and Google contained some 34.7 million vulnerabilities in the first half of 2019.

Whereas security professionals were accustomed to slower-moving development cycles that could be managed manually, in the age of cloud platforms and automated development they face an explosion of software iteration that requires multiple security tools, not to mention additional time and staff to handle the risks. In addition to helping companies move faster more securely, automating security policies helps limit growth in headcount.

“We have seen customers with 500 deployments per day,” said Tancman. “Over 20,000 virtual machines.”

Security integrated into DevOps pipelines

Rezilion’s SaaS offering integrates into DevOps pipelines and cloud computing provider platforms. Part of a category of security vendors known as “cloud workload protection platform” providers, Rezilion performs a security analysis of programmers’ code through the stages of development, deployment in the cloud, and operation in production. Rather than relying on human behavior analysis, as some other approaches do, the software determines “a whitelist of known and legitimate outcomes” based on code coming from an enterprise’s CI/CD pipeline, according to Rezilion.

Rezilion “determines the correct state for every production instance and assures that each is running exactly as programmed,” Tancman said.

The software sends alerts on vulnerabilities, helps developers triage those that require urgent fixes, flags unauthorized code modifications, and expels unauthorized users of cloud-based software. 
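The allowlist-and-verify approach described above (a known-good state derived from the pipeline's own build output, then compared against each production instance to flag modified or unauthorized code) can be illustrated with a small added Python example; this is not Rezilion's code, and the artifact paths and bytes are constructed samples standing in for real binaries:

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample: the bytes a CI/CD pipeline produced for one release.
BUILD_ARTIFACTS: Dict[str, bytes] = {
    "/opt/app/bin/api-server": b"constructed api-server build 1.4.2",
    "/opt/app/bin/worker": b"constructed worker build 1.4.2",
}

# Constructed sample of what a drifted instance is actually running:
# the worker was changed after the build and an extra binary appeared.
DRIFTED_INSTANCE: Dict[str, bytes] = {
    "/opt/app/bin/api-server": b"constructed api-server build 1.4.2",
    "/opt/app/bin/worker": b"constructed worker build 1.4.2 + manual edit",
    "/opt/app/bin/hotfix-patch": b"constructed binary not produced by the pipeline",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Pipeline side: record the digest of every artifact the build produced.
    This is the 'known and legitimate outcome' a production instance must match."""
    return {path: sha256_hex(blob) for path, blob in artifacts.items()}


def verify_instance(allowlist: Dict[str, str], observed: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Runtime side: compare what an instance is running against the allowlist.
    Returns (path, finding) pairs; an empty list means the instance is running
    exactly what the pipeline built."""
    findings: List[Tuple[str, str]] = []
    for path, blob in observed.items():
        expected = allowlist.get(path)
        if expected is None:
            findings.append((path, "unauthorized: not produced by pipeline"))
        elif not hmac.compare_digest(sha256_hex(blob), expected):
            findings.append((path, "modified: digest differs from build"))
    # Artifacts the build produced but the instance is not running at all.
    for path in allowlist.keys() - observed.keys():
        findings.append((path, "missing: expected artifact not running"))
    return sorted(findings)


if __name__ == "__main__":
    allowlist = build_allowlist(BUILD_ARTIFACTS)
    print("clean instance:", verify_instance(allowlist, BUILD_ARTIFACTS))
    for path, finding in verify_instance(allowlist, DRIFTED_INSTANCE):
        print(f"ALERT {path}: {finding}")
```

The same comparison generalizes to container image digests or package manifests; the key property is that the expected state comes from the build, not from observing production behaviour.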

The startup said it has raised US$8 million in seed-stage capital. The round was led by Jerusalem Venture Partners, along with venture investors Samsung NEXT, Kindred Capital and LocalGlobe. The funds will be used to build up the R&D operations in Israel and sales operations in the U.S. 

Drawing from the know-how and talent pool of graduates from the signals intelligence unit of the Israeli military, Israel’s cybersecurity startups have attracted a rising tide of investment: Israeli cybersecurity companies raised $2 billion in 2019 compared to $682 million in 2016, according to Start-Up Nation Central, a non-profit that focuses on the Israeli startup industry. Multinationals like F5 Networks and Symantec have set up operations in Israel.

Four years ago, Tancman and co-founder Shlomi Boutnaru sold their previous security startup, CyActive, which specialized in predicting malware attacks, to PayPal. 

Rezilion said that its security software is being included in Chef, a popular configuration management tool used for setting up and automating the various phases of the development pipeline, from coding through testing and development to production.

 AppsFlyer, a mobile marketing analytics provider that has been using Rezilion’s platform for three months, said it has been able to significantly reduce the complement of tools used for cloud security.  

Better security with fewer resources

 While there is no one “bulletproof” solution to protect computing workloads from development to cloud deployment, Rezilion enables better security with fewer resources at AppsFlyer, said Guy Fletcher, the company’s chief information security officer.

 “It helps us have a better protection faster,” he said. “The fact that there is a very dynamic [computing] environment, with constant and rapid changes requires a different approach of how we protect the environment.”

Tancman said he considers cloud workload protection platform providers Trend Micro of Japan and Palo Alto Networks, which acquired Israeli startup Twistlock in July to boost its offering, to be competitors. Other vendors in the category include Symantec and Israel’s Aqua and Alcide.

The startup co-founder said the market for tools like Rezilion’s is still nascent because enterprises are spending relatively little on security for cloud computing application development out of concern the solutions will slow down innovation and be too difficult to manage. 

“One of the reasons people are not buying those tools is either because they don’t have the skills to operate them, or because operating them will be making DevOps miserable, which is not an option,” he said. “When I’m looking at the market, it’s not about taking competitor market share, it’s really about actually allowing this market to happen.”