Developers these days are expected to write code faster, ship it faster, and keep it secure. Those expectations inevitably lead to small mistakes and misconfigurations, and developers already spend an inordinate amount of time reviewing code. In the worst case, passwords or API keys end up committed to the codebase. The resulting security breaches not only expose confidential data, they can lead to massive fines.
According to IBM estimates, security breaches cost U.S. companies an average of $8.2 million. Startup Spectral (just emerged from stealth) reports that 35% of organizations with a strong open-source posture have suffered at least one public leak. Almost half of those leaks were due to bad security hygiene originating from personal employee accounts and shadow accounts on cloud services such as GitHub, Docker Hub and npm.
Spectral offers a platform that the company says can scan a code repository in seconds to detect, flag, and block coding mistakes. It can audit an entire company codebase as well as provide active protection against developer slip-ups. It does this via a hybrid engine that combines hundreds of detectors with AI and automation.
Dotan Nahum, Spectral's founder and CEO, believes that current-generation scanning tools take too long. Irrelevant and non-intuitive results can overwhelm developers, and that's one of the reasons some developers stop using scanners altogether, he says. Spectral's focus is on the codebase, and the platform aims to monitor, detect, and help mitigate mistakes during development.
Results in 15 minutes
"Within the organization's codebase, Spectral provides developer tools to mitigate and fix issues in a shift-left fashion, by integrating into their SDLC stages, such as their CI/CD pipelines," said Nahum. "Integrating Spectral into the CI takes one line of code, and anyone can get protected within 15 minutes of using the platform."
The platform detects and sends alerts regarding the organization's security posture, public asset footprint, unknown public leaks of its secrets, sensitive access details, and proprietary digital assets.
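To make concrete what a detector-based scanner does at the point where it runs in CI, here is an added illustration of the general technique (format-specific pattern detectors plus an entropy heuristic, with suppression of placeholders so the scanner is not "overwhelming" developers with irrelevant results, and a non-zero exit code so the pipeline can block the commit). It is example code written for this article, not Spectral's code, and it makes no claim about Spectral's detectors; the detector set, thresholds and the sample configuration file are all constructed for the example.

```python
"""Minimal CI secret scanner: pattern detectors + entropy heuristic + noise suppression.

Added illustration of how repository secret scanning works in general. It is not
Spectral's code; detector names, thresholds and the sample file are constructed.
"""
import math
import re
from dataclasses import dataclass

# Format-specific detectors (an assumed tiny set; production scanners ship hundreds).
PATTERN_DETECTORS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# A string literal assigned to a secret-looking name: password = "...", API_KEY: '...'.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]+)['\"]"
)

# Values that are obviously not live credentials. Reporting these is exactly the
# noise that makes developers abandon scanners, so they are suppressed.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE", "changeme"}  # AWS's documented example key id; a common dummy
PLACEHOLDER = re.compile(r"^(<[^>]+>|\$\{[^}]+\}|\$[A-Z_]+|x{6,}|\*{6,})$")

ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off, tune per codebase
MIN_SECRET_LEN = 12


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: the usual 'does this look random' heuristic."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_noise(value: str) -> bool:
    """True for allowlisted dummies and templating placeholders like ${VAR}."""
    return value in ALLOWLIST or PLACEHOLDER.match(value) is not None


@dataclass
class Finding:
    path: str
    line: int
    detector: str
    confidence: str  # "high" blocks the pipeline, "low" is reported but not fatal
    snippet: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every detector over each line; one finding per line at most for assignments."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERN_DETECTORS.items():
            for m in rx.finditer(line):
                if not is_noise(m.group(0)):
                    findings.append(Finding(path, lineno, name, "high", m.group(0)))
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            # Skip placeholders and lines a pattern detector already reported.
            if is_noise(value) or any(f.line == lineno for f in findings):
                continue
            looks_random = len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD
            conf = "high" if looks_random else "low"
            findings.append(Finding(path, lineno, "hardcoded-" + m.group(1).lower(), conf, value))
    return findings


def ci_exit_code(findings: list[Finding]) -> int:
    """Fail the pipeline only on high-confidence findings; low ones are surfaced, not fatal."""
    return 1 if any(f.confidence == "high" for f in findings) else 0


# Constructed sample file for this example; none of these values is a real credential.
SAMPLE_CONFIG = """\
# constructed sample file for this example, not a real repository
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_key = "AKIAJ5K3X7QWERTYUIOP"
GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
SLACK_TOKEN = "${SLACK_TOKEN}"
db_password = "changeme"
api_key = "q7Zm2Lp9Kx4Rv1Tb8Ws3Yh6Nc5Jd0Fg"
admin_password = "password123"
"""

if __name__ == "__main__":
    import sys
    results = scan_text("config.py", SAMPLE_CONFIG)
    for f in results:
        print(f"{f.path}:{f.line} [{f.confidence}] {f.detector}: {f.snippet}")
    sys.exit(ci_exit_code(results))
```

Run against the sample, the scanner reports the fake AWS key id and GitHub token (format match, high confidence) and the random-looking `api_key` literal (entropy, high confidence), reports `password123` as low confidence because it is short and low-entropy, and stays silent on the documented AWS example key, the `${SLACK_TOKEN}` placeholder and `changeme`. The low-confidence result is the caveat to keep in mind with any entropy heuristic: weak, human-chosen secrets look like ordinary text, so keyword detectors and allowlists matter as much as the entropy cut-off.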
Nahum said his company competes on several fronts. There are open-source tools such as truffleHog, for example. He said this class of tools might occasionally suffer from lack of maintenance. From a security research aspect, they follow a product-led growth strategy, so they do not always enjoy quality feedback from users. Lack of warranty can be another issue. Another issue he brought up is the fact that open-source tools can require an investment of time in the community. Some developers have too much on their plate to put in the hours.
He claims that Spectral provides a scanner that's an order of magnitude better than existing solutions when it comes to security.
As for pentesters, Nahum said Spectral aims to serve as a tool to augment their work and that of other manual code checkers. Compared to manual pentester work, he added, Spectral's automation provides a more detailed and more precise approach.
Spectral sees itself as part of an emerging code security market rather than the existing application security testing market. Spectral helps developers protect codebases, avoid data leaks that originate from supply-chain gaps, and deal with security mistakes and misconfigurations. Spectral's focus is on the developer side.
"Spectral prioritizes DX (Developer Experience) as high priority, which means that if we let a developer down, we promise a turn-around speed of only a few days to improve our developer experience," said Nahum. "In addition, Spectral's scanner is on an evergreen release model (just like Chrome), which is always updated and so the new version will find its way to these developers automatically."
This article was originally published on March 19, 2021