Apiiro, a company based in Tel Aviv, Israel, and New York, said on Tuesday that it received a $35 million A-round investment from Kleiner Perkins and Greylock to fuel sales and marketing for technology it says can help organizations weed out insecure code and risky application development practices.
The investment marks one of the biggest early-stage bets on the fast-evolving market for so-called “DEVSECOPS,” in which development and security teams are closely integrated as part of agile, CI/CD (continuous integration/continuous delivery) development processes.
Apiiro makes technology that can identify and fix security problems during the development process. The company’s Code Risk Platform accelerates development by allowing organizations to identify and prioritize risky code changes before they become part of the development pipeline, said Idan Plotnik, apiiro’s CEO and co-founder.
The platform uses patent-pending technology to learn the historical behavior of application code, infrastructure-as-code and open source components. It also analyzes developer behaviors to identify risk behaviors that could have business impact. It can automatically remediate those risks at the design phase, before deploying to cloud or on-premise, according to a company statement.
“The essence behind apiiro is the need to understand code changes based on your knowledge of the developer, the business impact of the product and other risk factors,” said Plotnik.
The company is the brainchild of Plotnik and co-founder Yonatan Eldar. Both are veterans of the elite Israeli Defense Force (IDF) cybersecurity units and worked together at Aorato, a cloud security vendor and pioneer in the User and Entity Behavior Analytics (UEBA) space, which was acquired by Microsoft in 2015.
Following the acquisition, Plotnik and Eldar both worked at Microsoft
“I was responsible for communicating risk to upper management, but it was a constant struggle,” said Plotnik. “The tools we used seemed to take a ‘developer last’ rather than a ‘developer first’ approach.”
“Secure by design” processes, pioneered by Microsoft in the 1990s and early 2000s, were geared towards older, “waterfall” development methodologies, with their six-month or year-long development cycles. Simply porting security development tools designed for waterfall development to agile environments resulted in false positives and “noise” that bogged down agile processes.
Plotnik and Eldar saw the need for a product that was tailored to modern, agile development operations and that could bridge the gap between development, security and compliance teams.
The company is just the latest entrant in the DEVSECOPS market, in which companies are pushing cybersecurity capabilities “left” – earlier into the development cycle. In June, for example, GitLab acquired two firms, Peach Tech and Fuzzit, to integrate protocol fuzz testing and dynamic application security testing (DAST) API testing into its CI/CD platform.
Last week, Anchore, a Santa Barbara, California, startup, announced new tools for DEVSECOPS teams that can scan virtual container images and file systems for vulnerabilities or create a Software Bill of Materials (SBOM).
Apiiro’s approach is to integrate with and enrich data from external security tools. The company’s technology creates unified risk profiles across developers and code behavior that zero in on business risk. Rather than simply scanning for vulnerabilities in a banking application, for example, apiiro looks at risk-relevant questions such as whether a given API is responsible for money transfer or whether the service being analyzed is exposed to the Internet. Added to that business context is a deep analysis of developer behavior.
The $35 million round marks one of Greylock’s largest early investments in recent memory, said Saam Motamedi, General Partner at Greylock and a member of apiiro’s Board of Directors. That reflects the firm’s confidence in apiiro’s leadership and their track record, as well as Greylock’s enthusiasm for left-shifted security offerings.
“What we hear from customers over the last few years is two trends: the acceleration of digital transformation and the move from waterfall to agile development,” Motamedi said. Unfortunately, technology offerings have not caught up. Firms like apiiro will help accelerate both trends: furthering digital transformation initiatives by simplifying software development organizations’ embrace of agile development and DEVSECOPS.
Plotnik said the company, with research and development based in Tel Aviv and sales and marketing in New York, will use the investment to get the word out about its platform, which is already being used at a number of large banks, as well as to continue development of the Code Risk Platform.