Twistlock has built a new system that makes both developers and security professionals happy, which is not an easy feat
San Francisco-based cyber security startup Twistlock announced today the close of their Series A, bringing in a very sizable $10 million in new funding.
The round was led by the security-focused fund TenEleven Ventures with help from new investor Rally Ventures. Previous backers YL Ventures and an unnamed strategic investor joined in as well. Added to the $3.1 million raised in two earlier seed rounds, this injection of cash takes Twistlock to a total of $13.1 million raised.
Co-founded in January 2015 by CEO Ben Bernstein and VP R&D Dima Stopel, the company was the first to market last year with their security solution for protecting containers from vulnerabilities and attacks. They also have an R&D office based in Herzliya.
Containers are the building blocks of the DevOps space: programmers rely on them to move code, along with essential elements like system libraries and tools, out quickly for deployment. Being able to constantly update programs such as apps through DevOps infrastructure like JFrog and Docker has allowed the software industry to launch into hyperdrive, setting a new standard for speed that the security field is still working to catch up with.
Developers, especially those in the DevOps ecosystem, and security professionals are often on two sides of the line when it comes to their approach to getting new software out into the world. On the one side are the developers who want to sprint towards the finish line, while the security people are more inclined to apply the brakes to make sure that the code is clean of vulnerabilities before it is released.
Recognizing this tension, Twistlock has built a new system that makes both parties happy, continuously checking containers for vulnerabilities throughout the life cycle and maintaining both speed and security.
From the security angle, the challenge in working with containers is the reliance on preexisting third-party code from which programmers build their new products. This is a common problem, but it is more prevalent in containers because they always have some kind of base image inside, and a high percentage of these base images have vulnerabilities.
A study done last year found that 33% had critical vulnerabilities. In their own work, Twistlock has seen 60% with vulnerabilities of medium or critical severity. Going through these massive amounts of code without a tool can be a challenge for slower-paced security practices.
Chenxi Wang, Chief Strategy Officer at Twistlock, tells Geektime that, “In traditional security products, people come and test for a long time before being deployed in production. But security for DevOps is a different mentality.”
She says that her customers expect their solution to work at the same pace that they do, and are used to having tools that they can deploy right away.
“We designed our products like that,” says Wang.
Their automated security suite, Twistlock Trust and Twistlock Runtime, addresses the development and production stages.
As soon as a container image is composed in the development stage, they scan the image for vulnerabilities and malware and make sure that the hardening practices and all of the configurations are in place.
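To make the development-stage scan described above concrete, here is an added example (not Twistlock's code, data format or advisory feed): a toy image scanner that matches the packages installed in an image against a constructed advisory list using a version comparison, checks two hardening settings (the image running as root and secret-looking names in its environment), and feeds the findings into a deploy gate. The advisory identifiers, package versions and image are all constructed sample data.

```python
"""Toy container-image scan: package versions vs. a constructed advisory
feed, plus two hardening checks.  Constructed data only; this is an
illustration, not Twistlock's scanner or its data format."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifiers, not real CVE numbers
    package: str
    fixed_in: str      # first version that is no longer affected
    severity: str


# Constructed advisory feed (assumption: one "fixed in" version per entry).
ADVISORIES = [
    Advisory("ADV-0001", "openssl", "1.0.1g", "critical"),
    Advisory("ADV-0002", "bash", "4.3.30", "high"),
    Advisory("ADV-0003", "curl", "7.50.0", "medium"),
]

SECRET_ENV = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)


def version_key(version):
    """Turn '1.0.1g' into a tuple that compares correctly: numeric parts
    compare as integers, letter suffixes as strings.  Each part is tagged
    so an int is never compared with a str (which would raise in Python 3)."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_vulnerable(installed, advisory):
    """Installed version is affected if it sorts before the fixed version."""
    return version_key(installed) < version_key(advisory.fixed_in)


def scan_image(image):
    """image = {'name': ..., 'packages': {name: version}, 'config': {...}}.
    Returns a list of finding dicts, each with a 'severity' key."""
    findings = []
    for adv in ADVISORIES:
        installed = image["packages"].get(adv.package)
        if installed is not None and is_vulnerable(installed, adv):
            findings.append({"type": "vulnerability", "id": adv.advisory_id,
                             "package": adv.package, "installed": installed,
                             "fixed_in": adv.fixed_in, "severity": adv.severity})
    cfg = image["config"]
    # Hardening check 1: no USER set (or root) means processes run as uid 0.
    if cfg.get("User", "") in ("", "root", "0"):
        findings.append({"type": "hardening", "id": "RUNS_AS_ROOT",
                         "detail": "image runs as root", "severity": "medium"})
    # Hardening check 2: credentials baked into ENV travel with the image.
    for env in cfg.get("Env", []):
        name = env.split("=", 1)[0]
        if SECRET_ENV.search(name):
            findings.append({"type": "hardening", "id": "SECRET_IN_ENV",
                             "detail": name, "severity": "high"})
    return findings


def gate(findings, block_at=("critical", "high")):
    """Deploy gate: True means block the image because some finding is
    at or above the blocking threshold."""
    return any(f["severity"] in block_at for f in findings)


# Constructed sample image: vulnerable openssl, patched bash, old curl,
# no USER, and a database password in ENV.
SAMPLE_IMAGE = {
    "name": "example/web:1.2",
    "packages": {"openssl": "1.0.1e", "bash": "4.3.30",
                 "curl": "7.47.0", "nginx": "1.10.0"},
    "config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=changeme"]},
}

if __name__ == "__main__":
    results = scan_image(SAMPLE_IMAGE)
    for finding in results:
        print(finding)
    print("block deployment:", gate(results))
```

The gate is what makes the scan fit a DevOps pipeline: it runs on every build and returns a yes/no that the pipeline can act on, instead of producing a report for a later manual review.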
Twistlock uses behavioral analysis to detect deviations from expected behavior, which they claim can help turn up even zero-day vulnerabilities. “Part of what we do is analyze the image and understand how it should look in run time,” explains Wang. “If it doesn’t do what it’s supposed to in run time, then we know that we have caught something.”
In one case, they caught buffer overflow attacks by flagging a system call that is only used for cryptographic operations. “We knew that this app had no crypto function,” says Wang on their win.
They also enforce access control policies on different Docker resources. This segmentation means that the development team can only deploy and operations can only delete. Wang says that this was not an option before. “We think that this is a new way of doing security combining development time capabilities with production control. We are really the first security company to do that. It might not be a revolution per se, but [it] is changing the security game.”
While Twistlock may have been there at the start of DevOps security, there are others that are working hard to give them a run for their money.
Aqua is another company with an Israeli connection working in this dedicated space. Aqua launched its product six months after Twistlock, and VP Marketing Rani Osnat and CTO and Co-founder Amir Jerbi tell Geektime that they work with a behavior analysis approach to tackle vulnerabilities.
“We create a dynamic security policy based on the behavior of the container,” explains Osnat. “We basically use this whole cycle so that when the environment is being tested, which again in this environment is done quite often, to collect data on how it operates in the context of the application, giving the user the ability to create a feedback loop and set that as the runtime security profile for the container.”
Both companies work with segmentation and constant runtime behavior monitoring techniques that make them strong competition and well placed to make waves in the market.
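Both descriptions above come down to the same mechanism: establish what a container is supposed to do, then alert when it does something else at run time. Wang describes deriving the expected behavior from the image and catching a system call the app should never make; Osnat describes recording behavior during the test cycle and turning it into the runtime profile. The following added example (neither company's code) shows that mechanism with a constructed syscall trace in a made-up "timestamp container executable syscall" format: a profile of expected syscalls per executable is learned from the test-run trace, and production events are checked against it. The syscall and executable names in the traces are constructed sample data.

```python
"""Toy runtime behaviour profile for a container: learn which syscalls
each executable makes during test runs, then flag production events that
fall outside that profile.  Constructed traces; not Twistlock's or Aqua's
implementation."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int
    container: str
    comm: str      # executable name
    syscall: str


def parse_trace(text):
    """Parse constructed 'ts container comm syscall' lines; '#' starts a comment."""
    events = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, container, comm, syscall = line.split()
        events.append(Event(int(ts), container, comm, syscall))
    return events


def learn_profile(events):
    """Learning phase (the test cycle): record every (executable, syscall)
    pair observed.  Feeding several test runs through this widens the
    profile and cuts false positives in enforcement."""
    profile = defaultdict(set)
    for e in events:
        profile[e.comm].add(e.syscall)
    return {comm: frozenset(calls) for comm, calls in profile.items()}


def check_runtime(profile, events):
    """Enforcement phase: an executable the profile never saw, or a known
    executable making a syscall it never made in testing, is an alert."""
    alerts = []
    for e in events:
        if e.comm not in profile:
            alerts.append((e.ts, e.container, f"unexpected executable {e.comm}"))
        elif e.syscall not in profile[e.comm]:
            alerts.append((e.ts, e.container,
                           f"{e.comm} made unexpected syscall {e.syscall}"))
    return alerts


# Constructed trace from the test environment: a web app and its proxy.
TEST_TRACE = """
# ts container comm syscall
1 web-1 app read
2 web-1 app write
3 web-1 app socket
4 web-1 app connect
5 web-1 nginx accept
6 web-1 nginx read
7 web-1 nginx write
"""

# Constructed production trace: the app issues a syscall it never made in
# testing, and a shell appears inside the container.
PROD_TRACE = """
100 web-7 app read
101 web-7 app write
102 web-7 app add_key      # never seen from 'app' during the test cycle
103 web-7 sh execve        # executable absent from the learned profile
104 web-7 nginx accept
"""

if __name__ == "__main__":
    learned = learn_profile(parse_trace(TEST_TRACE))
    for alert in check_runtime(learned, parse_trace(PROD_TRACE)):
        print(alert)
```

The profile is an allowlist, so its quality depends on the test cycle exercising the application's real behavior; the quote from Osnat about collecting data "quite often" is exactly what keeps such a profile from going stale when the application changes.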
It goes without saying that Docker also provides solutions for this space, as does a general security company called Black Duck.
Twistlock has reported significant growth over the past year, with 30 enterprises listed as using their product and licensed customers counting in the double digits. They recently announced InVisionApp as a new customer, and note that bigger names like Wix and AppsFlyer are also on their list of users.
Looking into the short term post funding, Wang says that they will “expand with a product road map that we can execute at a faster pace.” This will include growing their customer support and service as they build a more formal support organization. They will also expand their sales presence, primarily in the U.S. and Europe.
Future of security in DevOps
Asked how she sees acceptance in the developer world of the need for security solutions, Wang tells Geektime that the reaction has been varied, but adds that DevOps personnel have a higher rate of acceptance.
From the looks of it, DevOps will continue to gain a larger slice of the pie in the software world, raising new challenges for the security community. When we spoke recently with the head of security for a very large company in the U.S., she noted that she and others are looking for the right solutions that will allow their development teams to adopt this faster method of work.
DevOps security is still at an early stage, and it will likely take some time for wider integration before it becomes a standard in the industry, just as firewalls and other basic precautions have been adopted. The key is automation and constant checks done in the background, allowing developers to keep pushing out that code gold.