source link: https://devm.io/security/supply-chain-security

Interview with Nir Valtman, CEO and Founder of Arnica

"Software supply chain attacks will continue to be a game of cat and mouse."

10. Oct 2022


We spoke with Nir Valtman, the CEO and Founder of Arnica, about the rise in software supply chain attacks. What is their root cause, and can automation help prevent them? Nir is an experienced information security leader, executive, expert, and frequent public speaker at leading conferences globally, including Black Hat, Defcon, BSides, and RSA.

devmio: How does the combination of supply chain attacks and excessive permission create a threat for organizations?

Nir Valtman: Software supply chain attacks continue to surprise organizations, but we have seen consistency in two primary root causes:

  • Improper access management to the development ecosystem (e.g. source code management, CI/CD pipelines, artifact management, secrets vault, etc.)
  • Inability to prevent anomalous behavior of either the identity (e.g. developer, bot, service account) or the source code. Due to the accelerating trend of everything-as-code, unauthorized access to source code can also lead to unauthorized access to cloud environments and infrastructure. Attacks on the supply chain, which repeatedly exploit excessive permissions, represent a real threat to the day-to-day operations of a business.

devmio: What does Arnica do to solve this issue?

Nir Valtman: Arnica’s mission is to proactively protect your software supply chain by automating the day-to-day security operations and empowering developers to own security without compromising velocity.

Arnica does this with high accuracy and granularity by leveraging a behavioral graph to identify which permissions are genuinely needed for each user based on their historical behavior in the development ecosystem. The dynamic nature of software development often results in developers shifting focus between projects over time. Arnica empowers developers to own their security by providing a self-service solution to grant and revoke access to specific resources and actions based on predefined policies.

Additionally, Arnica identifies risky code changes and abnormal developer behavior in order to help development teams increase both security and the quality of their code. For example, Arnica can highlight an anomalous code change in the code review process or even mitigate risks before they get into a code review, such as ensuring that no new hardcoded secrets are introduced into the source code repository.
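The "no new hardcoded secrets before code review" check mentioned above can be illustrated with a small scanner that looks only at the lines a change adds. The following is an added example for this article, not Arnica's code: it parses a unified diff, runs a few assumed secret-shape rules over the added lines, and filters low-entropy placeholder values so that obvious dummies do not block a review. The diff, the rule names, and the entropy threshold are all constructed for the example.

```python
"""Pre-review check for newly introduced hardcoded secrets.

Added example, not Arnica's code. Only the '+' lines of a unified diff are
scanned, so the change under review is judged on what it introduces rather
than on secrets that were already present in the repository.
"""
import math
import re

# Rule names and regexes are assumptions for this example; they cover a few
# well-known secret shapes, not any vendor's full rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # keyword = "<value>"; the captured value is entropy-checked below
    "keyword_assignment": re.compile(
        r"(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]",
        re.IGNORECASE,
    ),
}
MIN_ENTROPY = 3.0  # assumed threshold: values below this look like placeholders
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(value):
    """Bits of entropy per character of `value` (0.0 for an empty string)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def added_lines(diff_text):
    """Yield (path, new_line_number, text) for every line the diff adds."""
    path, new_no = None, None
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            new_no = None
            continue
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_no = int(m.group(1))
            continue
        if new_no is None:
            continue
        if raw.startswith("+"):
            yield path, new_no, raw[1:]
            new_no += 1
        elif raw.startswith("-"):
            pass  # removed line: no new-side line number consumed
        else:
            new_no += 1  # unchanged context line


def scan_diff(diff_text):
    """Return findings as dicts with file, line and the rule that fired."""
    findings = []
    for path, line_no, text in added_lines(diff_text):
        for rule, rx in PATTERNS.items():
            m = rx.search(text)
            if not m:
                continue
            if m.groups() and shannon_entropy(m.group(1)) < MIN_ENTROPY:
                continue  # e.g. "changeme": report elsewhere, do not block
            findings.append({"file": path, "line": line_no, "rule": rule})
    return findings


def should_block(findings):
    """Policy hook: any finding blocks the change before it reaches review."""
    return bool(findings)


# Constructed sample diff (AKIAIOSFODNN7EXAMPLE is AWS's documented example key).
SAMPLE_DIFF = "\n".join([
    "diff --git a/config/settings.py b/config/settings.py",
    "--- a/config/settings.py",
    "+++ b/config/settings.py",
    "@@ -10,3 +10,5 @@",
    " DEBUG = False",
    '-DB_PASSWORD = os.environ["DB_PASSWORD"]',
    '+DB_PASSWORD = "s3cr3tP@ssw0rd!xyz"',
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    '+EXAMPLE_PASSWORD = "changeme"',
    ' ALLOWED_HOSTS = ["example.com"]',
])

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['file']}:{f['line']}: {f['rule']}")
    print("block:", should_block(scan_diff(SAMPLE_DIFF)))
```

Run on the constructed diff, the scanner flags the high-entropy database password on line 11 and the AWS key on line 12, while the `"changeme"` placeholder on line 13 is dropped by the entropy filter. Keying the check on added lines is what keeps it usable as a pre-review gate: developers are only asked about what their change brings in.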


devmio: What is Arnica doing differently from other solutions in its approach to solving this problem?

Nir Valtman: Arnica differentiates in multiple verticals from the competition. First, Arnica can be onboarded with self-service in a couple of minutes. Second, Arnica provides a “single pane of glass” risks and inventory view for free, for unlimited users, forever. Third, any risk that Arnica presents has a one-click mitigation, so that the owners of the development ecosystem will be able to focus on their primary job. Fourth, any risk that Arnica mitigates can be reverted, which means that the operational risk of running Arnica is low. Lastly, developers don’t need to learn a new tool since all actions can be performed within their ecosystem (e.g. Slack).

devmio: What does behavior-based mean and how does it work in practice?

Nir Valtman: Arnica observes the historical behavior of each identity and determines which permission is needed based on deep correlation across activities collected from the development ecosystem. For example, admin user activities are typically recorded in the audit trail, so we can ask questions like “who are the admins that have access to a given source code repository but have not performed any administrative action in the last 90 days?” Arnica users can then build automated policies to respond to that scenario by removing admin privileges for dormant users.

Arnica’s anomaly detection is enriched by machine learning. Our models represent the behavior of each developer, broken down to the granular science of understanding code authorship. This means that Arnica can identify account takeovers, identity spoofing (the git protocol is designed to support it), and even determine if a code snippet belongs to a specific code repository.


devmio: What feedback are you getting from developers who are using Arnica?

Nir Valtman: It is extremely hard for security tools to nail a stellar developer experience. In most cases, security solutions tend to negatively impact development velocity. At Arnica, we believe we can do the opposite. This is why we love when our customers connect us directly with their developers to get feedback and guidance. For example, our initial approach was to grant specific permissions to developers in certain teams, but this approach resulted in fatigue from too many code review requests. Developers asked for the ability to be removed from specific teams in order to focus on the notifications that were most relevant to them. This is one example of how a security product can be delightful for developers.

devmio: How do you see supply chain attacks evolving in the future and how can we protect against them?

Nir Valtman: I think that we have hardly seen the tip of the iceberg. Software supply chain attacks will continue to be a game of cat and mouse, chasing misconfigurations and patches across the development ecosystem. This is why the problem needs to be solved at its root, while dramatically reducing the blast radius of an attack by eliminating unnecessary access to resources and preventing anomalous behavior.

Nir Valtman

Nir is an experienced information security executive, expert, and frequent public speaker at world-class conferences such as Black Hat, Defcon, BSides, and RSA. He was most recently VP security at Finastra and CISO at Kabbage, and he is now working on his new startup, Arnica, which focuses on software supply chain security.
