Rezilion raises $30M to help security operations teams with tools to automate their busywork

Security operations teams face a daunting task these days, fending off malicious hackers and their increasingly sophisticated approaches to cracking into networks. That also represents a gap in the market: building tools to help those security teams do their jobs. Today, an Israeli startup called Rezilion that is doing just that — building automation tools for DevSecOps, the area of IT that addresses the needs of security teams and the technical work that they need to do in their jobs — is announcing $30 million in funding.

Guggenheim Investments is leading the round with JVP and Kindred Capital also contributing. Rezilion said that unnamed executives from Google, Microsoft, CrowdStrike, IBM, Cisco, PayPal, JP Morgan Chase, Nasdaq, eBay, Symantec, RedHat, RSA and Tenable are also in the round. Previously, the company had raised $8 million.

Rezilion’s funding is coming on the back of strong initial growth for the startup in its first two years of operations.

Its customer base is made up of some of the world’s biggest companies, including two of the “Fortune 10” (the top 10 of the Fortune 500). CEO Liran Tancman, who co-founded Rezilion with CTO Shlomi Boutnaru, said that one of those two is one of the world’s biggest software companies, and the other is a major connected device vendor, but he declined to say which. (For the record, the top 10 includes Amazon, Apple, Alphabet/Google, Walmart and CVS.)

Tancman and Boutnaru had previously co-founded another security startup, CyActive, which was acquired by PayPal in 2015; the pair worked there together until leaving to start Rezilion.

There are a lot of tools out in the market now to help automate different aspects of developer and security operations. Rezilion focuses on a specific part of DevSecOps: large businesses have over the years put in place a lot of processes that they need to follow to try to triage and make the most thorough efforts possible to detect security threats. Today, that might involve inspecting every single suspicious piece of activity to determine what the implications might be.

The problem is that with the volume of information coming in, taking the time to inspect and understand each piece of suspicious activity can put enormous strain on an organization: it’s time-consuming, and as it turns out, not the best use of that time because of the signal to noise ratio involved. Typically, each vulnerability can take 6-9 hours to properly investigate, Tancman said. “But usually about 70-80% of them are not exploitable,” meaning they may be bad for some, but not for this particular organization and the code it’s using today. That represents a very inefficient use of the security team’s time and energy.

“Eight out of ten patches tend to be a waste of time,” Tancman said of the approach that is typically made today. He believes that as its AI continues to grow and its knowledge and solution become more sophisticated, “it might soon be 9 out of 10.”

Rezilion has built a taxonomy and an AI-based system that essentially does that inspection work as a human would do: it spots any new, or suspicious, code, figures out what it is trying to do, and runs it against a company’s existing code and systems to see how and if it might actually be a threat to it or create further problems down the line. If it’s all good, it essentially whitelists the code. If not, it flags it to the team.

The stickiness of the product has come out of how Tancman and Boutnaru understand the way large enterprises, especially those heavy with technology stacks, operate these days in what has become a very challenging environment for cybersecurity teams.

“They are using us to accelerate their delivery processes while staying safe,” Tancman said. “They have strict compliance departments and have to adhere to certain standards,” in terms of the protocols they take around security work, he added. “They want to leverage DevOps to release that.”

He said Rezilion has generally won over customers in large part for simply understanding that culture and process and helping them work better within that: “Companies become users of our product because we showed them that, at a fraction of the effort, they can be more secure.” This has special resonance in the world of tech, although financial services, and other verticals that essentially leverage technology as a significant foundation for how they operate, are also among the startup’s user base.

Down the line, Rezilion plans to add remediation and mitigation into the mix to further extend what it can do with its automation tools, which is part of where the funding will be going, too, Boutnaru said. But he doesn’t believe it will ever replace the human in the equation altogether.

“It will just focus them on the places where you need more human thinking,” he said. “We’re just removing the need for tedious work.”

In that grand tradition of enterprise automation, then, it will be interesting to watch which other automation-centric platforms might make a move into security alongside the other automation they are building. For now, Rezilion is forging out an interesting enough area for itself to get investors interested.

“Rezilion’s product suite is a game changer for security teams,” said Rusty Parks, senior MD of Guggenheim Investments, in a statement. “It creates a win-win, allowing companies to speed innovative products and features to market while enhancing their security posture. We believe Rezilion has created a truly compelling value proposition for security teams, one that greatly increases return on time while thoroughly protecting one’s core infrastructure.”


Atlassian is bringing new insights to its Jira Software Cloud

DevOps teams are generally trying to constantly improve themselves, so they can deliver software more quickly and reliably, but often they lack the insights needed to actually make that progress.

Atlassian is now offering users of its Jira Software Cloud platform a series of new capabilities that provide data-driven insights into the development process. Jira is a popular issue and project tracking technology and has included features that help developers and their teams to understand where they are in their workflow. 

The new insights go a step beyond what Jira has traditionally provided to its users, with specific insights into different aspects of an agile software development approach. The goal with the new insights is to help organizations better understand what they’re doing right and where development teams can improve, which ultimately results in improved overall efficiency.

“Data is everywhere, but at the same time the insights and the understanding of the actions that you can take are kind of nowhere,” Megan Cook, head of product for Jira Software told TechCrunch. “It’s hard to work smarter in that sense and that’s the big problem that we’re really looking at tackling.” 

Cook explained that development teams need access to metrics on their own progress, so they can make smarter data-driven decisions based on what’s happening in real time. She noted that one of the big shifts that Atlassian is now doing with Jira Cloud is bringing data from all the different development tracking tools together into one place where those teams can make decisions.

One example of the insights that Jira Cloud now provides to users is related to sprint commitments. In the agile software development approach, software is developed in what are known as “sprints” as developers race to complete a certain task. With the sprint commitment insight capability, the idea is to help teams understand what amount of work they can handle, based on past performance. The business goal is to help better understand if a team is over- or under-committing to a given sprint.

Another example is providing an issue type breakdown. Cook explained that the way each team can categorize issues can be very personalized. The categories can include different types of projects, such as whether a project is dealing with fixing bugs and technical debt, or if it’s an innovation or growth product, or just an incremental feature update. With the issue type breakdown insight there is a visualization to help teams better understand what types of issues and projects they are working on in a more intuitive approach than before. Cook explained that users could have identified the different issues before via a search functionality, but she emphasized the new insights approach is far easier.

Atlassian Jira Software Cloud issue type breakdown


In the coming weeks, Cook said that the company will be adding a few additional insights, including the sprint burndown insight. In the agile software development approach, the burndown is about figuring out what’s left to finish in a sprint. The sprint burndown insight will provide a visual indicator of how much work is left to be done as well as how likely it is that the work will be completed within an allocated amount of time.

Atlassian’s approach to enabling developer teams to work more efficiently is one of the primary values that the company has been building for years, and it has resulted in strong growth overall. Atlassian reported fourth-quarter fiscal 2021 revenue of $560 million, a 30% year-over-year gain, on the strength of its developer collaboration and management tools.


Monad emerges from stealth with $17M to solve the cybersecurity big data problem

Cloud security startup Monad, which offers a platform for extracting and connecting data from various security tools, has launched from stealth with $17 million in Series A funding led by Index Ventures. 

Monad was founded on the belief that enterprise cybersecurity is a growing data management challenge, as organizations try to understand and interpret the masses of information that are siloed within disconnected logs and databases. Once an organization has extracted data from its security tools, Monad’s Security Data Platform enables it to centralize that data within a data warehouse of choice, and normalize and enrich the data so that security teams have the insights they need to secure their systems and data effectively.

“Security is fundamentally a big data problem,” said Christian Almenar, CEO and co-founder of Monad. “Customers are often unable to access their security data in the streamlined manner that DevOps and cloud engineering teams need to build their apps quickly while also addressing their most pressing security and compliance challenges. We founded Monad to solve this security data challenge and liberate customers’ security data from siloed tools to make it accessible via any data warehouse of choice.”

The startup’s Series A funding round, which was also backed by Sequoia Capital, brings its total amount of investment raised to $19 million and comes 12 months after its Sequoia-led seed round. The funds will enable Monad to scale its development efforts for its security data cloud platform, the startup said.

Monad was founded in May 2020 by security veterans Christian Almenar and Jacolon Walker. Almenar previously co-founded serverless security startup Intrinsic which was acquired by VMware in 2019, while Walker served as CISO and security engineer at OpenDoor, Collective Health, and Palantir.


Sophos extends its spending spree with Refactr buy

Thoma Bravo-owned Sophos has announced its second takeover in as many weeks with the acquisition of Seattle-based DevSecOps startup Refactr.

Refactr was founded in 2017 and offers an automation platform that helps cybersecurity and DevOps teams to collaboratively operate. The platform, which is used by the non-profit Center for Internet Security and the U.S. Air Force’s Platform One, features a drag-and-drop low-code pipeline builder and DevOps-friendly features that encourage disparate teams to collaborate on the same agile workflow process, according to the company.

“Our mission is to enable DevSecOps to become the modern approach to automation, where cybersecurity use cases like Security Operation, Automation and Response (SOAR), Extended Detection and Response (XDR), compliance, cloud security, and Identity and Access Management (IAM) become building blocks for DevSecOps solutions,” said Michael Fraser, CEO and co-founder of Refactr.

The deal, the terms of which were not disclosed, will see Refactr’s entire team of developers and engineers join Sophos. While Sophos says it will continue to develop and offer Refactr’s DevSecOps automation platform to existing customers, it will also embed its SOAR capabilities into its own managed threat response (MTR) and XDR solutions.

“With Refactr, Sophos will fast track the integration of such advanced SOAR capabilities into our adaptive cybersecurity ecosystem, the basis for our XDR product and MTR service,” said Joe Levy, chief technology officer at Sophos.

Sophos’ acquisition of Refactr lands shortly after it announced plans to buy Braintrace, a cybersecurity startup that provides organizations visibility into suspicious network traffic patterns. Thoma Bravo completed its $3.9 billion takeover of Sophos in 2020 as the company continues to increase its reach in the cybersecurity space. Since then, the private equity firm has acquired security vendor Proofpoint for $12.3 billion and led a $225 million funding round in zero-trust unicorn Illumio.


True ‘shift left and extend right’ security requires empowered developers

DevOps is fundamentally about collaboration and agility. Unfortunately, when we add security and compliance to the picture, the message gets distorted.

The term “DevSecOps” has come into fashion the past few years with the intention of seamlessly integrating security and compliance into the DevOps framework. However, the reality is far from the ideal: Security tools have been bolted onto the existing DevOps process along with new layers of automation, and everyone’s calling it “DevSecOps.” This is a misguided approach that fails to embrace the principles of collaboration and agility.

Integrating security into DevOps to deliver DevSecOps demands changed mindsets, processes and technologies. Security and risk management leaders must adhere to the collaborative, agile nature of DevOps for security testing to be seamless in development, making the “Sec” in DevSecOps transparent. — Neil MacDonald, Gartner

In an ideal world, all developers would be trained and experienced in secure coding practices from front end to back end and be skilled in preventing everything from SQL injection to authorization framework exploits. Developers would also have all the information they need to make security-related decisions early in the design phase.

If a developer is working on a type of security control they haven’t worked on before, an organization should provide the appropriate training before there is a security issue.

Once again, the reality falls short of the ideal. While CI/CD automation has given developers ownership over the deployment of their code, those developers are still hampered by a lack of visibility into relevant information that would help them make better decisions before even sitting down to write code.

The entire concept of discovering and remediating vulnerabilities earlier in the development process is already, in some ways, out of date. A better approach is to provide developers with the information and training they need to prevent potential risks from becoming vulnerabilities in the first place.

Consider a developer that is assigned to add PII fields to an internet-facing API. The authorization controls in the cloud API gateway are critical to the security of the new feature. “Shifting left and extending right” doesn’t mean that a scanning tool or security architect should detect a security risk earlier in the process — it means that a developer should have all the context to prevent the vulnerability before it even happens. Continuous feedback is key to up-leveling the security knowledge of developers by orders of magnitude.


Blameless raises $30M to guide companies through their software lifecycle

Site reliability engineering platform Blameless announced Tuesday it raised $30 million in a Series B funding round, led by Third Point Ventures with participation from Accel, Decibel and Lightspeed Venture Partners, to bring total funding to over $50 million.

Site reliability engineering (SRE) is an extension of DevOps designed for more complex environments.

Blameless, based in San Mateo, California, emerged from stealth in 2019 after raising both a seed and Series A round, totaling $20 million. Since then, it has turned its business into a blossoming software platform.

Blameless’ platform provides the context, guardrails and automated workflows so engineering teams are unified in the way they communicate and interact, especially to resolve issues quicker as they build their software systems.

It originally worked with tech-forward teams at large companies, like Home Depot, that were “dipping [their toes] into the space and now [want] to double down,” co-founder and CEO Lyon Wong told TechCrunch.

The company still works with those tech-forward teams, but in the past two years, more companies sought out resident SRE architect Kurt Anderson to advise them, causing Blameless to change up its business approach, Wong said.

Other companies are also seeing a trend of customers asking for support — for example, in March, Google Cloud unveiled its Mission Critical Services support option for SRE to serve in a similar role as a consultant as companies move toward readiness with their systems. And in February, Nobl9 raised a $21 million Series B to provide enterprises with the tools they need to build service-level-objective-centric operations, which is part of a company’s SRE efforts.

Blameless now has interest from more mainstream companies in the areas of enterprise, logistics and healthcare. These companies aren’t necessarily focused on technology, but see a need for SRE.

“Companies recognize the shortfall in reliability, and then the question they come to us with is how do they get from where they are to where they want to be,” Anderson said. “Often companies that don’t have a process respond with ‘all hands on deck’ all the time, but instead need to shift to the right people responding.”

Lyon plans to use the new funding to fill key leadership roles and to support the company’s go-to-market strategy and product development, enabling the company to go after larger enterprises.

Blameless doubled its revenue in the last year and will expand to service all customer segments, adding small and emerging businesses to its roster of midmarket and large companies. The company also expects to double headcount in the next three quarters.

As part of the funding announcement, Third Point Ventures partner Dan Moskowitz will join Blameless’ board of directors with Wong, Accel partner Vas Natarajan and Lightspeed partner Ravi Mhatre.

“Freeing up engineering to focus on shipping code is exactly what Blameless achieves,” said Moskowitz in a written statement. “The Blameless market opportunity is big as we see teams struggle and resort to creating homegrown playbooks and point solutions that are incomplete and costly.”

 


DevOps platform JFrog acquires AI-based IoT and connected device security specialist Vdoo for $300M

JFrog, the company best known for a platform that helps developers continuously manage software delivery and updates, is making a deal to help it expand its presence and expertise in an area that has become increasingly connected to DevOps: security. The company is acquiring Vdoo, which has built an AI-based platform that can be used to detect and fix vulnerabilities in the software systems that work with and sit on IoT and connected devices. The deal — in a mix of cash and stock — is valued at approximately $300 million, JFrog confirmed to me.

Sunnyvale-based, Israeli-founded JFrog is publicly traded on Nasdaq, where it went public last September, and currently it has a market cap of $4.65 billion. Vdoo, meanwhile, had raised about $70 million from investors that include NTT, Dell, GGV and Verizon (disclaimer: Verizon owns TechCrunch), and when we covered its most recent funding round, we estimated that the valuation was somewhere between $100 million and $200 million, making this a decent return.

Shlomi Ben Haim, JFrog’s co-founder and CEO, said that his company’s turn to focusing deeper on security, and making this acquisition in particular to fill out that strategy, are a natural progression in its aim to build out an end-to-end platform for the DevOps team.

“When we started JFrog, the main challenge was to educate the market on what we saw as most important priorities when it comes to building, testing and deploying software,” he said. Then sometime around 2015-2016 he said they started to realize there was a “crack” in the system, “a crack called security.” InfoSec engineers and developers sometimes work at cross purposes: as “developers became too fast,” the work they were doing inadvertently led to a lot of security vulnerabilities.

JFrog has been building a number of tools since then to address that and to bring the collective priorities together, such as its XRay product. And indeed, Vdoo is not JFrog’s first foray into security, but it represents a significant step deeper into the hardware and systems that are being run on software. “It’s a very important leap forward,” Ben Haim said.

For its part, Vdoo was born out of a realization as well as a challenging mission: IoT and other connected devices — a universe of some 50 billion pieces of hardware as of last year — represent a massive security headache, and not just because of the volume of devices: each object uses and interacts with software in the cloud and so each instance represents a potential vulnerability, with zero-day vulnerabilities, CVEs, configuration and hardening issues, and standard incompliances among some of the most common.

While connected-device security up to now has typically focused on monitoring activity on the hardware, how data is moving in and out of it, Vdoo’s approach has been to build a platform that monitors the behavior of the devices themselves on top of that, using AI to compare that behavior to identify when something is not working as it should. Interestingly, this mirrors the kind of binary analysis that JFrog provides in its DevOps platform, making the two complementary to each other.

But what’s notable is that this will give JFrog a bigger play at the edge, since part of Vdoo’s platform works on devices themselves, “micro agents” as the company has described them to me previously, to detect and repair vulnerabilities on endpoints.

While JFrog has built a lot of its own business from the ground up, it has made a number of acquisitions to bolt on technology (one example: Shippable, which it used to bring continuous integration and delivery into its DevOps platform). In this case, Netanel Davidi, the co-founder and CEO of Vdoo (who previously co-founded and sold another security startup, Cyvera, to Palo Alto Networks) said that this was a good fit because the two companies are fundamentally taking the same approaches in their work (another synergy and justification for DevOps and InfoSec being more closely knitted together too I might add).

“In terms of the fit between the companies, it’s about our approach to binaries,” Davidi said in an interview, noting that the two being on the same page with this approach was fundamental to the deal. “That’s the only way to cover the entire pipeline from the very beginning, when they go you develop something, all the way to the device or to the server or to the application or to the mobile phone. That’s the only way to truly understand the context and contextual risk.”

He also made a note not just of the tech but of the talent that is coming on with the acquisition: 100 people joining JFrog’s 800.

“If JFrog chose to build something like this themselves, they could have done it,” he said. “But the uniqueness here is that we have built the best security team, the best security researchers, the best vulnerability researchers, the best reverse engineers, which focus not only on embedded systems, and IoT, which is considered to be the hardest thing to learn and to analyze, but also in software artifacts. We are bringing this knowledge along with us.”

JFrog said that Vdoo will continue to operate as a standalone SaaS product for the time being. Updates that are made will be in aid of supporting the JFrog platform and the two aim to have a fully integrated, “holistic” product by 2022.

Along with the deal, JFrog reiterated financial guidance for the next quarter that will end June 30, 2021. It expects revenues of $47.6 million to $48.6 million, with non-GAAP operating income of $0.5 million to $1.5 million and non-GAAP EPS of $0.00 to $0.01, assuming approximately 104 million weighted average diluted shares outstanding. For Full Year 2021, revenues are expected to be $198 million to $204 million, with non-GAAP operating income between $5 million and $7 million and an approximately 3% increase in weighted average diluted shares. JFrog anticipates consolidated operating expenses to increase by approximately $9-10 million for the remainder of 2021, subject to the acquisition closing.


GitLab acquires UnReview as it looks to bring more ML tools to its platform

DevOps platform GitLab today announced that it has acquired UnReview, a machine learning-based tool that helps software teams recommend the best reviewers for when developers want to check in their latest code. GitLab, which is looking to bring more of these machine learning capabilities to its platform, will integrate UnReview’s capabilities into its own code review workflow. The two companies did not disclose the price of the acquisition.

“Last year we decided that the future of DevOps includes ML/AI, both within the DevOps lifecycle as well as the growth of adoption of ML/AI with our customers,” David DeSanto, GitLab’s senior director, Product Management – Dev & Sec, told me. He noted that when GitLab recently surveyed its customers, 75% of the teams said they are already using AI/ML. The company started by adding a bot to the platform that can automatically label issues, which then led to the team meeting with UnReview and, finally, acquiring it.


“Our primary focus for the second half of this year in bringing on UnReview is to help automate the selection of code reviewers. It’s a very interesting problem to solve, even we at GitLab occasionally end up picking the wrong reviewers based off of what people know,” DeSanto noted.

GitLab launched its original code review components last year. As Wayne Haber, GitLab’s director of Engineering, noted, that was still a very manual process. Even with the new system, teams still retain full control over which reviewers will be assigned to a merge request, but the tool will automatically — and transparently — rank potential reviewers based on who the system believes is best suited to this task.

“I am grateful for the opportunity to share my passion for data science and machine learning with GitLab and its community,” said Alexander Chueshev, UnReview’s founder (and now a senior full stack engineer at GitLab). “I look forward to enhancing the user experience by playing a role in integrating UnReview into the GitLab platform and extending machine learning and artificial intelligence into additional DevOps stages in the future.”

DeSanto noted that GitLab now has quite a bit of experience in acquiring companies and integrating them into its stack. “We’re always looking to acquire strong teams and strong concepts that can help accelerate our roadmap or strategy or help the platform in general,” he said. “And you can see it over the last couple of years of acquisitions. When we were looking at extending what we did in security, we acquired two leaders in the security space to help build that portfolio out. And that’s fully integrated today. […] In the case of this, UnReview is doing something that we thought we may need to do in the future. They had already built it, they were able to show the value of it, and it became a good partnership between the two companies, which then led to this acquisition.”

One interesting wrinkle here is that GitLab offers both a hosted SaaS service and allows users to run their own on-premises systems as well. Running an ML service like UnReview on-premises isn’t necessarily something that most businesses are equipped to do, so at first, UnReview will be integrated with the SaaS service. The team is still looking at how to best bring it to its self-hosted user base, including a hybrid model.


Cycode raises $20M to secure DevOps pipelines

Israeli security startup Cycode, which specializes in helping enterprises secure their DevOps pipelines and prevent code tampering, today announced that it has raised a $20 million Series A funding round led by Insight Partners. Seed investor YL Ventures also participated in this round, which brings the total funding in the company to $24.6 million.

Cycode’s focus was squarely on securing source code in its early days, but thanks to the advent of infrastructure as code (IaC), policies as code and similar processes, it has expanded its scope. In this context, it’s worth noting that Cycode’s tools are language and use case agnostic. To its tools, code is code.

“This ‘everything as code’ notion creates an opportunity because the code repositories, they become a single source of truth of what the operation should look like and how everything should function,” Cycode CTO and co-founder Ronin Slavin told me. “So if we look at that and we understand it — the next phase is to verify this is indeed what’s happening, and then whenever something deviates from it, it’s probably something that you should look at and investigate.”

Cycode Dashboard

Cycode Dashboard. Image Credits: Cycode

The company’s service already provides the tools for managing code governance, leak detection, secret detection and access management. Recently it added features for securing code that defines a business’ infrastructure; looking ahead, the team plans to add features like drift detection, integrity monitoring and alert prioritization.

“Cycode is here to protect the entire CI/CD pipeline — the development infrastructure — from end to end, from code to cloud,” Cycode CEO and co-founder Lior Levy told me.

“If we look at the landscape today, we can say that existing solutions in the market are kind of siloed, just like the DevOps stages used to be,” Levy explained. “They don’t really see the bigger picture, they don’t look at the pipeline from a holistic perspective. Essentially, this is causing them to generate thousands of alerts, which amplifies the problem even further, because not only don’t you get a holistic view, but also the noise level that comes from those thousands of alerts causes a lot of valuable time to get wasted on chasing down some irrelevant issues.”

What Cycode wants to do then is to break down these silos and integrate the relevant data from across a company’s CI/CD infrastructure, starting with the source code itself, which ideally allows the company to anticipate issues early on in the software life cycle. To do so, Cycode can pull in data from services like GitHub, GitLab, Bitbucket and Jenkins (among others) and scan it for security issues. Later this year, the company plans to integrate data from third-party security tools like Snyk and Checkmarx as well.

“The problem of protecting CI/CD tools like GitHub, Jenkins and AWS is a gap for virtually every enterprise,” said Jon Rosenbaum, principal at Insight Partners, who will join Cycode’s board of directors. “Cycode secures CI/CD pipelines in an elegant, developer-centric manner. This positions the company to be a leader within the new breed of application security companies — those that are rapidly expanding the market with solutions which secure every release without sacrificing velocity.”

The company plans to use the new funding to accelerate its R&D efforts, and expand its sales and marketing teams. Levy and Slavin expect that the company will grow to about 65 employees this year, spread between the development team in Israel and its sales and marketing operations in the U.S.


Opsera raises $15M for its continuous DevOps orchestration platform

Opsera, a startup that’s building an orchestration platform for DevOps teams, today announced that it has raised a $15 million Series A funding round led by Felicis Ventures. New investor HMG Ventures, as well as existing investors Clear Ventures, Trinity Partners and Firebolt Ventures also participated in this round, which brings the company’s total funding to $19.3 million.

Founded in January 2020, Opsera lets developers provision their CI/CD tools through a single framework. Using this framework, they can then build and manage their pipelines for a variety of use cases, including their software delivery lifecycle, infrastructure as code and their SaaS application releases. With this, Opsera essentially aims to help teams set up and operate their various DevOps tools.

The company’s two co-founders, Chandra Ranganathan and Kumar Chivukula, originally met while working at Symantec a few years ago. Ranganathan then spent the last three years at Uber, where he ran that company’s global infrastructure. Meanwhile, Chivukula ran Symantec’s hybrid cloud services.


“As part of the transformation [at Symantec], we delivered over 50+ acquisitions over time. That had led to the use of many cloud platforms, many data centers,” Ranganathan explained. “Ultimately we had to consolidate them into a single enterprise cloud. That journey is what led us to the pain points of what led to Opsera. There were many engineering teams. They all had diverse tools and stacks that were all needed for their own use cases.”

The challenge then was to still give developers the flexibility to choose the right tools for their use cases, while also providing a mechanism for automation, visibility and governance — and that’s ultimately the problem Opsera now aims to solve.


“In the DevOps landscape, […] there is a plethora of tools, and a lot of people are writing the glue code,” Opsera co-founder Chivukula noted. “But then they’re not they don’t have visibility. At Opsera, our mission and goal is to bring order to the chaos. And the way we want to do this is by giving choice and flexibility to the users and provide no-code automation using a unified framework.”

Wesley Chan, a managing director for Felicis Ventures who will join the Opsera board, also noted that he believes that one of the next big areas for growth in DevOps is how orchestration and release management are handled.

“We spoke to a lot of startups who are all using black-box tools because they’ve built their engineering organization and their DevOps from scratch,” Chan said. “That’s fine, if you’re starting from scratch and you just hired a bunch of people outside of Google and they’re all very sophisticated. But then when you talk to some of the larger companies. […] You just have all these different teams and tools — and it gets unwieldy and complex.”

Unlike some other tools, Chan argues, Opsera allows its users the flexibility to interface with this wide variety of existing internal systems and tools for managing the software lifecycle and releases.

“This is why we got so interested in investing, because we just heard from all the folks that this is the right tool. There’s no way we’re throwing out a bunch of our internal stuff. This would just wreak havoc on our engineering team,” Chan explained. He believes that building with this wide existing ecosystem in mind — and integrating with it without forcing users onto a completely new platform — and its ability to reduce friction for these teams, is what will ultimately make Opsera successful.

Opsera plans to use the new funding to grow its engineering team and accelerate its go-to-market efforts.


Pulumi launches version 3.0 of its infrastructure-as-code platform

Pulumi was one of the first of what is now a growing number of infrastructure-as-code startups and today, at its developer conference, the company is launching version 3.0 of its cloud engineering platform. With 70 new features and about 1,000 improvements since version 2.0, this is Pulumi’s biggest release yet.

The new release includes features that range from support for Google Cloud as an infrastructure provider (now in preview) to a new Automation API that turns Pulumi into a library that can then be called from other applications. It basically allows developers to write tools that can, for example, provision and configure their own infrastructure for each customer of a SaaS application.

The company is also launching Pulumi Packages and Components for creating opinionated infrastructure building blocks that developers can then call up from their preferred languages.

Also new is support for Pulumi’s CI/CD Assistant across all the company’s paid plans. This feature makes it easier to deploy cloud infrastructure and applications through more than a dozen popular CI/CD platforms, including the likes of AWS Code Service, Azure DevOps, CircleCI, GitLab CI, Google Cloud Build, Jenkins, Travis CI and Spinnaker. Until now, you needed to be on a Team Pro or Enterprise plan to use this, but it’s now available to all paying users.

In addition, the company is expanding some of its enterprise features with, for example, SAML SSO, SCIM synchronization and new role types.

“When we started out on Pulumi, we knew we wanted to enable developers and infrastructure teams to collaborate more closely to build more innovative software,” said Joe Duffy, Pulumi co-founder and CEO. “What we didn’t know yet is that we’d end up calling this ‘Cloud Engineering,’ that our customers would call it that too, and that they would go on this journey with us. We are now centering our entire platform around this core idea which is now accelerating as the modern cloud continues to disrupt entire business models. Pulumi 3.0 is an exciting milestone in realizing this vision of the future — democratizing access to the cloud and helping teams build better software together — with much more to come.”


NLPCloud.io helps devs add language processing smarts to their apps

While visual ‘no code’ tools are helping businesses get more out of computing without the need for armies of in-house techies to configure software on behalf of other staff, access to the most powerful tech tools — at the ‘deep tech’ AI coal face — still requires some expert help (and/or costly in-house expertise).

This is where bootstrapping French startup, NLPCloud.io, is plying a trade in MLOps/AIOps — or ‘compute platform as a service’ (being as it runs the queries on its own servers) — with a focus on natural language processing (NLP), as its name suggests.

Developments in artificial intelligence have, in recent years, led to impressive advances in the field of NLP — a technology that can help businesses scale their capacity to intelligently grapple with all sorts of communications by automating tasks like Named Entity Recognition, sentiment-analysis, text classification, summarization, question answering, and Part-Of-Speech tagging, freeing up (human) staff to focus on more complex/nuanced work. (Although it’s worth emphasizing that the bulk of NLP research has focused on the English language — meaning that’s where this tech is most mature; so associated AI advances are not universally distributed.)

Production ready (pre-trained) NLP models for English are readily available ‘out of the box’. There are also dedicated open source frameworks offering help with training models. But businesses wanting to tap into NLP still need to have the DevOps resource and chops to implement NLP models.

NLPCloud.io is catering to businesses that don’t feel up to the implementation challenge themselves — offering “production-ready NLP API” with the promise of “no DevOps required”.

Its API is based on Hugging Face and spaCy open-source models. Customers can either choose to use ready-to-use pre-trained models (it selects the “best” open source models; it does not build its own); or they can upload custom models developed internally by their own data scientists — which it says is a point of differentiation vs SaaS services such as Google Natural Language (which uses Google’s ML models) or Amazon Comprehend and Monkey Learn.

NLPCloud.io says it wants to democratize NLP by helping developers and data scientists deliver these projects “in no time and at a fair price”. (It has a tiered pricing model based on requests per minute, which starts at $39pm and ranges up to $1,199pm, at the enterprise end, for one custom model running on a GPU. It does also offer a free tier so users can test models at low request velocity without incurring a charge.)

“The idea came from the fact that, as a software engineer, I saw many AI projects fail because of the deployment to production phase,” says sole founder and CTO Julien Salinas. “Companies often focus on building accurate and fast AI models but today more and more excellent open-source models are available and are doing an excellent job… so the toughest challenge now is being able to efficiently use these models in production. It takes AI skills, DevOps skills, programming skill… which is why it’s a challenge for so many companies, and which is why I decided to launch NLPCloud.io.”

The platform launched in January 2021 and now has around 500 users, including 30 who are paying for the service. The startup, which is based in Grenoble, in the French Alps, is a team of three for now, plus a couple of independent contractors. (Salinas says he plans to hire five people by the end of the year.)

“Most of our users are tech startups but we also start having a couple of bigger companies,” he tells TechCrunch. “The biggest demand I’m seeing is both from software engineers and data scientists. Sometimes it’s from teams who have data science skills but don’t have DevOps skills (or don’t want to spend time on this). Sometimes it’s from tech teams who want to leverage NLP out-of-the-box without hiring a whole data science team.”

“We have very diverse customers, from solo startup founders to bigger companies like BBVA, Mintel, Senuto… in all sorts of sectors (banking, public relations, market research),” he adds.

Use cases of its customers include lead generation from unstructured text (such as web pages), via named entities extraction; and sorting support tickets based on urgency by conducting sentiment analysis.

Content marketers are also using its platform for headline generation (via summarization). Text classification capabilities, meanwhile, are being used for economic intelligence and financial data extraction, per Salinas.

He says his own experience as a CTO and software engineer working on NLP projects at a number of tech companies led him to spot an opportunity in the challenge of AI implementation.

“I realized that it was quite easy to build acceptable NLP models thanks to great open-source frameworks like spaCy and Hugging Face Transformers but then I found it quite hard to use these models in production,” he explains. “It takes programming skills in order to develop an API, strong DevOps skills in order to build a robust and fast infrastructure to serve NLP models (AI models in general consume a lot of resources), and also data science skills of course.

“I tried to look for ready-to-use cloud solutions in order to save weeks of work but I couldn’t find anything satisfactory. My intuition was that such a platform would help tech teams save a lot of time, sometimes months of work for the teams who don’t have strong DevOps profiles.”

“NLP has been around for decades but until recently it took whole teams of data scientists to build acceptable NLP models. For a couple of years, we’ve made amazing progress in terms of accuracy and speed of the NLP models. More and more experts who have been working in the NLP field for decades agree that NLP is becoming a ‘commodity’,” he goes on. “Frameworks like spaCy make it extremely simple for developers to leverage NLP models without having advanced data science knowledge. And Hugging Face’s open-source repository for NLP models is also a great step in this direction.

“But having these models run in production is still hard, and maybe even harder than before as these brand new models are very demanding in terms of resources.”

The models NLPCloud.io offers are picked for performance — where “best” means it has “the best compromise between accuracy and speed”. Salinas also says they are paying mind to context, given NLP can be used for diverse use cases — hence proposing a number of models so as to be able to adapt to a given use.

“Initially we started with models dedicated to entities extraction only but most of our first customers also asked for other use cases too, so we started adding other models,” he notes, adding that they will continue to add more models from the two chosen frameworks — “in order to cover more use cases, and more languages”.

SpaCy and Hugging Face, meanwhile, were chosen to be the source for the models offered via its API based on their track record as companies, the NLP libraries they offer and their focus on production-ready frameworks — with the combination allowing NLPCloud.io to offer a selection of models that are fast and accurate, working within the bounds of respective trade-offs, according to Salinas.

“SpaCy is developed by a solid company in Germany called Explosion.ai. This library has become one of the most used NLP libraries among companies who want to leverage NLP in production ‘for real’ (as opposed to academic research only). The reason is that it is very fast, has great accuracy in most scenarios, and is an ‘opinionated’ framework which makes it very simple to use by non-data scientists (the tradeoff is that it gives less customization possibilities),” he says.

“Hugging Face is an even more solid company that recently raised $40M for a good reason: They created a disruptive NLP library called ‘transformers’ that improves a lot the accuracy of NLP models (the tradeoff is that it is very resource intensive though). It gives the opportunity to cover more use cases like sentiment analysis, classification, summarization… In addition to that, they created an open-source repository where it is easy to select the best model you need for your use case.”

While AI is advancing at a clip within certain tracks — such as NLP for English — there are still caveats and potential pitfalls attached to automating language processing and analysis, with the risk of getting stuff wrong or worse. AI models trained on human-generated data have, for example, been shown reflecting embedded biases and prejudices of the people who produced the underlying data.

Salinas agrees NLP can sometimes face “concerning bias issues”, such as racism and misogyny. But he expresses confidence in the models they’ve selected.

“Most of the time it seems [bias in NLP] is due to the underlying data used to train the models. It shows we should be more careful about the origin of this data,” he says. “In my opinion the best solution in order to mitigate this is that the community of NLP users should actively report something inappropriate when using a specific model so that this model can be paused and fixed.”

“Even if we doubt that such a bias exists in the models we’re proposing, we do encourage our users to report such problems to us so we can take measures,” he adds.

Testing platform Tricentis acquires performance testing service Neotys

If you develop software for a large enterprise company, chances are you’ve heard of Tricentis. If you don’t develop software for a large enterprise company, chances are you haven’t. The software testing company with a focus on modern cloud and enterprise applications was founded in Austria in 2007 and grew from a small consulting firm to a major player in this field, with customers like Allianz, BMW, Starbucks, Deutsche Bank, Toyota and UBS. In 2017, the company raised a $165 million Series B round led by Insight Venture Partners.

Today, Tricentis announced that it has acquired Neotys, a popular performance testing service with a focus on modern enterprise applications and a tests-as-code philosophy. The two companies did not disclose the price of the acquisition. France-based Neotys launched in 2005 and raised about €3 million before the acquisition. Today, it has about 600 customers for its NeoLoad platform. These include BNP Paribas, Dell, Lufthansa, McKesson and TechCrunch’s own corporate parent, Verizon.

As Tricentis CEO Sandeep Johri noted, testing tools were traditionally script-based, which also meant they were very fragile whenever an application changed. Early on, Tricentis introduced a low-code tool that made the automation process both easier and more resilient. Now, as even traditional enterprises move to DevOps and release code at a faster speed than ever before, testing is becoming both more important and harder for these companies to implement.

“You have to have automation and you cannot have it be fragile, where it breaks, because then you spend as much time fixing the automation as you do testing the software,” Johri said. “Our core differentiator was the fact that we were a low-code, model-based automation engine. That’s what allowed us to go from $6 million in recurring revenue eight years ago to $200 million this year.”

Tricentis, he added, wants to be the testing platform of choice for large enterprises. “We want to make sure we do everything that a customer would need, from a testing perspective, end to end. Automation, test management, test data, test case design,” he said.

The acquisition of Neotys allows the company to expand this portfolio by adding load and performance testing as well. It’s one thing to do the standard kind of functional testing that Tricentis already did before launching an update, but once an application goes into production, load and performance testing becomes critical as well.

“Before you put it into production — or before you deploy it — you need to make sure that your application not only works as you expect it, you need to make sure that it can handle the workload and that it has acceptable performance,” Johri noted. “That’s where load and performance testing comes in and that’s why we acquired Neotys. We have some capability there, but that was primarily focused on the developers. But we needed something that would allow us to do end-to-end performance testing and load testing.”

The two companies already had an existing partnership and had integrated their tools before the acquisition — and many of its customers were already using both tools, too.

“We are looking forward to joining Tricentis, the industry leader in continuous testing,” said Thibaud Bussière, president and co-founder at Neotys. “Today’s Agile and DevOps teams are looking for ways to be more strategic and eliminate manual tasks and implement automated solutions to work more efficiently and effectively. As part of Tricentis, we’ll be able to eliminate laborious testing tasks to allow teams to focus on high-value analysis and performance engineering.”

NeoLoad will continue to exist as a stand-alone product, but users will likely see deeper integrations with Tricentis’ existing tools over time, including Tricentis Analytics, for example.

Johri tells me that he considers Tricentis one of the “best kept secrets in Silicon Valley” because the company not only started out in Europe (even though its headquarters is now in Silicon Valley) but also because it hasn’t raised a lot of venture rounds over the years. But that’s very much in line with Johri’s philosophy of building a company.

“A lot of Silicon Valley tends to pay attention only when you raise money,” he told me. “I actually think every time you raise money, you’re diluting yourself and everybody else. So if you can succeed without raising too much money, that’s the best thing. We feel pretty good that we have been very capital efficient and now we’re recognized as a leader in the category — which is a huge category with $30 billion spend in the category. So we’re feeling pretty good about it.”


Sources: Palo Alto Networks acquired DevOps security startup Bridgecrew for around $200M

The pandemic and the world’s big shift to doing (even) more online has put an unprecedented amount of pressure on cybersecurity. Now, it looks like one of the big public players in that space, Palo Alto Networks, has made an acquisition that will help it address that challenge, specifically with security tools designed for those working in DevOps to handle vast volumes of security data more efficiently.

According to our sources and reports, the company is acquiring Bridgecrew, a startup out of Israel that automates the process of network monitoring and security remediation by translating the feedback into code. Its tools are used by fast-scaling, internet-based businesses like Robinhood, BetterHelp and OneMain Financial.

The acquisition was first rumored earlier this month in Israeli press as a deal worth more than $100 million. Two sources confirmed the talks to us at the time but said the deal had not yet been closed. Then, a report this morning in Israel’s Calcalist said the acquisition is now valued at around $200 million, possibly more if you count earn-outs.

Sources close to the startup’s investors confirm to us that the papers have indeed now been signed on the deal, so expect an official announcement soon.

Spokespeople for both companies previously declined to comment on any deal when we asked earlier this month. We are reaching out to both again.

A $200 million price tag would represent a strong return for Bridgecrew and its investors.

The startup, backed by the likes of Battery Ventures, Operator Partners and more than a dozen others, has only raised around $18 million, including a Series A of $14 million last year. According to PitchBook data, Bridgecrew had a valuation of about $40 million at the time of that last round.

Cybersecurity — specifically the need for better and more sophisticated solutions in the face of an increasing number of breaches in an ever-growing threat landscape — has seen an increasing focus for years. Indeed, it’s one of the rising tides that has lifted Palo Alto Networks’ boat.

But in the last year, the Covid-19 pandemic has brought more attention to cybersecurity and the need for more automation in it than ever before.

The reason is fairly obvious but is worth repeating: as more organizations migrate operations into distributed, digital-only, cloud-based environments, architectures have become more fragmented, complex and simply bigger and more of an exploitation target.

That’s presented a challenge for those provisioning security for these operations, and that has led to a new wave of companies over the last several years building automated solutions, merging DevOps with security monitoring.

“We founded Bridgecrew because we saw that there was a huge bottleneck in security engineering, in DevSecOps, and how engineers were running cloud infrastructure security,” Bridgecrew CEO and co-founder Idan Tendler told TechCrunch last year. Others in this wider space include PortShift (which was acquired by Cisco last year), Tines and many others.

Palo Alto Networks has also been building its own tools for DevOps security, namely with Prisma, which it introduced in 2019 and updated last year.

It’s not clear why Palo Alto would choose to supplement that with an outside acquisition, but it’s notable that Bridgecrew focuses on DevOps security specifically and it has seen a lot of traction in that area.

Its sweet spot appears to be customers who are building huge businesses themselves on cloud infrastructure and are using automation as part of bigger efforts to ensure better cybersecurity practices.

It counts customers like Databricks for its flagship Bridgecrew platform product, which provides security scanning and remediation in the form of code across a wide range of infrastructure environments. The company recently said that its customer base and monthly sign ups both tripled in the second half of last year.

It has also seen a lot of pick-up of Checkov, its open source infrastructure-as-code (IaC) scanner that it says works across cloud infrastructure in Terraform, CloudFormation, Kubernetes, ARM templates or Serverless Framework to detect misconfigurations.

Checkov passed a milestone of 1 million downloads last quarter, speaking to the company’s reputation and traction with the very customers that Palo Alto is looking to reach.

Notably, Bridgecrew says it’s working on other open source projects, so that could also be a focus for Palo Alto here.

Another takeaway from this news is how Israel continues to be fertile ground for hatching and growing cybersecurity businesses.

“Palo Alto Networks was established by Israeli founders, and Bridgecrew will be the seventh Israeli cybersecurity company acquired by Palo Alto in recent years,” said Avihai Michaeli, a Tel Aviv-based senior investment banker and startup advisor.

We will update this story as we learn more.


GitLab raises $195M in secondary funding on $6B valuation

GitLab has confirmed with TechCrunch that it raised a $195 million secondary round on a $6 billion valuation. CNBC broke the story earlier today.

The company’s impressive valuation comes after its most recent 2019 Series E in which it raised $268 million on a $2.75 billion valuation, an increase of $3.25 billion in under 18 months. Company co-founder and CEO Sid Sijbrandij believes the increase is due to his company’s progress adding functionality to the platform.

“We believe the increase in valuation over the past year reflects the progress of our complete DevOps platform towards realizing a greater share of the growing, multi-billion dollar software development market,” he told TechCrunch.

While the startup has raised over $434 million, this round involved buying employee stock options, a move that allows the company’s workers to cash in some of their equity prior to going public. CNBC reported that the firms buying the stock included Alta Park, HMI Capital, OMERS Growth Equity, TCV and Verition.

The next logical step would appear to be an IPO, something the company has never shied away from. In fact, at one point it included the proposed date of November 18, 2020 as a target IPO date on the company wiki. While they didn’t quite make that goal, Sijbrandij still sees the company going public at some point. He’s just not being as specific as in the past, suggesting that the company has plenty of runway left from the last funding round and can go public when the timing is right.

“We continue to believe that being a public company is an integral part of realizing our mission. As a public company, GitLab would benefit from enhanced brand awareness, access to capital, shareholder liquidity, autonomy and transparency,” he said.

He added, “That said, we want to maximize the outcome by selecting an opportune time. Our most recent capital raise was in 2019 and contributed to an already healthy balance sheet. A strong balance sheet and business model enables us to select a period that works best for realizing our long-term goals.”

GitLab has not only published IPO goals on its Wiki, but its entire company philosophy, goals and OKRs for everyone to see. Sijbrandij told TechCrunch’s Alex Wilhelm at a TechCrunch Disrupt panel in September that he believes that transparency helps attract and keep employees. It doesn’t hurt that the company was and remains a fully remote organization, even pre-COVID.

“We started [this level of] transparency to connect with the wider community around GitLab, but it turned out to be super beneficial for attracting great talent as well,” Sijbrandij told Wilhelm in September.

The company, which launched in 2014, offers a DevOps platform to help move applications through the programming lifecycle.


3 questions to ask before adopting microservice architecture

As a product manager, I’m a true believer that you can solve any problem with the right product and process, even one as gnarly as the multiheaded hydra that is microservice overhead.

Working for Vertex Ventures US this summer was my chance to put this to the test. After interviewing 30+ industry experts from a diverse set of companies — Facebook, Fannie Mae, Confluent, Salesforce and more — and hosting a webinar with the co-founders of PagerDuty, LaunchDarkly and OpsLevel, we were able to answer three main questions:

  1. How do teams adopt microservices?
  2. What are the main challenges organizations face?
  3. Which strategies, processes and tools do companies use to overcome these challenges?

How do teams adopt microservices?

Out of dozens of companies we spoke with, only two had not yet started their journey to microservices, but both were actively considering it. Industry trends mirror this as well. In an O’Reilly survey of 1500+ respondents, more than 75% had started to adopt microservices.

It’s rare for companies to start building with microservices from the ground up. Of the companies we spoke with, only one had done so. Some startups, such as LaunchDarkly, planned to build their infrastructure using microservices, but turned to a monolith once they realized the high cost of overhead.

“We were spending more time effectively building and operating a system for distributed systems versus actually building our own services so we pulled back hard,” said John Kodumal, CTO and co-founder of LaunchDarkly.

“As an example, the things we were trying to do in mesosphere, they were impossible,” he said. “We couldn’t do any logging. Zero downtime deploys were impossible. There were so many bugs in the infrastructure and we were spending so much time debugging the basic things that we weren’t building our own service.”

As a result, it’s more common for companies to start with a monolith and move to microservices to scale their infrastructure with their organization. Once a company reaches ~30 developers, most begin decentralizing control by moving to a microservice architecture.


Large companies with established monoliths are keen to move to microservices, but costs are high and the transition can take years. Atlassian’s platform infrastructure is in microservices, but legacy monoliths in Jira and Confluence persist despite ongoing decomposition efforts. Large companies often get stuck in this transition. However, a strong, top-down strategy combined with bottom-up dev team support can help companies, such as Freddie Mac, make substantial progress.

Some startups, like Instacart, first shifted to a modular monolith that allows the code to reside in a single repository while beginning the process of distributing ownership of discrete code functions to relevant teams. This enables them to mitigate the overhead associated with a microservice architecture by balancing the visibility of having a centralized repository and release pipeline with the flexibility of discrete ownership over portions of the codebase.

What challenges do teams face?

Teams may take different routes to arrive at a microservice architecture, but they tend to face a common set of challenges once they get there. John Laban, CEO and co-founder of OpsLevel, which helps teams build and manage microservices, told us that “with a distributed or microservices based architecture your teams benefit from being able to move independently from each other, but there are some gotchas to look out for.”

Indeed, the linked O’Reilly chart shows how the top 10 challenges organizations face when adopting microservices are shared by 25%+ of respondents. While we discussed some of the adoption blockers above, feedback from our interviews highlighted issues around managing complexity.

The lack of a coherent definition for a service can cause teams to generate unnecessary overhead by creating too many similar services or spreading related services across different groups. One company we spoke with went down the path of decomposing their monolith and took it too far. Their service definitions were too narrow, and by the time decomposition was complete, they were left with 4,000+ microservices to manage. They then had to backtrack and consolidate down to a more manageable number.

Defining too many services creates unnecessary organizational and technical silos while increasing complexity and overhead. Logging and monitoring must be present on each service, but with ownership spread across different teams, a lack of standardized tooling can create observability headaches. It’s challenging for teams to get a single-pane-of-glass view with too many different interacting systems and services that span the entire architecture.


Atlassian brings new DevOps metrics to Jira

Atlassian is launching an update to its ubiquitous Jira issue and project tracking service today — and specifically the Jira Software Cloud version — that brings a number of new features for visualizing and measuring how code moves through the development pipeline. With this, project managers and developers will be able to get deeper insights into the code teams are working on, for example, and where that code is in the deployment pipeline. Users of Jira Software Premium will also be able to track deployment frequency and cycle times right inside of the service now, too.

“In the quest to reach that near-mythical land of ‘insights,’ many teams mistake consolidation for control. But the challenge is not the number of tools; it’s the way they’re integrated,” the Jira team writes in today’s announcement. “No single vendor will ever deliver all the products an agile software team needs, so the burden still lies on the team to manually connect the dots.”


This update, Atlassian argues, helps those teams do just that. For most teams, Jira is already the central repository where each piece of work is documented in some form or another, after all. Some of that work happens in Atlassian tools, but most of it happens in the context of third-party services. The idea here is to pull all of this DevOps work together and provide more visibility and insights into the state of a company’s development pipeline.

Specifically, there are four different updates here. The first is ‘code in Jira,’ which may sound like you can now code inside of Jira, but in reality, it’s about seeing which repos in Bitbucket, GitHub, GitLab or Git Integration for Jira are currently actively worked on. With the new ‘deployments’ feature, users can now get a real-time view of all of their deployment information across CI/CD services like Bitbucket Pipelines, Jenkins, Azure DevOps, Circle CI, Octopus Deploy and JFrog.


“Whether you’re a product manager looking to see which features have deployed to which environment or a team lead looking to understand the average time it takes for your team to go from idea to production within a certain project, you’ll find your answer in the Deployments in Jira tab,” the company explains.

The last two features, only available in the pricier and more enterprisey Jira Software Premium, will soon provide more in-depth metrics about deployment frequency and cycle times. The idea here is simply to provide more metrics to help teams better understand trends and identify outliers in their processes.


AWS announces DevOps Guru to find operational issues automatically

At AWS re:Invent today, Andy Jassy announced DevOps Guru, a new tool for DevOps teams to help the operations side find issues that could be having an impact on an application’s performance. Consider it the sibling of CodeGuru, the service the company announced last year to find issues in your code before you deploy.

It works in a similar fashion using machine learning to find issues on the operations side of the equation. “I’m excited to launch a new service today called Amazon DevOps Guru, which is a new service that uses machine learning to identify operational issues long before they impact customers,” Jassy said today.

The way it works is that it collects and analyzes data from application metrics, logs, and events “to identify behavior that deviates from normal operational patterns,” the company explained in the blog post announcing the new service.

This service essentially gives AWS a product that would be competing with companies like Sumo Logic, DataDog or Splunk by providing deep operational insight on problems that could be having an impact on your application such as misconfigurations or resources that are over capacity.

When it finds a problem, the service can send an SMS, Slack message or other communication to the team and provides recommendations on how to fix the problem as quickly as possible.

What’s more, you pay for the data analyzed by the service, rather than a monthly fee. The company says this means that there is no upfront cost or commitment involved.


OpsLevel raises $5M to fix DevOps

The term ‘DevOps’ has been rendered meaningless and developers still don’t have access to the right tools to put the overall idea into practice, the team behind DevOps startup OpsLevel argues. The company, which was co-founded by John Laban and Kenneth Rose, two of PagerDuty’s earliest employees, today announced that it has raised a $5 million seed funding round, led by Vertex Ventures. S28 Capital, Webb Investment Network and Union Capital also participated in this round, as well as a number of angels, including the three co-founders of PagerDuty.

“[PagerDuty] was an important part of the DevOps movement. Getting engineers on call was really important for DevOps, but on-call and getting paged about incidents and things, it’s very reactive in nature. It’s all about fixing incidents as quickly as possible. Ken [Rose] and I saw an opportunity to help companies take a more proactive stance. Nobody really wants to have any downtime or any security breaches in the first place. They want to prevent them before they happen.”


With that mission in mind, the team set out to bring engineering organizations back to the roots of DevOps by giving those teams ownership over their services and creating what Rose called a “you build it, you own it” culture. Service ownership, he noted, is something the team regularly sees companies struggle with. When teams move to microservices or even serverless architectures for their systems, it quickly becomes unclear who owns what and as a result, you end up with orphaned services that nobody is maintaining. The natural result of that is security and reliability issues. And at the same time, because nobody knows which systems already exist, other teams reinvent the wheel and rebuild the same service to solve their own problems.

“We’ve underinvested in tools to make DevOps actually work,” the team says in today’s announcement. “There’s a lot we still need to build to help engineering teams adopt service ownership and unlock the full power of DevOps.”

So at the core of OpsLevel is what the team calls a “service ownership platform,” starting with a catalog of the services that an engineering organization is currently running.


“What we’re trying to do is take back the meaning of DevOps,” said Laban. “We believe it’s been rendered meaningless and we wanted to refocus it on service ownership. We’re going to be investing heavily on building out our product, and then working with our customers to get them to really own their services and get really down to solving that problem.”

Among the companies OpsLevel is already working with are Segment, Zapier, Convoy and Under Armour. As the team noted, its service becomes most useful once a company runs somewhere around 20 or 30 different services. Before that, a wiki or spreadsheet is often enough to manage them, but at that point, those systems tend to break.

OpsLevel gives them different onramps to start cataloging their services. If they prefer to use a ‘config-as-code’ approach, they can use those YAML files as part of their existing Git workflows. But OpsLevel offers APIs that teams can plug into their various systems if they already have existing service creating workflows.

The company’s funding round closed in late September. The pandemic, the team said, didn’t really hinder its fundraising efforts, something I’ve lately heard from a lot of companies (though the ones I talk to obviously tend to be the ones that recently raised money).

“The reason why [we raised] is because we wanted to really invest in building out our product,” Laban said. “We’ve been getting this traction with our customers and we really wanted to double down and build out a lot of product and invest into our go-to-market team as well and really wanted to accelerate things.”


Arrikto raises $10M for its MLOps platform

Arrikto, a startup that wants to speed up the machine learning development lifecycle by allowing engineers and data scientists to treat data like code, is coming out of stealth today and announcing a $10 million Series A round. The round was led by Unusual Ventures, with Unusual’s John Vrionis joining the board.

“Our technology at Arrikto helps companies overcome the complexities of implementing and managing machine learning applications,” Arrikto CEO and co-founder Constantinos Venetsanopoulos explained. “We make it super easy to set up end-to-end machine learning pipelines. More specifically, we make it easy to build, train, deploy ML models into production using Kubernetes and intelligently manage all the data around it.”

Like so many developer-centric platforms today, Arrikto is all about “shift left.” Currently, the team argues, machine learning teams and developer teams don’t speak the same language and use different tools to build models and to put them into production.


“Much like DevOps shifted deployment left, to developers in the software development life cycle, Arrikto shifts deployment left to data scientists in the machine learning life cycle,” Venetsanopoulos explained.

Arrikto also aims to reduce the technical barriers that still make implementing machine learning so difficult for most enterprises. Venetsanopoulos noted that just like Kubernetes showed businesses what a simple and scalable infrastructure could look like, Arrikto can show them what a simpler ML production pipeline can look like — and do so in a Kubernetes-native way.


At the core of Arrikto is Kubeflow, the Google-incubated open-source machine learning toolkit for Kubernetes — and in many ways, you can think of Arrikto as offering an enterprise-ready version of Kubeflow. Among other projects, the team also built MiniKF to run Kubeflow on a laptop and uses Kale, which lets engineers build Kubeflow pipelines from their JupyterLab notebooks.

As Venetsanopoulos noted, Arrikto’s technology does three things: it simplifies deploying and managing Kubeflow, allows data scientists to manage it using the tools they already know, and it creates a portable environment for data science that enables data versioning and data sharing across teams and clouds.

While Arrikto has stayed off the radar since it launched out of Athens, Greece in 2015, the founding team of Venetsanopoulos and CTO Vangelis Koukis already managed to get a number of large enterprises to adopt its platform. Arrikto currently has more than 100 customers and, while the company isn’t allowed to name any of them just yet, Venetsanopoulos said they include one of the largest oil and gas companies, for example.

And while you may not think of Athens as a startup hub, Venetsanopoulos argues that this is changing and there is a lot of talent there (though the company is also using the funding to build out its sales and marketing team in Silicon Valley). “There’s top-notch talent from top-notch universities that’s still untapped. It’s like we have an unfair advantage,” he said.

“We see a strong market opportunity as enterprises seek to leverage cloud-native solutions to unlock the benefits of machine learning,” Unusual’s Vrionis said. “Arrikto has taken an innovative and holistic approach to MLOps across the entire data, model and code lifecycle. Data scientists will be empowered to accelerate time to market through increased automation and collaboration without requiring engineering teams.”



Salto raises $27M to let you configure your SaaS platforms with code

Salto, a Tel Aviv-based open-source startup that allows you to configure SaaS platforms like Salesforce, NetSuite and HubSpot with code, is coming out of stealth today and announced that it has raised a $27 million Series A round. This round was led by Bessemer Venture Partners, Lightspeed Venture Partners and Salesforce Ventures.

The general idea here — which is similar to the ‘infrastructure-as-code’ movement — is to allow business operations teams to automate the labor-intensive and error-prone ways they currently use to manage SaaS platforms. While others in this space are betting on no-code solutions for managing these systems, Salto is going the other way and is betting on code instead.

“We realized the challenges BizOps teams face are very similar to the problems encountered by software and DevOps engineers on a daily basis,” writes Salto co-founder and CEO Rami Tamir in today’s announcement. “So we adapted software development fundamentals and best practices to the BizOps field. There’s no need to reinvent the wheel; the same techniques used to make high-quality software can also be applied to keeping control over business applications.”


Salto makes the core of its service available as open source. This open-source version includes the company’s NaCI language, a declarative configuration language based on the syntax of HashiCorp’s hcl, a command-line interface for deploying configuration changes (and fetching the current configuration state of an application) and a VS Code extension.

In combination with Git, business operations teams can collaborate on writing these configurations and test them in staging environments. The company is essentially taking modern software development practices and applying them to business operations.


“Defining a company’s business logic as code can make a fundamental change in the way business applications are delivered,” writes Tamir. “We like to think about it as ‘company-as-code,’ much in the same way as ‘infrastructure-as-code’ transformed the way we manage data centers.”

Some of the use cases here are configuring custom Salesforce CPQ fields, syncing profiles across Salesforce environments and maintaining audio logs for NetSuite. For now, the company only supports connections to Salesforce, HubSpot and NetSuite, with others following soon.

Like other open-source companies, Salto’s business model involves selling a hosted version of its service, which the company is also announcing today.

In terms of raising this new round, it surely helped that the founding team, which includes Benny Schnaider and Gil Hoffer, in addition to Tamir, previously sold the three companies they founded. Pentacom was acquired by Cisco earlier this year; Oracle acquired Ravello Systems in 2016 and Qumranet was acquired by Red Hat in 2008.

“Business agility is more important than ever today, and the alignment of external business services to real business needs is increasing in strategic importance,” said Alex Kayyal, Partner and Head of International at Salesforce Ventures. “BizOps teams are becoming more and more crucial to the success of companies. With Salto they are empowered to meet the tasks they are charged with, equipped with modernized methodologies and a greatly enhanced toolbox.”


Render raises $4.5M for its DevOps platform

Render, the winner of our Disrupt SF 2019 Startup Battlefield, today announced that it has added another $4.5 million onto its existing seed funding round, bringing total investment into the company to $6.75 million.

The round was led by General Catalyst, with participation from previous investors South Park Commons Fund and a group of angels that includes Lee Fixel, Elad Gil and GitHub CTO (and former VP of Engineering at Heroku) Jason Warner.

The company, which describes itself as a ‘Zero DevOps alternative to AWS, Azure and Google Cloud,’ originally raised a $2.25 million seed round in April 2019, but it got a lot of inbound interest after winning the Disrupt Battlefield. In the end, though, the team decided to simply raise more money from its existing investors.

Current Render users include Cypress.io, Mux, Bloomscape, Zelos, 99designs and Stripe.

“We spoke to a bunch of people after Disrupt, including Ashton Kutcher’s firm, because he was one of the judges,” Render co-founder and CEO Anurag Goel explained. “In the end, we decided that we would just raise more money from our existing investors because we like them and it helped us get a better deal from our existing investors. And they were all super interested in continuing to invest.”

What makes Render stand out is that it fulfills many of the promises of Heroku and maybe Google Cloud’s App Engine. You simply tell it what kind of service you are going to deploy and it handles the deployment and manages the infrastructure for you.

“Our customers are all people who are writing code. And they just want to deploy this code really easily without having to worry about servers, or maintenance, or depending on DevOps teams — or, in many cases, hiring DevOps teams,” Goel said. “DevOps engineers are extremely expensive to hire and extremely hard to find, especially good ones. Our goal is to eliminate all of that work that DevOps people do at every company, because it’s very similar at every company.”


One new feature the company is launching today is preview environments. You can think of them as disposable staging or development environments that developers can spin up to test their code — and Render promises that the testing environment will look the same as your production environment (or you can specify changes, too). Developers can then test their updates collaboratively with QA or their product and sales teams in this environment.

Development teams on Render specify their infrastructure environments in a YAML file and turning on these new preview environments is as easy as setting a flag in that file.


“Once they do that, then for every pull request — because we’re integrated with GitHub and GitLab — we automatically spin up a copy of that environment. That can include anything you have in production, or things like a Redis instance, or managed Postgres database, or Elasticsearch instance, or obviously APIs and web services and static sites,” Goel said. Every time you push a change to that branch or pull request, the environment is automatically updated, too. Once the pull request is closed or merged, Render destroys the environment automatically.

The company will use the new funding to grow its team and build out its service. The plan, Goel tells me, is to raise a larger Series A round next year.


Contrast launches its security observability platform

Contrast, a developer-centric application security company with customers that include Liberty Mutual Insurance, NTT Data, AXA and Bandwidth, today announced the launch of its security observability platform. The idea here is to offer developers a single pane of glass to manage an application’s security across its lifecycle, combined with real-time analysis and reporting, as well as remediation tools.

“Every line of code that’s happening increases the risk to a business if it’s not secure,” said Contrast CEO and chairman Alan Nauman. “We’re focused on securing all that code that businesses are writing for both automation and digital transformation.”

Over the course of the last few years, the well-funded company, which raised a $65 million Series D round last year, launched numerous security tools that cover a wide range of use cases from automated penetration testing to cloud application security and now DevOps — and this new platform is meant to tie them all together.

DevOps, the company argues, is really what necessitates a platform like this, given that developers now push more code into production than ever — and the onus of ensuring that this code is secure is now also often on them.


Traditionally, Nauman argues, security services focused on the code itself and looking at traffic.

“We think at the application layer, the same principles of observability apply that have been used in the IT infrastructure space,” he said. “Specifically, we do instrumentation of the code and we weave security sensors into the code as it’s being developed and are looking for vulnerabilities and observing running code. […] Our view is: the world’s most complex systems are best when instrumented, whether it’s an airplane, a spacecraft, an IT infrastructure. We think the same is true for code. So our breakthrough is applying instrumentation to code and observing for security vulnerabilities.”

With this new platform, Contrast is aggregating information from its existing systems into a single dashboard. And while Contrast observes the code throughout its lifecycle, it also scans for vulnerabilities whenever developers check code into the CI/CD pipeline, thanks to integrations with most of the standard tools like Jenkins. It’s worth noting that the service also scans for vulnerabilities in open-source libraries. Once deployed, Contrast’s new platform keeps an eye on the data that runs through the various APIs and systems the application connects to and scans for potential security issues there as well.

The platform currently supports all of the large cloud providers like AWS, Azure and Google Cloud, and languages and frameworks like Java, Python, .NET and Ruby.



Now may be the best time to become a full-stack developer

In the world of software development, one term you’re sure to hear a lot of is full-stack development. Job recruiters are constantly posting open positions for full-stack developers and the industry is abuzz with this in-demand title.

But what does full-stack actually mean?

Simply put, it’s the development on the client-side (front end) and the server-side (back end) of software. Full-stack developers are jacks of all trades as they work with the design aspect of software the client interacts with as well as the coding and structuring of the server end.

In a time when technological requirements are rapidly evolving and companies may not be able to afford a full team of developers, software developers that know both the front end and back end are essential.

In response to the coronavirus pandemic, the ability to do full-stack development can make engineers extremely marketable as companies across all industries migrate their businesses to a virtual world. Those who can quickly develop and deliver software projects thanks to full-stack methods have the best shot to be at the top of a company’s or client’s wish list.

Becoming a full-stack developer

So how can you become a full-stack engineer and what are the expectations? In most working environments, you won’t be expected to have absolute expertise on every single platform or language. However, it will be presumed that you know enough to understand and can solve problems on both ends of software development.

Most commonly, full-stack developers are familiar with HTML, CSS, JavaScript, and back-end languages like Ruby, PHP, or Python. This matches up with the expectations of new hires as well, as you’ll notice a lot of openings for full-stack developer jobs require specialization in more than one back-end program.

Full-stack is becoming the default way to develop, so much so that some in the software engineering community argue over whether the term is redundant. As the lines between the front end and back end blur with evolving tech, developers are now being expected to work more frequently on all aspects of the software. However, developers will likely have one specialty where they excel while being good in other areas and a novice at some things ... and that’s OK.

Getting into full-stack though means you should concentrate on finding your niche within the particular front-end and back-end programs you want to work with. One practical and common approach is to learn JavaScript since it covers both front and back end capabilities. You’ll also want to get comfortable with databases, version control, and security. In addition, it’s smart to prioritize design since you’ll be working on the client-facing side of things.

Since full-stack developers can communicate with each side of a development team, they’re invaluable to saving time and avoiding confusion on a project.

One common argument against full stack is that, in theory, developers who can do everything may not do one thing at an expert level. But there’s no hard or fast rule saying you can’t be a master at coding and also learn front-end techniques or vice versa.

Choosing between full-stack and DevOps

One holdup you may have before diving into full-stack is that you’re also mulling over the option to become a DevOps engineer. There are certainly similarities between the two professions, including good salaries and the ultimate goal of producing software as quickly as possible without errors. As with full-stack developers, DevOps engineers are also becoming more in demand because of the flexibility they offer a company.


Atlanta-based Speedscale now has $2.2 million more to grow its API test automation business

It only took a few weeks after its Y Combinator demo day debut for the Atlanta-based API test automation company Speedscale to raise its first $2.2 million.

The company’s founders, longtime developers and Georgia Institute of Technology alumni Ken Ahrens, Matthew LeRay and Nate Lee, had known each other for roughly twenty years before making the jump to working together.

A circuitous path of interconnecting programming jobs in the devops and monitoring space led the three men to realize that there was an opportunity to address one of the main struggles new programmers now face — making sure that updates to api integrations in a containerized programming world don’t wind up breaking apps or services.

“We were helping to solve incident outages and incidents that would cause downtime,” said Lee. “It’s hard to ensure the quality between all of these connection points [between applications]. And these connection points are growing as people add APIs and containers. We said, ‘How about we solve this space? How could we preempt all of this and ensure maintaining release velocity with scalable automation?’”

Typically companies release new updates to code in a phased approach or in a test environment to ensure that they’re not going to break anything. Speedscale proposes test automation using real traffic so that developers can accelerate the release time.

“They want to change very frequently,” said Ahrens, speaking about the development life cycle. “Most of the changes are great, but every once in a while they make a change and break part of the system. The state of the art is to wait for it to be broken and get someone to fix it quickly.”

The pitch Speedscale makes to developers is that its service can give coders the ability to see the problems before the release. It automates the creation of the staging environment, automation suite and orchestration to create that environment.

“One of the big things for me was when I saw the rise of Kubernetes was what’s really happening is that engineering leaders have been able to give more autonomy to developers, but no one has come up with a great way to validate and I really think that Speedscale can solve that problem.”

The Atlanta-based company, which only just graduated from Y Combinator a few months ago, is currently in a closed alpha with select pilot partners, according to LeRay. And the nine-month-old company has raised $2.2 million from investors including Sierra Ventures from the Bay Area and Atlanta’s own Tech Square Ventures to grow the business.

“APIs are a huge market,” Ahrens said of the potential opportunity for the company. “There’s 11 million developers who develop against APIs… We think the addressable market for us is in the billions.”


Solvo raises $3M seed round to automatically manage cloud infrastructure permissions

Solvo, a Tel Aviv-based startup that promises to automatically generate cloud security permissions by analyzing a developer’s code, today announced that it has raised a $3 million seed funding round from TLV Partners and Surround Ventures. The idea here is to analyze the code and generate the least-privilege permissions that still allow the code to run.

Currently, Solvo’s focus is on AWS, with support for Python, Java and Node.js, but the team plans to expand its service to other clouds and languages over time.

The company was co-founded by its CEO Shira Shamban and its CTO, David Hendri. Shamban has 17 years of cybersecurity experience, leading security teams at Dome9 and CheckPoint, in addition to her time in the Israeli Intelligence Corps’ Unit 8200. Similarly, Hendri was one of the first R&D employees at Dome9 and served as an officer in the Israeli Intelligence Corps.

“Today, every software developer has their own AWS account — and they can scale up an entire crypto mining farm wherever in the world,” Shamban explained. “And when they do that, or when they write the next Tinder for cats, they have to grant security permissions to the infrastructure because this is how it works. But they are software developers, not security engineers.”

Similarly, she argues, DevOps teams don’t typically focus on these security permissions either. At the same time, the security engineers also often don’t exactly know why a specific Lambda function in AWS communicated to a specific database, for example. Because of that, it’s often not quite clear who is in charge of infrastructure security.

“We created a solution that developers like to use […]. The developers like it, but the security team needs it — because they don’t have visibility and they don’t know the risks in their Cloud account,” said Shamban.

Because Solvo creates very granular permissions, down to the row level in a database table, for example, when malicious actors do get into the system, they will only be able to access a small slice of the available data. That’s still obviously a problem, but it keeps the blast radius small.

As developers update their applications, the system automatically learns how a given company operates and updates its rules accordingly.

The company is already working with a Fortune 500 design partner to build out its service, which it offers as a SaaS product. But in addition to big enterprises, the team believes that small- and medium-sized companies can also benefit from its service.

Unsurprisingly, the company plans to use the new funding round, which it raised entirely over Zoom, to build out the team and product.

“The big problem that Solvo solves is the result of a growing trend in the market—the transfer of responsibility for code and product security in the cloud from the DevOps people to the development people,” said Shahar Tzafrir, a managing partner at TLV Partners. “In light of the enthusiastic responses we’ve received from potential customers that affirmed the necessity of the solution along with the unique ability of this particular team to offer a quick solution, we were quick to offer this seed investment to the entrepreneurs—and we are happy and proud that they chose us.”
