As founder and CEO of both AppDynamics and Harness, two companies that improved visibility into cloud-native applications, Jyoti Bansal had a unique view of the blind spots that remained.
What he realized was the APIs that often connect hundreds of microservices in modern architectures are most likely to compromise application security, as they massively expand an attack surface in ways that are often difficult to detect, Bansal told CRN.
That insight led Bansal to form Traceable, a San Francisco-based startup that came out of stealth Tuesday with $20 million in funding from Unusual Ventures and a mission to secure modern workloads at the level of their code. Bansal, who sold AppDynamics to Cisco Systems in 2017 for $3.7 billion, spun Traceable out of BIG Labs, his startup studio.
[Related: Refactr CEO: Coronavirus Crisis Is Rapidly Accelerating Shift To DevSecOps]
“API security is a big pain right now, as everything is exposed with APIs and there’s really no visibility security teams have into those APIs,” Bansal told CRN. “There’s really no good solutions in the market these days to do those things.”
Even tech giants like Uber and Facebook have been victims of business logic attacks due to vulnerabilities in microservice APIs, he said.
Traceable looks to provide end-to-end visibility into data flowing through any given API through its distributed tracing system while enforcing security policy at those critical soft points in cloud-native workloads.
“This area needs a complete rethink in how you build next-generation application security,” Bansal said
The startup’s technology “creates the same language” for the developer and security communities, enabling DevSecOps, an emerging method of integrating security into the DevOps pipeline, Bansal said.
“Our approach to market is appraise what’s happening at the code level itself,” Bansal said. “If an attacker is using code in anomalous ways, we provide you a response.”
Traceable co-founder and CTO Sanjay Nagaraj told CRN that while working as vice president of engineering at AppDynamics, and later for a short stint at Cisco, he saw the security challenges posed by distributed services and distributed APIs.
As customers gradually shifted from monolithic services to microservices, there was a general lack of understanding of which APIs were most vulnerable to attack, even as those APIs often exposed business logic that enabled attackers to access sensitive data.
Traceable, which has already deployed the platform for some notable preview customers, connects into three places: the web proxy or API gateway, the Kubernetes and Docker orchestrators as sidecar services, and finally the application layer itself through Java.
That makes it possible to trace application activity from the user and session through the application code.
“That way we are able to track all the data,” Nagaraj said. “We call it edge-to-code.”
The startup’s platform includes TraceAI, machine-learning technology that analyzes data to learn typical application behavior and then detect activity deviating from the norm. The software integrates with Kubernetes, Istio and Envoy service meshes, and Slack and Jira to bring security into developer’s workflows.
Once the platform comes out of beta, the goal will be to integrate with the leading DevOps and security vendors.
Bansal, who still runs DevOps startup Harness, said his new company plans on building a channel as an important component of its go-to-market approach, Bansal said.
“After the launch, that’s a big part of our strategy, to incorporate systems integrators and create a good VAR ecosystem,” Bansal said.
Traceable has open-sourced its underlying platform, Hypertrace, to make robust tracing more accessible, and to foster a community that advances the project.
related stories
Video
