Backslash Security Unveils Tool to Visualize Cloud-Native Code Flows

Backslash Security emerged from stealth today to provide IT teams with a visual tool that identifies workflows in cloud-native code that could lead to a security breach.

Fresh from raising $8 million in funding, Backslash Security CEO Shahar Man says the company’s namesake tool provides a lightweight approach to mapping toxic code flows, exposing flaws that cybercriminals could exploit.

That approach makes it easier to prioritize remediation efforts using a threat model that Backslash Security developed to map code and dependencies in cloud-native application environments. The Backslash tool currently supports Amazon Web Services (AWS) environments and GitHub code repositories with support for other platforms planned, says Man.

Securing cloud-native applications is especially challenging because of the rate at which they are developed and updated, notes Man. Existing cybersecurity tools tend to generate massive amounts of false-positive alerts that overwhelm application development teams; those development teams spend, on average, 25 minutes investigating each one, he adds.

The Backslash tool provides the context development teams need to address issues as code is being developed, says Man. Only then does it become feasible to employ DevSecOps best practices to shift responsibility for application security left toward developers, notes Man.

Cloud-native applications are, by definition, highly distributed, so there tend to be a lot of hidden dependencies that are difficult to discover. Cybercriminals, however, have become more adept at combining multiple techniques to exploit a weakness in a microservice that can lead to an entire cloud-native application being compromised.

The challenge, of course, is that most application developers have little to no cybersecurity expertise. Many organizations are attempting to shift responsibility for application security left toward developers, but without the right tools at their disposal, it’s not likely developers will make any headway, notes Man. It’s still fairly common, for example, for a relatively simple SQL injection attack to be successfully used to compromise an application environment, he notes.

Organizations have moved to improve the security of their software supply chains by adding cybersecurity professionals to their DevOps teams, but not many of those professionals have a lot of application development expertise. The Backslash Security approach makes it simpler for developers to understand how workflows in their code could be exploited without having to rely on a cybersecurity professional to discover it.

Over time, cloud-native applications may become considerably more secure than legacy applications simply because flaws were discovered earlier in the application development process. In the meantime, organizations should expect cybercriminals to continue to focus on exploiting weaknesses in software supply chains. The attacks may not be overly sophisticated, but given the current odds of success, the targets are simply too tempting to ignore. The issue organizations must come to terms with, however, is the increasing amount of liability those security flaws represent as the Biden administration and other governments around the world consider penalties for deploying insecure code.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
