Disruption #1: Code to Cloud DSPM

Two weeks ago, I met the CEO of Privya, an innovative Israeli startup. Their latest product starts with a traditional AppSec workflow: an agentless approach that connects to GitHub or your preferred code repository. And then, voilà, the privacy scan begins. But you might wonder, what kind of scan? It's not SAST, nor is it SCA. Here's how Privya describes it:

"Privya automatically builds a relationship map between all services, storage systems, and applications. It identifies third parties where data is shared and documents which personal and sensitive data are used where and how data flows between the various elements. This process happens much more quickly, comprehensively, and accurately than any manual mapping process and is continuously updated when triggered by the CI/CD."

So, it's a privacy solution that feels like AppSec, flows like AppSec, and even smells like AppSec! How so? The privacy scan focuses solely on code, yet it can identify both structured and unstructured data sources used by the application. Additionally, it maps all third-party services that the app connects to. In other words, it can discover the main data flows and potential data leakage vectors.

The question that comes to mind is, "How much privacy data can a code scan actually identify?" Privya claims that their ML-driven scan can achieve semantic classification by analyzing variables and function calls, identifying the use of personally identifiable information (PII). For instance, the code might run a Snowflake query using variables like user_name and cc. Later in the flow, the code might show that this data is shared with Salesforce via an API call, which would be flagged as a privacy risk. Findings can then be prioritized based on severity and confidence.

You get the idea: it's not a complex data scan of all your data clouds à la DSPM, but one scan can also lead to the other. Eventually the left meets the right. The discovery of a specific data source in the code can trigger a targeted data scan of the tables and columns referenced in the code, to precisely classify the data involved in the flow. The need for regular compliance scans of data repositories does not disappear. One can even foresee an ASPM approach where DAG scan results are ingested and correlated with the privacy code scan to get a more complete picture across code and infrastructure.
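To make the two ideas above concrete (a code scan that flags PII flowing from a data source to a third party, and the same scan producing the table and column list for a targeted data scan), here is a toy static scanner written for this post. It is an added example and not Privya's code; the PII name table, the confidence values, and the `snowflake_cursor.execute` / `salesforce.create_contact` call names are all constructed assumptions, and the name-based heuristic stands in for the ML classifier the article describes.

```python
"""Toy static privacy-flow scanner (added example, not Privya's product).

Parses Python source with the standard `ast` module and:
  1. flags identifiers and SQL columns whose names suggest personal data
     (a constructed name heuristic standing in for an ML classifier),
  2. records where they reach a data source (a Snowflake query) or a
     third-party sink (a Salesforce API call),
  3. collects the tables/columns referenced in SQL so a targeted data scan
     can be planned for just those objects.
"""
import ast
import re
from dataclasses import dataclass

# Constructed heuristic: name -> (PII category, confidence the name really is PII).
PII_NAMES = {
    "user_name": ("name", 0.8),
    "email": ("email", 0.9),
    "ssn": ("national_id", 0.95),
    "cc": ("credit_card", 0.6),   # terse name, so lower confidence
}
HIGH_RISK = {"credit_card", "national_id"}
# Hypothetical call names for a data source and a third-party sink.
SOURCES = {"snowflake_cursor.execute": "snowflake"}
SINKS = {"salesforce.create_contact": "salesforce"}

# Constructed application snippet mirroring the flow described in the text.
SAMPLE_APP = '''
rows = snowflake_cursor.execute(
    "SELECT user_name, cc FROM customers.orders WHERE id = %s", (order_id,))
user_name, cc = rows[0]
salesforce.create_contact({"name": user_name, "card": cc})
'''

@dataclass(frozen=True)
class Finding:
    kind: str        # "pii_in_source" or "pii_to_third_party"
    variable: str    # column or identifier name
    category: str
    system: str
    line: int
    confidence: float
    severity: str

def classify(name):
    """Return (category, confidence) if the name looks like PII, else None."""
    return PII_NAMES.get(name.strip().lower())

def dotted_name(node):
    """Render an ast Name/Attribute chain as 'a.b.c'; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))

SELECT_RE = re.compile(r"select\s+(.+?)\s+from\s+([\w.]+)", re.I | re.S)

class PrivacyScanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []
        self.tables = {}   # table -> set of columns referenced in SQL literals

    def _add(self, kind, name, system, line):
        hit = classify(name)
        if hit is None:
            return
        category, confidence = hit
        if kind == "pii_to_third_party":
            severity = "high" if category in HIGH_RISK else "medium"
        else:
            severity = "low"   # PII read from its own source is expected; note it, rank it low
        self.findings.append(Finding(kind, name, category, system, line, confidence, severity))

    def visit_Call(self, node):
        callee = dotted_name(node.func)
        if callee in SOURCES:
            # Data source: pull table and column names out of any SQL string literal.
            for sub in ast.walk(node):
                if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
                    for cols, table in SELECT_RE.findall(sub.value):
                        names = [c.strip() for c in cols.split(",")]
                        self.tables.setdefault(table, set()).update(names)
                        for col in names:
                            self._add("pii_in_source", col, SOURCES[callee], node.lineno)
        elif callee in SINKS:
            # Third-party sink: any PII-looking identifier among the call's arguments.
            for arg in node.args + [kw.value for kw in node.keywords]:
                for sub in ast.walk(arg):
                    if isinstance(sub, ast.Name):
                        self._add("pii_to_third_party", sub.id, SINKS[callee], node.lineno)
        self.generic_visit(node)

def scan(source):
    """Scan Python source text; returns (findings ranked by severity/confidence, tables)."""
    scanner = PrivacyScanner()
    scanner.visit(ast.parse(source))
    order = {"high": 0, "medium": 1, "low": 2}
    findings = sorted(scanner.findings, key=lambda f: (order[f.severity], -f.confidence, f.line))
    return findings, scanner.tables

def targeted_scan_plan(tables):
    """Turn the tables referenced in code into the work list for a targeted data scan."""
    return {table: sorted(cols) for table, cols in tables.items()}

if __name__ == "__main__":
    findings, tables = scan(SAMPLE_APP)
    for f in findings:
        print(f"[{f.severity}] line {f.line}: {f.kind} {f.variable} "
              f"({f.category}, conf={f.confidence}) -> {f.system}")
    print("targeted scan plan:", targeted_scan_plan(tables))
```

Run as a script, the ranked output puts the credit-card value reaching Salesforce first, and the plan tells a DSPM scanner to classify only `customers.orders` columns `cc` and `user_name` rather than the whole warehouse. A real product would replace the name table with a learned classifier and follow assignments across functions and files, which is exactly where the confidence score earns its keep.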

From a remediation standpoint, there is a significant advantage in integrating with the application code and working directly with developers. Establishing a graph of application-to-data flow from the left provides indisputable value, as scanning code for privacy risks can reveal critical insights. This approach helps identify potential issues early in the development process, enabling more effective remediation. Who knew there could be so much value in scanning code for privacy risks? Brilliant: from code to cloud DSPM!

Roger Casals

Co-Founder & CEO & Investor

7 months

My dear friend, you are the only one I know of who is capable of making sense of a soup of cyber-security acronyms... Warmest regards!

Brilliant! 'Sensing' privacy risks from code is a non-obvious yet natural progression with modern AI capabilities. IMHO this is both a shift left and operate at run time, as the false positives / negatives can be significant like any other code scanners. With sidecar architectures & learning agents in the sidecar, run-time increase of signal to noise can be the virtuous win from shifting left.

Sanjay Sawhney

Security, Privacy and AI

8 months

Nico Popp Shift left on privacy is a concept that is described in detail for one particular aspect, data deletion, but could also be done for other critical aspects. This is a Meta publication at USENIX: https://www.usenix.org/conference/usenixsecurity20/presentation/cohn-gordon

Rocky Giglio

Building confidence in the security of cloud platforms. Christian, husband, father of 5, Pastor, Board Member, crazy hobbyist

8 months

So much work to be done here. Excited to see the movement and couldn't agree more.
