Cycode launches knowledge graph to better prevent source code tampering

The knowledge graph is part of Cycode’s $20 million Series A funding round, and reflects their strategy of broadening both the type of source code that they protect, and the ecosystem that can better help to protect it.

Today Cycode, a 2019 startup with a solution specifically designed to protect source code from theft, leakage and manipulation, is making a pair of announcements. It announced a $20 million Series A round led by Insight Partners, with participation from seed investor YL Ventures; the new funding brings total investment to $25 million. It also announced the launch of a knowledge graph that correlates data across the software development lifecycle, extending the scope of the protection Cycode provides.

Cycode has been showing strong momentum, helped by another flurry of high-profile incidents relating to source code being compromised.

“What really helped us is there were a lot of incidents that related to our area of expertise,” said Ronen Slavin, CTO and co-founder of Cycode. He noted the SolarWinds and Codecov attacks in particular, the latter of which affected huge companies.

“Since the SolarWinds attack was announced in December, we have had five major supply chain attacks – about one per month,” said Andrew Fife, Cycode’s CMO.

“The industry keeps seeing evidence of why this area is important and why they need to pay attention to it,” Slavin stressed.

COVID has also helped Cycode, Slavin noted.

“With developers working from home and connectivity to internal systems necessary, protecting developers by segregating them becomes impossible,” he said.

Cycode has broadened its definition of what it protects since its launch.


“When we originally talked about source code, we meant just source code, but in modern source code repositories there’s a lot more there, including definitions for infrastructure and policies defining code,” Fife said. “These are now all things that are essentially part of source code repositories. Even the name isn’t really accurate anymore because there’s a lot more there, including definitions for the entire DevOps pipeline. This created an opportunity for us to understand the extended behavior of the pipeline, in which we look at the entire pipeline itself and extend use cases to it.”

The newly announced knowledge graph will play a key role here in protecting the pipeline.

“We have been working on our knowledge graph for the last couple of months, which lets us aggregate all the assets in the systems we connect with,” Slavin said. The knowledge graph maps out asset information and user activity from DevOps tools, infrastructure and security scanners through Cycode’s agentless architecture. It then correlates those events to create contextual insights, prioritize remediation, reduce false positives and check the integrity of the pipeline.

“It adds a unique ability to help with code tampering,” Fife stated.

The knowledge graph is part of Cycode’s strategy – which will be accelerated by the new funding round – to further extend pipeline protection.

“We are facing new use cases of tampering, and we can harness the graph to solve them, but these are also a pipeline problem,” Fife said. “Code tampering can be in the repositories, in the build itself, like SolarWinds was, or in the Cloud environment like Codecov. We are building a full pipeline solution to make sure the output of one phase is the input of the next. This will identify at any stage if something is compromised and being tampered with.”

The idea is to provide multi-layered protection for source code.

“We want to build systems with defense in depth,” Slavin said. “This will enforce less privileges across systems, provide strong configuration across the system, and monitor the system for independent verification of the signed commit. It’s a layered approach, like everything else in cybersecurity.”

“The way the industry thinks about solving code tampering makes sense – but it’s only the last step in a process that starts much earlier,” Fife added. “To reduce the risk of code tampering, we need to increase integrity. One of the big lessons from SolarWinds is you can’t always trust things that are signed. They signed because they assumed the code was valid. We can’t make that same mistake in our own software supply chains. That’s what the layers of the onion do, verify why you should trust that commit in the first place. Should a developer even have least access? How do we know who they say they are? How do we harden authentication procedures and manage keys to trust the certificate? These are all things where data that starts on Day One of a person joining the company provides information that can go into a graph database on whether to trust the commit. That’s how you create an airtight solution.”
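To make the two ideas in the quotes above concrete (a signature alone does not make a commit trustworthy, and each pipeline stage should consume exactly what the previous one produced), here is a small added illustration. It is not Cycode's code and does not model their knowledge graph; the key registry, access list, commit and stage records are all constructed sample data.

```python
"""Added illustration (not Cycode's code): correlate facts about a commit
and a pipeline run before trusting a signed artifact. All data is constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Commit:
    sha: str
    author: str
    signed: bool
    signing_key: Optional[str]


@dataclass
class Stage:
    name: str
    input_digest: str
    output_digest: str


# Constructed "graph" facts: which identity owns which signing key,
# and which identities may write to which repository.
KEY_OWNERS = {"key-A1": "alice", "key-B2": "bob"}
REPO_WRITERS = {"payments-svc": {"alice"}}


def commit_findings(commit: Commit, repo: str) -> List[str]:
    """Return reasons not to trust a commit; an empty list means trusted."""
    findings = []
    if not commit.signed:
        findings.append("unsigned commit")
    elif KEY_OWNERS.get(commit.signing_key) != commit.author:
        # Signed is not the same as trusted: the key must belong to the author.
        findings.append("signing key not registered to author")
    if commit.author not in REPO_WRITERS.get(repo, set()):
        # Least privilege: the author must actually be allowed to write here.
        findings.append("author lacks write access to repo")
    return findings


def pipeline_findings(stages: List[Stage], source_digest: str) -> List[str]:
    """Check that each stage's input is exactly the prior stage's output."""
    findings = []
    expected = source_digest
    for stage in stages:
        if stage.input_digest != expected:
            findings.append(f"{stage.name}: input does not match prior output")
        expected = stage.output_digest
    return findings
```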

Cycode is also expanding its presence with initiatives around strategic partnerships, their channel, and their user community.

“We intend to integrate with other third-party security tools to improve detections and enrich our system,” said Lior Levy, CEO and co-founder of Cycode. “There aren’t any of these in place yet. We are engaging with several vendors but it’s for later this year.”

“We have, however, integrated with all the source control management systems, all the cloud platforms, and we hope to use them as channels for us,” Fife stated.

Cycode has begun to build out its channel, and has a channel program in place.

“We started out our channel program, and there are now some partners that we are engaging with today. We are looking to accelerate that,” Levy noted. “Today, our channel is more traditional security vendors, but it is complementary to anyone who sells more traditional application security. The partner program is also in place. It’s just not exposed on the website.”

“One other area that’s important is building a community around the knowledge graph,” Fife said. “Right now, it’s used internally. We query across the graph ourselves and present that to the customer and they can customize, but in the future, as we build a community around the graph so they can write their own queries, that will allow us to respond to attacks as quickly as possible.

“Since finding and retaining talent is critical, especially as security moves more and more into development, which means security needs to have a dev background, we are creating a low-code engine to input questions into the graph,” Fife added. “With the community, the more who join, the more powerful it will become.”

Cycode also announced some of their new publicly referenceable customers. These include Grubhub, Databricks, Flexport, Rapyd, Copart and Cobalt.

“For this year we remain focused on the North American market,” Levy said. “Next year, we will expand to Europe.”