Code analysis tool AppMap wants to be Google Maps for developers • TechCrunch


In December 2021, a vulnerability in a widely used logging library that hadn’t been patched since 2013 led to a completely insecure state.

The 10/10-rated Log4Shell flaw in Log4j, open source logging software, is everywhere from online games to enterprise software and cloud data centers, with victims ranging from Adobe and Cloudflare to Twitter and Minecraft. It has been described by security experts as “a design failure at risk,” and has shown the potential consequences of sending malicious code.

Boston-based AppMap, which is going through the TechCrunch Disrupt Startup Battlefield this week, wants to stop this bad code from getting into production. An open-source dynamic runtime code analysis tool that the startup claims is the first of its kind, it’s the brainchild of Elizabeth Lawler, who knows a thing or two about security. Prior to founding AppMap, she co-founded DevOps security startup Conjur, which was acquired by CyberArk in 2017, and served as Chief Data Officer for Generation Health, which was later acquired by CVS.

After selling two companies to large enterprises, Lawler saw firsthand how legacy software remained in place and how developers struggled to understand how to upgrade the systems they were given and how to deliver fast and secure code with complex microservices and cloud applications.

“It amazes me that people have a mental model of how things work that’s disconnected from the actual process,” Lawler told TechCrunch. “When we write code without knowing how our software works, we make good guesses.”

That led to the creation of AppMap, with the simple idea that developers could see the behavior of software while writing it so they could prevent problems while the software was running. As a static analysis tool that shows runtime data, AppMap – built from the ground up over three years – works in the code editor to help developers see which components are connecting to which components, at what speed and latency, what network speed, and whether there are any bugs in between. It allows them to gain insights and make improvements faster than ever before.

All of this is done in an interactive code editor extension, which makes AppMap as easy to use and intuitive as possible with the help of comic book artists and musicians.

“I’m a data scientist, so I know how hard data is,” Lawler said. “Google Maps showed us beautifully how to personalize and localize maps, so we used that as a jumping off point for how we wanted to approach that big data problem.”

AppMap at Startup Battlefield at TechCrunch Disrupt

To coincide with TechCrunch Disrupt, AppMap is launching three new features: the ability to share and collaborate with other engineers; performance analysis that alerts developers when code changes impact performance and scalability; and security analysis that can identify, in the developer’s code editor, run-time code issues that leak customer data and secrets to log files or that have missing or improper authentication or authorization.

Now we can see the top 10 types of issues of OWASP that are growing. Static cases are in circulation because we have good scanners for them, but what we don’t have good scanners for are the dynamic cases designed in nature. If you look at the CWE Top 25, about half of them are code design issues.

Being based on open source, evident from the startup’s community-source approach to modifying the product and adding new features, AppMap is free for developers to use. “We don’t believe in paying for self-awareness on a program,” Lawler said. If we integrate with your GitHub and need to provide some backend functionality or repository, those are paid services.

AppMap, a seed-stage VC-backed pre-revenue startup, currently has more than 20,000 customers – a figure growing by 20% every month – with developers using the product at IBM, NASA, Sonos and Salesforce. It’s also growing the team, consisting of employees who have coded at some point in their careers and have deep DevOps, automation, cybersecurity and test-driven development experience. Kevin Gilpin, technical founder of AppMap, described it as his career highlight. “Build your vehicle online” pages for Ford.

Although it only launched in 2021, the startup’s vision is far greater. Preventing developers from submitting bad code. We spend a lot of time and energy tooling the things underneath our apps, but we’ve never tooled the creative process. We’ve never really seen people think, design and create in this way. I think it opens up a lot of possibilities by having that in-the-moment observational data. As AppMap evolves, I’d like to think about how this will become more than performance analysis and a helpful technology in that realm.


