Jit aims to simplify product security for developers

Jit, a startup with a platform designed to make product security easier for developers, has raised $38.5 million seed funding. In addition, the company released a free public beta version that automates product security by converting complex security plans from written documents and spreadsheets into security plans-as-code maintained on GitHub. The goal is to empower modern engineering teams to take responsibility for product security as part of their devops workflow.

Jit claims it makes it simple to integrate security into the devops workflow. According to David Melamed, cofounder and CTO of Jit, cybersecurity executives are introducing new tools at a faster pace than their teams can integrate with, adjust to, and configure. 

Melamed also stated that developing a security plan or program takes too much time for high-speed development and product teams. This shifts attention to risk management, and as he sees it, when there are so many risk-related costs, efficiency falls out of sync.

Jit, according to Melamed, simplifies technical security for engineering teams, while also lowering costs. He added that Jit provides a straightforward solution to adopting DevSecOps, in which product security is supplied as a service into the continuous integration, continuous delivery (CI/CD) pipeline, with a product security plan based on Git principles and translated into a language developers understand — code.

Security-as-code (SaC)

Today, security and product functionality are not mutually exclusive. A product can be flawless in terms of functionality yet absolutely insecure in terms of security. This is because security is still often an afterthought in software development. 

According to the State of Developer-Driven Security 2022 survey conducted by Secure Code Warrior, 86% of developers do not consider application security to be a top priority while building code. According to the study, more than half of the 1,200 developers polled are unable to assure that their code is secure against common vulnerabilities. This is one of the reasons why only 29% of the developers believe that building secure code should be a top priority.

According to the same survey, 67% of engineers said they put off writing secure code until later in the software development lifecycle due to time constraints and a lack of training or direction on how to do so. As a result, they prioritize functionality over security. However, adopting security-as-code (SaC) firmly combines application development and security administration, allowing developers to focus on key features and functionality, while also simplifying security teams’ configuration and permission management. This enhances communication between development and security teams, as well as fostering a security culture throughout the company.

In fact, McKinsey reports that most cloud leaders agree that infrastructure-as-code (IaC) allows companies to automate the creation of cloud systems without relying on error-prone human configuration. SaC goes a step further, McKinsey claims, by programmatically creating cybersecurity policies and standards, allowing them to be referenced automatically in configuration scripts. Rather than waiting until later, developers increasingly think about security from the beginning of a project.

To automatically and continuously detect vulnerabilities and security issues, security tests and scanning are integrated into the CI/CD pipeline. Everyone in the organization can see who has access to which resources, since access policy decisions are written in source code. Jit claims it is designed for modern engineering teams that are developing cloud-native software, using CI/CD best practices and want to ensure that product security is present from day one.

Minimum viable security strategy

Many modern development organizations are shifting left and introducing a variety of security technologies for developers, according to Ed Sim, founder and general partner of Boldstart Ventures. What’s missing, he claims, with the proliferation of these solutions is an orchestration layer that combines a range of open-source security tools while organically integrating the security as code experience into the developer workflow.

“Jit is the first solution that allows developers to easily embed minimal viable security from day zero, resulting in security at the speed of code,” Sim said.

According to a Ponemon Institute report, 41% of respondents say product security is a top priority for their companies, 50% say they examine product security before shipping a product to clients, and 59% say they’ve lost revenue because of product security issues. Jit claims to have codified what it calls “minimum viable security plans” that are compliant with industry standards. According to Jit, these strategies address the threat landscape as well as the basic security requirements for protecting a product from its earliest iteration. A compliance checklist in a spreadsheet becomes code that is saved in a repository. The company claims that the next step is an automated orchestration of all OSS security technologies across the entire tech stack, including code, infrastructure, CI/CD, runtime and APIs.

As a developer, instead of having to research, configure, implement and work to integrate open-source security tools into their stacks and CI/CD pipelines, the security research team at Jit says what sets its tools apart is that the company has taken the time to curate and select tools that will provide the first line of defense for the developers’ applications. 

This, according to the company, is useful if an individual isn’t a security domain expert and this responsibility has recently been handed to their plate. Jit claims it is designed to be as simple to use as other as-code tools. With its tools, the company says a developer may now write a security plan and apply it to their specific stack with a few clicks in the user interface, similar to its competitor Terraform Plan/Terraform Apply.

Boldstart Ventures led the seed funding round, which included Insight Partners, Tiger Global Management, and strategic angel investors. FXP, a new Boston-Israel startup venture studio, founded the company.