Jit, a startup with a platform designed to make product security easier for developers, has raised $38.5 million in seed capital. Additionally, the company has released a free public beta that automates product security by converting complex security plans from written documents and spreadsheets into security plans as code, maintained on GitHub. The aim is to enable modern engineering teams to take responsibility for product security as part of their development workflow.
Jit claims it makes it easy to build security into the DevOps workflow. According to David Melamed, Jit co-founder and CTO, cybersecurity leaders are adopting new tools faster than their teams can integrate, customize and configure them.
Melamed also explained that developing a security plan or program takes too much time for high-velocity development and product teams. This shifts the focus to risk management, and in his view, efficiency is thrown off balance with so many risk-related costs.
According to Melamed, Jit simplifies technical security for engineering teams while reducing costs. He added that Jit provides a straightforward solution for adopting DevSecOps, where product security is delivered as a service in the continuous integration, continuous delivery (CI/CD) pipeline, with a product security plan based on Git principles and implemented in a language developers understand: code.
Security-as-Code (SaC)
Security and product functionality are no longer mutually exclusive. A product can be functionally flawless, yet entirely insecure. This is because security in software development is often still an afterthought.
According to the 2022 State of Developer-Driven Security survey conducted by Secure Code Warrior, 86% of developers do not consider application security a top priority when creating code. According to the study, more than half of the 1,200 developers surveyed cannot assure that their code is protected against common security vulnerabilities. This is one of the reasons why only 29% of developers believe that creating secure code should be a top priority.
According to the same survey, 67% of engineers say they defer writing secure code until later in the software development lifecycle due to time constraints and a lack of training or guidance. As a result, they prioritize functionality over security. However, the advent of Security-as-Code (SaC) tightly ties application development and security management, allowing developers to focus on key features and functionality while simplifying configuration and permissions management for security teams. This improves communication between development and security teams and fosters a security culture across the organization.
In fact, McKinsey reports that most cloud executives agree that Infrastructure-as-Code (IaC) allows organizations to automate the creation of cloud systems without having to rely on error-prone human configuration. SaC goes a step further, claims McKinsey, by programmatically creating cybersecurity policies and standards that allow them to be automatically referenced in configuration scripts. Instead of waiting for later, developers are increasingly thinking about security from the beginning of a project.
Security tests and scans are integrated into the CI/CD pipeline to automatically and continuously detect vulnerabilities and security issues. Everyone in the organization can see who has access to what resources because access policy decisions are written in source code. Jit claims it’s designed for modern engineering teams that develop cloud-native software, use CI/CD best practices, and want to ensure product security is in place from day one.
Minimum viable security strategy
According to Ed Sim, founder and general partner of Boldstart Ventures, many modern development organizations are shifting left and adopting a variety of developer security technologies. He claims that this proliferation of solutions lacks an orchestration layer that combines a suite of open-source security tools while organically integrating security as a code experience into the developer workflow.
“Jit is the first solution that allows developers to embed minimal practical security from day zero, resulting in security in the speed of code,” said Sim.
According to a report by the Ponemon Institute, 41% of respondents say product safety is a top priority for their companies, 50% say they check product safety before shipping a product to customers, and 59% say they lost revenue due to product safety issues. Jit claims to have codified what it calls “minimum viable security plans” that conform to industry standards. According to Jit, these strategies address the threat landscape as well as the basic security requirements to protect a product from its earliest iteration. A compliance checklist in a spreadsheet becomes code stored in a repository. The company claims that the next step is an automated orchestration of all OSS security technologies across the entire tech stack, including code, infrastructure, CI/CD, runtime and APIs.
Rather than developers having to research, configure, implement and integrate open-source security tools into their stacks and CI/CD pipelines, Jit's security research team says what sets its tools apart is that the company takes the time to curate and select tools that are the first line of defense for developers' applications.
This is useful, according to the company, when a person is not an expert in security domains and has recently had that responsibility put on their plate. Jit claims that it is as easy to use as other as-code tools. With its tools, the company says, a developer can now write a security plan and apply it to their specific stack with a few clicks in the UI, similar to competitor Terraform Plan/Terraform Apply.
Boldstart Ventures led the seed funding round, which included Insight Partners, Tiger Global Management and strategic angel investors. The company was founded by FXP, a new startup venture studio from Boston and Israel.