Aqua Security's CEO Dror Davidoff (left) with the company's CTO, Amir Jerbi. (Credit: Aqua Security)

Aqua Security last week acquired Argon, putting together Aqua’s build platform with Argon’s supply chain security capability.

SC Media caught up with Dror Davidoff, co-founder and CEO of Aqua Security, to discuss the acquisition, how the cloud has changed development work, what Aqua really means when it talks about a cloud native application protection platform (CNAPP), and the importance of software supply chain security.

What are the challenges around cloud security that Aqua Security aims to solve?

Everyone is moving to the cloud today and, in so doing, adopting cloud-native technologies. This requires a different way of securing the environment. It’s not only brought about new technologies, but an interesting opportunity to do security differently and better than it used to be done on-premises. In the cloud-native world, everything is connected and sits on the CI/CD pipeline. So development, staging, and the infrastructure are integrated and connected. In the build stage, we focus on the following three areas:

  • Development cycle: Helping developers build the environment in a secure manner.
  • Infrastructure: Defining which cloud the app runs on, the type of service, and the underlying infrastructure.
  • Runtime controls: Making sure what’s running in the environment is what’s supposed to be running.

We are one of the only platforms that connect the dots. Aqua gives users a good risk assessment into an environment. It also can detect and prevent malicious activity. By integrating all three, we offer a cloud native application protection platform, a CNAPP, the integration of development, infrastructure and runtime control. We believe that’s the right way to secure a cloud environment.

Can you explain Argon’s approach to supply chain security?

In today’s world, software development works very much like an assembly line. Developers pull different snippets of code from different sources: open source repositories, third-party repositories, even reused components that were built within the organization. The CI/CD pulls pieces of code from different sources and uses them in the development cycle. So Argon processes, secures, and verifies the code, answering the following questions: Who has access? What kind of code was brought in? Where does it come from? Is it certified? And once the code is brought in, is it secure enough so nobody can tamper with it?

Argon looks at the supply chain of code, making sure the supply chain is secure and certified so at the end of the process, when the image gets made, the developers know it’s in compliance with the company’s enterprise policies.

How has the rise of the cloud and the data explosion changed DevOps?

There’s a lot of autonomy today and the world has become much more open and democratic. Developers have access to many more pieces of code. So in this new world, how do we secure the pipeline? Who has access? What are the plug-ins? What are the snippets of code they bring in? And do they do it in a secure and controlled way? This presents a very new problem, an issue that has received increased attention because of painful supply chain attacks like SolarWinds and Codecov. People are now aware that this is a serious weakness in their security posture.

Why was Argon the right acquisition for Aqua Security?

Argon started 15 months ago and came up with a way to integrate into the pipeline and secure the entire process. When we looked into them, we saw they had great technology and a great idea. It was a natural extension of what we were doing at Aqua. It made perfect sense from a product perspective. It was also a good cultural match, so we decided to join forces. This move gives us an edge. We now have a very unique differentiator in being able to manage both the build stage and the software supply chain.