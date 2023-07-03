



Secret sprawl, where an organization's authentication credentials and similar sensitive data end up stored in many different locations, is a serious problem for companies that want to avoid security breaches.

Businesses may have hundreds of secrets spread across their infrastructure, such as API keys, passwords, database access tokens, and other sensitive information. That raises questions about what is stored where and who has access to it, and it makes it difficult to monitor whether any of that data has accidentally found its way into the public realm. For example, in 2017 Uber revealed a massive breach exposing the personal data of approximately 57 million customers. Although there were many security flaws, the root cause was that hackers discovered AWS access keys in an Uber developer's GitHub repository.

Against that backdrop, we've seen a slew of startups and big tech tools hit the market designed to help companies manage their secret sprawl. The latest is a San Francisco-based company called Infisical, which today announced it has raised a $2.8 million seed round led by Google's Gradient Ventures to help companies of all sizes centralize secrets management.

top secret

Infisical markets itself as a comprehensive secrets management platform that combines all the components an enterprise needs. According to Infisical co-founder Vlad Matsiako, it's similar to what Rippling is doing in the workforce management space, but for secrets.

“As companies become more digital and more integrated with other software, it becomes more difficult to manage all application and developer secrets. We need to allow access, which in itself is a security concern,” Matsiako explained to TechCrunch. “Infisical can be thought of as an all-in-one secrets management stack that combines all relevant products for an enterprise.”

It includes a dashboard for managing secrets across different projects and environments, client SDKs, a command line interface (CLI), native integrations with GitHub, Netlify, Vercel, and more, secret versioning and “point-in-time recovery”, audit logs, and secret scanning.

In terms of business model, Infisical earns revenue through a hosted cloud offering sold as SaaS, and through a self-hosted offering that sells enterprise-grade features.

(kind of) open source elements

Infisical positions itself as an “open source” SecretOps platform, but a quick look at its license on GitHub suggests it falls more along the lines of open core or source-available than pure open source territory. That said, many of the platform’s core features, such as secret scanning and infrastructure integrations, appear to be available under the permissive MIT license, while audit logging, single sign-on, recovery and access control sit in a separate Enterprise Edition (EE) under a proprietary license.

“Our entire codebase is publicly available on GitHub, and we also make all core secrets management functionality available under the MIT license,” Matsiako said. “We strongly believe that individual developers and enthusiasts should be able to experiment with most features for free using either Infisical Cloud or Infisical self-hosted.”

The idea here is that as users start looking at Infisical for significant commercial use cases, they will need more features such as advanced security and compliance. Therefore, even if an enterprise chooses to self-host Infisical, it will still need to purchase an Enterprise license to use the EE-only features.

“The real goal is to charge only large companies,” Matsiako added.

There are already a number of similar tools on the market, including multi-billion dollar cloud infrastructure giant HashiCorp’s open-source Vault project, which has become something of a de facto standard in secrets management. However, Matsiako argues that Infisical is aimed at general developers rather than platform engineering teams, making it easier to adopt with a flatter learning curve.

“While Vault is difficult to adopt for developers without security or infrastructure knowledge, we have found Vault to be more popular among security and platform engineering teams,” he said. “This slows down the development cycle for companies, and some companies even resort to developing completely custom developer solutions on top of Vault, or instead of Vault.”

Other notable alternatives include Doppler and Akeyless, which are effectively SaaS-only products. There are also more narrowly focused products such as secret scanning tools like GitGuardian, a feature Infisical already supports as part of its platform.

“By integrating Secret Scanning within Infisical's bundled product, we unlock synergies between Secrets Management and Secrets Scanning. You just have to do it,” says Matsiako.
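To make the secret scanning feature discussed above concrete, here is a small scanner of the kind that would have flagged the committed AWS keys in the Uber example earlier in this piece. This is an added example written for this page, not Infisical's or GitGuardian's code, and it makes no claims about how either product implements scanning. It combines two common detection approaches: fixed-format patterns for well-known credential types (AWS access key IDs, GitHub tokens, PEM private key headers) and a Shannon-entropy check on values assigned to sensitive-looking variable names. The sample file contents, the entropy threshold, and the allowlist entry are constructed for the example (the allowlisted key is the placeholder AWS uses in its own documentation).

```python
"""Minimal secret scanner: pattern rules plus an entropy heuristic.

Added example for this page; not the code of any product named in it.
Assumptions: the rule set, the 3.5 bits/char threshold and the sample
input below are all chosen for illustration.
"""
import math
import re
from dataclasses import dataclass

# Fixed-format rules for credential types whose shape is public knowledge.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# "<sensitive name> = <long opaque value>"; the value is then entropy-checked
# so that placeholders such as "changeme" are not reported.
ASSIGNMENT = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; tune against your own corpus

# Known non-secrets that match the rules (example key from AWS documentation).
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}


@dataclass
class Finding:
    line: int
    rule: str
    redacted: str  # never log the full value the scanner just found


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value for a human to locate it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "..."


def scan_text(text: str) -> list[Finding]:
    """Scan text line by line and return one Finding per distinct match."""
    findings: list[Finding] = []
    seen: set[tuple[int, str]] = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            for m in rx.finditer(line):
                value = m.group(0)
                if value in ALLOWLIST or (lineno, value) in seen:
                    continue
                seen.add((lineno, value))
                findings.append(Finding(lineno, name, redact(value)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if value in ALLOWLIST or (lineno, value) in seen:
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                seen.add((lineno, value))
                findings.append(Finding(lineno, "high_entropy_assignment", redact(value)))
    return findings


# Constructed sample of a config file someone might commit; none of these
# values are real credentials. Line 5 is the allowlisted AWS docs placeholder.
SAMPLE = """\
# service config (constructed sample)
AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "changemechangeme"
DOCS_EXAMPLE_KEY=AKIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.rule} ({f.redacted})")
```

Run as a pre-commit hook over staged diffs or across repository history, the expected output for the sample is two findings: the access key ID on line 2 and the high-entropy secret key on line 3. The low-entropy placeholder password and the allowlisted documentation key are deliberately not reported, which is the trade-off every scanner has to make between noise and coverage.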

story so far

The company’s founder trio (Matsiako, Maidul Islam, and Tony Dang) met at Cornell University, where they studied a combination of computer and data science courses, before working at various companies including AWS, Figma, and Bung. They then reunited in San Francisco in August last year to start a new venture together.

“Through our experience and conversations with industry players, we know that managing application secrets is cumbersome and the secrets management industry’s problems are far from solved,” said Matsiako. “It became clear that we needed to build an open source solution that was easy to use for secrets management. It gives you the flexibility to self-host on your own infrastructure.”

Infisical raised $500,000 from participating in Y Combinator’s (YC) Winter 2023 program and recently hired its first engineer from enterprise software giant Red Hat.

Besides lead backer Gradient Ventures, the company’s seed round included investments from YC, 22 Ventures, and angel backers such as Elad Gil and YC’s Diana Hu.

