In December 2021, a vulnerability in a widely used logging library that had gone unfixed since 2013 caused a full-blown security meltdown.
The 10/10-rated Log4Shell flaw in Log4j, an open source logging software that’s found practically everywhere, from online games to enterprise software and cloud data centers, claimed numerous victims from Adobe and Cloudflare to Twitter and Minecraft due to its ubiquitous presence. It was described by security experts as a “design failure of catastrophic proportions,” and demonstrated the potentially far-reaching consequences of shipping bad code.
Boston-based AppMap, going through TechCrunch Disrupt Startup Battlefield this week, wants to stop this bad code from ever making it into production. The open source dynamic runtime code analysis tool, which the startup claims is the first of its kind, is the brainchild of Elizabeth Lawler, who knows a thing or two about security. Prior to founding AppMap, she founded DevOps security startup Conjur, which was acquired by CyberArk in 2017, and served as chief data officer for Generation Health, later acquired by CVS.
After selling two companies into large enterprises with lots of legacy software, Lawler witnessed firsthand how developers were struggling to understand the systems they were tasked with improving, and finding it difficult to deliver fast and secure code in complex microservices and cloud applications.
“It’s surprising to me that people have a mental model of how things work that is actually disconnected from how it actually works,” Lawler tells TechCrunch. “When we don’t know how our software works, we’re making best guesses when we write code.”
That led to the creation of AppMap, which was built on the simple idea that developers should be able to see the behavior of software as they write it so they can prevent problems when the software runs. Unlike static analysis tools that don’t show runtime information, AppMap — which was built from the ground up over a three-year period — runs within the code editor to show developers which components are communicating with which components, at what throughput and latency, at what network speed and whether there are any errors between them, enabling developers to get actionable insights and make improvements quicker than before.
All of this is done within an interactive code editor extension, which AppMap designed with the help of comic book artists and musicians in order to make it as easy to use and intuitive as possible.
“I’m a data scientist, so I know how overwhelming data can be,” said Lawler. “Google Maps has elegantly shown us how maps can be personalized and localized, so we used that as a jumping off point for how we wanted to approach the big data problem.”
To coincide with TechCrunch Disrupt, AppMap is launching three new features: the ability to share and collaborate with other engineers; performance analysis that alerts developers when code changes will impact performance and scalability; and security analysis that can identify software runtime code issues within a developer’s code editor before they commit their code, be it leaking customer data and secrets into log files or missing or improper authentication or authorization.
“We can see the kinds of issues that are now the rising OWASP Top 10. Static issues have gone down in prevalence because we have good scanners for them, but what we don’t have great scanners for are these dynamic issues that are design in nature. If you look at the CWE Top 25, almost half of these are code design issues.”
As it’s based on open source, which is evident from the startup’s community-sourced approach to changing its product and adding new features, AppMap is free for developers to use. “We don’t believe you should be charged for self-awareness in programming,” Lawler said. “If we’re going to integrate with your GitHub and we have to provide some background functions or storage, then those are paid services.”
AppMap, which is a seed-stage VC-backed pre-revenue startup, currently has more than 20,000 customers — a figure that’s growing by 20% every month — with developers at IBM, NASA, Sonos and Salesforce using its product. It’s also growing its team, which is made up of employees that have coded at some point in their career and hold deep DevOps, automation, cybersecurity and test-driven development experience. Kevin Gilpin, AppMap’s technical co-founder, describes his career highlight as delivering “build your vehicle online” pages for Ford.
Though it only launched in 2021, the startup’s vision goes far beyond preventing developers from shipping bad code. “We spend a lot of time and energy instrumenting things that are downstream of our application, but we’ve never instrumented the creative process. We’ve never really watched people think, design and create in this way. I think that by having observability data in that moment, it’s going to open up a lot of opportunities. As AppMap evolves, I’d like to think about how this gets even bigger than performance analysis and becomes more of an assistive technology in that realm.”