Slim.AI lands $31M to make container security ‘easy’ for developers

The insecurity of the software supply chain has turned into an impossible-to-ignore issue. There are the high-profile compromises, including the SolarWinds and Kaseya supply chain attacks, of course. But those attacks are part of a much bigger phenomenon: according to data from Aqua Security, attacks involving the software supply chain surged by more than 300% overall in 2021.

Of particular concern for the industry is the security of cloud-native technologies — namely, containers. Partly as a response to the fast pace of software releases, developers frequently turn to free-to-use container images in public container registries to serve as the starting point for a new software project.

But while taking this shortcut does expedite the application development process significantly, it doesn’t always result in containers that are optimized for use in production — or secure. Findings released today by Sysdig show that 75% of container images actually have patchable vulnerabilities considered to be of “high” or “critical” severity.

New duties for devs

While developers excel at writing code, optimizing and securing containers are another matter. And yet, “it’s more and more the job of the developer” to ensure that their containers meet infrastructure and security needs, said John Amaral, formerly the head of product for Cisco’s cloud security business, and now CEO of Slim.AI. “They just don’t necessarily have the skills or the tools that make it easy to do that.”

That’s where Amaral’s current company, Slim.AI, comes in, with a platform for simplifying the work of securing and optimizing containers. To fuel the further advancement of the platform, Slim.AI today announced a $31 million series A funding round, co-led by Insight Partners and StepStone Group, with Knollwood as a participating investor. The company has now raised $37.6 million since its founding in February 2020.

With its software-as-a-service platform, Slim.AI enables developers to search for containers across multiple container registries at once. Then, the platform allows developers to see what’s inside a container, in terms of its composition and security profile —”making it easy for you to know what’s inside your container before you use it,” said Amaral.

And soon, the Slim.AI platform will add capabilities to automate the process of removing unneeded software from containers — eliminating vulnerabilities and reducing the potential attack surface for an app.

Building atop open source

The startup was founded by Amaral, who serves as CEO, and chief technology officer Kyle Quest. They launched the company to build out a developer tools platform on top of DockerSlim — an open source project created by Quest, that now has more than 12,000 stars on GitHub — and eventually offer a commercial version.

The Slim.AI platform remains free for developers, with the company looking to first achieve a large base of users for the platform before looking to commercialize it. The “early access” program for the platform currently has several thousand users, according to the company.

The platform’s ability to provide “Google-like” search for containers across public registries — Docker Hub, Amazon Elastic Container Registry, Microsoft Container Registry, and RedHat Quay — is one of its biggest differentiators, Amaral said. Slim.AI can also provide private connections, authenticated using API tokens, to the Google Container Registry and to the Amazon, Docker, and Red Hat registries.

Integrations with GitHub and GitLab are coming “in the near future,” the company has stated.

Then, once a developer locates a container image that looks promising, Slim.AI provides visualizations and insights about the software that makes up the container, Amaral said.

“You can open that container up using our tool in the cloud, and it gives you a deep analysis of the composition — so you can understand, ‘What’s inside that container? Does it have the pieces I need? Is it built in a way that I think is sound and useful to me? And does it have software in there that I don’t want?’” he said.

All in all, “this ability to search, analyze, understand, and evaluate containers in one platform from multiple registries is unique to Slim.AI,” Amaral said. “No other platform does this. No one has brought all these pieces together.”

‘Minification’

Forthcoming updates for Slim.AI will enable developers to take direct action around optimizing and securing their container images. The next feature launch will bring the ability to automatically remove unneeded software—
such as package managers and libraries — from a container.

This “minification” capability is currently available in DockerSlim, and is expected to debut for Slim.AI’s early access users in late February or early March.

The Slim.AI platform does not offer vulnerability detection itself, given that there are already many tools available to scan containers for vulnerabilities, Amaral said. The company does plan to introduce plugins on its platform for popular security scanners, which could happen as soon as the second quarter, he said.

After a developer scans a container and finds a vulnerability with a third-party tool, they can then use Slim.AI to “minify” the container—and then re-scan the container to see if this eliminated the vulnerability, Amaral said. Often, this is exactly what will happen, he said.

“There can be a 10- or 20- or 30-fold reduction of vulnerabilities just by removing packages that are unnecessary,” Amaral said.

(The “slim” in the company’s name refers to this feature of removing unnecessary software — while the “AI” in the name actually stands for “application intelligence” in this case, according to Amaral.)

Along with security, the Slim.AI platform can also assist developers with optimizing containers so that they’re ready for production, ensuring that key elements — such as monitoring and updating — are supported, he said.

Ultimately, Slim.AI enables DevOps teams to ensure that their software is “highly secure, optimum from a performance and cost perspective, and composed in a way that is production-ready,” Amaral said.

Commercial plans

In terms of launching a commercial version of the platform, Slim.AI first aims to prove itself useful enough to developers that they deem the platform worthy of using at their job, he said.

“We’re really focused on building value for developers [so they say], ‘I can see how to use this at work. I can see how to use this to solve a problem for my team,’” Amaral said.

The first commercial efforts by the company could begin in the second half of the year, he said.

In the meantime, Slim.AI aims to expand its team with the help of its series A funding. With a focus on hiring engineers, the startup expects to more than double its current team of 20 this year.

Prior to Slim.AI, Amaral spent nearly four years at Cisco — after the company acquired CloudLock, where he was head of product. Quest had been chief architect at CloudLock and also remained at Cisco following the acquisition. Both left Cisco in early 2020 to launch Slim.AI, and announced the startup’s $6.6 million seed round in January 2021.

Looking ahead, Slim.AI hopes that its platform can accomplish the rare feat of being both “good for developer velocity, but also good for security,” Amaral said.