Inner Loop Capital

Congratulations to Josh Kamdjou, Ian Thiel, and the entire Sublime Security team. So much to celebrate here: * $60m Series B * IVP and Cack Wilhelm as leads (big fan!) * Colin Jones joins as President (wow) * “Two Maryland boys” (yes!) #MDtech

🎉 I am excited to share our latest case study about How Coveo Strengthened GitHub Actions Security with StepSecurity! Coveo is a market leader in AI-powered search, recommendations and generative experiences that enables enterprises like Dell, United Airlines, SAP, Zoom, and Salesforce to offer relevant experiences across workplace, website, commerce and customer service use cases. At Coveo, over 200 developers utilize GitHub Actions for continuous integration. They primarily use self-hosted ephemeral runners, with a few GitHub-hosted runners across more than 300 GitHub repositories. 🚨 The Challenge:  Before transitioning its CI jobs to GitHub Actions, Coveo's security team identified an opportunity to enhance its security strategy around third-party Actions. Coveo prioritized implementing network and runtime security observability for Actions runners to proactively detect potential threats like tampering software artifacts during build to inject a backdoor or exfiltration of sensitive source code and secrets to unauthorized servers, ensuring robust protection of their software supply chain. ✅ The Solution:  Coveo turned to StepSecurity to address these challenges and scale their security posture across GitHub Actions workflows without burdening developers. To tackle the security challenges associated with GitHub Actions, Coveo integrated StepSecurity Harden-Runner into their runner image, bringing immediate, detailed security observability to all jobs running on their self-hosted runners without any code changes. StepSecurity Harden-Runner establishes a baseline for each job, capturing outbound network traffic, processes, and file operations during the build. Deviations from this baseline trigger alerts, enabling Coveo’s security team to quickly detect and respond to potential threats, such as malicious dependencies or attempts to tamper with builds. 📈 Scaling GitHub Actions Security Best Practices:  To support Coveo's goal of guiding the implementation of GitHub Actions security best practices and scaling their security efforts, StepSecurity provided a comprehensive solution. StepSecurity detects and flags security misconfigurations in GitHub Actions workflows, such as overprivileged token permissions, unpinned Actions, and risky 3rd party Actions. Moreover, StepSecurity goes beyond simple detection by offering automated remediation through high-precision fix recommendations. StepSecurity further enhanced security by providing a comprehensive score for third-party Actions based on static and dynamic analysis. This scoring evaluates key security attributes, offering quick insights into the trustworthiness of an Action.  🏆 The Outcome:  Coveo enhanced the security of their GitHub Actions workflows by integrating StepSecurity, gaining deep observability and automated protection against potential threats—all without burdening developers. Link to full case study in the comments 👇 

Thank you Benjamin Black, Joanna Drake, Akkadian Ventures, and the entire team at RAISE Global. It’s an honor to be involved and to support the single most impactful event of the year on the emerging VC manager calendar. As a participant, alum, and Alumni Sponsor, every experience with RAISE has been <chef’s kiss>.

Thank you to Ron G., Peter Szulman, Tobias Stanzel, and the entire xtype.io team for trusting Inner Loop Capital since 2021 and your first financing round. It’s been an honor to have a front row seat as you have made your vision for a better ServiceNow experience a reality. Congratulations on the major milestone of your Series A financing. I cannot wait to see what you now achieve with the new support of Dave Zilberman at Norwest Venture Partners and the whole team at ServiceNow Ventures, alongside the ongoing support of the incomparable Jason Booma and Austin Goode at Columbia Capital, as well as SaaS Ventures and many other key partners. Congratulations and well done!

Congratulations to Cloud Security company Tamnoon, which employs a unique Human-AI hybrid approach to managing cloud exposure, on their $12m Series A. Thank you to Marina S., Idan Perez, Zohar Alon and the entire team for allowing Inner Loop Capital to be a small part of your journey since your Seed round, and for enabling us to double down in your Series A. Thank you also to Merlin Ventures, Secret Chord Ventures, toDay.Ventures, Elron Ventures and our newest friends Bright Pixel (formerly Sonae IM) for your partnership here. Great things — and a more secure Cloud — are ahead!

Thank you Winter Mead and the whole Coolwater Capital team for a great event and for including alums like Inner Loop Capital!

🎉 I am excited to share our latest case study about how Hashgraph, leveraging StepSecurity's enterprise solution, revolutionized GitHub Actions security across its diverse CI/CD environments (🔗 in the comments)! As a leader in Web3 and decentralized infrastructure, implementing robust CI/CD security measures is crucial for Hashgraph to maintain trust, prevent vulnerabilities, and ensure the reliability of its platform. Recognizing the need for a comprehensive solution to address these concerns, Hashgraph turned to StepSecurity’s enterprise platform. The result: 1️⃣ Security visibility into outbound network traffic from all runners 2️⃣ Detection and prevention of tampering attempts during builds 3️⃣ Reduced risk of supply chain attacks and CI/CD credential exfiltration 4️⃣ Reduced risk of using third-party actions by using StepSecurity Maintained Actions 5️⃣ Reduced manual overhead in maintaining GitHub Actions security best practices Learn how Hashgraph achieves comprehensive CI/CD security without compromising development speed with StepSecurity.