startup - Nocturnalknight's Lair

Hidden Threats in PyPI and NPM: What You Need to Know

By Ramkumar Sundarakalatharan | November 9, 2024 | Comments 0 Comment

Introduction: Dependency Dangers in the Developer Ecosystem

Modern software development is fuelled by open-source packages, ranging from Python (PyPI) and JavaScript (npm) to PHP (phar) and pip modules. These packages have revolutionised development cycles by providing reusable components, thereby accelerating productivity and creating a rich ecosystem for innovation. However, this very reliance comes with a significant security risk: these widely used packages have become an attractive target for cybercriminals. As developers seek to expedite the development process, they may overlook the necessary due diligence on third-party packages, opening the door to potential security breaches.

Faster Development, Shorter Diligence: A Security Conundrum

Today, shorter development cycles and agile methodologies demand speed and flexibility. Continuous Integration/Continuous Deployment (CI/CD) pipelines encourage rapid iterations and frequent releases, leaving little time for the verification of every dependency. The result? Developers often choose dependencies without conducting rigorous checks on package integrity or legitimacy. This environment creates an opening for attackers to distribute malicious packages by leveraging popular repositories such as PyPI, npm, and others, making them vectors for harmful payloads and information theft.

Malicious Package Techniques: A Deeper Dive

While typosquatting is a common technique used by attackers, there are several other methods employed to distribute malicious packages:

Supply Chain Attacks: Attackers compromise legitimate packages by gaining access to the repository or the maintainer’s account. Once access is obtained, they inject malicious code into trusted packages, which then get distributed to unsuspecting users.
Dependency Confusion: This technique involves uploading packages with names identical to internal, private dependencies used by companies. When developers inadvertently pull from the public repository instead of their internal one, they introduce malicious code into their projects. This method exploits the default behaviour of package managers prioritising public over private packages.
Malicious Code Injection: Attackers often inject harmful scripts directly into a package’s source code. This can be done by compromising a developer’s environment or using compromised libraries as dependencies, allowing attackers to spread the malicious payload to all users of that package.

These methods are increasingly sophisticated, leveraging the natural behaviours of developers and package management systems to spread malicious code, steal sensitive information, or compromise entire systems.

Timeline of Incidents: Malicious Packages in the Spotlight

A series of high-profile incidents have demonstrated the vulnerabilities inherent in unchecked package installations:

June 2022: Malicious Python packages such as loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils were caught exfiltrating AWS credentials and sensitive developer information to unsecured endpoints. These packages were disguised to look like legitimate tools and fooled many unsuspecting developers. (BleepingComputer)
December 2022: A malicious package masquerading as a SentinelOne SDK was uploaded to PyPI, with malware designed to exfiltrate sensitive data from infected systems. (The Register)
January 2023: The popular ctx package was compromised to steal environment variables, including AWS keys, and send them to a remote server. This instance affected many developers and highlighted the scale of potential data leakage through dependencies. (BleepingComputer)
September 2023: An extended campaign involving malicious npm and PyPI packages targeted developers to steal SSH keys, AWS credentials, and other sensitive information, affecting numerous projects globally. (BleepingComputer)
October 2023: The recent incident involving the fabrice package is a stark reminder of how easy it is for attackers to deceive developers. The fabrice package, designed to mimic the legitimate fabric library, employed a typosquatting strategy, exploiting typographical errors to infiltrate systems. Since its release, the package was downloaded over 37,000 times and covertly collected AWS credentials using the boto3 library, transmitting the stolen data to a remote server via VPN, thereby obscuring the true origin of the attack. The package contained different payloads for Linux and Windows systems, utilising scheduled tasks and hidden directories to establish persistence. (Developer-Tech)

The Impact: Scope of Compromise

The estimated number of affected companies and products is difficult to pin down precisely due to the widespread usage of open-source packages in both small-scale and enterprise-level applications. Given that some of these malicious packages garnered tens of thousands of downloads, the potential damage stretches across countless software projects. With popular packages like ctx and others reaching a substantial audience, the economic and reputational impact could be significant, potentially costing affected businesses millions in breach recovery and remediation costs.

Real-world Impact: Consequences of Malicious Packages

The real-world impact of malicious packages is profound, with consequences ranging from data breaches to financial loss and severe reputational damage. The following are some of the key impacts:

British Airways and Ticketmaster Data Breach: In 2018, the Magecart group exploited vulnerabilities in third-party scripts used by British Airways and Ticketmaster. The attackers injected malicious code to skim payment details of customers, leading to significant data breaches and financial loss. British Airways was fined £20 million for the breach, which affected over 400,000 customers. (BBC)
Codecov Bash Uploader Incident: In April 2021, Codecov, a popular code coverage tool, was compromised. Attackers modified the Bash Uploader script, which is used to send coverage reports, to collect sensitive information from Codecov’s users, including credentials, tokens, and keys. This supply chain attack impacted hundreds of customers, including notable companies like HashiCorp. (GitGuardian)
Event-Stream NPM Package Attack: In 2018, a popular JavaScript library event-stream was hijacked by a malicious actor who added code to steal cryptocurrency from applications using the library. The compromised version was downloaded millions of times before the attack was detected, affecting numerous developers and projects globally. (Synk)

These incidents highlight the potential repercussions of malicious packages, including severe financial penalties, reputational damage, and the theft of sensitive customer information.

Fabrice: A Case Study in Typosquatting

The recent incident involving the fabrice package is a stark reminder of how easy it is for attackers to deceive developers. The fabrice package, designed to mimic the legitimate fabric library, employed a typosquatting strategy, exploiting typographical errors to infiltrate systems. Since its release, the package was downloaded over 37,000 times and covertly collected AWS credentials using the boto3 library, transmitting the stolen data to a remote server via VPN, thereby obscuring the true origin of the attack. The package contained different payloads for Linux and Windows systems, utilising scheduled tasks and hidden directories to establish persistence. (Developer-Tech)

Lessons Learned: Importance of Proactive Security Measures

The cases highlighted in this article offer important lessons for developers and organisations:

Dependency Verification is Crucial: Typosquatting and dependency confusion can be avoided by carefully verifying package authenticity. Implementing strict naming conventions and utilising internal package repositories can help prevent these attacks.
Security Throughout the SDLC: Integrating security checks into every phase of the SDLC, including automated code reviews and security testing of modules, is essential. This ensures that vulnerabilities are identified early and mitigated before reaching production.
Use of Vulnerability Scanning Tools: Tools like Snyk and OWASP Dependency-Check are invaluable in proactively identifying vulnerabilities. Organisations should make these tools a mandatory part of the development process to mitigate risks from third-party dependencies.
Security Training and Awareness: Developers must be educated about the risks associated with third-party packages and taught how to identify potentially malicious code. Regular training can significantly reduce the likelihood of falling victim to these attacks.

By recognising these lessons, developers and organisations can better safeguard their software supply chains and mitigate the risks associated with third-party dependencies.

Prevention Strategies: Staying Safe from Malicious Packages

To mitigate the risks associated with malicious packages, developers and startups must adopt a multi-layered defence approach:

Verify Package Authenticity: Always verify package names, descriptions, and maintainers. Opt for well-reviewed and frequently updated packages over relatively unknown ones.
Review Source Code: Whenever possible, review the source code of the package, especially for dependencies with recent uploads or unknown maintainers.
Use Package Scanners: Employ tools like Sonatype Nexus, npm audit, or PyUp to identify vulnerabilities and malicious code within packages.
Leverage Lockfiles: Tools like package-lock.json (npm) or Pipfile.lock (pip) can help prevent unintended updates by locking dependencies to a specific version.
Implement Least Privilege: Limit the permissions assigned to development environments to reduce the impact of compromised keys or credentials.
Regular Audits: Conduct regular security audits of dependencies as part of the CI/CD pipeline to minimise risk.

Software Security: Embedding Security in the Development Lifecycle

To mitigate the risks associated with malicious packages and other vulnerabilities, it is essential to integrate security into every phase of the Software Development Lifecycle (SDLC). This practice, known as the Secure Software Development Lifecycle (SSDLC), emphasises incorporating security best practices throughout the development process.

Key Components of SSDLC

Automated Code Reviews: Leveraging tools that automatically scan code for vulnerabilities and flag potential issues early in the development cycle can significantly reduce the risk of security flaws making it into production. Tools like SonarQube, Checkmarx, and Veracode help in ensuring that security is built into the code from the beginning.
Security Testing of Modules: Security testing should be conducted on third-party modules before integrating them into the project. Tools like Snyk and OWASP Dependency-Check can identify vulnerabilities in dependencies and provide remediation advice.

Deep Dive into Technical Details

Malicious Package Techniques: As discussed earlier, typosquatting is just one of the many attack techniques. Supply chain attacks, dependency confusion, and malicious code injection are also common methods attackers use to compromise software projects. It is essential to understand these techniques and incorporate checks that can prevent such attacks during the development process.
Vulnerability Analysis Tools:
- Snyk: Snyk helps developers identify vulnerabilities in open-source libraries and container images. It scans the project dependencies and cross-references them with a constantly updated vulnerability database. Once vulnerabilities are identified, Snyk provides detailed remediation advice, including fixing the version or applying patches.
- OWASP Dependency-Check: OWASP Dependency-Check is an open-source tool that scans project dependencies for known vulnerabilities. It works by identifying the libraries used in the project, then checking them against the National Vulnerability Database (NVD) to highlight potential risks. The tool also provides reports and actionable insights to help developers remediate the issues.
- Sonatype Nexus: Sonatype Nexus offers a repository management system that integrates directly with CI/CD pipelines to scan for vulnerabilities. It uses machine learning and other advanced techniques to continuously monitor and evaluate open-source libraries, providing alerts and remediation options.

Best Practices for Secure Dependency Management

Dependency Pinning: Pinning dependencies to specific versions helps in preventing unexpected updates that may contain vulnerabilities. By using tools like package-lock.json (npm) or Pipfile.lock (pip), developers can ensure that they are not inadvertently upgrading to a compromised version of a dependency.
Use of Private Registries: Hosting private package registries allows organisations to maintain tighter control over the dependencies used in their projects. By using tools like Nexus Repository or Artifactory, companies can create a trusted repository of dependencies and mitigate risks associated with public registries.
Robust Security Policies: Organisations should implement strict policies around the use of open-source components. This includes performing security audits, using automated tools to scan for vulnerabilities, and enforcing review processes for any new dependencies being added to the codebase.

By integrating these practices into the development process, organisations can build more resilient software, reduce vulnerabilities, and prevent incidents involving malicious dependencies.

Conclusion

As the developer community continues to embrace rapid innovation, understanding the security risks inherent in third-party dependencies is crucial. Adopting preventive measures and enforcing better dependency management practices are vital to mitigate the risks of malicious packages compromising projects, data, and systems. By recognising these threats, developers and startups can secure their software supply chains and build more resilient products.

References & Further Reading

Why Startups Should Put Security First: Push from Five Eyes

By Ramkumar Sundarakalatharan | November 2, 2024 | Comments 0 Comment

Five Eyes intelligence chiefs warn of ‘sharp rise’ in commercial espionage

The Five Eyes nations—Australia, Canada, New Zealand, the UK, and the US—have launched a joint initiative, Secure Innovation, to encourage tech startups to adopt robust security practices. This collaborative effort aims to address the increasing cyber threats faced by emerging technology companies, particularly from sophisticated nation-state actors.

The Growing Threat Landscape

The rapid pace of technological innovation has made startups a prime target for cyberattacks. These attacks can range from intellectual property theft and data breaches to disruption of critical services. A recent report by the Five Eyes alliance highlights that emerging tech ecosystems are facing unprecedented threats. To mitigate these risks, the Five Eyes have outlined five key principles for startups to follow, as detailed in guidance from the National Cyber Security Centre (NCSC):

Know the Threats: Startups must develop a strong understanding of the threat landscape, including potential vulnerabilities and emerging threats. This involves staying informed about the latest cyber threats, conducting regular risk assessments, and implementing effective threat intelligence practices.
Secure the Business Environment: Establishing a strong security culture within the organization is essential. This includes appointing a dedicated security leader, implementing robust access controls, and conducting regular security awareness training for employees. Additionally, startups should prioritize incident response planning and testing to minimize the impact of potential cyberattacks.
Secure Products by Design: Security should be integrated into the development process from the outset. This involves following secure coding practices, conducting regular security testing, and using secure software development frameworks. By prioritizing security from the beginning, startups can reduce the risk of vulnerabilities and data breaches.
Secure Partnerships: When collaborating with third-party vendors and partners, startups must conduct thorough due diligence to assess their security practices. Sharing sensitive information with untrusted partners can expose the startup to significant risks, making it crucial to ensure all partners adhere to robust security standards.
Secure Growth: As startups scale, they must continue to prioritize security. This involves expanding security teams, implementing advanced security technologies, and maintaining a strong security culture. Startups should also consider conducting regular security audits and penetration testing to identify and address potential vulnerabilities.

Why Is Secure by Design So Difficult for Startups?

While the concept of “Secure by Design” is critical, many startups find it challenging to implement due to several reasons:

Limited Resources: Startups often operate on tight budgets, focusing on minimum viable products (MVPs) to prove market fit. Allocating funds to security can feel like a competing priority, especially when the immediate goal is rapid growth.
Time Pressure: The urgency to get products to market quickly means that startups may overlook secure development practices, viewing them as “nice-to-haves” rather than essential components. This rush often leads to security gaps that may only become apparent later.
Talent Shortage: Finding experienced security professionals is difficult, especially for startups with limited financial leverage. Skilled engineers who can integrate security into the development lifecycle are often more interested in established firms that can offer competitive salaries.
Perceived Incompatibility with Innovation: Security measures are sometimes seen as inhibitors to creativity and innovation. Secure coding practices, frequent testing, and code reviews are viewed as processes that slow down development, making startups hesitant to incorporate them during their early stages.
Complexity of Security Requirements: Startups often struggle to understand and implement comprehensive security measures without prior experience or guidance. Security requirements can be perceived as overwhelming, especially for small teams already juggling development, marketing, and scaling responsibilities.

This perceived incompatibility of security with growth, coupled with resource and talent constraints, results in many startups postponing a “secure by design” approach, potentially exposing them to higher risks down the line.

How Startups Can Achieve Secure by Design Architectures

Despite these challenges, achieving a Secure by Design architecture is both feasible and advantageous for startups. Here are key strategies to help build secure foundations:

Hiring and Building a Security-Conscious Team:
- Early Inclusion of Security Expertise: Hiring a security professional or appointing a security-focused technical co-founder can lay the groundwork for embedding security into the company’s DNA.
- Upskilling Existing Teams: Startups may not be able to hire dedicated security engineers immediately, but they can train existing developers. Investing in security certifications like CISSP, CEH, or courses on secure coding will improve the team’s overall competency.
Integrating Security into Design and Development:
- Threat Modeling and Risk Assessment: Incorporate threat modeling sessions early in product development to identify potential risks. By understanding threats during the design phase, startups can adapt their architectures to minimize vulnerabilities.
- Secure Development Lifecycle: Implement a secure software development lifecycle (SDLC) with consistent code reviews and static analysis tools to catch vulnerabilities during development. Automating security checks using tools like Snyk or OWASP ZAP can help catch issues without slowing development significantly.
Focusing on Scalable Security Frameworks:
- Microservices Architecture: Startups can consider using a microservices-based architecture. This allows them to isolate services, meaning that a compromise in one area of the product doesn’t necessarily lead to full-system exposure.
- Zero Trust Principles: Startups should build products with Zero Trust principles, ensuring that every interaction—whether internal or external—is authenticated and validated. Even at an early stage, implementing identity management protocols and ensuring encrypted data flow will create a secure-by-default product.
Investing in Security Tools and Automation:
- Continuous Integration and Delivery (CI/CD) Pipeline Security: Integrating security checks into CI/CD processes ensures that every code commit is tested for vulnerabilities. Open-source tools like Jenkins can be configured with security plugins, making security an automated and natural part of the development workflow.
- Use of DevSecOps: Adopting a DevSecOps culture can streamline security implementation. This ensures security practices evolve alongside development processes, rather than being bolted on afterward. DevSecOps also fosters collaboration between development, operations, and security teams.
Leveraging External Support and Partnerships:
- Partnering with Managed Security Providers: Startups lacking the capacity for in-house security can benefit from partnerships with managed security providers. This allows them to outsource their security needs to experts while they focus on core product development.
- Utilize Government and Industry Resources: Programs like Secure Innovation and government grants provide startups with the frameworks and sometimes the financial resources needed to adopt security measures without excessive cost burdens.

Conclusion

The Five Eyes’ Secure Innovation initiative is a significant step forward in protecting the interests of tech startups. By embracing these principles and striving for a secure-by-design architecture, startups can not only mitigate cyber risks but also gain a competitive advantage in the marketplace. The key to startup success is integrating security into the heart of product development from the outset, recognizing it as a value-add rather than an impediment.

With the right strategies—whether through hiring, training, automation, or partnerships—startups can create secure and scalable products, build customer trust, and position themselves for long-term success in a competitive digital landscape.

References and Further Reading:

Five Eyes launch Secure Innovation to protect tech sector – Open Access Government
Five Eyes launch shared advice for tech startups – National Cyber Security Centre
Five Eye collaboration at DoDIIS Worldwide – Clearance Jobs
Five Eyes Alliance Unveils Secure Innovation Guidance – ExecutiveGov

Starling Bank’s Penalty: How to Strengthen Your Compliance Efforts

By Ramkumar Sundarakalatharan | October 5, 2024 | Comments 1 comment

Introduction

The rapid growth of the fintech industry has brought with it immense opportunities for innovation, but also significant risks in terms of regulatory compliance and real security. Starling Bank, one of the UK’s prominent digital banks, recently faced a £29 million fine in October 2024 from the Financial Conduct Authority (FCA) for serious lapses in its anti-money laundering (AML) and sanctions screening processes. This fine is part of a broader trend of fintechs grappling with regulatory pressures as they scale quickly. Failures in compliance not only lead to financial penalties but also damage to reputation and customer trust. In most cases, it also leads to revenue loss and or a significant business impact.

In this article, we explore what went wrong at Starling Bank, examine similar compliance issues faced by other major financial institutions like Paytm, Monzo, HDFC, Axis Bank & RobinHood and propose practical solutions to help fintech companies strengthen their compliance frameworks. This also helps to establish the point that these cybersecurity and compliance control lapses are not restricted to geography and are prevalent in the US, UK, India and many other regions. Additionally, we dive into how vulnerabilities manifest in growing fintechs and the increasing importance of adopting zero-trust architectures and AI-powered AML systems to safeguard against financial crime.

Background

In October 2024, Starling Bank was fined £29 million by the Financial Conduct Authority (FCA) for significant lapses in its anti-money laundering (AML) controls and sanctions screening. The penalty highlights the increasing pressure on fintech firms to build robust compliance frameworks that evolve with their rapid growth. Starling’s case, although high-profile, is just one in a series of incidents where compliance failures have attracted regulatory action. This article will explore what went wrong at Starling, examine similar compliance failures across the global fintech landscape, and provide recommendations on how fintechs can enhance their security and compliance controls.

What Went Wrong and How the Vulnerability Manifested

The FCA investigation into Starling Bank uncovered two major compliance gaps between 2019 and 2023, which exposed the bank to financial crime risks:

Failure to Onboard and Monitor High-Risk Clients: Starling’s systems for onboarding new clients, particularly high-risk individuals, were not sufficiently rigorous. The bank’s AML mechanisms did not scale in line with the rapid increase in customers, leaving gaps where sanctioned or suspicious individuals could go undetected. Despite the bank’s growth, the compliance framework remained stagnant, resulting in breaches of Principle 3 of the FCA’s regulations for businesses(Crowdfund Insider)(FinTech Futures).
Inadequate Sanctions Screening: Starling’s sanctions screening systems failed to adequately identify transactions from sanctioned entities, a critical vulnerability that persisted for several years. With insufficient real-time monitoring capabilities, the bank did not screen many transactions against the latest sanctions lists, leaving it exposed to potentially illegal activity(FinTech Futures). This is especially concerning in a financial ecosystem where transactions are frequent and high in volume, requiring robust systems to ensure compliance at all times.

These vulnerabilities manifested in Starling’s inability to effectively prevent financial crime, culminating in the FCA’s action in October 2024.

Learning from Similar Failures in the Fintech Industry

Paytm’s Cybersecurity Breach Reporting Delays (October 2024): In India, Paytm was fined for failing to report cybersecurity breaches in a timely manner to the Reserve Bank of India (RBI). This non-compliance exposed vulnerabilities in Paytm’s internal governance structures, particularly in their failure to adapt to rapid business expansion and manage cybersecurity threats(Reuters).
HDFC and Axis Banks’ Regulatory Breaches (September 2024): The RBI fined HDFC Bank and Axis Bank in September 2024 for failing to comply with regulatory guidelines, emphasizing how traditional banks, like fintechs, can face compliance challenges as they scale. The fines were related to lapses in governance and risk management frameworks(Economic Times).
Monzo’s PIN Security Breach (2023): In 2023, UK-based challenger bank Monzo experienced a breach where customer PINs were accidentally exposed due to an internal vulnerability. Although Monzo responded swiftly to mitigate the damage, the breach illustrated the need for fintechs to prioritize backend security and implement zero-trust security architectures that can prevent such incidents(Wired).
LockBit Ransomware Attack (2024): The LockBit ransomware attack on a major financial institution in 2024 demonstrated the growing cyber threats that fintechs face. This attack exposed the weaknesses in traditional cybersecurity models, underscoring the necessity of adopting zero-trust architectures for fintech companies to protect sensitive data and transactions from malicious actors(NCSC).
Robinhood’s Regulatory Scrutiny (2021-2022): In June 2021, Robinhood was fined $70 million by FINRA for misleading customers, causing harm through platform outages, and failing to manage operational risks during the GameStop trading frenzy. Robinhood’s systems were not equipped to handle the surge in trading volumes, leading to severe service disruptions and a failure to communicate risks to customers.
Robinhood Crypto’s Cybersecurity Failure (2022): In August 2003, Robinhood was fined $30 million by the New York State Department of Financial Services (NYDFS) for failing to comply with anti-money laundering (AML) regulations and cybersecurity obligations related to its cryptocurrency trading operations. The fine was issued due to inadequate staffing, compliance failures, and improper handling of regulatory oversight within its crypto business. Much like Starling, Robinhood’s compliance systems lagged behind its rapid business growth (Compliance Week)

Key Statistics in the Fintech Compliance Landscape

65% of organizations in the financial sector had more than 500 sensitive files open to every employee in 2023, making them highly vulnerable to insider threats.
The average cost of a data breach in financial services was $5.85 million in 2023, a significant figure that shows the financial impact of security vulnerabilities.
27% of ransomware attacks targeted financial institutions in 2022, with the number of attacks continuing to rise in 2024, further highlighting the importance of robust cybersecurity frameworks.
81% of financial institutions reported a rise in phishing and social engineering attacks in 2023, emphasizing the need for employee awareness and strong access controls.
By 2025, the global cost of cybercrime is projected to exceed $10.5 trillion annually, a figure that will disproportionately impact fintech companies that fail to implement strong security protocols.

Recommendations for Strengthening Compliance and Security Controls

To prevent future compliance breaches, fintech firms should prioritise scalable, technology-enabled compliance solutions. This requires empowering Compliance Heads, Information Security Teams, CISOs, and CTOs with the necessary budgets and authority to develop secure-by-design environments, teams, infrastructure, and products.

AI-Powered AML Systems: Leverage artificial intelligence (AI) and machine learning to enhance AML systems. These technologies can dynamically adjust to new threats and process high volumes of transactions to detect suspicious patterns in real time. This approach will ensure that fintechs can comply with evolving regulatory requirements while scaling.
Zero-Trust Security Models: As the LockBit ransomware attack showed in 2024, fintechs must adopt zero-trust architectures, where every user and device interacting with the system is continuously authenticated and verified. This reduces the risk of internal breaches and external attacks(Cloudflare).
Real-Time Auditing and Blockchain for Transparency: Real-time auditing, combined with blockchain technology, provides an immutable and transparent record of all financial transactions. This would help fintechs like Starling avoid the pitfalls of delayed sanctions screening, as blockchain ensures immediate and traceable compliance checks(EY).
Multi-Layered Sanctions Screening: Implement a multi-layered sanctions screening system that combines automated transaction monitoring with manual oversight for high-risk accounts. This dual approach ensures that fintechs can monitor suspicious activities while maintaining compliance with global regulatory frameworks(Exiger)(FinTech Futures).
Continuous Employee Training and Governance: Strong governance structures and regular compliance training for employees will ensure that fintechs remain agile and responsive to regulatory changes. This prepares the organization to adapt as new regulations emerge and customer bases expand.

Conclusion

The £29 million fine imposed on Starling Bank in October 2024 serves as a crucial reminder for fintech companies to integrate robust compliance and security frameworks as they grow. In an industry where regulatory scrutiny is intensifying, the fintech players that prioritize compliance will not only avoid costly fines but also position themselves as trusted institutions in the financial services world.

How Top Universities Fuel Startups with Venture Capital

By Ramkumar Sundarakalatharan | September 10, 2024 | Comments 0 Comment

Top Universities Driving Global Startups Through Venture Capital: A Data-Backed Overview

Universities play a pivotal role in nurturing talent and fostering innovation, and the success of alumni-founded startups is a testament to the entrepreneurial culture present in these institutions. A recent analysis of venture capital funding across top universities reveals the strong influence of academic ecosystems on startup success. This article dives into the top 50 universities based on the venture capital raised by their alumni, explores key geographical trends, highlights key sectors, and references publicly available data to give a comprehensive view.

The Global Leaders: U.S. Universities Dominate the Startup Landscape

Key Statistics (U.S.):

Total Dollars Raised: $194 billion
Number of Companies Founded: 4,000+
Key Sectors: Technology, Healthcare, FinTech, SaaS, AI

According to Crunchbase and PitchBook data, U.S. universities such as Stanford University, Harvard University, and the University of California, Berkeley lead the pack in terms of venture capital raised and the number of companies founded. These institutions have produced successful ventures in technology, artificial intelligence, and SaaS (Software as a Service). Stanford’s proximity to Silicon Valley has helped drive the innovation boom, particularly in tech startups.

Some of the most notable startups originating from these institutions include:

Stanford University: Renowned for its close ties to Silicon Valley, Stanford is the birthplace of giants like Google (founded by Larry Page and Sergey Brin), Yahoo (founded by Jerry Yang and David Filo), and WhatsApp (co-founded by Brian Acton).
Harvard University: With alumni like Mark Zuckerberg (co-founder of Facebook) and Bill Gates (co-founder of Microsoft), Harvard is a key player in tech, biotech, and healthcare sectors. Startups like Cloudflare (founded by Matthew Prince) also emerged from Harvard.

Europe: A Growing Hub for Innovation

Key Statistics (Europe):

Total Dollars Raised: $23 billion
Number of Companies Founded: 500+
Key Sectors: FinTech, Healthcare, DeepTech, Renewable Energy

Europe has seen rapid growth in FinTech, deep tech, and renewable energy sectors. INSEAD and Cambridge University stand out as key contributors to the startup ecosystem. According to Dealroom.co, FinTech is particularly dominant, with startups like Revolut and TransferWise leading the way.

INSEAD alumni have raised over $23 billion, with many startups thriving in FinTech and consulting sectors. A standout example is BlaBlaCar, a ridesharing platform co-founded by Frédéric Mazzella that has transformed travel across Europe by offering affordable long-distance ride-sharing options.

University of Cambridge has contributed significantly to deep tech and healthcare innovations, producing companies like Arm Holdings, the semiconductor giant. Mike Lynch, founder of Autonomy, is another Cambridge alumnus who has disrupted the tech industry.

Asia: A Rising Force in the Startup World

Key Statistics (Asia):

Total Dollars Raised: $15 billion
Number of Companies Founded: 1,200+
Key Sectors: Technology, Biotech, E-commerce, Mobility

Asia, led by universities like the National University of Singapore (NUS) and Tsinghua University, is rapidly becoming a hotbed for biotech, e-commerce, and mobility startups. NUS has seen its alumni raise billions in venture capital, particularly in the tech sector. According to TechInAsia, NUS-produced startups like Grab, co-founded by Anthony Tan and Tan Hooi Ling, have dominated the Southeast Asian ride-hailing market.

In China, Tsinghua University has been integral in fostering technological advancements, with alumni like Charles Zhang, founder of Sohu, shaping the Chinese tech landscape. The university has become synonymous with engineering and tech entrepreneurship.

Startups in India: The IIT Ecosystem

Key Statistics (India):

Total Dollars Raised: $10 billion
Number of Companies Founded: 800+
Key Sectors: E-commerce, FinTech, SaaS, Mobility

The Indian Institutes of Technology (IITs), particularly IIT Bombay and IIT Delhi, are pivotal in India’s e-commerce, FinTech, and mobility sectors. According to Inc42, startups like Flipkart (co-founded by Sachin Bansal and Binny Bansal, both IIT Delhi graduates) and Zomato (Founded by Deepinder Goyal, IIT Delhi) are reshaping the Indian market and attracting substantial venture capital.

Israel: A Thriving Startup Nation

Key Statistics (Israel):

Total Dollars Raised: $8 billion
Number of Companies Founded: 600+
Key Sectors: Cybersecurity, AI, FinTech, Defense Tech

Israel, often referred to as the Startup Nation, has made a name for itself with innovation in cybersecurity and AI. Universities like the Hebrew University of Jerusalem and the Technion – Israel Institute of Technology have been critical in producing world-class startups. For instance, Waze, the navigation app acquired by Google, was co-founded by Ehud Shabtai, an alumnus of Tel Aviv University. The country’s deep focus on cybersecurity is also reflected in companies like Check Point Software Technologies, founded by Gil Shwed, a Technion graduate.

South Africa: Emerging in FinTech and E-commerce

Key Statistics (South Africa):

Total Dollars Raised: $3 billion
Number of Companies Founded: 150+
Key Sectors: FinTech, E-commerce, Agriculture

While South Africa may not boast the same number of startups as Silicon Valley, it has a growing presence in FinTech and e-commerce. Universities like the University of Cape Town have played a significant role in this growth. One notable company is Yoco, a FinTech startup co-founded by Katlego Maphai, which provides payment solutions for small businesses across Africa. South Africa is also a key player in agri-tech, with startups focusing on modernizing the agricultural supply chain.

South America: A Rising Contender in E-commerce and FinTech

Key Statistics (South America):

Total Dollars Raised: $5 billion
Number of Companies Founded: 500+
Key Sectors: E-commerce, FinTech, PropTech

South America, particularly Brazil and Argentina, has seen a significant rise in e-commerce and FinTech startups. Universities like Universidade de São Paulo and Universidad de Buenos Aires have contributed to this burgeoning ecosystem. Companies like MercadoLibre, co-founded by Marcos Galperin (Universidad de Buenos Aires alumnus), are leading the e-commerce revolution in the region, while Nubank, a FinTech unicorn co-founded by David Vélez, is transforming banking in Latin America.

Why Are These Regions Underrepresented in the Data?

While regions like Israel, South Africa, and South America are seeing growth in venture capital-backed startups, the numbers are still significantly smaller compared to the U.S. and Europe. This can be attributed to a smaller pool of venture capital available, fewer universities with established entrepreneurial ecosystems, and the nascent state of the venture capital markets in these regions. However, they are catching up quickly, and with increasing global attention, these regions are likely to play a larger role in the global startup ecosystem in the coming years.

Conclusion

The data paints a clear picture of the crucial role universities play in fostering entrepreneurship and innovation globally. While U.S. institutions like Stanford and Harvard continue to dominate the startup landscape, the rise of universities in Europe, Asia, and emerging regions such as Israel and South America signals a significant shift toward a more diversified and competitive global startup ecosystem. This is no longer just a Silicon Valley story.

European universities are making strides in deep tech and FinTech, while Asian institutions are positioning themselves at the forefront of sectors like e-commerce, mobility, and biotech. These regions, once considered underrepresented in venture capital, are rapidly scaling their entrepreneurial impact, thanks to increasingly robust academic ecosystems, governmental support, and access to global venture networks.

However, as these newer hubs mature, it becomes clear that the presence of an established entrepreneurial culture, combined with strong alumni networks and well-supported innovation hubs, is key to sustaining long-term growth. For universities aspiring to drive the next generation of unicorns, investing in interdisciplinary research, fostering global collaborations, and creating pipelines between academia and industry will be critical in the years ahead.

The entrepreneurial landscape is rapidly evolving, and universities that align themselves with this shift will not only fuel economic growth but will also shape the future of technology, healthcare, and innovation on a global scale. As venture capital continues to flow into emerging markets, the next wave of disruptive startups may very well come from unexpected regions, further diversifying the global innovation economy.

References:

Crunchbase – Crunchbase Venture Capital Database
Crunchbase is a comprehensive database of startup companies, venture capital firms, and funding rounds, offering insights into global startup ecosystems and venture trends.
PitchBook – PitchBook Data
PitchBook provides detailed reports on venture capital, private equity, and mergers & acquisitions, offering in-depth insights into sector-specific funding and university-driven startups.
Dealroom.co – Dealroom European Startup Data
Dealroom is a leading platform for discovering startups, scale-ups, and investment trends, particularly in the European startup ecosystem.
TechInAsia – Tech in Asia Startup Data
A platform dedicated to startup news and insights from Asia, providing information about venture capital, company profiles, and technology trends across the region.
Inc42 – Inc42 Indian Startup Ecosystem
Inc42 is a leading source for insights on the Indian startup ecosystem, offering reports on funding, growth trends, and key sectors like FinTech, SaaS, and E-commerce.
CB Insights – CB Insights Global Venture Capital
CB Insights is a market intelligence platform that tracks venture capital investments, industry insights, and emerging trends, providing data-driven analysis on startups and sectors.
NASSCOM – Indian Tech Startup Ecosystem Report
NASSCOM publishes reports on India’s growing startup ecosystem, covering key sectors, venture capital inflows, and the impact of technology-driven ventures.
TechCrunch – TechCrunch Global Startup News
A leading news outlet for global startup and venture capital news, TechCrunch reports on funding rounds, sector trends, and university-linked startup initiatives.

What Happens When Huge Capital Meets No Real Product? Welcome to AI Speculation!

By Ramkumar Sundarakalatharan | July 1, 2024 | Comments 0 Comment

Despite its hefty $1.3 billion investment, the recent collapse of Inflection serves as a stark reminder of the volatile AI startup landscape. Inflection’s flagship product, Pi, a ChatGPT rival, failed to gain traction, leading to the company’s dismantling by Microsoft. This case exemplifies the broader trend of massive capital influx into AI ventures lacking substantial products.

The Rise and Fall of Inflection

Inflection was founded by notable entrepreneurs such as Mustafa Suleyman of DeepMind, Karén Simonyan, and Reid Hoffman. Suleyman, a co-founder of DeepMind, had previously contributed to its advancements in AI, which eventually led to its acquisition by Google. Simonyan brought extensive experience from his work on AI research, while Hoffman, co-founder of LinkedIn, provided substantial entrepreneurial and investment acumen.

With backing from influential investors including Bill Gates and Eric Schmidt, Inflection aimed to create a more empathetic AI companion. The company took around two years to develop Pi, its primary product, hoping to leverage its founders’ reputations and the significant capital raised to break into the AI market.

Why Pi Failed

Pi’s failure is attributed to several factors:

Lack of Unique Value: Pi’s context window was significantly shorter than competitors, hindering its ability to provide sustained conversational quality.
Market Oversaturation: The AI companion market is fiercely competitive, with established players like ChatGPT and Character.ai leading the pack.
Financial Mismanagement: Heavy investment without a corresponding viable product highlighted the risks of capital-heavy ventures in AI.

AI Funding and Startup Failures

The AI sector saw an estimated $50 billion in investments in 2023 alone. However, many startups have failed to deliver on their promises. Some notable closures in the last 18 months include:

Inflection: Absorbed by Microsoft, ceasing independent operations.
Vicarious: Acquired by Alphabet, failing to achieve its goal of human-like AI.
Element AI: Acquired by ServiceNow after struggling to commercialize its research.

Startup	Total Investment ($M)	Years to Product Launch	Peak Annual Revenue ($M)	Outcome
Inflection	1300	2	5	Acquired by Microsoft
Vicarious	150	4	2	Acquired by Alphabet
Element AI	257	3	10	Acquired by ServiceNow
MetaMind	45	2	1	Acquired by Salesforce
Geometric Intelligence	60	1	0.5	Acquired by Uber

The Future of AI Investment

This trend of high investment but low product viability raises concerns about the future of AI innovation. Consolidation around major players like Microsoft, Google, and OpenAI could stifle competition and limit diversity in AI development.

Conclusion

The downfall of Inflection underscores the precarious nature of AI investments. As the industry continues to grow, investors must prioritize viable, innovative products over mere potential. This shift could foster a more sustainable and dynamic AI ecosystem.

Inside the Palantir Mafia: Secrets to Succeeding in the Tech Industry

By Ramkumar Sundarakalatharan | June 7, 2024 | Comments 0 Comment

In the world of technology, engineers are not just cogs in a machine; they are the builders, the dreamers, and the ones who solve the problems they see in the world. And sometimes, those solutions turn into billion-dollar businesses. This is the story of the “Palantir Mafia,” a group of former Palantir employees who have left the data analytics giant to found their own startups, just like the famed “PayPal Mafia” that produced companies like SpaceX, YouTube, LinkedIn, Palantir Technologies, Affirm, Slide, Kiva, and Yelp.

1. Introducing the Amazing People from Palantir

The “Palantir Mafia,” akin to the renowned “PayPal Mafia,” comprises former Palantir engineers and executives who left to tackle meaningful problems with technological innovation, creating substantial impact and wealth. Unlike ex-consultants from firms like McKinsey, BCG, or Bain, these tech leaders leverage their deep technical expertise to solve complex issues directly, resulting in profound advancements and successful ventures.

Key Figures and Their Ventures

Alex Karp – Palantir Technologies
- Former Role: Co-Founder and CEO
- Company: Palantir Technologies
- Focus: Data analytics
- Market Penetration: Widely used across government and commercial sectors
- Revenue: $1.5 billion annually
- Capital Raised: $3 billion (Wikipedia) (Business Insider)
Max Levchin – Affirm
- Former Role: Co-Founder (PayPal, associated with Palantir founders)
- Company: Affirm
- Focus: Buy now, pay later financial services
- Market Penetration: Significant presence in the consumer finance market
- Revenue: $870 million in fiscal 2021
- Capital Raised: $1.5 billion
Joe Lonsdale – 8VC
- Former Role: Co-Founder
- Company: 8VC
- Focus: Venture capital firm
- Market Penetration: Diverse portfolio, influential in tech sectors
- Assets Under Management: $3.6 billion
Palmer Luckey – Anduril Industries ( could be the blue blooded Musk of 2020-2030s)
- Former Role: Founder of Oculus VR, associated with Palantir through ventures
- Company: Anduril Industries
- Focus: Defense technology
- Innovation: Developed the Lattice AI platform for autonomous border surveillance and defense applications
- Market Penetration: Contracts with U.S. Department of Defense and border security agencies
- Revenue: $200 million annually
- Capital Raised: $700 million
Garrett Smallwood – Wag!
- Former Role: Executive roles at other startups before Wag!
- Company: Wag!
- Focus: On-demand pet care services
- Market Penetration: Operates in over 100 cities
- Revenue: $100 million annually
- Capital Raised: $361.5 million
Nima Ghamsari – Blend
- Former Role: Product Manager at Palantir
- Company: Blend
- Focus: Mortgage and lending software
- Market Penetration: Partners with major financial institutions
- Revenue: Estimated $100 million+ annually
- Capital Raised: $665 million
Stephen Cohen – Quantifind
- Former Role: Co-Founder of Palantir
- Company: Quantifind
- Focus: Risk and fraud detection using data science
- Market Penetration: Used by financial services and government sectors
- Capital Raised: $8.7 million
Vibhu Norby – B8ta
- Former Role: Engineer at Palantir
- Company: B8ta
- Focus: Retail-as-a-service platform
- Market Penetration: Transforming in-store retail experiences
- Capital Raised: $113 million
Joe Lonsdale – Addepar
- Former Role: Co-Founder of Palantir
- Company: Addepar
- Focus: Wealth management technology
- Market Penetration: Manages over $2 trillion in assets
- Capital Raised: $325 million
Raman Narayanan – SigOpt
- Former Role: Data Scientist at Palantir
- Company: SigOpt (acquired by Intel)
- Focus: Machine learning optimization
- Market Penetration: Utilized by top tech companies
- Capital Raised: $8.7 million (before acquisition)

2. Engineers Make Better Founders in the Tech Industry

Unlike ex-consultants from big 3 who may excel in strategy and communication but often lack the technical depth to truly understand the intricacies of building a tech product, these ex-Palantir engineers come armed with both the vision and the technical chops to bring their ideas to life. They’ve spent years wrestling with complex data problems at Palantir, and they’re now taking those hard-won lessons to solve new challenges across a wide range of industries.

Engineers bring a problem-solving mindset that focuses on creating practical, scalable solutions. This technical acumen has allowed former Palantir employees to launch transformative companies that push the boundaries of what’s possible in various industries.

3. Market Penetration and Success of Palantir Alumni

The success of these Palantir alumni is evident through their market penetration and revenue. For instance, Palantir Technologies itself is a major player in the data analytics field, with a revenue of $1.5 billion annually. Affirm, led by Max Levchin, has made significant inroads in the consumer finance market, generating $870 million in revenue in fiscal 2021. Anduril Industries, founded by Palmer Luckey, has secured substantial contracts with the U.S. Department of Defense, contributing to its $200 million annual revenue.

Other successful ventures include Blend, with its deep partnerships with major financial institutions, and Addepar, managing over $2 trillion in assets. These companies not only showcase the technical expertise of their founders but also highlight their ability to penetrate markets and achieve substantial financial success.

4. Engineers vs. Consultants: A Compelling Argument

The technical depth and problem-solving mindset of engineers make them particularly suited for founding and leading tech startups. Their ability to directly tackle complex problems contrasts with the approach of ex-consultants from firms like McKinsey, BCG, or Bain, who often focus more on financial and operational efficiencies.

While consultants excel in operations-heavy startups, where strategic planning, financial management, and operational efficiency are paramount, engineers thrive in tech startups that require innovative solutions and deep technical expertise. The success stories of the Palantir alumni underscore this distinction, demonstrating how their engineering backgrounds have enabled them to drive significant technological advancements and build successful companies.

Conclusion

The Palantir Mafia’s engineers have leveraged their technical expertise to create innovative solutions and successful ventures, driving significant impact across various industries. Their ability to tackle complex problems directly contrasts with the approach of ex-consultants from firms like McKinsey, BCG, or Bain, who often focus more on financial and operational efficiencies. This technical depth has enabled these former Palantir employees to become influential leaders, pushing the boundaries of technology and innovation.

References & Further Reading:

Non-Compete Clauses: FTC’s Influence on Tech Innovation & Employee Freedom

By Ramkumar Sundarakalatharan | May 3, 2024 | Comments 0 Comment

The recent FTC ruling banning most non-compete agreements nationwide has ignited a firestorm in the business world. While some cheer the increased freedom for workers, others fear a potential talent exodus and a decline in innovation. Let’s delve deeper into this debate, exploring the arguments for and against non-compete clauses, along with the potential consequences of the ruling.

Champions of the Free Agent: A Rising Tide Lifts All Boats

Proponents of the FTC’s decision paint a rosy picture. They argue that:

Increased Worker Mobility: With non-compete shackles removed, workers can freely pursue more lucrative opportunities. This competition between companies drives salaries upwards, forcing employers to offer competitive benefits packages to retain talent.
Innovation on Steroids: A more mobile workforce fosters a cross-pollination of ideas. Employees bring fresh perspectives and experiences from previous roles, leading to a more dynamic and innovative environment across industries.
Empowering the Underdog: Critics of non-competes argue that these clauses disproportionately affect low-wage workers. They often lack the resources to challenge them in court, effectively becoming trapped in jobs with limited upward mobility.

The Employer’s Lament: Protecting the Crown Jewels

Companies are understandably nervous about the FTC’s ruling. Here’s why:

Trade Secrets at Risk: Businesses worry that departing employees, especially those privy to sensitive information, might jump ship to a competitor, potentially taking valuable trade secrets with them. This could give a rival an unfair advantage and stifle innovation.
Customer Loyalty on the Move: Companies also fear losing established customer relationships when key salespeople or account managers move on to a competitor. This could lead to a decline in customer retention and revenue.
Poaching Wars: A Race to the Bottom: Without non-compete clauses, some companies worry about fierce “poaching wars” erupting, where competitors aggressively recruit talent and drive up salaries for specific roles. While this might benefit a select few employees, it could negatively impact smaller companies with limited resources.

The Nuance: Not All Non-Compete Clauses Are Created Equal

It’s important to acknowledge that the FTC ruling has some limitations. Here are some potential grey areas:

Executive Contracts: The ruling may not apply to high-level executives whose contracts often contain stricter non-disclosure and non-compete clauses. These agreements might still be enforceable depending on specific terms.
State Variations: While the FTC ruling aims to be a blanket policy, some states might have stricter or more lenient regulations regarding non-compete clauses. Employers and employees should be aware of their state’s specific laws.
Industry Specificity: The FTC ruling might have a more significant impact on specific industries like tech, where knowledge transfer and trade secrets are particularly valuable. Other sectors may be less affected.

The Future of Work: A Brave New World?

The FTC’s ruling is a major turning point that could significantly reshape the American workforce. It’s too early to predict the full impact, but some potential scenarios include:

Rise of the Free Agent Economy: Highly skilled workers with in-demand expertise may become more like free agents, negotiating short-term contracts or project-based work with various companies.
Focus on Retention Strategies: Companies may shift their focus towards creating a more positive work environment that fosters loyalty and discourages employees from leaving. This could include better benefits, training opportunities, and a strong company culture.
Increased Use of Confidentiality Agreements: Non-compete clauses may be replaced by stricter confidentiality agreements to protect sensitive information, although their enforceability might vary.

The Fork in the Road: The Curveball that Redis Pitched

By Ramkumar Sundarakalatharan | April 4, 2024 | Comments 0 Comment

In a move announced on March 20th, 2024, Redis, the ubiquitous in-memory data store, sent shockwaves through the tech world with a significant shift in its licensing model. Previously boasting a permissive BSD license, Redis transitioned to a dual-license approach, combining the Redis Source Available License (RSAL) and the Server Side Public License (SSPL). This move, while strategic for Redis Labs, has created ripples of concern in the SAAS ecosystem and the open-source community at large.

The Split: From Open to Source-Available

At its core, the change restricts how users, particularly cloud providers offering managed Redis services, can leverage the software commercially. The SSPL, outlined in the March 24th press release, stipulates that any derivative work offering the “same functionality as Redis” as a service must also be open-sourced. This directly impacts companies like Amazon (ElastiCache) and DigitalOcean, forcing them to potentially alter their service models or acquire commercial licenses from Redis Labs.

A History of Licensing Shifts

This isn’t the first time Redis Labs has ruffled feathers with licensing changes. As a 2019 TechCrunch article [1] highlights, Redis Labs has a history of tweaking its open-source license, sparking similar controversies. Back then, the company argued that cloud providers were profiting from Redis without giving back to the open-source community. The new SSPL appears to be an extension of this philosophy, aiming to compel greater contribution from commercial users.

SAAS Providers in a Squeeze

For SAAS providers, the new licensing throws a wrench into established business models. Modifying core functionality to comply with the SSPL might not be feasible, and open-sourcing their entire platform could expose proprietary code. This could lead to increased costs for SAAS companies, potentially impacting end-user pricing.

Open Source Community Divided

The open-source world is also grappling with the implications. While the core Redis functionality remains open-source under RSAL, the philosophical shift towards a more restrictive model has some worried. The Linux Foundation even announced a fork, Valkey, as an alternative, backed by tech giants like Google and Oracle. This fragmentation could create confusion and slow down innovation within the open-source Redis ecosystem.

The Road Ahead: Uncertainty and Innovation

The long-term effects of Redis’s licensing change remain to be seen. It might pave the way for a new model for open-source software sustainability, where companies can balance community development with commercial viability. However, it also raises concerns about control and potential fragmentation within open-source projects.

In conclusion, Redis’s licensing shift presents a complex scenario. While it aims to secure Redis Labs’ financial future, it disrupts the SAAS landscape and creates uncertainty in the open-source world. Only time will tell if this is a necessary evolution or a roadblock to future innovation.

References & Further Reading:

Official Redis PR – https://redis.com/blog/redis-adopts-dual-source-available-licensing/
Microsoft Azure Explainer – https://azure.microsoft.com/en-us/blog/redis-license-update-what-you-need-to-know/
Redis Labs changes its open-source license — again! – TechCrunch – https://techcrunch.com/2019/02/21/redis-labs-changes-its-open-source-license-again/

Why Startups Need To Architect Cloud Agnostic Products

By Ramkumar Sundarakalatharan | November 26, 2023 | Comments 0 Comment

Nobody plans to leave AWS in the startup world, but as they say, “sh** happens.”

As engineers, when we write software, we’re taught to keep it elegant by never depending directly on external systems. We write wrappers for external resources, we encapsulate data and behaviour and standardise functions with libraries.

But, When it comes to the cloud… “eerie silence”

Companies have died because they needed to move off AWS or GCP but couldn’t do it in a reasonable and cost-effective timeline.

We (at Itilite) had a close call with GCP, which served as our brush with the fire. Google had arguably one of the best Distance Matrix capabilities out there. It was used in one of our core logic and ML models. And on one fine Monday afternoon, I have to set up a meeting with my CEO to communicate that we will have to spend ~250% more on our cloud service bill in about 60 days.

Actually, google increased the pricing by 1400% and gave 60 days to rewrite, migrate, move out or perish!

The closest competitor in terms of capability was DistanceMatrix and a reliable “Large” player was Bing. But, both left a lot for in the “Accuracy”. So, for us, the business decision was simple: make the entire product work in “Reduced Functionality” mode for all or start differential pricing for better accuracy! In either case, those APIs must be rewritten with a new adaptor.

It is not an enigma why we do this. It’s simple: there are no alternatives, there is no time to GTM, But maybe there is. I’ll explain why you should take cloud-agnostic architecture seriously and then show you what I do to keep my projects cloud-agnostic.

Cloud Service Rationalisation

The prime reason you should consider the ability to switch clouds and cloud services is so you can choose to use the cloud service that is price and performance-optimized for your use case.

When I first got into serverless, we wrote a transformative API on Oracle Cloud (Bcoz we were part of their Accelerator Program and had a huge credit.) but it fed part of the data that the customer-facing API relied on.

No prize for guessing what happened?

It was a horrible mistake. Our API had an insane latency problem. Cold start requests added additional latency of at least 2 seconds per request. The AWS team has worked hard to build a service that can do things that GCP’s Cloud Functions simply can’t, specifically around cold starts and latency.

I had to move my infrastructure to a different service and a revised network topology.

Guess we would have learned the problem by now, but as we will find out, we did not.

This time it was a combination of Kafka and the AWS Lambda that created an issue. We had relied on Confluent’s connectors for much of the workload interfaces and had to shell out almost $1000 per month per connector!

Avoiding the Cloud Provider Killswitch

Protect Your Business from Unexpected Termination

As a CXO, you may not be aware that cloud providers like AWS, GCP, and Azure reserve the right to terminate your account and destroy your infrastructure at any time, effectively shutting down your business operations. While this may seem like an extreme measure, it’s important to understand that cloud providers have strict terms of service that can lead to account termination for a variety of reasons, even if you’re not engaged in illegal or harmful activities.

A Chilling Example

I recently spoke with a friend who is the founder of a fintech platform. He shared a chilling incident that highlights the risks of relying on cloud providers. His team was using GCP’s Cloud Run, a container service, to host their API. They had a unique use case that required them to call back to their own API to trigger additional work and keep the service active. Unfortunately, GCP monitors this type of behaviour and flags it as potential crypto-mining activity.

On an ordinary Sunday, their infrastructure vanished, and their account was locked. It took them six days of nonstop effort to migrate to AWS.

Protect Your Business

This incident serves as a stark reminder that any business operating on cloud infrastructure is vulnerable to unexpected termination. While you may not be intentionally engaging in activities that violate cloud provider terms of service, it’s crucial to build your infrastructure with the possibility of termination in mind.

Here are some key steps you can take to protect your business from the cloud provider killswitch:

Read and understand the terms of service for each cloud provider you use.
Choose a cloud provider that aligns with your industry and business model.
Avoid relying on a single cloud provider.
Have a backup plan in place.
Regularly review your cloud usage and ensure compliance with cloud provider terms of service.

By taking these proactive measures, you can significantly reduce the risk of your business being disrupted by cloud provider termination and ensure the continuity of your operations.

Unleash the Power of Free Cloud Credits

For early-stage startups operating on a shoestring budget, free cloud credits can be a lifeline, shielding your runway from the scorching heat of cloud infrastructure costs. Acquiring these credits is a breeze, but the way most startups build their infrastructure – akin to an unbreakable blood oath with their cloud provider – restricts them to the credits granted by that single provider.

Why limit yourself to the generosity of one cloud provider when you could seamlessly switch between them to optimize your resource allocation? Imagine the possibilities:

AWS to GCP: Upon depleting your AWS credits, you could effortlessly migrate your infrastructure to GCP, taking advantage of their generous $200,000 credit offer.
Y Combinator: As a Y Combinator startup, you’re entitled to a staggering $150,000 in AWS credits and a mind-boggling $200,000 on GCP.
AI-Powered Startups: If you’re developing AI solutions, Azure welcomes you with open arms, offering $300,000 in free credits to fuel your AI models on their cloud.

By embracing cloud-agnostic architecture, you unlock the freedom to switch between cloud providers, potentially saving you a significant $200,000 upfront. Why constrain yourself to a single cloud provider when cloud-agnosticism empowers you to navigate the cloud landscape with flexibility and cost-efficiency?

Building Resilience: The Importance of Cloud Redundancy

In the ever-evolving world of technology, no system is immune to failure. Even industry giants like Silicon Valley Bank can outright disappear over a weekend or AWS’ main Datacenter can go offline due to a power fluctuation, highlighting the importance of proactively safeguarding your business operations.

Imagine the potential financial impact of a 12-hour outage on AWS for your company. The costs could be staggering, not only in lost revenue but also in reputational damage and customer dissatisfaction or even potential churn.

This is where cloud redundancy comes into play. By running parallel segments of your platform on multiple cloud providers, such as AWS and GCP, you’re essentially creating a fail-safe mechanism.

In the event of an outage on one cloud platform, the other can seamlessly pick up the slack, ensuring uninterrupted service for your customers and minimizing the impact on your business. Cloud redundancy is not just about disaster preparedness; it’s also about optimizing performance and scalability. By distributing your workload across multiple cloud providers, you can tap into the unique strengths and resources of each platform, maximizing efficiency and responsiveness.

In our case, we run the OCR packages, SAML, and Accounts service on Azure, our core “Recommendation engine” and “Booking Engine” on AWS. Yes, having a multi-cloud will involve initial costs that might be prohibitive, but in the long run, the benefits will far outweigh the costs.

Cloud Cost Negotiation: A Matter of Leverage

In the realm of business negotiations, the ultimate power lies in the ability to walk away. If the other party senses your lack of alternatives, they gain a significant advantage, effectively holding you hostage. Cloud cost negotiations are no exception.

Imagine you’ve built a substantial $10 million infrastructure on AWS, heavily reliant on their proprietary APIs like S3, Cognito, and SQS. In such a scenario, walking away from AWS becomes an unrealistic option. You’re essentially at their mercy, accepting whatever cloud costs they dictate.

While negotiating cloud costs may seem insignificant to a small company, for an organization with $10 million of AWS infrastructure, even a 3% discount translates into substantial savings.

To gain leverage in cloud cost negotiations, you need to establish a credible threat of walking away. This requires careful planning and strategic implementation of cloud-agnostic architecture, enabling you to seamlessly switch between cloud providers without disrupting your operations.

Cloud Agnosticism: Your Negotiating Edge

Cloud-agnostic architecture empowers you to:

Diversify your infrastructure: Run your applications on multiple cloud platforms, reducing reliance on a single provider.
Reduce switching costs: Design your infrastructure to minimize the effort and cost of migrating to a new cloud provider.
Strengthen your negotiating position: Demonstrate to cloud providers that you have alternative options, giving you more bargaining power.

By embracing cloud-agnosticism, you transform from a captive customer to a savvy negotiator, capable of securing favorable cloud cost terms.

Unforeseen Challenges: The Importance of Cloud Agnosticism

In the dynamic world of business, unforeseen challenges (and opportunities) can arise at any moment. We often operate with limited visibility, unable to predict every possible scenario that could impact our success. Here’s an actual scenario that highlights the importance of cloud-agnostic architecture:

Acquisition Deal Goes Through

This happened with One of my previous organisations, we tirelessly built this company from the ground up. Our hard work and dedication paid off when a large SaaS Unicorn approached us with an acquisition proposal.

However, during the due diligence, a critical issue emerged: Our company’s infrastructure was entirely reliant on AWS. The Acquiring company had a multi-year multi-million dollar deal with Azure and the M&A team made it clear that unless our platform can operate on Azure, the deal is off the table!

Our team faced the daunting task of migrating the entire infrastructure to Azure within a limited timeframe and budget. Unfortunately, the complexities of the migration proved time-consuming and the merger took 5 months to complete and the offer was reduced by $2 million!

The Power of Cloud Agnosticism

This story serves as a stark reminder of the risks associated with a single-cloud strategy. Had our company embraced cloud-agnostic architecture, we would have possessed the flexibility to seamlessly switch between cloud providers, potentially leading to a bigger exit for all of us!

Cloud-agnostic architecture offers several benefits:

Reduced Vendor Lock-in: Avoids dependence on a single cloud provider, empowering you to switch to more favourable options based on your needs.
Improved Negotiation Power: Gains leverage in cloud cost negotiations by demonstrating the ability to switch providers.
Increased Resilience: Protects your business from disruptions caused by cloud provider outages or policy changes.
Enhanced Scalability: Enables seamless expansion of your infrastructure across multiple cloud platforms as your business grows.

Embrace Cloud Agnosticism for Business Continuity

In today’s ever-changing technological landscape, cloud-agnostic architecture is not just a benefit; it’s a necessity for businesses seeking long-term success and resilience. By adopting a cloud-agnostic approach, you empower your company to navigate the complexities of the cloud landscape with agility, adaptability, and cost-efficiency, ensuring that unforeseen challenges don’t derail your journey.

My Solution

Here’s what I do about it, now after the lessons learnt. I use Multy. Multy is an open-source tool that simplifies cloud infrastructure management by providing a cloud-agnostic API. This means that developers can define their infrastructure configurations once and deploy them to any cloud provider without having to worry about the specific syntax or nuances of each cloud platform. While Multy provides an abstraction layer for deploying cross-cloud environments, you will also need to incorporate cloud-environment agnostic libraries to really make a difference.

References & Further Reading:

No McKinsey, You got it all wrong about developer productivity!

By Ramkumar Sundarakalatharan | September 23, 2023 | Comments 0 Comment

Disclaimer: I have been an enormous proponent of Developer Productivity and have tried to implement automated metrics collection in 3 orgs with varied success. In my Mentoring sessions with early-stage startup leaders as well, I (re)enforce the importance of being aware of Dev Productivity. So much so, that I have written a 2-part article on the same here, here and here. I have also been a huge fan of McKinsey and how they seem to get answers which eluded the attention and resources of mega-corporations or governments alike. However, this article is written to communicate an entirely different perspective. In my opinion, McKinsey has got this entire “framework” thing about “dev productivity” wrong.

Introduction:

About a month back, McKinsey published an article claiming that they have developed a framework to measure productivity. They also acknowledged the fact that they were simply rehashing some of the existing metrics (like DORA and SPACE), which were used by Engineering Leaders and have simplified it (without the context) and are pitching it to their traditional buyers, the C-Suite executives in Mega corporations. Actually, some of these metrics can be useful tools if used correctly -One example is Hand-offs. But, the main reason I have chosen to write this article is their central focus seems to be “Coders should code”. It also appears to have A) missed the context of every metric, OR B) Omitted the context so as not to burden their target audience.

Finally, there is a mix-max of things to track, metrics to monitor and Opportunities to Focus, which looks like

Captain Ramius Pointing to a young Jack Ryan that Admiral Halsey was reckless!

Captain Ramius Pointing to a young Jack Ryan that Admiral Halsey was Stupid!

The Legendary Kent Beck has written a deep 2-part piece on countering the conjectures presented by McKinsey and elaborating on the gaps that engineering orgs are traditionally bound to manifest. It is very well written and covers almost everything. There are also a bunch of other eminent Software Engineers who have written on this and I have tried to give a quick lot at the bottom of this article.

What Was I concerned about?

Focus On Activities

I was primarily concerned about the lack of focus on Outcomes and Impact and a focus on the “Activities” in the proposed framework!

Any engineering leader or manager will tell you that Code Review Velocity and Deployment Frequency have nothing to do with measuring outcomes. While I will not discount Cycle Time or MTTR (I take pride in building multiple teams with one of the lowest MTTR and Cycle times in the ecosystem). They are indicators of some process elements/activities that could lead to outcomes. If we want to measure something, it should be Outcomes, not activities!

Focus on Optimisation of Irrelevant Metrics

Code Review Velocity:

If you want to time-motion the code review process in the entire stream map, you’ll find that async code review is killing your productivity. Pairing improves that dramatically. Instead of trying to sub-optimize for code review, measure the thing we actually want to improve. Which will be “Cycel Time”.

Story Points Completed:

Let’s agree on a basic fact. A “story point” is a made-up number. It was conceived as yet another way to obfuscate estimates for thought work that is difficult to estimate. As originally conceived, it represented the number of mythical “ideal days” of effort. There’s so much time wasted on getting better at “story pointing,” arguing about the Fibonacci sequence, “planning poker,” and other story point nonsense. Frankly, it is one of the “Bad” elements of Scrum! As a leader, you should find and remove handoffs and wait times. Story points are useless for anything and even more useless for this goal. Track throughput instead.

Handoffs:

This is a good one. Good job, McKinsey. You got something right. Stop using testing teams, use pairing instead of code review, operate what you build, and don’t have any people doing anything manual to the right of development.

Contribution Analysis and Opportunities focus

In the other focus areas, they have listed metrics at the individual level that can be useful unless you measure “developer satisfaction,” “retention,” and “interruptions” at the individual level. These should only be measured in aggregates to prevent any cognitive bias. IMO, Things start getting really toxic in the “Opportunities focus” section, though.

I have been part of organisations and processes where there was a focus on tracking and measuring the outcomes of individuals. It did not play out well, ever. My Conclusion after reading the article for the second time is that McKinsey thinks their intended audience (CEOs and CFOs) cannot understand “systems thinking.” Now, If you roll out this or a similar framework and announce this and what do you think will happen?

You have a group of people all working on the same backlog but not acting as a team. Code review suffers, mentoring sufferers, pairing is hard, work breakdown suffers, etc. Anything that requires more than one person to conduct/conclude, including helping someone get unstuck, will get deprioritised!

Overall, The inferences seem to be based on hard facts, but the conjectures are all flawed.

Why This Now?

At this point, I want to highlight what “Triggered” me to write this, read the following.,

For example, one company found that its most talented developers were spending excessive time on noncoding activities such as design sessions or managing interdependencies across teams. In response, the company changed its operating model and clarified roles and responsibilities to enable those highest-value developers to do what they do best: code.
McKinsey’s Article on the purported Framework

Wow. I pray for that company.

So, I believe after McKinsey pointed to the fact, that developers are involved in irrelevant things like design, architecture etc. They created separate towers of responsibility for design. In that case, I am puzzled about who will be responsible for the minor things like dependency management, prerequisites, versioning, capacity planning, concurrency, scalability etc.

Did they get anything Right?

Yes. There are tonnes, but they are buried at the bottom. Their focus on Hand-offs and cycle times are really worth tracking in any engineering org. To the authors’ credit, they have also identified some of the core issues with measuring Developer Productivity. But, someone higher in the firm seem to have suggested to soften the blow. So, they have diluted and buried those sections. I will share 2 gems here.

To truly benefit from measuring productivity, leaders and developers alike need to move past the outdated notion that leaders “cannot” understand the intricacies of software engineering, or that engineering is too complex to measure.

The real problem is that in many large organisations, “The Management” doesn’t understand the work they manage. Management can understand the intricacies of software engineering if they become leaders and study the work they manage. In a large behemoth, not all managers are leaders. They want a framework and will enforce it with an iron fist. Now, McKinsey has delivered them a framework!

Learn the basics. All C-suite leaders who are not engineers or who have been in management for a long time will need a primer on the software development process and how it is evolving.

This one Nailed it! The primary reason “Management” finds it difficult to measure the right thing is because they sometimes do not understand the work they want to measure. Leaders who understand do measure the right things. My primary concern with this framework is, in trying to solve this, McKinsey has made the problem worse!

Just google “McKinsey developer productivity” and you’ll find more articles on how this framework is flawed than the original article link!

Anto’s Response to the Article and the purported Framework.

References & Further Reading/Watching:

1, Mc.Kinsey Article – https://www.mckinsey.com/industries/technology-media-and-telecommunications/our-insights/yes-you-can-measure-software-developer-productivity
2, Kent Beck’s rebuttal – https://newsletter.pragmaticengineer.com/p/measuring-developer-productivity
3, Redidit – https://www.reddit.com/r/programming/comments/1650595/measuring_developer_productivity_a_response_to/
4, Level Up Coding – https://levelup.gitconnected.com/the-developers-productivity-can-t-be-measured-in-mckinsey-s-way-an-analysis-4d81924279ae
5, Measuring Developers Productivity… McKinsey what’s the point? – https://www.youtube.com/watch?v=wjQn8nnkXTs
6, Can We Measure Developer Productivity? A Reaction to McKinsey’s Article – https://www.youtube.com/watch?v=ETa24ErdcwQ
7, HOW TO MEASURE ENGINEERING PRODUCTIVITY? – https://nocturnalknight.co/2022/11/how-to-measure-engineering-productivity/
8, Business Value delivery by Engineering Teams in StartUps – Part 1 – https://nocturnalknight.co/2021/10/business-value-delivery-by-engineering-teams-in-startups-part-1/#comment-773
9, Business Value Delivery by Engineering Teams in StartUps – Part 2 – https://nocturnalknight.co/2021/10/business-value-delivery-by-engineering-teams-in-startups-part-2/
10, Space Metrics – https://www.harness.io/blog/space-metrics-get-started
11, DORA Metrics – https://www.leanix.net/en/wiki/vsm/dora-metrics
12, Dave Farley’s Response To The NONSENSE McKinsey Article On Developer Productivity – https://www.youtube.com/watch?v=yuUBZ1pByzM

Introduction: Dependency Dangers in the Developer Ecosystem

Faster Development, Shorter Diligence: A Security Conundrum

Malicious Package Techniques: A Deeper Dive

Timeline of Incidents: Malicious Packages in the Spotlight

The Impact: Scope of Compromise

Real-world Impact: Consequences of Malicious Packages

Fabrice: A Case Study in Typosquatting

Lessons Learned: Importance of Proactive Security Measures

Prevention Strategies: Staying Safe from Malicious Packages

Software Security: Embedding Security in the Development Lifecycle

Key Components of SSDLC

Deep Dive into Technical Details

Best Practices for Secure Dependency Management

Conclusion

References & Further Reading

Five Eyes intelligence chiefs warn of ‘sharp rise’ in commercial espionage

The Growing Threat Landscape

Why Is Secure by Design So Difficult for Startups?

How Startups Can Achieve Secure by Design Architectures

Conclusion

Introduction

Background

What Went Wrong and How the Vulnerability Manifested

Learning from Similar Failures in the Fintech Industry

Key Statistics in the Fintech Compliance Landscape

Recommendations for Strengthening Compliance and Security Controls

Conclusion

Further Reading and References

Top Universities Driving Global Startups Through Venture Capital: A Data-Backed Overview

The Global Leaders: U.S. Universities Dominate the Startup Landscape

Europe: A Growing Hub for Innovation

Asia: A Rising Force in the Startup World

Startups in India: The IIT Ecosystem

Israel: A Thriving Startup Nation

South Africa: Emerging in FinTech and E-commerce

South America: A Rising Contender in E-commerce and FinTech

Why Are These Regions Underrepresented in the Data?

Conclusion

References:

Further Reading:

The Rise and Fall of Inflection

Why Pi Failed

AI Funding and Startup Failures

The Future of AI Investment

Conclusion

1. Introducing the Amazing People from Palantir

Key Figures and Their Ventures

2. Engineers Make Better Founders in the Tech Industry

3. Market Penetration and Success of Palantir Alumni

4. Engineers vs. Consultants: A Compelling Argument

Conclusion

References & Further Reading:

Champions of the Free Agent: A Rising Tide Lifts All Boats

The Employer’s Lament: Protecting the Crown Jewels

The Nuance: Not All Non-Compete Clauses Are Created Equal

The Future of Work: A Brave New World?

The Split: From Open to Source-Available

A History of Licensing Shifts

SAAS Providers in a Squeeze

Open Source Community Divided

The Road Ahead: Uncertainty and Innovation

References & Further Reading:

Cloud Service Rationalisation

Avoiding the Cloud Provider Killswitch

Protect Your Business from Unexpected Termination

Unleash the Power of Free Cloud Credits

Building Resilience: The Importance of Cloud Redundancy

Cloud Cost Negotiation: A Matter of Leverage

Unforeseen Challenges: The Importance of Cloud Agnosticism

My Solution

References & Further Reading:

Introduction:

What Was I concerned about?

Focus On Activities

Focus on Optimisation of Irrelevant Metrics

Code Review Velocity:

Story Points Completed:

Handoffs:

Contribution Analysis and Opportunities focus

Why This Now?