We’re proud to announce our latest open-source project: 

. Supercronic is a cron implementation designed with containers in mind.

We’ve helped hundreds of Enclave customers roll out scheduled tasks in containerized environments. Along the way, we identified a number of recurring issues using traditional cron implementations such as Vixie cron or dcron in containers:

To be fair, there are very good architectural and security reasons traditional cron implementations behave the way they do. The only problem is: they’re not applicable to containerized environments.

Now, all these problems can be worked around, and historically, that is what we’ve suggested:

But wouldn’t it better if workarounds simply weren’t necessary? We certainly think so!

 is a cron implementation designed for the container age.

Unlike traditional cron implementations, it leaves your environment variables alone, and logs everything to stdout / stderr. It’ll also warn you when your jobs fail or take too long to run.

Perhaps just as importantly, Supercronic is designed with compatibility in mind. If you’re currently using “cron + workarounds” in a container, Supercronic should be a drop-in replacement:

$ cat ./my-crontab */5 * * * * * * echo "hello from Supercronic" $ ./supercronic ./my-crontab INFO[2017-07-10T19:40:44+02:00] read crontab: ./my-crontab INFO[2017-07-10T19:40:50+02:00] starting iteration=0 job.command="echo "hello from Supercronic"" job.position=0 job.schedule="*/5 * * * * * *" INFO[2017-07-10T19:40:50+02:00] hello from Supercronic channel=stdout iteration=0 job.command="echo "hello from Supercronic"" job.position=0 job.schedule="*/5 * * * * * *" INFO[2017-07-10T19:40:50+02:00] job succeeded iteration=0 job.command="echo "hello from Supercronic"" job.position=0 job.schedule="*/5 * * * * * *" INFO[2017-07-10T19:40:55+02:00] starting iteration=1 job.command="echo "hello from Supercronic"" job.position=0 job.schedule="*/5 * * * * * *" INFO[2017-07-10T19:40:55+02:00] hello from Supercronic channel=stdout iteration=1 job.command="echo "hello from Supercronic"" job.position=0 job.schedule="*/5 * * * * * *" INFO[2017-07-10T19:40:55+02:00] job succeeded iteration=1 job.command="echo "hello from Supercronic"" job.position=0 job.schedule="*/5 * * * * * *"

If you’re an Enclave customer, we’ve 

 with instructions to use Supercronic. If you’re not using Enclave, then 

 for installation and usage instructions.

We’re proud to announce our latest open-source project: Supercronic. Supercronic is a cron implementation designed with containers in mind.

Introducing Supercronic - Cron for containers

In a world where application dependency graphs are deeper than ever, secure engineering means more than securing your own software: tracking vulnerabilities in your dependencies is just as important.

We’ve greatly simplified this process for Enclave users with a recent feature release: Docker Image Security Scans. This is a good opportunity to take a step back, review motivations and strategies for vulnerability management, and explain how this new feature fits in.

Popular dependencies are very juicy targets for malicious actors: a single vulnerability in a project like Rails can potentially affect thousands of apps, so attackers are likely to invest their resources in uncovering and automatically exploiting those.

One infamous (albeit old) example of this is 

: an unauthenticated remote-code-execution (RCE) vulnerability in Rails that’s trivial to automatically scan for and exploit. Among others, 

As an attacker, a vulnerability like CVE-2013-0156 is a gold mine. The exploit can be delivered via a simple HTTP request, so all an an attacker needed to do to compromise vulnerable Rails applications was send that request to as many public web servers as they could find (finding all of them is 

In other words: when it comes to vulnerabilities in third-party code, you’re actively being targeted right now, even if no one has ever heard of you or your business.

Strategies for Dependency Vulnerability Management

Now that we’ve established that vulnerability management matters, the question that remains is: what can you do?

Modern apps depend on a number of dependencies that come from diverse sources ranging from OS packages to vendored dependencies. Fundamentally, there’s no one-size-fits-all approach to track of vulnerabilities that affect them.

So let’s divide and conquer: from a vulnerability management perspective, there’s a useful dichotomy between two categories of third-party software.

The easiest dependencies to look after are those that you installed via a package manager, so let’s start with them.

Using a package manager? Leverage vulnerability databases

Package managers helpfully maintain a list of the packages you installed, which means you can easily compare the software you installed against a vulnerability database, and get a list of packages you need to update and unfixed vulnerabilities you need to mitigate.

Ideally, you want to automate this process in order to be notified about new vulnerabilities when they come out, as opposed to hearing about them when you remember to check. Indeed, remember that when it comes to vulnerable third party dependencies, you’re actively being targeted right now, so speed is of the essence.

There’s a number of open-source projects and commercial products you can use for this type of analysis. A few popular options are Appcanary (which Aptible uses and integrates with), Gemnasium, and Snyk.

That simple!? Almost: you’re probably using multiple package managers in your app, which means you may have to mix and match analyzers to cover everything. Indeed, for most modern apps, you’ll have at least two package managers:

So, what you need to do here is locate the list of installed packages for each of those, and submit it to a compatible vulnerability analyzer.

New Enclave Feature: Docker Image Security Scans

Now’s the right time to tell you about this new Enclave feature I mentioned earlier in this post.

When you deploy your app on Enclave, we have access to its system image. Last week, we shipped a new feature that lets us extract the list of system packages installed in your app, and submit it to 

To summarize: Enclave with Appcanary can now handle vulnerability monitoring for your system packages, and it’s really easy for you to set up!

However, for app-level packages, you still have to do a little bit of legwork to find and integrate a vulnerability monitoring tool that works with your app. Note that Appcanary does support scanning Ruby and PHP dependencies, so you might be able to use them for app-level scanning too.

Not quite: we still have to look at third-party code you didn’t install via a package manager. Here are a few examples: software you compiled from source, binaries you downloaded directly from a vendor or project website, and even vendored dependencies.

For these, there is — unfortunately! — no silver bullet. Here’s what we recommend:

This time, that about wraps it up! Or does it? Engineering is turtles all the way down, so even if you covered all your bases in terms of software you installed, there’s still the underlying platform to account for.

That being said, unless you’re hosted on bare metal on your own hardware, this is largely out of your control. At this point, your best strategy is to choose a deployment platform you can trust (if you read this far, hopefully you’ll consider Enclave to be one).

Vulnerability Scanning for your Dependencies: Why and How 

Over the last quarter, we released a number of new features and updates for the Enclave deployment platform. We also began helping customers deployed on AWS to manage their organization’s security and compliance using Gridiron.

Yesterday, on a brief webinar, our team reviewed the updates to the Enclave platform and showed how Gridiron helps software developers build and maintain strong security management programs.

In case you missed it, you can download the slide deck and get the transcript in 

, or watch the full event below. We also provide a quick recap in this blog post.

We intend for Enclave to be the best platform for developers to deploy regulated and sensitive software products. This quarter, we focused on improving Enclave in three ways: security and compliance, database self-service, and general usability improvements.

We launched new ways to secure apps and meet compliance goals while improving the security of Enclave itself.

We’ve previously detailed these improvements on our blog. Here’s the list:

Self-serve database scaling is coming soon. The 

, and we will launch self-service database scaling soon.

We launched a few small improvements that should make developers’ lives easier when deploying with Enclave:

Gridiron is our suite of tools that helps developers build and maintain strong security management programs. Gridiron makes the administrative side of protecting data easy and helps to prepare you for regulatory audits as well as customer security reviews.

In the webinar, we gave a short talk-through of how Gridiron approaches security management. This starts with the Gridiron Data Model: an API that integrates data from your business, our experience working with hundreds of customers in securing sensitive data, and industry-wide security standards provided through NIST Guidance, vulnerability and attack databases and shared intel.

Gridiron ingests data about your business through a series of straightforward and relevant questions that are easy to answer but have important implications for your internal security program.

Gridiron uses that data to create deliverables that help you show security and compliance as well as improve your business operations.

If you’d like to improve your organization’s security and compliance and simplify the process for working through customer security reviews and regulatory audits, please 

. For a limited time we’re offering early access pricing for customers who have deployed on AWS.

Register Now for July 2017 Aptible Product Update Webinar

Our next product update webinar will be hosted on July 25, 2017 at 11am Pacific / 2pm Eastern.

All registrants will receive a webinar recap and the recording shortly after the conclusion of the webinar.

Recap: Aptible April 2017 Quarterly Product Update

Some have suggested that Cloudflare might not be a HIPAA business associate because of an exception to the definition of business associate known as the “conduit” exception. Cloudflare is almost certainly not a conduit. HHS’s 

The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.

OCR hasn’t clarified what “temporary” means or whether a CDN would qualify, but again, almost certainly not, as data storage is a critical, non-incidental component of CDN functionality.

Again, activate your incident response plan and talk to your lawyer. HIPAA is just one of many data privacy regulations. Many states require companies to report breaches of personally identifiable information belonging to residents of that state.

What if I used Cloudflare for data aside from PHI or PII?

We encourage you to be safe and rotate all credentials that might have passed through Cloudflare from your app, such as session cookies, API keys, and user passwords.

We encourage you to rotate your passwords for any service that used Cloudflare between September 22, 2016, and February 18, 2017. Cloudflare has not released a list of services affected. You can find one security researcher’s list of Cloudflare DNS customers (which is likely overinclusive) 

Some have suggested that Cloudflare might not be a HIPAA business associate because of an exception to the definition of business associate known as the “conduit” exception. Cloudflare is almost certainly not a conduit.

Aptible was not affected by Cloudbleed

We’re proud to announce our role in the world’s first population health study focused on gay and transgender men and women.

Spearheaded by researchers at the University of California - San Francisco, the LGBTQ-focused study is called PRIDE. Researchers’ ultimate goal is to build the largest LGBTQ health database in history so that medical professionals have the proper tools to address the physical, mental and social issues exclusive to gender and sexual minorities. For example, 

 While scientists speculate this statistic means that more of these community members die from cancer and other smoking-related diseases, there is no official data to back these theories. Needing a way to gather loads of sensitive information quickly and efficiently, PRIDE leaders reached out to the tech world, and we of course responded with innovation.

The first contribution to the UCSF study was ThreadResearch’s iOS app, aptly named PRIDE. Employing the newly-released Apple ResearchKit, the app collects public health data using iPhones. Prompted to answer questions about their health history and concerns, LGBTQ participants will inform the longer-term PRIDE study, which kicks off in January of 2016.

To ensure this private information remains secure, we’re powering a streamlined HIPAA- and IRB-compliant platform behind the scenes of PRIDE.

Our CEO, Chas Ballew, says, “The UCSF PRIDE study is a great example of the changing face of health tech. Smart phones and cloud-based data collection are just now becoming viable solutions in the tightly regulated health-data world. We’re excited to be pioneers in this fast-growing technology.”

Confident that their private information is protected under our prudent watch, researchers and study participants alike can now move forward into realms of medical advances that have never before been explored. And hopefully the fresh strategies developed by physicians will make a dent if not eradicate issues that have long plagued this misunderstood field of medicine.

Aptible Powers PRIDE Study iOS App

Having just come through Y Combinator, we frequently get asked whether it was worth it. The answer is absolutely yes, no hesitation. While the experience is still fresh, I want to encourage you to 

You have a early-stage startup, or at least an idea for one. You know Y Combinator is fantastic: the network is legendary, the terms are fair, the other founders are incredible, and it provides an amazing lift for customer acquisition, fundraising, and recruiting.

The catch is that acceptance rates are brutal. Somewhere below 3% of applicants get an offer.

Should you skip this application cycle and apply later, when your company is more mature?

You should apply now, even if you don’t think you are ready.

The application process itself is valuable. Preparing the application requires you to think carefully about your idea, your company, your market, your team, and the obstacles in your way. Forcing yourself to reflect honestly is painful, but extremely beneficial. Seize the opportunity to do it now.

You have a better chance than you think. The traits YC looks for in companies and founders are well-known and addressable. By “well-known,” I mean go read PG and Sam’s essays. By “addressable,” I mean you can improve your chances with focused work and practice. If your company doesn’t have the ideal characteristics, you can acquire the important ones. If you have the right ingredients, you can learn to convey that clearly and concisely.

“Make something people want” is YC’s motto. It’s also what they look for in companies. It’s not always sufficient, but it is necessary. If you do it, the rest can fall into place. If you don’t do it, you’re toast. Or Clinkle.

Others have written about how to find something to make that people want. I won’t get into that here, but I will add that most of the YC application process reduces to proving you’ve made something people want.

How do you prove it? Having paying customers is convincing. Having a lot of users is also convincing.

Showing that people want something similar to what you made or that you could make something people want are not convincing.

Sign contracts, take preorders, get LOIs, fill a waitlist, collect emails from customers saying how they can’t wait to pay you. Stop reading this and go do whatever you can to prove people want what you make. Now!

Now, armed with proof that you make something people want, you are ready to apply.

Spend time thinking carefully about the questions. Don’t spend any time trying to 

The application questions are a subset of the questions you may be asked at an interview.

Writing your answers out will help you formulate concise, consistent responses.

To test our fluency, we did mock interviews with each other, with our startup/tech friends, and with YC alums.

Mock interviews are the best way to practice. You will be shocked and disappointed by how incompetent you sound at first. Don’t worry, you’ll improve dramatically with repetition.

As one of our investors puts it, “You’re going to be telling people what you do eight times a day for the rest of the company’s life. Get good at it.”

Below are the questions we used to prepare. I don’t remember where we found each one, so apologies to the original sources. I’ve grouped them into categories by how important I think they are. The groups are my own and do not reflect YC’s views.

Remember: One or two sentences each. If you prepare longer answers, you’ll be flustered when the YC partners cut you off to ask another question. James Cunningham and Colin Hayhurst (GoScale, S12) built a 

These are the most important questions. They are all different ways of determining if you make something people want. You need to have a good answer, or an excellent reason for not having an answer. Many of these are in the application itself.

These questions concern narrative, team, and tactics. They are important, but only if you make something people want first.

These are questions that have a correct answer.

If you get asked these in an interview, either you’re not doing well or you’re being tested. Try to preempt them with good answers to the more critical questions.

Have answers, but don’t stress about these questions.

Step 3 might be “Accept”, but if you interview, you should have already decided. You give up ~7% of the company for $120k in funding. YC will increase the value of your company by much more than 7%, without question. You will not get a better deal from fairer, more transparent partners anywhere.

You will only have about 100 days between getting accepted and Demo Day to make the most convincing case possible to investors. If you don’t get in, you have about 200 days to prove you can make something people want before you can apply again. Start now.

Good job on making it to the end! Feel free to ping me on 

 or with the contact link above if you have questions. After interview invitations go out, I’ll volunteer a limited number of mock interview spots on Twitter.

You can find the Hacker News discussion for this post 

Update - October 29, 2016: Formatting edits.

Having just come through Y Combinator, we frequently get asked whether it was worth it. The answer is absolutely yes, no hesitation. While the experience is still fresh, I want to encourage you to apply for the next cycle and give some advice for getting in.

How to Get Into Y Combinator

YES! Finally! The Aptible team and I are very happy to announce our public launch.

Frank and I started Aptible because we saw how difficult it was for technology companies to navigate the regulatory environment in healthcare. We believe that many of the most intractable problems in healthcare can be addressed with great technology, and we are working to empower smart, dedicated people to tackle them.

For the last few months, we have been working closely with a group of companies that represent the future of digital health. We are looking forward to telling you their stories in the coming weeks.

We are also excited to announce our relationships with three fantastic organizations:

Aptible is proud to be part of Y Combinator’s S14 batch. All of the partners have been amazing - YC is one of those rare organizations that is every bit as great on the inside as you hope it would be from the outside. Thanks especially to Justin, Garry, Kat, Jon, and Aaron for helping us prepare for this launch.

We are also part of the seventh Rock Health class. Rock Health is the premier advocate for digital health. Their entire team has been wonderful and made it a joy to come to the office every day. We are particularly grateful to Mollie, Halle, and Malay for their help so far.

Cooper is the top user experience design firm in the country. Through a partnership with Rock Health, they are helping us turn some incredibly complex regulatory and technical applications into beautiful, usable, intuitive tools that delight our customers. Lauren Ruiz and Doug LeMoine have been especially generous with their time, and we thank them!

Today is the beginning of something very special. With an incredible team and the support of our customers and partners, we are going to rapidly accelerate the adoption of technology in healthcare, and help a lot of people on the way. If you want to be part of this, 

Blog

Introducing Supercronic - Cron for containers

Vulnerability Scanning for your Dependencies: Why and How

Recap: Aptible April 2017 Quarterly Product Update

Aptible was not affected by Cloudbleed

Aptible Powers PRIDE Study iOS App

How to Get Into Y Combinator

Hello World

Focus on innovation.
Not Infrastructure.

Product

Resources

Support

Company

Blog

Introducing Supercronic - Cron for containers

Vulnerability Scanning for your Dependencies: Why and How

Recap: Aptible April 2017 Quarterly Product Update

Aptible was not affected by Cloudbleed

Aptible Powers PRIDE Study iOS App

How to Get Into Y Combinator

Hello World

Focus on innovation.Not Infrastructure.

Product

Resources

Support

Company

Focus on innovation.
Not Infrastructure.