Developers may be the new kingmakers, as Redmonk is fond of saying, but they’ve hitherto played an anemic role within security. Software engineers and architects are key influencers in platform, technology, and product decisions, in both small organizations and the biggest Fortune 500 companies—except, again, in the area of security. That may be about to change.
The apple doesn’t fall far from the tree
A new kind of security company, Sqreen, just announced the close of a $14 million Series A financing round led by Greylock Partners. Security, long the ugly stepchild of CIO spending, is finally getting its due, with 58% of IT executives indicating that their security spending growth is outpacing the rest of their IT spend, according to a Credit Suisse CIO survey. Across the industry, this has led to a swelling population of security startups, with Greylock on its own investing in security pioneers Imperva, Skyhigh Networks, Sourcefire, and others. But there is so much that’s different about this security startup—one that may break the mold.
First, the team’s security pedigree is top-notch. Co-founder and CEO Pierre Betouin was hired by Apple in 2006 to lead the company’s first so-called Red Team. That is the offensive security team that major technology vendors create to hack into all of the company’s products and services to find vulnerabilities before the bad actors do.
At Apple, Betouin uncovered thousands of vulnerabilities across dozens of products and codebases. Yes, he jailbroke the first iPhone, broke DRM hundreds of times, and made Apple products safer and more secure for Apple customers everywhere. Apple was laser-focused on security, but even within Apple’s approach a key ingredient was missing: Developers.
Adding security to development
What Pierre saw at Apple is that developers were not involved directly in security; indeed, security was seen as a roadblock to getting products and software to market faster. Why? Application security is broken. The existing solutions were outdated. Invented in the 1990s, the solutions hadn’t changed much and certainly had not evolved with the modern developer toolchain.
For decades traditional security solutions have been built for enterprises. These expensive and heavyweight approaches struggle to scale in a cloud-native world and leave many applications unprotected. Network application security tools like Web Application Firewalls (WAF) require constant expert manual configuration and are difficult to deploy in complex cloud architectures. Source code analysis slows down development processes, while application scanners catch only the most obvious problems.
Application security today is where the operations world was 15 years ago. It used to be that Ops was the bottleneck to software development and deployment, but today new tools and processes facilitate the rapid development and iteration of applications, enabling a new world of CI/CD where companies compete and differentiate around time to market for new features and products. Security, meanwhile, has replaced Ops as the bottleneck.
What if you let developers put security directly into a web application from day one and automated the protection process? That’s the insight Pierre and his team had. That’s taking a developer perspective on security, a perspective that thus far has netted Sqreen more than 500 global customers.
For small businesses, especially SaaS companies, Sqreen provides immediate application protection without requiring a security professional, while offering constant visibility into who or what is attacking from where with insight into what they want. For larger companies with security teams, who usually don’t have access to the underlying source code to patch, Sqreen makes it easy to retrieve information from within the application to quickly identify threats. One-click protection modules range from run-time application self-protection, account take-over, suspicious logins, or in-app WAF (updated and configured automatically).
Pierre and his team call their new approach, Application Security Management (ASM). It’s a similar concept for security as Application Performance Management (think New Relic, AppDynamics) is to app performance. ASM decentralizes app security from the network to the application level and adapts to the application stack in real-time. Companies can quickly prioritize security efforts without slowing development cycles.
In this way, Sqreen may be a harbinger of the rise of the developer within security. As Betouin has noted, “The future of security is visibility, delivered in a way that doesn’t slow down dev cycles. The future of security brings security teams and developers together. The future of security will be realized when there’s a security dashboard on every engineering team’s floor, and we won’t rest until that becomes a reality.”