02 Mar Why We See Big Opportunity for Founders Building Developer-…
Cybersecurity remains a huge pain point for many organizations: Last year, a study by incumbent security provider Palo Alto Networks found security teams at large enterprises use more than 130 separate security solutions, on average. At this year’s just-concluded RSA security conference in San Francisco, more than 700 security vendors and exhibitors jostled for mindshare. Some of these companies supply new technology to automatically, instead of manually, address the growing number of security problems generated by the new cloud-native environments inside many enterprises, in which teams leverage new DevOps practices and deploy microservices in public- and hybrid-cloud environments.
We believe the current enterprise-security model is unsustainable given this move to cloud-native practices. With more than 40 million developers on GitHub alone, and billions being spent on developer-led, digital transformation efforts in companies across industries, it’s clear that more and more security concerns will need to be addressed by developers earlier in the software-development cycle. Indeed, many new startups are now emerging to help developers and their organizations, and not just high-level, company-security executives, focus on security in a more pro-active way.
We discussed in our 2019 OpenCloud report that the shift to the cloud is increasing the “attack surface” for bad actors—creating new security vulnerabilities for organizations but also new opportunities for startups seeking to help them fight back. More broadly, the cloud is changing the philosophy of how enterprises approach security by getting developers to think about security earlier, integrating security solutions deeper into their workflows and codifying security as code to keep development moving quickly.
How did we get here?
Historically, chief information security officers (CISOs) were in charge of the security-software purchasing decisions inside enterprises. They oversaw centralized Security Operations Centers (SOCs), which used security software to manually detect and remediate threats and vulnerabilities throughout the organization (think detecting malware on a network, firewall breaches, modification of access permissions, etc.). In a world where infrastructure environments were static and the software-development process took months, this structure was manageable.
But as the cloud took off, infrastructure became dynamic: Open-source software and reusable software modules became foundational building blocks, and development times compressed to days or weeks. Today, the SOC is left to handle only the highest-risk threats and vulnerabilities that need deep security forensic expertise. The remainder of the incidents are automatically routed to developers and DevOps teams that have the context to remediate the issues. This has created an opportunity for new companies to provide new, more-targeted tools for these developers and DevOps teams to address security issues.
Early companies in the sector
The first wave of companies in this area focused on securing and scanning applications during the development process, primarily because these applications were revenue generating and required high availability and security. These companies included Contrast Security* and incumbents such as Veracode and Fortify. Enterprises also are starting to proactively educate developers about security best practices by delivering personalized programs and communications to help them integrate security into their workflows. Companies like Secure Code Warrior have developed educational platforms for this. While such tools were mandated by CISOs, they were built for developers and not security analysts. This required deep collaboration between the CISO and chief technology officer (“CTO”) of an organization.
Today, other companies are providing tools that allow developers and DevOps teams to adopt security solutions organically and embed them even deeper into their workflows. JFrog*, which started as an artifact repository and now offers continuous security for containers and software artifacts, boasts a community of three million developers. Snyk, which provides code-scanning security for open-source libraries and containers, has 400,000 developers on its platform and raised funding earlier this year that valued the company at more than $1 billion.
In addition, as DevOps teams shorten time-to-production using “infrastructure as code” (IaC) templates, the codification of security practices—or “security as code” (SaC)—has become part of their workflow as well. Companies such as Styra and HashiCorp Sentinel are codifying incident remediation into policy frameworks, while others, such as Bridgecrew, are automating it all together in both build-time and run-time environments.
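To make the “security as code” idea concrete, here is an added example (not code from the post, nor from Styra, HashiCorp Sentinel or Bridgecrew) of a build-time policy gate: a handful of rules expressed as plain functions run over an infrastructure-as-code resource list, producing findings and a pass/fail verdict that a CI pipeline could act on. The resource dictionaries, rule identifiers (SG-001, S3-001, S3-002) and severities are constructed for the example and stand in for a real Terraform plan and a real policy engine's schema.

```python
"""Minimal "security as code" gate over an IaC-style resource list.

Added example, not code from the post or from Styra, HashiCorp Sentinel
or Bridgecrew. The resource dicts are a constructed, simplified stand-in
for a Terraform plan; real policy engines consume the provider's schema.
"""
import ipaddress
from typing import Callable, Dict, List

Resource = Dict
Finding = Dict

# Constructed sample resources, shaped loosely like Terraform resources.
SAMPLE_RESOURCES: List[Resource] = [
    {"type": "aws_security_group", "name": "web",
     "ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]},
    {"type": "aws_security_group", "name": "bastion",
     "ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]},
    {"type": "aws_s3_bucket", "name": "logs",
     "acl": "private", "server_side_encryption": True},
    {"type": "aws_s3_bucket", "name": "public-assets",
     "acl": "public-read", "server_side_encryption": False},
]

ADMIN_PORTS = {22, 3389}          # SSH and RDP
BLOCKING_SEVERITIES = {"high"}    # findings at these levels fail the build


def _is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. ingress from any source."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_sg_admin_ports(res: Resource) -> List[Finding]:
    """SG-001 (hypothetical id): no SSH/RDP ingress from the whole internet."""
    if res["type"] != "aws_security_group":
        return []
    out = []
    for rule in res.get("ingress", []):
        exposes_admin = any(rule["from_port"] <= p <= rule["to_port"] for p in ADMIN_PORTS)
        from_anywhere = any(_is_world_open(c) for c in rule.get("cidr_blocks", []))
        if exposes_admin and from_anywhere:
            out.append({"rule": "SG-001", "severity": "high", "resource": res["name"],
                        "message": f"admin port open to {rule['cidr_blocks']}"})
    return out


def rule_s3_not_public(res: Resource) -> List[Finding]:
    """S3-001 (hypothetical id): bucket ACL must not grant public access."""
    if res["type"] == "aws_s3_bucket" and res.get("acl", "private").startswith("public"):
        return [{"rule": "S3-001", "severity": "high", "resource": res["name"],
                 "message": f"acl is {res['acl']}"}]
    return []


def rule_s3_encrypted(res: Resource) -> List[Finding]:
    """S3-002 (hypothetical id): bucket must have server-side encryption on."""
    if res["type"] == "aws_s3_bucket" and not res.get("server_side_encryption", False):
        return [{"rule": "S3-002", "severity": "medium", "resource": res["name"],
                 "message": "server-side encryption disabled"}]
    return []


# The policy set is just a list of functions; adding a rule is adding a function.
RULES: List[Callable[[Resource], List[Finding]]] = [
    rule_sg_admin_ports, rule_s3_not_public, rule_s3_encrypted]


def evaluate(resources: List[Resource]) -> List[Finding]:
    """Run every rule over every resource and collect all findings."""
    return [f for res in resources for rule in RULES for f in rule(res)]


def build_passes(resources: List[Resource]) -> bool:
    """The CI gate: fail the build only on blocking severities."""
    return not any(f["severity"] in BLOCKING_SEVERITIES for f in evaluate(resources))


if __name__ == "__main__":
    for f in evaluate(SAMPLE_RESOURCES):
        print(f"[{f['severity']}] {f['rule']} {f['resource']}: {f['message']}")
    print("build passes:", build_passes(SAMPLE_RESOURCES))
```

The point of keeping rules as ordinary functions with a shared finding shape is that the policy lives in version control next to the templates it governs, is reviewed like any other code change, and the same `evaluate` can be wired into a pre-commit hook, a CI job, or a periodic run against deployed state.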
Outside of enterprises and dev teams, cloud providers, historically focused on attracting developers, are also starting to embed security into their offerings and take security seriously. GitHub (acquired by Microsoft in 2018 for $7.5 billion) acquired Semmle and Dependabot to improve code quality and check dependency files for outdated requirements. Palo Alto Networks has spent more than $1 billion in the last 24 months on cloud-native security solutions such as Evident.io, RedLock, Twistlock, Demisto, and others. In addition, in 2019 cloud giant Amazon Web Services held its first conference dedicated to cloud security: AWS re:Inforce.
Learnings and considerations for founders
At Battery, we have spent the last several years examining the transformation of security and its move to the developer level. We see a few key considerations to keep in mind if you’re a founder building a security-focused company for developers.
The market is still early: We are only in the early innings of this industry transformation. Large enterprises still rely on many old-school security tactics, such as employing SOC analysts and bringing on managed-security service providers. While more responsibilities are continuing to shift down to the developer level, this isn’t happening overnight. Therefore, it is critical that as a developer-centric security startup, you are trusted by the buyer. The stakes are much higher when a third-party solution is…