Our Investment In Sqreen
Sqreen is security at the speed and scale of application development.
Every company is increasingly a software company, but every company — large and small — struggles to secure their software. The dominant industry narrative has been that the application security problem “can’t be solved with technology.” Sqreen, which today announces the industry’s first Application Security Management (“ASM”) platform, is breaking that narrative. Started by the founder and longtime leader of the offensive security “Red Team” at Apple, Sqreen is creating a game-changing new way for security, operations and application developers to succeed in building and running secure applications together, without code changes, reduced engineering velocity, or added operational burden. Sqreen enables security visibility and protection to be built into every app. Read more about Sqreen in this post by Co-Founder and CEO Pierre Betouin.
“Exploits of a Mom” from XKCD
The status quo for companies who want to secure their software is expensive and complex: companies train developers in secure coding practices, institute code review, deploy testing solutions that slow development, periodically engage in vulnerability scanning and pen-testing, and deploy protection at the infrastructure level or the edge. This is hard for even the Fortune 50 to implement, much less the rest of us. Accordingly, most companies have very little application security. Those who have the resources to deploy this complex set of solutions still struggle to scale them and keep up with engineering — especially as software teams accelerate their release cycles, move to complex distributed systems and microservices, incorporate third party services and deploy apps at internet-scale. In the modern software era, unscalable and piecemeal approaches to application security are as sufficient as a screen door on a submarine.
Attackers will go down the easiest path, and applications are increasingly the fat, soft underbelly of security. Insecure apps put at risk customer data and company infrastructure. With today’s protections, all it takes is one developer mistake to be exposed.
If you’re very lucky as an investor, you occasionally intersect those unique engineers who are creative enough, talented enough, and have fought the good fight for long enough that they don’t accept the industry narrative around a big, tricky problem. They think, “there has to be a product solution to this.” Pierre Betouin and JB Aviat, former leaders of Apple’s offensive security team, who spent a decade hacking into everything from the first iPhone to the current App Store, are those special founders.
First Jailbreak of the iPhone 1
Pierre’s team at Apple was outnumbered 1000:1 by engineers. Over a decade he became increasingly frustrated that they could always find more flaws than the engineering team could fix. It was simply untenable for everyone to write secure code, 100% of the time, when their top priority was speed. A product to solve Pierre’s increasingly acute pain didn’t exist, so he set out to build it.
Sqreeners see themselves as engineers who happen to be really good at security. They have deep empathy for their engineering counterparts. They also rejected the idea that security should be reserved for the expert hackers and the super-resourced; they wanted a tool any business with an application that mattered could deploy — not something that would only work for Apple. Starting with a clean sheet of paper, they laid out key design principles for a new solution — a beautiful, frictionless developer experience, a product that enabled security and development to collaborate without friction, the simplicity, transparency and ease of use of modern SaaS (somehow very rare in security), and the performance, scalability and sophistication needed to support the largest of internet applications.
At Greylock we were lucky enough to be part of the AppDynamics journey, from a founder and the founding engineering team camped in our offices in San Mateo through its rocketship growth and $3.7B sale to Cisco on the eve of its IPO. Just as APM had become essential to every software business, I strongly believed that a better approach to application security would become essential too, and I had spent two years hunting for an approach and a team I believed in.
When I met Pierre, he had moved half his team from Paris to a house in San Francisco for YCombinator. They were all in; so was I. I already believed in the market opportunity, and I was blown away by Pierre’s ambition and first principles thinking. Sqreen’s approach of treating security as another component of software was unique, and I could see how it would make customers’ lives better. I quickly met his partner-in-crime JB, also an extraordinary technologist. In parallel, I did some checks with security practitioners and my investing partners, all of whom were enthusiastic. Four days after meeting Pierre, I’d given Sqreen a term sheet for their Series A. I’m privileged to have joined the board for Greylock, and to collaborate with seed investors YCombinator, Point Nine and Alven Capital.
Sqreen Security Flow Map
Today Sqreen announces their unified Application Security Management (ASM) Platform, an industry first. Sqreen ASM enables security at the speed of development, by making it a dynamic component of the software stack. Developers can include Sqreen with a one-line integration for any new or existing app — just like they do with logging or APM. The product enables teams to build a house on a foundation with good drainage and an automatic pump, rather than sit in the basement with a bucket, constantly bailing water.
Sqreen deploys in minutes without code modification or traffic redirection — embedding a sandboxed microagent into every application service. These fail-safe, performant agents use dynamic instrumentation to collect security-relevant data and communicate safely with a cloud back-end that does the heavy data lifting. Sqreen microagents are capable of virtual patching, fixing vulnerabilities without developer involvement, and deploying other prepackaged advanced protection modules.
Out of the box, Sqreen offers:
- visibility into application security
- set-and-forget protection against common vulnerabilities
- alerting on attacks and critical anomalies such as unusual volumes of outgoing data
For more advanced security teams, Sqreen supports:
- collaboration, integration and automation workflows
- custom business logic protection
- additional single-click deployment of protection modules including RASP (Runtime Application Self-Protection), in-app WAF (Web Application Firewall), ATO (Account Takeover Protection), Bot Protection and more
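To make the microagent idea concrete: the sketch below is an added example, written for this post, and is not Sqreen’s code or a description of how Sqreen’s agent is implemented. It shows the pattern the “microagent” paragraph and the RASP / in-app WAF modules describe, in miniature: the agent hooks the database driver at runtime (here by replacing `sqlite3.connect` so that the application’s unchanged code gets a guarded cursor), correlates the current request’s parameters with the SQL about to run, records an event, and either monitors or blocks. The `_request_params` context variable stands in for a web-framework hook, the `EVENTS` list stands in for the cloud back-end, and the `MODE` dictionary stands in for a protection setting flipped without redeploying the app; all three names, the heuristic, and the “students” application are assumptions made for this example.

```python
"""Toy in-app security agent (illustrative only, not Sqreen's code).

Hooks sqlite3 at runtime so the application's own code is untouched,
correlates request input with the SQL about to execute, and blocks or
monitors injected queries. Names and heuristics are this example's own.
"""
import contextvars
import re
import sqlite3

# Assumption: a real agent hooks the web framework and stashes the request
# parameters here; this example's handle_request() does it by hand.
_request_params = contextvars.ContextVar("request_params", default={})

# Stand-ins for the agent back-end: events shipped out, and a protection
# mode that can be flipped from "monitor" to "block" without a redeploy.
EVENTS = []
MODE = {"sqli": "block"}

# Input is treated as suspicious only if it carries SQL syntax, not merely
# because it appears in the query (a plain name also appears in the query).
_SQL_SYNTAX = re.compile(r"""['"`;]|--|/\*|\b(?:or|and|union|select)\b""", re.I)


class AttackBlocked(Exception):
    """Raised instead of running a query that carries injected input."""


def _injected_input(sql):
    """Return (param_name, value) if a request parameter reached the SQL
    verbatim and contains SQL syntax; otherwise None."""
    for name, value in _request_params.get().items():
        if isinstance(value, str) and len(value) >= 2 \
                and value in sql and _SQL_SYNTAX.search(value):
            return name, value
    return None


class GuardedCursor(sqlite3.Cursor):
    """Cursor subclass: every execute() passes through the agent first."""

    def execute(self, sql, parameters=()):
        hit = _injected_input(sql)
        if hit:
            name, value = hit
            EVENTS.append({"rule": "sqli", "param": name, "value": value,
                           "sql": sql, "action": MODE["sqli"]})
            if MODE["sqli"] == "block":
                raise AttackBlocked(f"SQL injection via parameter {name!r}")
        return super().execute(sql, parameters)


class GuardedConnection(sqlite3.Connection):
    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory=factory)


_real_connect = sqlite3.connect


def _instrumented_connect(*args, **kwargs):
    kwargs.setdefault("factory", GuardedConnection)
    return _real_connect(*args, **kwargs)


def install_agent():
    """The 'one-line integration': swap the driver entry point in place."""
    sqlite3.connect = _instrumented_connect


# --- Application code below is unchanged and deliberately vulnerable ---

def setup_db():
    conn = sqlite3.connect(":memory:")          # now returns a guarded connection
    cur = conn.cursor()
    cur.execute("CREATE TABLE students (name TEXT)")
    cur.executemany("INSERT INTO students VALUES (?)", [("Alice",), ("Bob",)])
    conn.commit()
    return conn


def find_student(conn, name):
    # The developer mistake the agent has to cover: input formatted into SQL.
    return conn.cursor().execute(
        f"SELECT name FROM students WHERE name = '{name}'").fetchall()


def handle_request(conn, params):
    """Simulates the framework hook: expose params to the agent, then run."""
    token = _request_params.set(params)
    try:
        return find_student(conn, params["name"])
    finally:
        _request_params.reset(token)


def demo():
    """Benign request, then the same tautology attack monitored and blocked."""
    install_agent()
    conn = setup_db()
    benign = handle_request(conn, {"name": "Alice"})
    MODE["sqli"] = "monitor"
    monitored = handle_request(conn, {"name": "' OR '1'='1"})
    MODE["sqli"] = "block"
    try:
        handle_request(conn, {"name": "' OR '1'='1"})
        blocked = False
    except AttackBlocked:
        blocked = True
    return {"benign": benign, "monitored": monitored, "blocked": blocked,
            "events": len(EVENTS)}


if __name__ == "__main__":
    print(demo())
```

In monitor mode the tautology returns every row, which is exactly the “Exploits of a Mom” outcome the agent exists to catch; in block mode the query never reaches the database, and the event record carries the parameter name and the offending query so a security team can see what happened without reading application code. A production agent would hook the driver or ORM the app actually uses and would use far more careful input-to-query correlation than this regex; the point here is only that protection can sit inside the process without the developer changing `find_student`.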
Security has historically never been a piece of the software stack, but only software security solutions can scale with modern software needs. We believe ASM will become a core part of the software stack over the next decade.
Sqreen ASM: The Missing Piece of the Software Stack
It is still early days for the Sqreen team — who are working to support larger and larger global customers while relentlessly keeping Sqreen accessible to all. While we have our work cut out for us, more than 500 businesses have already chosen Sqreen to protect their apps, from internet companies to global consumer electronics manufacturers. I’ve never met another security company with such velocity in inbound sales and such happy customers.
At a time when applications are increasingly critical to every business but app scale, development speed, and distributed cloud architectures break traditional solutions, we need security that acts like software. Sqreen is security at the speed and scale of application development. What happens when you “shift left” to the extreme with security? You just bake it in.