Connect with us

Hi, what are you looking for?


Cloud Security

AppOmni Raises $10 Million to Help Companies Prevent Cloud Misconfigurations

Software-as-a-Service (SaaS) Security and Management Platform Provider Raises $10 Million in Series A Funding

Software-as-a-Service (SaaS) Security and Management Platform Provider Raises $10 Million in Series A Funding

San Francisco-based startup AppOmni has raised $10 million in Series A funding round led by ClearSky and supported by existing investors Costanoa Ventures, Silicon Valley Data Capital, and Twilio’s COO George Hu. This brings the total raised by the firm to $13 million.

AppOmni was founded in 2018 by Brendan O’Connor (CEO, formerly CTO at ServiceNow and CSO at Salesforce) and Brian Soby (CTO, formerly of Taulia, Salesforce and MITRE). Its mission is to solve a problem that the NSA recently described as “the most prevalent cloud vulnerability”: misconfiguration. 

AppOmni raises $10 millionMisconfiguration is a major cause of cloud-based breaches — 99% of which, according to Gartner, ‘will be the customer’s fault’. “In nearly all cases,” it says, “it is the user, not the cloud provider, who fails to manage the controls used to protect an organization’s data.”

The problem is the sheer volume of SaaS applications used by businesses — dozens for smaller companies and hundreds for the larger enterprises — all of which have different security controls sometimes with user manuals running to a hundred or more pages. “Expertise in one does not give you expertise in another,” explained Brendan O’Connor. 

“While SaaS providers are not perfect, they’re usually doing a better job at security, hardening their host infrastructure, patching, upgrades and so on, than customers can do. But buying a safe car does not make you a safe driver.” The point is clear — it is the driver, not the manufacturer, that is responsible for safe driving; and that means absorbing, understanding and implementing the correct security controls from within potentially thousands of pages.

This is the problem. The customer is responsible for configuring the use, and SaaS users frequently fail to configure their SaaS usage securely. This, in many cases, is aggravated by the customer’s organizational structure. “We generally find there is a disconnect between the security team and the line of business or the IT team that owns the configuration and management of the SaaS application,” said O’Connor. Part of that is the organizational layout. Workday is owned by HR; Salesforce by Sales and Marketing, ServiceNow by IT, and so on. Security often has no insight. “When we talk to customers, we often find the security team doesn’t even have access to the SaaS application — they cannot even log in to look at the configuration.”

The whole problem is exacerbated by the ‘democratization of data’. Individuals can often make the decision on whether and where to share a file. The result is that sensitive data can often be stored in misconfigured SaaS applications. “Our purpose is to help companies scan, secure and monitor their SaaS applications to understand their current state of data access. We can discover misappropriate sharing and can put guardrails around that data access. We help the company drive the car safely.” 

Advertisement. Scroll to continue reading.

AppOmni scans the configuration of the different SaaS applications. “We give the companies the ability to see their current running state. Ninety-two percent of risk assessments that we’ve done,” said O’Connor, “have found critical data exposed externally on the internet. AppOmni is helping organizations solve the growing problem of securely managing and monitoring their disparate SaaS applications by providing much-needed insight, visibility, and governance into cloud services.”

The product deep scans APIs, security controls, and configuration settings to evaluate the current state of SaaS deployments and compare against best practices and business intent. 

AppOmni is one of the ten finalists selected by RSA Conference (RSAC) for its annual Innovation Sandbox Contest, which will be held in San Francisco on Monday, February 24, 2020. Last year’s winner was Axonius, which followed its victory by raising $20 million in a Series B funding round within 5 months. Previous winners include Sourcefire (acquired by Cisco for $2.7 Billion), Waratek and Phantom Cyber (acquired by Splunk for $350 million).

Related: JIRA Misconfiguration Leaks Data of Fortune 500 Companies 

Related: Thousands More Personal Records Exposed via Misconfigurations 

Related: Cloud Providers Improving Security, But Users Need to Up Their Game 

Related: Thousands of Organizations Expose Sensitive Data via Google Groups 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cloud Security

Cloud Disaster Recovery - Ingredients for a Recipe that Saves Money and Offers a Safe, More Secure Situation with Greater Accessibility