Paris-based start-up Sqreen announced that it has raised a $2.3 million seed round to ship app ‘protection-as-a-service’. This service “provides every developer a simple way to get the security their applications deserve,” the company says.
Traditionally, security teams have been understanding: security is a bolt-on after-thought added to products after development. The business pressure for delivering new product and getting to market as quickly as possible, especially for new start-up companies, has always taken precedence over security.
Security belongs to security experts who have to mitigate the vulnerabilities built by insecure coding practices into what become insecure products. Sqreen wants to change this.
It believes it can help developers produce secure code from the outset. It suggested in its announcement that developers don’t dislike security, they just feel inhibited by its requirements. “Developers have equated [security] to constraints that limit their freedom to code and to painful processes.” The implication is that if secure coding could be made unobtrusive and painless, it would be accepted by developers.
Sqreen automatically detects vulnerabilities in the code as it is being developed. “Sqreen provides real-time defenses that continuously adapt and learn from millions of attacks sourced from the community,” said the company in its announcement. “Thousands of security threats are supported – including SQL injection, cross site scripting, code/command/file injections, and cryptographic weaknesses.”
Rodolphe Menegaux from Alven Capital explains the traditional problem. “Security is overlooked by early-stage companies growing fast, but it quickly becomes a high priority once they are more mature. Few developers are enthusiastic about the extra workload and rigor involved in securing applications.”
The solution, says Pierre Betouin, Sqreen’s CEO, “is to put security back into products and let the developers embrace this [security] role again. It is pretty obvious that products should now be embedding their own security logic to protect themselves.”
Betouin is one of two co-founders at Sqreen. He spent 9 years with Apple leading the team in charge of security assessments for the Internet Services department, hacking products and designing protection. He personally holds 23 US patents. His co-founder, Jean-Baptiste Aviat, also spent five years with Apple, hunting and eliminating vulnerabilities from Apple code. He holds two US patents. Effectively, they started Sqreen to eliminate the need for their earlier functions.
The solution leverages the power of the cloud to build a huge database of vulnerable coding. The company claims that it takes less than 30 seconds to install into the developer’s Ruby-on-Rails (and soon also Python), and from then on it helps to detect and eliminate weaknesses. It uploads some information, such as memory dumps, to the Sqreen cloud in order to continually expand its own knowledgebase of data threats.
It’s early days yet, but the new injection of capital makes it more likely that the vision will succeed. The ultimate goal will be to include machine learning so that secure coding becomes as seamless as possible.
Related: How Good Security Practices Complement Developer Productivity