BoostSecurity emerged from stealth last week with $12 million in seed money that CEO Zaid Al Hamami said will help them extend new development features for customers, hire more developers, and generally grow the business.
SC Media sat down with Al Hamami recently to discuss the magnitude of supply chain attacks and how BoostSecurity offers the kind of automation that before now was only available to hyperscale companies such as Amazon Web Services, Microsoft Azure and Google.
What are the major challenges that DevSecOps teams face in trying to develop code securely?
There are two big challenges. First, development teams are trying to build secure software, traditionally known as application security. The second is developing software securely. This second point implies that the way dev teams are building software could be abused in a supply chain attack. They are both inter-related in that both affect the CI/CD pipeline.
In your recent press release announcing the seed money, you say that many enterprises don't have the resources of a hyperscale company. How do you define hyperscale and what do average companies lack in resources and expertise that the hyperscale companies have?
Hyperscale companies are Amazon, Google and the major cloud providers and tech companies. Many of them have solved these development issues a decade ago. Their needs are so extreme that they had to build this capability in-house. They ended up with a highly streamlined, efficient way to develop code securely. Over the last five or six years, a lot of that knowledge spilled over into the industry in the DevSecOps world. We try to take what the hyperscale companies have done and offer it to the rest of the industry in a SaaS product.
With BoostSecurity, customers get complete visibility into their software pipelines and repositories. Next, once they see everything, they need to put security checks in the software pipelines, so using our tool they can provision the right security checks. Once they understand where they have supply chain security issues they need to work on, they then know what their developers need to focus on and can create policies around that for the developers. That automation comes right out of the box with BoostSecurity. That type of work used to take months, if not years, and our customers can get there on the first day. In the past, companies that have done well with automaton have had to do it in-house. They’ve had to hire AppSec experts and it would take three or four years and cost millions of dollars. While this challenge will exist for a long time, in the future, dev teams won’t have to work with three or four vendors to get full coverage.
I understand that the main goal is to develop code more securely.But isn't the main goal today given the threat landscape preventing supply chain attacks?
Yes, 100%. The world now knows that there are best practices and security processes in place to detect and prevent a SolarWinds-style supply chain attack. For example, we can detect co-tampering with the right cryptographic checks. But what we try to do is to get people to ask the following questions: Can I trust my supply chain? Am I using GitHub properly? Do I trust that the repositories are configured in a way to make it hard for a malicious actor to inject code? Does the team have the necessary checks so that during the code process there was no tampering? Developing code more securely is still an evolving area and it will take some more time before we can detect and prevent a SolarWinds attack with the push of a button.
I know the $12 million seed funding is comparatively modest, but how did BoostSecurity manage to nail down funding in a climate where security companies are laying off hundreds, if not thousands of workers?
Two or three reasons. One, we have a proven team that knows the field very well. Two, we have very good customers already in production for about a year and the product is in place protecting their software supply chains. And third, I also think it’s the magnitude of the problem. People come to me and say the whole field is crowded, but even with all the funding, breaches are still at an all-time high, so there’s still a lot of room for innovation, especially around these software supply chain issues.