Over the last three years, we went from brainstorming crazy ideas at a kitchen table to creating a new category for securing enterprise applications at runtime. We've captured our top 3 learnings in this blog post and have made some exciting new additions to our website.
First, a huge thank you to our customers, our team and our investors!
I lay them out in that order for a reason: without customers there is no company, without a team there are no supporting customers, and without investors there is no fuel to grow.
Keeping these three stakeholders aligned while building a new category is a real challenge. Every day and everything is a discovery process. It's a constant exercise in adaptation that can get your head spinning quickly. To continue progressing, here at Prevoty we keep our eyes on our grand vision while accepting that the path there will be full of surprises.
Prevoty’s mission is to protect everyone’s data while enabling enterprises to stay ahead of the digitalization curve.
Applications are at the core of our economy and our lives. They are everywhere -- interconnecting with multiple data sources, third-party applications and web services. This apparent complexity allows our data to travel everywhere seamlessly for our own benefit, so that we can communicate, consume, share, and contract…in real-time and without borders.
Enterprises have been undergoing a massive digital transformation for the last decade, and it’s only the beginning. To stay competitive, they build more and more apps that are adapted to their business, customers and ecosystem. What does this mean? Millions of new lines of code every day. New builds are continuously pushed to production. The rise of DevOps. Unfortunately, it also means we introduce new vulnerabilities everywhere, all the time.
In a perfect world, those vulnerabilities would be identified and fixed before any new release, or logged as exceptions scheduled to be fixed. In the real world, it means a backlog of open vulnerabilities in production -- some of which stay open for as long as a decade.
Hackers understand that reality. Whether they are showing off, spying or stealing, they are always going after the easiest and most valuable target: our applications and data. That’s why over 80% of all malicious payloads target the applications we use every day.
Application security is a people and economics issue. Developers are experts at building value -- not security. Security teams are experts at security, but not code development. It is inefficient to ask developers to be security experts and vice versa. On top of that, our market suffers from a drought of both developers and security practitioners. How do we bridge that gap?
Based on observations revealed to us by our customers and prospects, Prevoty offers an alternative approach by automating application security in the application. Developers can focus on delivering value while security experts have a real tool to secure applications and data. By embedding security in the application itself, Prevoty sees and blocks any malicious activity -- wherever the application is and whatever untrusted data it accepts.
The market (including Gartner) created a new category for our technology that is most often referred to as Runtime Application Self-Protection (RASP).
At Prevoty, we call it Runtime Application Security.
Being a category creator is a risky position. You may take a lot of arrows in the back while spending a lot of resources paving the way for others. It is a double-edged sword. We want to remain unique, but we also welcome healthy competition as it reinforces our vision and validates the market.
Prevoty’s uniqueness is built around three different pillars:
1. Laser-focus on delivering runtime for highly-scaled production environments
Prevoty’s DNA is all about performance. There is no value in a security tool that will slow down your business. There is no value in a security tool that you have to keep in QA. Hackers are hacking real world applications, not dummy, staged apps. That’s where we choose to fight them.
2. Flexibility: One size does not fit all
A standard requirement for all application security technologies should be to offer integrations via agents and SDKs in most languages. It also should be deployable from the cloud or on-premise and as a hybrid solution. Prevoty is all of that and more. AppSec is not just about choosing deployment models or languages; it is far more complex. Language versions, container types, servers, databases, SIEMs, and dependencies are examples of variables that security practitioners juggle when attempting to secure an application. In the last three years, Prevoty has evolved into a highly-adaptable platform. We have deployed most of these combinations first-hand with our customers.
3. Contrarian Innovation: Language-theoretic security (LANGSEC)
The secret sauce behind Prevoty’s ability to operate at scale, in production, and without disruption is that Prevoty lives with the application. It is not a wrapper or a proxy. It is embedded within the application, and understands its language and grammar. Prevoty does not rely on traditional security technologies such as pattern matching, behavioral analysis or definition lists. Our approach is contrarian in the sense that we don’t look at the data out of context. Knowing what can maliciously execute is not difficult as there is a finite number of possible malicious executions. What makes preventing a malicious payload a very difficult task is the infinite number of ways hackers can hide or fuzz the malicious execution.
Prevoty understands the data the same way it is interpreted by browsers, database engines or operating systems. Our security engine does not make any guesses. It sees data as it executes in the application. It can then decide what is malicious based on the security community's research findings.
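To make the contrast between pattern matching and grammar-aware analysis concrete, here is an added example (not Prevoty's engine or code): a small Python check that lexes a SQL query the way a database would and asks whether untrusted input changed the query's token structure, next to a keyword blocklist. The lexer, query template and sample values are constructed for illustration.

```python
import re

# Minimal SQL lexer (illustrative; a real engine uses the target database's grammar).
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<op><>|!=|<=|>=|[=<>(),;*.+-])
""", re.VERBOSE | re.DOTALL)

def shape(sql):
    """Token kinds in the order the database lexer would see them."""
    kinds, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:                      # e.g. an unterminated string literal
            kinds.append("error")
            break
        pos = m.end()
        kind = m.lastgroup
        if kind in ("ws", "comment"):      # ignored by the database, ignored here
            continue
        # Keywords, identifiers and operators define structure; literals are data.
        kinds.append(m.group().upper() if kind in ("word", "op") else kind)
    return kinds

def changes_structure(template, value):
    """True if the untrusted value alters the query's token structure."""
    return shape(template.format(value)) != shape(template.format("x"))

# Naive pattern-matching filter, for comparison.
BLOCKLIST = re.compile(r"\b(or|union|select)\b", re.IGNORECASE)

# Constructed template and sample inputs (assumptions, not from the original post).
TEMPLATE = "SELECT id FROM users WHERE name = '{}' AND active = 1"
SAMPLES = ["alice", "Select Or Union Ltd", "x' OR 'a'='a", "x' --"]

def compare(samples=SAMPLES):
    """Map each value to (flagged by blocklist, changes query structure)."""
    return {v: (bool(BLOCKLIST.search(v)), changes_structure(TEMPLATE, v))
            for v in samples}

if __name__ == "__main__":
    for value, (blocklisted, structural) in compare().items():
        print(f"{value!r:25} blocklist={blocklisted!s:5} structure_changed={structural}")
```

The blocklist flags a harmless company name that stays inside one string literal and misses the comment that truncates the query; the structural check gets both right because it judges the input in the context where it is interpreted.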
Three years seem like both a flash and an eternity. All entrepreneurs know the downs and ups of growing a startup. (I say 'downs' first because there are a lot more 'downs' than 'ups', but the 'ups' get higher and higher every day to make it worthwhile.) Thank you everyone for the amazing support.
In summary, what we have learned over the last three years:
- There are more vulnerabilities -- existing and new -- than we will ever be able to remediate.
- The industry has begun to embrace highly-performant runtime solutions for production applications.
- Application security is more complex than most want to admit, but it’s not worth trying to hide that reality behind a firewall.
As always, the Prevoty team is at your service. Recently, we've made some improvements to our website, which now includes new resources to help you learn more about how we use the novel LANGSEC approach to monitor and protect applications at runtime. Here are a few examples:
Guide to Runtime Application Self-Protection (RASP) [WHITEPAPER]