Taking the lessons they learned heading Apple’s offensive security team, the Sqreen founding team is moving application security management (ASM) into the mainstream. The company just announced a $14 million series A investment led by blue chip VC firm Greylock Partners.
In this DevOps Chat, we speak with CEO and co-founder Pierre Betouin about how Sqreen is filling a need in the AppSec market between web application firewalls (WAFs), dynamic application security testing (DAST), socio-technical aspects of security and trust (STAST) and other forms of security vital to locking down our applications.
As usual, the streaming audio is immediately below, followed by the transcript of our conversation.
Alan Shimel: All right. We’re recording. One, two, three. Hey, everyone, it’s Alan Shimel, DevOps.com, Security Boulevard, and you’re listening to another DevOps Chat. Today’s DevOps Chat features Pierre Betouin, cofounder/CEO of Sqreen. Pierre, I hope my funny French accent didn’t mess your name up too bad.
Pierre Betouin: You’re completely excused. Hi, and I’m very glad to talk to you today.
Shimel: Thank you for joining us. So, Pierre, let’s start right off with Sqreen. We’ve got some news we’re gonna announce about Sqreen, but, before we announce the news, let’s introduce Sqreen to our audience. You’re the CEO, the cofounder and CEO. What is Sqreen?
Betouin: So, to make it short, Sqreen is an application security platform made for engineering teams at large, which means security teams but also developer teams and ops teams. So it’s really a DevSecOp platforms. It stays on a hybrid-SaaS infrastructure, which means it’s hosted on our side, and the Web applications are protected with an Agile-based approach, a micro-agent, which is installed inside the application with a simple library. So it’s like an APM solution, like New Relic, like Datadog or AppDynamics, but for security. The architecture is pretty similar, but fully oriented for security.
Shimel: Yeah. And, Pierre, just so our audience gets to know you a little bit, how did you get to be the cofounder/CEO? How – give us a little bit of your journey on how you get to be here today?
Betouin: Sure. Sure. So I come from the offensive security with an offensive security background. I have attacked applications’ implementations for many, many years – two decades, at least. And I actually started to work at Apple in 2005 and I was leading the first offensive security team at Apple, so we were basically attacking internal implementations, which would be hardware implementations, cryptographic implementations, GRM implementations, and so my team was in charge of attacking products and syncing up with development teams to help them mitigate what we found.
Shimel: Excellent. And I guess that has set you up well here. So, you know, let’s talk about today’s news first of all, Pierre, and that is Sqreen is announcing a new round – oh, it’s actually a Series A round of funding. It’s a substantial amount – $14 million – led by Greylock Ventures, which is a blue-chip firm, especially in the security space. So congratulations.
Betouin: Thank you. We are thrilled to see Greylock joining Sqreen in the journey. Sarah Guo is joining the board as well for Greylock, and, as you know, the Greylock portfolio is quite amazing, on the security side, so we are thrilled to see them joining the journey.
Shimel: Yeah. I mean, as someone who’s been in the security world for 20-plus years, Greylock has had their share of – they’ve been behind some of the great names in security. But Greylock isn’t – I mean, they’re the lead investor in this round, but Y Combinator was in prior to and it continues. Did you guys come out of Y Combinator?
Betouin: So not exactly. The story of the company is a bit – is not straightforward. We are not a usual YC company; we actually founded the company with JB, my cofounder, and he was also in my team at Apple – we were attacking products together. And we built Sqreen together. We actually wrote the first version together. It’s been a – you know, we developed that solution after several iterations. We actually started with a product, which was called “Hackbot.” It was a Web scanner, which was plugged on CIbot. I want to develop that further because it was not a success, but, after a few iterations, we landed on Sqreen.
And so we actually built the initial product together. We built a team of 15, 20 engineers in Paris, _____ _____ _____. And what we did is, after one year and a half of building the technology directing on the product, we decided to join YC, so it was not a usual YC company, where you don’t have yet a product. We were already fitting in the company and I think we had 70 customers when we joined YC, so it’s definitely not a startup company for YC.
The batch has been amazing. We’ve done 120 product meetings during YC, so you can imagine the amount of feedback we could gather during those 3 months. And we ended up raising after a few months after with Greylock, so, yeah, it’s not a traditional journey for a YC startup.
Shimel: Now but still it’s nice to have them involved and it’s not a bad thing. So it’s great to raise money and I’ve lived in the venture startup world for 15, 18 years and it’s very easy of people to say, “Oh, they raised an A round of – oh, it’s only $14 million, not $20 million, or it was $7 million.” For anyone who’s actually raised money, you know how hard it is, right, to get someone to write a check for seven, eight figures. Right?
Betouin: Yeah –
Shimel: And they don’t do it without – you know, it’s a testament, so congratulations on that. We’ll leave it there for a second. I wanna talk more about Sqreen, though, and what it is you guys do. So you’ve kinda coined the term called “application security management.” So, instead of APM, it’s ASM.
Betouin: Yeah. So the stages really came from our background. So, you know, at Apple, we had a single-digit offensive security team and we were _____ dozen of different products. And we had to find a lot of vulnerabilities, yeah, in a very fast pace. And we actually found hundreds of thousands of vulnerabilities during those ten years. And so, even in a company where you have the top-notch engineering organizations, like Apple, it’s really hard to find security talents that can scale with those companies. So even if you have an unlimited budgets or very large budget for security, you cannot hire a team of 100 or 200 security experts quickly. So you have to find another way to do security, and so you have to decentralize security. Security no longer are just the topic for teams of experts; it’s a topic for everyone.
And so the ASM platform, application security management platform, the role of this approach is to be able to provide engineering teams at large security solutions that can fit their needs, so they can under part of the security topics by themselves. Which doesn’t mean that security teams are not accountable anymore on security – they are; they are the best – but they cannot scale the security when they have thousands of Web applications on the infrastructure.
Shimel: Absolutely. So, you know, when we look at the application security world, Pierre, we basically had application – you know, Metasploit. We had sort of scanners, if you will, or penetration-testing scanners, right? Like a Metasploit framework or other kinds of tools. And then, of course, you know, WhiteHat Security kinda was the first I remember that was kind of a do-it-yourself application scanning. And then the other big piece of the application security world was the WAFs, the Web application firewalls, which are kind of put up in front of the application. And that was, of course, post-deployment. The Web application scanners, you can theoretically deploy pre-deployment, in a staging area, or post-deployment.
Now the Sqreen solution seems to kinda fit – it’s not a WAF, certainly, but it’s not necessarily a scanner. And it’s clearly – I’m not sure – is it just for post-deployment or can you start putting micro-agents in pre-deployment?
Betouin: Absolutely. So it’s really a new category of tools. So, as you said, you have pre-deployment, the “left” solutions, so the solutions which will include static analyses, dynamic analyses, Web scanning. And then you have the “right” solutions, which are post-deployment and, as you said, maybe the only solution which is used today on the edge – it’s Web application firewall, so it’s network-based, HTTP-based.
And so the way WAFs are working is basically inspecting the network traffic and matching with base of signature, so they’ve been invented in the ’90s. The infrastructure and the architecture of applications in the ’90s were very different from what we have today, where you didn’t have so many applications and traffic was less complex. You didn’t have microservices and APIs everywhere. And so the world has changed, but the WAFs are still pretty much working the same way. You had several iterative enhancements on the WAFs, but they are still monitoring the edge.
So what we do is we decentralize this logic on the edge into the application themselves, which means each Web application embed its own logic of security, for the monitoring part and also for the protection parts. And so you can enable, in each application, different security modules, like in-app WAF, so, basically it’s like a WAF, but it’s tied to the application stack, which means, if you have a PHP application which is not using a database, you don’t need to enable Node.js or Java root set. And we have different modules like in-app WAF RASP, runtime application self-protection – it’s another way to protect application – account takeover, and so on. So it’s a high-level way to protect applications inside the applications.
Shimel: Excellent. Now these – in reading the website and everything, it talks about these lightweight agents, if we can call them that, or runtimes or whatever, being you don’t have to change any code; they go in; it’s up and running in five minutes. Explain if you can, without giving away secrets, right, how exactly are they so easily deployed? I mean, you know what I’m saying?
Betouin: Yeah, yeah. I won’t give away secrets because the agents are super documented – the code is available – and so I’m very glad to talk more about this. So the agents are actually dynamic instrumentation agents, exactly like APM agents, so, instead of monitoring the performance, we monitor the security anomalies, the security metadata inside the applications, and we do that automatically without modifying the code.
So it’s just a library, so you load the library. In Java, it will be a JAR; in Node, it’s gonna be a NPM. And, as soon as you load the library, Sqreen starts to instrument the critical routines inside your application. So, for instance, we are going to monitor the authentication routines, the SQL driver routines, the NoSQL driver, and we are going to monitor the _____ _____ _____ for the XSS attacks. And so different points inside the application would be automatically monitored. And if a _____ makes a behavior _____, we modify the behavior of the execution at runtime. So, if you face a SQL injection, we’re going to stop the injection inside the application, before it actually eats the SQL database.
Shimel: Got it. And there’s a SaaS element to this, right? So the agents, the runtimes, the libraries, are installed in the application, at the application server level, but then the monitoring and management is at a centralized location. Is that the SaaS piece of it?
Betouin: Absolutely. So it’s a SaaS-based solution, so the agents are deployed inside the applications. These are on the cloud or on-prem, wherever the applications are. But all our dashboard and all our infrastructure is SaaS-based, which means the deployment for Sqreen just takes one line of code and not more, so it can get really installed in three minutes into any Web applications, API, or microservices.
Shimel: Excellent. Now the command and control, the SAS management portal – is that a multi-tenant type of environment that Sqreen maintains? Or does each client have their own command and control management – I don’t wanna use the word “portal,” but interface –
Betouin: So, yeah, we have actually both options and the reason is that Sqreen is self-served, so anyone can create an account on Sqreen and start to use the solution one minute after, so we are very aligned with DevOps solutions or dev tools, where you can try any product in just two minutes, so Sqreen is available that way. It’s documented. And, so far, all the self-service plans, all the data sit together. We don’t provide multi-tenant options, but we also provide business and enterprise plans, where you can decide to keep your data on your side and you can also decide where you want to host the data. For instance, if you want to host them in US or in Europe, that’s the kind of options you can take.
Shimel: Excellent. Sorry for so many – peppering you like this, but give our audience an idea how do you price this kind of thing?
Betouin: So it’s priced with the value of the product, which means, for instance, if you use a in-app WAF module, the value is based on the volume of traffic. And if you use an account takeover protection module, the value of Sqreen is based on the number of icons which will be protected. So the different modules can be enabled from the dashboard directly and the pricing goes with the value, which means based on “These are the volume of requests or the number of icons.” We have different dimensions like this.
Shimel: Excellent. And is this more for enterprises with hundreds of applications or geared to startups with one to ten applications? Or it really doesn’t make a difference?
Betouin: No, it’s – so I think, you know, if you look at the product today and the market, so the SMB and the mid-market today have almost no access to security. The reason is they often don’t have dedicated resources and the solutions are not made for them, so it’s a very good cheat force in _____ market companies, for sure, but the problem with enterprise and large organizations is also to scale the security. And if you talk to CISOs of large organizations, they usually have visibility on 20, 30 percent of the Web applications hosted on the infrastructures. They can’t no more because they’re monitoring the edge, which means Sqreen is also a very good fit for enterprise companies. And if you look at the APM space, like AppD – AppDynamics – or NewRelic, work both very well for small and large companies.
Shimel: Yeah. True. True. Speaking of companies like AppDynamics and NewRelic, it would seem to me a natural to have some sort of integration, right? ‘Cause I’m a believer – you know, security shouldn’t exist in its own silo, right? It has to be built into the whole _____ –
Betouin: Absolutely. Absolutely. And we already provide several integrations with NewRelic, with Splunk – we used to use _____ – and _____ extension of what we’re doing. And we also provide webhooks and automation playbooks, so you can decide to plug in new tools whenever you want and it’s done a very easy way, with just a few lines of code.
Shimel: Sounds excellent. Pierre, I’m sorry. I wish we had more time to dive in here, but we’re about out of time already. But, hey, you know what? First of all, as I said before, congratulations on the Series A. It’s not a trivial thing to go out and raise that kind of money, so congrats to you and your whole team. But, more importantly even, keep up the great work. This is an area, frankly, we need more. We need better solutions; we need more solutions; we need new ways of thinking about how to do application security better. It really is – app-sec is the battleground where the war is being waged right now, so –
Shimel: Yeah. Thank you, you and the team, for doing what you’re doing and keep up the great work.
Betouin: Okay. Thank you very much for your time. I really enjoyed the chat, Alan, and talk to you soon.
Shimel: All right. This is Pierre Betouin, cofounder/CEO of Sqreen. And, by the way, that’s Sqreen – S-Q-R-E-E-N-dot-com. You can check them out. Web application security management. Kind of a new entrant in the Web app field. This is Alan Shimel for DevOps.com and Security Boulevard. You’ve just listened to another DevOps Chat.