Build.security, a Tel Aviv and Sunnyvale-based startup that aims to make it easier for developers to bake authorization policy management right into their applications, today announced a $6 million seed funding round led by cybersecurity-centric firm YL Ventures.
CrowdStrike CEO and co-founder George Kurtz also participated in this round, in addition to former Zscaler CISO Michael Sutton, former Bank of America Chief Security Scientist Sounil Yu, Fireglass co-founder Dan Amiga, Cynet CEO and co-founder Eyal Gruner and Hexadite co-founder Eran Barak. That’s an impressive group of angels who clearly believe that build.security is solving an important problem in the industry.
Founded by Amit Kanfer (CEO) and Dekel Braunstein (CTO), who have previous experience at Intel, Fireglass, Symantec, Cymmetria and other companies, the company wants to build the “first true platform for authorization” for developers — it’s basically policy-as-code, somewhat similar to how the likes of Pulumi and others are delivering on the promise of “infrastructure-as-code.” In addition to using code to declare policies, though, build.security also offers a drag-and-drop user experience.
At the core of build.security is an open-source project: Open Policy Agent, first developed by Styra.
At first glance, “authorization policy management” may not sound like the most exciting problem to solve. Authorization — unlike authentication — remains a problem that is mostly unsolved, though, and there are few enterprise-ready services available. That means developers — who are increasingly tasked with managing the security of their applications — are using a mix of policy engines and other tools which inevitably leads to errors and potential vulnerabilities.
“Authorization remains a big challenge for engineering teams,” Kanfer told me. “It’s a big challenge, because, taking into account attributes on identities, resources and context — and then combining all of them together into a concise policy that’s easily managed and scaled — that’s a pretty mind-blowing task. Just to model the hierarchies and the roles and permissions and relationships between them. It’s not an easy task.”
And as Kanfer also noted, as enterprises move to a microservices model for their application development, the complexity here only increases. Today’s solutions, however, aren’t flexible enough to solve this problem. “The list of permissions can change according to multiple factors,” he explained. “It could be identity, the time of the day, working from home or from the office. Is it a trusted device? Is it a workday or weekend? What is the relationship between you and the resource?”
The company offers its service both as a cloud service and on-premises solution. Currently, the company’s focus is on containers and the company uses a Kubernetes sidecar container that fetches the configurations and policies from the build.security control plane. The company offers SDKs and plugins for many popular programming languages and frameworks (think Python, Node.js and .NET). The service integrates with all of your standard identity providers and other API-based services.
“Build.security’s innovation is an incredible win for the developer community — they’ve made authorization easy,” said John Brennan, partner at YL Ventures and build.security board member. “We’re excited by Amit and Dekel’s unique plug-and-play approach to API and function-level authorization, as well as the breadth of visibility their control plane offers. Their approach will enable developers and enterprises to build secure software at scale.”