A new startup is entering the fray in the market of application security: Kodem, a company out of Israel founded by a team of security veterans from none other than the NSO Group, focuses on determining and mitigating risks by tapping into the runtime intelligence of individual applications. Today, it is emerging from stealth, armed with a total of $25 million.
The funding includes both a Series A of $18 million led by Greylock with a seed of $7 million co-led by TPY Capital and Greylock. Kodem’s CEO Aviv Mussinger said it has been using the funds to build and now launch its platform globally. Founded in 2021, Kodem said that it already has customers in financial services, insurance and technology.
In the landscape of enterprise security risks, application security remains one of the more complicated to get right. Not only is there an ever-revolving and changing carousel of services that need to be identified and tracked, but using an app regularly runs the risk of creating a vulnerability in another. Application management becomes not just a matter of human management but policy management, too.
But ironically that makes it a lucrative area, as well. The messiness of application security means that typically companies do not have the resources to build tools internally to manage it. It’s estimated that application security will be a $9.9 billion market opportunity this year, growing to some $22 billion by 2020.
Mussinger, along with his co-founders Pavel Furman (CTO) and Idan Bartura (head of engineering) came to found Kodem after working for years as security researchers at NSO, the controversial cyber-intelligence firm behind Pegasus spyware.
Mussinger — unsurprisingly, given the NSO’s public profile right now — speaks of that pedigree with some remove. His take is that as researchers, he and his co-founders were not directly involved in the aspects of NSO and Pegasus that got essentially weaponized by state organizations and others. And the focus at NSO, he said, was not really anything close to what Kodem is setting out to fix, although it gave the three of them insights that informed their ideas about what kind of company to start and what to tackle.
“Our focus today is to help protect enterprises against any attacks,” he said. “At NSO, we saw everything from the inside and understood how things could be built in a better way.”
One of their takeaways, he said, was that “open source has destroyed the traditional approach to security.” But given its ubiquity in the market right now, that is what its approach is aiming to fix.
The crux of the issue, he said, is that the current range of application security tools has a common issue: all of them are designed to flag all potential issues in a kind of no-stone-unturned approach. For security operations teams, this eventually starts to sound like noise, since many of these alerts are irrelevant or not issues. That also means that when something truly bad does come up, it’s not seen, or it’s ignored. (This reminds me also of my email inbox, but that is another story…)
Kodem’s solution is to analyze applications’ runtime data and to run models on that to understand what else is running alongside that. It then merges and sorts this data, and then only produces application security alerts that are relevant to an organization’s particular stack of applications and services. On average, Kodem believes less than 10% of all software is actually used in runtime, and less than 5% of runtime software is actually vulnerable. (Note: each organization is assessed and might have different percentages.) And all in all, the process reduces the number of alerts by 95%, the company claims. Fewer alerts means a greater likelihood that the ones a security team is getting are relevant. And in any case, the smaller load means it’s considerably easier to triage the list.
“As enterprises continue to move their workloads to the cloud, application security is growing in importance and priority for IT cybersecurity teams,” said Asheem Chandna, Partner at Greylock, in a statement. “Kodem has assembled an exceptional product team that is developing the next generation of application security – one that is cloud-native, deploys seamlessly, and provides the highest levels of accuracy with strong growing coverage.”