BoostSecurity CEO Zaid Al Hamami on the evolving field of developing software securely to stop supply chain attacks
BoostSecurity emerged stealthily last week with $12 million in seed capital which CEO Zaid Al Hamami says will help them expand new developer features for customers, hire more developers and generally grow the company.
SC Media recently sat down with Al Hamami to discuss the scale of supply chain attacks and how BoostSecurity delivers the kind of automation that was previously only available to large-scale enterprises such as Amazon Web Services, Microsoft Azure and Google.
What are the main challenges that DevSecOps teams face when trying to develop code securely?
There are two big challenges. First, development teams attempt to build secure software, traditionally known as application security. The second is to develop software securely. This second point implies that the way development teams build software could be hijacked during a supply chain attack. They are both related in that they both affect the CI/CD pipeline.
In your recent press release announcing seed capital, you say that many companies lack the resources of a hyperscale enterprise. How do you define hyperscale and what do midsize companies lack in the resources and expertise that hyperscale companies have?
Hyperscale companies include Amazon, Google, and major cloud providers and technology companies. Many of them solved these development problems a decade ago. Their needs are so extreme that they had to develop this capacity in-house. They ended up with a highly streamlined and efficient way to develop code securely. Over the last five or six years, a lot of this knowledge has trickled into the industry of the DevSecOps world. We’re trying to take what hyperscale companies have done and offer it to the rest of the industry in a SaaS product.
With BoostSecurity, customers get full visibility into their software pipelines and repositories. Then, once they’ve seen it all, they need to put security controls in place in the software pipelines, so that using our tool, they can put the right security controls in place. Once they understand where they have supply chain security issues they need to work on, they then know what their developers need to focus on and can create policies around that for developers. This automation is ready to use with BoostSecurity. This type of work took months or even years, and our clients could get it right from day one. In the past, companies that did well with PLC had to do it in-house. They had to hire AppSec experts and that would take three or four years and cost millions of dollars. While this challenge will exist for a long time, going forward, development teams won’t have to work with three or four vendors to achieve full coverage.
I understand that the primary goal is to develop code more securely. But isn’t the main focus today, given the threat landscape, to prevent supply chain attacks?
Yes, 100%. The world now knows that there are best practices and security processes in place to detect and prevent a SolarWinds-type supply chain attack. For example, we can detect code tampering with the right cryptographic checks. But what we’re trying to do is get people to ask themselves the following questions: Can I trust my supply chain? Am I using GitHub correctly? Am I to believe that the repositories are configured in such a way as to prevent a malicious actor from injecting code? Does the team have the necessary checks to ensure there was no tampering during the coding process? Developing code more securely is still an evolving area and it will still take time before we can detect and prevent a SolarWinds attack at the push of a button.
I know the $12 million seed funding is relatively modest, but how did BoostSecurity manage to find funding in a climate where security companies are laying off hundreds, if not thousands, of workers?
Two or three reasons. First, we have a proven team that knows the terrain very well. Second, we have some very good customers who have been in production for about a year now and the product is in place to protect their software supply chains. And thirdly, I also think that’s the magnitude of the problem. People come to me and say the whole field is cluttered, but even with all the funding, breaches are still at an all-time high, so there’s still a lot of room for innovation, especially around these issues of software supply chain.