Authorization policy management innovator build.security emerges from stealth

build.security has developed a platform which makes it simple for developers to implement authorization policy, and which is likely to be put to numerous use cases, some of which will be conceived by partners.

build.security co-founders Amit Kanfer, CEO (rt.); Dekel Braunstein, CTO

build.security has emerged from stealth with a platform designed to revolutionize authorization policy management. While authentication has been well-covered for years, authorization has always remained problematic. The build.security solution focuses on empowering developers, who increasingly have been given the responsibility to secure code, without the proper enterprise tools to do so. The platform decouples authorization policy from code, letting developers implement access policies with a unique drag-and-drop policy builder, or by using declarative policy language.

With the launch, the company also announced $6 million in seed funding, led by YL Ventures, which focuses on Israeli tech startups. Joining this seed round as investors are: Michael Sutton, former CISO of Zscaler; Sounil Yu, former Chief Security Scientist at Bank of America; Dan Amiga, former CTO and Co-founder of Fireglass, which was acquired by Symantec; Eyal Gruner, CEO and Co-founder of Cynet; and Eran Barak, former CEO and Co-founder of Hexadite, which was acquired by Microsoft.

The company is originally out of Israel, and has set up shop in the U.S. in Sunnyvale CA. Amit Kanfer, the CEO, and Dekel Braunstein, the CTO, are the co-founders. Kanfer laid out the basic problem that build.security was created to address.

“You have authentication and authorization. The first is who is the identity. The second is the access the identity has in the system. You have that in almost every system. Building the enforcement model for authorization and enforcing it has been the challenge. We fix that, and make it easy for developers.”

The problem, Kanfer said, has become worse in recent years because of the combination of many things, including the trend towards microservices architecture, the shift left trend towards developers, and the movement to the cloud.

“Businesses expect more fine-grained controls, even as the task of controlling has been made more difficult,” he said. “Authorization has always been important, and the problem has always existed, but it has become more of a problem in recent years as performance issues have become more complex.”

build.security simplifies building authorization into applications through open-sourced tooling that gives developers a single control plane and the tools needed to implement authorization directly into an application’s code. It provides a plug-and-play approach to API and function-level authorization, which facilitates fine-grained access controls and full visibility into policy enforcement at runtime, to allow developers to build secure software at scale.

“We give companies the ability to authorize policy, to publish it and to manage it at scale,” Kanfer said. “The other part of the equation is that we give you a service that you deploy on-prem right beside the application being protected. It then enforces that application, and gets back with an allow or deny verdict.”

The plug and play APU capability allows integration with any API-based service  database or application

“We have a generic API component you can use to integrate with any database, but we have an easier and nice way to integrate with the databases that we do support,” Kanfer indicated.

Out of the gate those supported integrations include PostgreSQL, MongoDB, ElasticSearch, ticketing systems like JIRA and ServiceNow, and source code repositories such as git and Bitbucket. build.security promises new ones will be added at a fast and furious pace.

Currently, the platform does not provide internal user access to third-party SaaS applications.

“That’s something for the future,” Kanfer said. “We don’t do that today. We just support the applications you build, and not the ones you use. But it would be amazing to have that one single pane of glass to support it all for engineers and developers.”

The customer base is broader than just large enterprises.

“We have a very small health care company as a customer,” Kanfer indicated. “It’s more about the use case and the data that the company stores. We appeal to highly regulated kind of companies – government, health care, insurance, financials, travel – as well as more complex use cases.

“It’s very easy to deploy and to see the value right away,” Kanfer added. “I don’t expect the sales cycle will be very long.  I expect early next year to see cashflow.”

build.security will offer a free-tier authorization policy management solution for developers and a premium version of its platform for enterprises. That’s a common model for open source-based companies like build.security, but the details of how it will work haven’t been finalized.

“We are still thinking about it,” Kanfer said. “It’s not final. The approach is to have a self-onboarding experience until it reaches certain limits, but we haven’t decided what they will be.”

Normally, with the developer freemium model, the developers are the company’s main evangelists, but Kanfer said they need channel partners on board for this as well as developers.

“I see the channel role as having impact even in the short term,” he said. “To have developers be our advocates will take a while. It’s not an either-or situation. We need both.”

Out of the gate, build.security doesn’t have any partners, but they are in the plan.

“MSSPs are probably the companies we would want to work with, because authorization is a security problem,” Kanfer said.

“The platform is very flexible and interesting for the channel,” he added. “You can plug and hook it into security applications and enforce policies on them. We are still just seeing the surface of how deep we can go with this platform. We envision it being used to enforce policies in ways we don’t yet understand.”