AppSec Looms Large for RSAC 2023 Innovation Sandbox Finalists
Application security is the dominant trend for this year’s startup contest, but AI, blockchain, and compliance are all represented as well.
The need to comply with government rules, secure post-pandemic distributed workforces, and improve artificial intelligence (AI) capabilities is driving the cybersecurity startup scene this year, as demonstrated by the 10 finalists for the RSA Conference 2023 Innovation Sandbox competition.
"[A]pplication security (AppSec) is well represented in the competition, which is symptomatic of where we are in the digital transformation process," wrote Omdia senior principal analyst Rik Turner. (Link requires registration.)
Turner attributed the continued rise in AppSec interest to the growth of remote access fueled by the COVID-19 pandemic, which closed offices and schools worldwide and forced organizations to adapt to a distributed workforce.
“The WFH trend is, at least in part, certain to continue, even as the pandemic ebbs into endemic status,” he said.
At the live event on Monday, April 24, at RSA Conference in San Francisco, judges will hear presentations from these 10 finalists, listed in alphabetical order: AnChain.AI; Astrix Security; Dazz; Endor Labs; HiddenLayer; Pangea; Relyance AI; SafeBase; Valence Security; and Zama.
Big Year for AppSec
The importance of AppSec — eliminating security vulnerabilities at the application level during development and implementation — was underscored by the Log4j crisis.
“With modern app architecture increasingly componentized and ever more willing to reach out to third-party apps for services such as payments and maps, threat actors can now compromise one website to gain access to the apps on many others,” Turner said.
Astrix aims to secure the communications between apps of all kinds, an area sometimes called SaaS-to-SaaS security. It emphasizes extending access management to machine and other nonhuman identities to make connecting an organization’s core systems to cloud services safer.
Dazz offers “accelerated cloud remediation,” which uses automation to winnow down security alerts and smooth out developers’ workflow. Besides its potential to improve the speed and accuracy of a first wave of incident response, automation can reduce alert fatigue, a much-discussed element of burnout.
Endor Labs focuses on tracking and managing open source components, which Log4j revealed as a largely untracked and widespread source of potential vulnerabilities. Software bills of materials (SBOMs) grew in prominence when US President Joe Biden issued an executive order in May 2021, mandating the creation of SBOMs in the wake of the Colonial Pipeline hack.
"[E]ven before then, the sheer amount of open-source libraries that developers were embedding in their code had become a major source of concern, giving rise to the emergence of an entirely new market segment, called software composition analysis (SCA)," Turner pointed out.
Pangea helps organizations create secure, compliant cloud security services by using a block-based API builder and hosting the services itself.
“Organizations don’t necessarily know whether the APIs written by their own developers are secure, let alone the third-party APIs that their apps may be using once they’re in production,” Turner wrote.
By using this library of secure APIs, developers avoid the entanglements of open source libraries typically tapped when building applications.
The Role of AI
AI has been hot, but with ChatGPT having a pop culture moment — and raising its own security concerns — companies are couching their products in AI terms wherever sensible. And while some AI hype is just jumped-up automation, AI has brought a lot of benefits to cybersecurity.
Relyance AI emphasizes machine learning as a way to track personal data as it moves through internal and third-party APIs, as well as other systems, in order to ensure compliance with privacy regulations. Turner classed the company as “a data security company that also has one foot in the AppSec world … with technology designed to address the business environment that digital transformation creates.”
HiddenLayer looks to secure an underrated business asset: machine learning data sets. Its technology, which the company calls machine learning detection and response (MLDR), monitors ML algorithms’ inputs and outputs to look for “anomalous activity consistent with adversarial ML attack techniques,” the company says.
The stakes are high — if the machine learning training data is corrupted, its outputs will be faulty, and it’s difficult to peer inside the black box to see what the problem is.
“After all, anyone who can ‘poison the well’ of data being used in such analytical exercises has the potential to skew their outcomes, resulting in bad or erroneous insights, whether they be for business decisions, medical procedures, or even military strategy,” Turner said.
Web3 Protections
AnChain.AI secures a very Web3 asset: the blockchain. With a recent wave of cryptocurrency heists and concomitant calls for regulation, organizations that maintain crypto wallets need to ensure they are not a victim of — or party to — crime. The company built a predictive engine to identify and flag suspicious transactions, and it aims to sell its Know Your Wallet, forensics, and contract evaluation services to financial institutions, asset owners, and governments.
Zama also addresses Web3 concerns with a set of open source cryptographic tools for building fully homomorphic encryption (FHE) applications that protect data security. The company says its tools allow data to be processed without being decrypted, which allows true end-to-end encryption. Zama sees its technology as enabling the next stage of Web security, “httpz,” which the company says goes beyond https-based security to encryption.
Serious Business
SafeBase creates a centralized repository of security policies and compliance documentation to make security reviews faster. It addresses a specialized but necessary part of third-party risk management, including distributing updated certifications and managing nondisclosure agreements.
Turner noted the value of a “single source of truth,” but pointed out, “The big question must be how those customers can then verify that the data they are receiving from the Trust Center is legitimate.”
Valence Security secures cloud workflows using SaaS security posture management (SSPM). It uses a combination of services to monitor a client’s mesh of third-party SaaS applications, detect and remediate misconfigurations, and manage identity security. Turner noted that while there’s lots of opportunity in the SSPM space and cloud security market, that means Valence faces a fair amount of competition as well.
The winner will be announced at the end of the presentations. The judges this year are Niloofar Razi Howe, senior operating partner at Energy Impact Partners; Paul Kocher, independent researcher and founder of Cryptography Research; Shlomo Kramer, co-founder and CEO of Cato Networks; Barmak Meftah, co-founder and general partner at Ballistic Ventures; and Christopher Young, executive VP of business development, strategy, and ventures at Microsoft. All but Meftah are returning as judges from last year.