Friday, May 19, 2017
Signal Sciences: Protecting Web Apps In The Era Of DevOps, with Andrew Peterson
Story by Benjamin F. Kuo
In today's world of web application development, speed is everything. Developers are now turning out code and releasing it live to the world in near real time--what is called DevOps and Agile development. In that world, the risk of security holes is huge. Venice Beach-based Signal Sciences (www.signalsciences.com) has created sofdtware designed for those application developers to help protect those web applications. We spoke with CEO and co-founder Andrew Peterson, who told us how his team's experience at Etsy resulted in the founding of the company.
What is Signal Sciences?
Andrew Peterson: We have what we call a web protection platform, that provides other companies with protection against attackers who are attacking their web applications.
How did you start the company?
Andrew Peterson: We have three founders, and we all worked together at Etsy, in Brooklyn, New York. It's an interesting back story. Lots of people know about Etsy, which is publicly traded and does 3 billion in transactions a year. However, what only the engineering folks and technologists know, is that Etsy is one of the pioneers of something called DevOps, and which is also called Agile or Continuous Deployment. What that means, is what Etsy was doing, is changing the code of their web applications on a really rapid basis. That actually forced us to think about what we're doing now, which is looking at application security in a different way. We were building and learning different approaches there, and at the time, no one else was doing application development as fast as we were at Etsy. Our web security seemed a niche solution for Etsy, but then it turned out that the entire industry started moving to this new style of application development. With the rise of the cloud and Agile, it's really changed how developer are coding their websites. We saw that things were changing, and lots of companies were going through the same learning curve and the same pain in building tools like we were in house. We decided we'd take this solution out, and help solve that same pain for a broad group of people.
How it is you were at Etsy, and ended up here in Southern California?
Andrew Peterson: We talked to a bunch of folks about the best way to start a company, and Los Angeles made the most sense. There's both a massive amount of talent here, and also a large number of really big businesses. Those are the companies we are building our security software for in the first place, all major enterprises. I think that one thing you get sucked into in the Bay Area, is you're only building solutions for other tech companies. There are a whole lot of companies outside the realm of Silicon Valley who you need to build and design for as well. It was that combination of great talent, the great companies we can sell to here, and of course, the great lifestyle of living next to the beach, which is a no brainer.
How does this look like to those developers?
Andrew Peterson: It's all software. A lot of the legacy technology which exists in this space has been hardware-based. You buy a piece of hardware, and install it on a local server you have, and on your local server farms. We're entirely born in the cloud, so it's a piece of software installed within a customer's system. There are a number of different ways these get installed, and the point is, to give folks as many options as they need to choose from on the menu, and have the best option for their team.
Why is it that your software is so important for DevOps?
Andrew Peterson: DevOps is a new paradigm of how people do application development. The other paradigm is waterfall development. The biggest different between waterfall and DevOps, is that waterfall deploys changes to applications once every six months, or once every three months. When we left Etsy, which was over three years ago, we were doing 50 deployments a day, which is 50 changes to the website in a single day. What that means, is you're introducing new code to your live application every day. But that also means you're introducing new bugs into your application every day, too. Those bugs that are in there often lead to security vulnerabilities. The old model of application security, was fix all the bugs before our release, before someone can find and explot them. With code now changing so often and rapidly, that goal is just unreachable. What we've had to tell people is, you have to embrace the fact that bugs exist in your applications. As a side note, those bugs also existed in the waterfall model when you were trying to find those bugs, so it really never worked. So, you have to assume that bugs exist, and that attackers are going to try to attack your applications, so you have to be reactive to those actual attackers, rather than just assuming they are not getting in because you've fixed all your bugs.
Let's talk about your funding. How are you backed and funded?
Andrew Peterson: We've been really lucky to have a lot of investors who have great experience in working with both SaaS companies, and especially, security. We tried to look for folks along the way, who had the experience at the phase of the company we're at. The most recent round, with Charles River Ventures, was great, because they have had so much experience in the Series B stage. They've worked with companies, and really help to scale them to become really large, well known household brands. That's why we are so excited to have their addition to this round.
What's the biggest lesson you've learned from this so far?
Andrew Peterson: I've learned a bunch. Not to plug myself, but I've done some writing and published a book with O'Reilly, talking about security misconceptions. That's one of the biggest things I've learned from this. There are a whole series of misconceptions about what modern information security means, and what challenges are out there. One of the ones that keeps coming up, over and over again, in the discourse about security, is the assumption that all of your attackers are extremely sophisticated, and all of their attacks are sophisticated attacks. But, when you start looking at the reality of attacks, and evaluate the information, you start seeing that if you just do some basic things, it doesn't have to cost a lot of money to be pretty effective against a whole class of attackers.
Finally, what's next for you?
Andrew Peterson: We're growing. That's the reason we raised our most recent round of funding, is to hire a lot more people. We've gotten some great feedback from our customers so far on our technology, that it's solving problems meaningful for them. So, we decided we'd doubel down, and bring this solution and technology to as many people as we can. We know the industry is really suffering from a lack of effective tools, especially as we see this new wave of product development that joins DevOps and cloud. The challenges are getting bigger, not easier. We want people to hear about us and our product, and how we can help them.
Thanks, and good luck!