Backslash Security Marries App and Cloud Protection
Israeli startup Backslash Security sees itself as the overlap in a Venn diagram of securing code and its deployment in the cloud.
“Imagine that there is the left side and right side. The left side is in the actual code where it sits in the git repository, and the right side would be the actual cloud environment where the application is being deployed. Until this point in time companies were either your code security company or your cloud security company. And what we’re doing is tapping into both areas,” said co-founder and CEO Shahar Man.
He came from Aqua Security and SAP, and his partner, Yossi Pik, also formerly at SAP and cofounder and CTO of FARMIGO (acquired by GrubMarket).
“[At Aqua Security] I learned that there’s a big wall between infrastructure security and application security,” he said, something customers were asking for.
“So we said, ‘How about taking this very interesting approach that companies like Aqua, later on with Orca , brought into the cloud security space and apply this approach to the application security space?”
From Code Through Production
As Jit CTO and cofounder David Melamed wrote previously:
“Modern application development’s push for ‘everything as code’ … requires security testing at multiple levels on the infrastructure, application software and data layers to protect from a variety of possible attacks. We are no longer looking just at the application security itself, but the configuration of other infrastructure and services that may pose a target through code. … To add to this, it comes with a constantly changing threat landscape, with new findings, CVEs and exploits being discovered daily.”
The problem is that many application security tools that are not purpose-built for the cloud native era and overwhelm teams with a firehose of low-value alerts.
Backslash Security provides visualization of the application threat models and correlation between alerts coming from the code with insights from production deployment in the cloud to minimize the number of alerts and help prioritize them by the actual risk.
“Let’s assume that you have a potential SQL injection in your code. This is a pretty common symptom in your code … however, when you have hundreds of those, some of them would be false positives, and some of them are not real issues that need to be addressed. And it takes a lot of manual work and finds out which are the ones that are real and need to be addressed,” Man explained.
“With our approach, we’ll look at the cloud and see what are the actual flows of the application that really goes and works through this flow. So out of the 100, SQL injections, there are only two actually being used in the cloud. So these are the two you should address first.
“So that the overall idea [is] we leverage the understanding of how the application is deployed to … focus the application security teams to the most burning things and prove the risk on it.”
It enables enterprise AppSec teams to see, prioritize and act upon high-risk code combinations that it calls “toxic code flows,” in their cloud native applications.
“Developers need an accurate way to efficiently identify and fix code issues in their workflows, without being overwhelmed by alerts or false positives, while security needs a scalable way to manage risk,” said Melinda Marks, senior industry analyst at ESG.
“Backslash has developed a solution to address this gap utilizing the properties of the stack and modern development environments to give security teams the context they need to support development as it scales.”
Analyzing Interconnectivity
There’s nothing to install. You just tap into to two read-only connectors: your git repository (GitHub, GitLab) and the cloud account where the application is deployed (AWS/Azure/GCP). It supports the most common languages used in cloud native development such as Golang, Java, JavaScript Typescript and Python.
Backslash will analyze the microservices from the code and their interconnectivity and present a clear, visual shortlist of risks requiring the highest attention. Man maintains it can replace a host of AppSec tools including into a single platform including static application security testing (SAST), software composition analysis (SCA), secrets management and more.
Backslash Security faces a crowded field of application security rivals including Snyk, Synopsys, Veracode, Wix and others. The company came out of stealth in March and announced an $8 million dollar funding round. It’s in the late beta stage, looking to announce general availability during Q2.
“AppSec teams are struggling as companies rapidly shift to cloud-based deployment environments because the traditional solutions just aren’t keeping up,” said Brian Fielder, an investor and general manager, CTO Enterprise Security at Microsoft. “The Backslash team has built a truly cloud native approach to application security, bringing a new, visual, lightweight paradigm to the AppSec industry.
