The application layer is a "black hole" of enterprise security, said Julien Bellanger, co-founder and CEO of Los Angeles-based startup Prevoty, a provider of runtime application monitoring and protection.
"It is not difficult to find scalable solutions for network security and endpoint security, but there is nothing you can actually call application security the way you can call a network appliance network security," he said.
Yet applications are more important now than ever before, Bellanger said, with companies using cloud-based apps and platforms to satisfy the needs of both their customers and employees.
"Applications are not necessarily protected by the network layer or the endpoint layer," he said. "Both are necessary, but the application itself is a piece of software that is exposed to employees, to the Web, to any untrusted source of data. Applications are extremely exposed and extremely hacked."
While a growing number of enterprise infosec teams are aware of this security shortcoming, he said, there is "a critical lack of human resources in application security today." While some longtime software developers are beginning to apply their skills to application security, it will take time for supply to match demand, he added.
Though it just marked its two-year anniversary, Prevoty has attracted high-profile clients like Visa, Time Warner and Macys.com.
"Our customers tend to be early adopters of technology," Bellanger explained. "They understand the value of their applications and the data within them. They realize their apps are vulnerable. Often, they are companies that have used scanning tools to look at the vulnerabilities in their code. They realize there is really no scalable way to mitigate vulnerability across hundreds or even thousands of apps."
What about a WAF?
Though Web application firewall (WAF) providers often position their products as providing application security, Bellanger said WAFs provide limited protection because they lack visibility and context into the content executing within apps. He likened WAFs to bouncers working the door at a nightclub, who can keep out miscreants they recognize but might miss the same troublemakers if they wore disguises.
"[WAF] can look at what is coming in and malicious hacks, but if you transform your hacks it can go through the WAF because it has no context as to what is happening in the app," he said.
Because Prevoty offers runtime security and application monitoring, it can enhance the value of a WAF for companies that have invested in one. "We can work with the WAF by feeding contextual data from app to the WAF, so the WAF can better anticipate a hack," Bellanger said, noting that Prevoty's solution can interact with other network security appliances as well.
Right Product, Right Time
Bellanger believes Prevoty hit the market at the right time, an idea seemingly confirmed by the $11 million it has raised, including an $8 million Series A round with U.S. Venture Partners earlier this year. The importance of launching the right product at the right time was a lesson he learned after founding his first company, a French social network site, in college.
Another lesson learned that is serving him well at Prevoty is the importance of a strong support network, Bellanger said.
"At my first company we did not have investors, potential partners or advisors; we were all by ourselves," he said. "From the beginning at Prevoty we surrounded ourselves with amazing investors and amazing advisors, and we pulled in the best executives we could hire, even in the very early stages."
Prevoty will use much of its latest infusion of capital to hire marketing and sales staff. Its product goal for 2015 is to "enhance or add value to the ecosystem," Bellanger said. "We can give actionable data to a SIEM and to scanners and the firewall, so that is going to be our focus this year. We want to enhance the multi-layered security approach by aligning infosec professionals with the application security layer information."
Fast Facts about Prevoty
Founders: Julien Bellanger and Kunal Anand, the company's CTO
Product: Runtime application monitoring and protection
HQ: Los Angeles
Customers: Large and medium enterprises, including Visa, Time Warner and Macys.com
Funding: $11 million, with investors including U.S. Venture Partners
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.