After decades of ‘scanning and chasing’ code weaknesses, it was clear: the combination of rapid cloud-based product development and growing cyberthreats to applications demanded a major rethink of the AppSec paradigm.
My co-founder Yossi Pik and I ‘grew up’ together in SAP during the great shift to the cloud. Then, and later in my career, Yossi and I were part of an industry created around cloud native infrastructure and security. We were part of a major technological disruption. Yet we felt like a key element of this disruption had been left untouched: AppSec.
Cloud native development had evolved, but AppSec had not. To be honest, we both felt like ‘enough is enough’ - it was time to disrupt the undisrupted. Backslash was born because we realized that legacy Application Security (AppSec) Paradigm was in desperate need of change.
New Market - Old Paradigm
Applications are the lifeblood of any digital organization. And because they are so central to the digital enterprise, they are also an increasingly popular attack vector - squarely in the crosshairs of threat actors, large and small.
Yossi and I had lots of customers that knew this. They wanted to secure more than ‘just’ their cloud infrastructure - they wanted to secure their cloud native code.
Yet while there were plenty of vendors creating security solutions for infrastructure, VMs, containers and the cloud – and plenty of vendors doing deep code analysis - nobody was doing both.
We watched clients struggling with traditional AppSec tools that delivered an overwhelming number of false positives because they simply were not designed for the needs of modern microservices-based, cloud-native applications. We watched as agile releases made it impossible for AppSec teams to catch up with developers – because they were (and still are) massively outnumbered. For example, one current design partner has 4000 developers and eight AppSec engineers, another has 1500 developers and only four. On the flip side, we saw how Cloud Security (CloudSec) teams – even with their sleek and modern toolsets – simply couldn’t drill down into code.
Basically, we saw that the lines between AppSec and CloudSec had blurred, mostly owing to cloud-native architectures and tech like Infrastructure as Code (IaC). And we understood that this change required us to change our thinking and develop new AppSec models accordingly.
The Backslash Solution
We created Backslash to provide a solution to three key challenges facing AppSec stakeholders:
Backslash is a solution born in the cloud. Just like Cloud Security Posture Management (CSPM) solutions disrupted the Cloud Security paradigm, Backslash is changing the paradigm for AppSec by offering AppSec teams unprecedented visibility into modern application architectures. It’s not only the birth of Backslash, it’s the birth of a new category: Application Security Posture Management (ASPM).
We do this by identifying what we call ‘toxic code flows’ - unique combinations of undetected insecure code and/or configuration weaknesses, combined with ‘toxic’ conditions, that together increase risk dramatically. For example, while an average code base may have hundreds of potential SQL injections, AppSec teams would want to first address those in public-facing APIs, running in production, or that are part of a crown-jewel business app.
The Bottom Line
Given that CloudSec and AppSec are getting closer and that CloudSec has already made the leap into a modern paradigm of infrastructure security - AppSec is next. Backslash has experienced founders, great investors and most importantly the right team of code and cloud experts. Together we’re delivering a new "fused" paradigm of AppSec in the cloud - empowering skilled AppSec engineers with solutions for the cloud native workday.
Yossi and I came to Backslash with a clear vision and the decades of experience required to bring it to reality. Together with our outstanding team of code and cloud experts and doctors, we’re doing just that. The end result is more confident, more secure, and far smoother cloud deployments – alongside more effective and more cost-effective AppSec.