CEO blog – Introducing build.security

Amit Kanfer November 18, 2020

The true authorization policy management platform for developers

Building security into applications is uniquely challenging: as developers, we’re responsible for eliminating a dozen different attack vectors inherent in application software, and some of them, like authorization, are entire universes of complexity of their own. We’ve come a long way toward resolving many of AppSec’s more complicated problem spaces, like authentication, with dedicated solutions. However, the convoluted nature of authorization modeling seems to have put the market off authorization as a problem space.

Luckily, it turns out that a group of masochistic developers were willing to give it a try! 

Alongside my co-founder, Dekel Braunstein, I’m pleased to introduce build.security – the first Authorization Policy Management platform and an important step towards bringing maturity to authorization as a field. Built by developers for developers, our platform simplifies authorization with automated policy discovery, policy as code, and a single pane of glass for policy visibility and management. With our solution already available to a limited group of customers and developers, our journey towards market standardization for authorization, and towards creating a strong open-source community dedicated to keeping applications safe, is well underway!

Why Authorization?

Authorization is everywhere. It is one of the key security measures in application development, which means that the confusing and time-consuming nature of today’s modeling and enforcement best practices becomes less sustainable and scalable with every new attribute we need to account for. Developers can’t afford the market’s authorization void any longer!

Shouldn’t we simply be able to know what a certain identity can do within an application—and when and how—when authoring end-user access policies? Why can’t we easily apply similar access policies to service-to-service communications by adding user context into the equation? Wouldn’t it be nice to easily authorize internal employee access to internal resources like Kubernetes deployments, SSH access and internal APIs?

After asking ourselves these questions over and over, we realized that these issues boiled down to policy and a serious need for simplicity. It didn’t take long for our vision of a single platform to manage all these actions to follow. This true platform potential is what seems to have everyone most excited: authorization offers an endless host of cognitive hurdles for us to overcome.

Authorization’s Endless Problem Potential

Developers building authorization into code need to account for three dimensions of an access request—its identity, resource and context—with each dimension introducing its own unique set of attributes.

  1. Identity – Who is the identity that is trying to access the resource? What do we know about them? Does the identity have the necessary security clearance for this request? Where are these attributes stored?
  2. The resource – What is the resource being accessed? How do we account for its vendor, type, location, and sensitivity? What is the relationship between the identity and the resource? Where are these attributes stored?
  3. The context – How is the identity attempting to gain access to the resource? Can their device be trusted? What is their geo-location at the time of the request? And, of course, where are these attributes stored?

These questions only begin to scratch the surface of authorization’s unique complexity as a problem space. Next, engineering teams must build authorization models and hierarchies, turn them into 100% performant policies and then successfully enforce them at application runtime. This is an extraordinarily resource-intensive and time-consuming feat.

A New Approach to Building Authorization

It has become clear over the last six months, through more than one hundred customer calls, that the few authorization solutions currently available are insufficient for resolving attribute complexity or for scaling to meet the production speed of modern developer environments. We’re solving this by approaching authorization through policy management.

We’ve created a managed service to easily express use cases; integrate with a marketplace of SDKs, plugins, middlewares and database connectors; enforce policies with cutting-edge technology; and monitor and manage policies at scale. With our platform, developers can easily define role- and attribute-based access controls, source attributes from databases and ticketing systems in real time, deploy policy engines, and enforce decisions with open-source SDKs and authorization middlewares. Better yet, these features are available in a single, sleek UI that generates policy-as-code, integrates with any Git repository and plugs seamlessly into all CI/CD pipelines.

But don’t take our word for it! With our soon-to-be-GA freemium version and its easy self-onboarding, we warmly invite you to experiment with it for yourself.

…Curious?

We appreciate that seeing is believing for developers. We’re building a service that developers can consume off-the-shelf. The good ol’ “sign-up” -> “sign-in” experience. Deploy our freemium version in just a few minutes to begin seeing immediate returns.

As developers, we also appreciate that our solution needs to work for any app, regardless of its programming language, cloud platform or deployment method. We further understand that it has to be “set and forgotten”, which is why we abstracted build.security’s security layer and opted to decouple policy from the code. This means that, once the code is deployed, it never needs to change again: decoupling the policy allows teams to change the underlying implementation and policy decisions at any time, for any reason, without having to retest, re-review or redeploy the code in production.
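To make two points from this post concrete, the three dimensions of an access request (identity, resource, context) and the idea that policy should be decoupled from the code that enforces it, here is an added Python example. It is not build.security’s code and does not use its platform or SDKs; the rule names, users, clearance levels and attribute values are all constructed for illustration. The policy is a plain data structure that the `authorize()` enforcement point only evaluates, so decisions can be changed by editing the policy (or loading a different one) while `authorize()` itself stays untouched.

```python
from dataclasses import dataclass

# --- Policy as data (constructed example). This is the part that changes; ---
# --- the enforcement code below does not need to.                         ---
CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def clearance_covers(identity, resource):
    """Identity clearance must be at least the resource's sensitivity."""
    return CLEARANCE_RANK[identity["clearance"]] >= CLEARANCE_RANK[resource["sensitivity"]]

POLICY = [
    # identity dimension only: the owner of a resource may do anything with it
    {"name": "owner-full-access",
     "actions": {"read", "write", "delete"},
     "when": lambda i, r, c: r["owner"] == i["user"]},
    # identity + resource + context: analysts read if cleared and on a trusted device
    {"name": "analyst-read",
     "actions": {"read"},
     "when": lambda i, r, c: "analyst" in i["roles"]
                             and clearance_covers(i, r)
                             and c["device_trusted"]},
    # identity + context checked against the resource: admins write only from
    # a region the resource allows, and only from a trusted device
    {"name": "admin-write-in-region",
     "actions": {"write"},
     "when": lambda i, r, c: "admin" in i["roles"]
                             and c["device_trusted"]
                             and c["geo"] in r["allowed_regions"]},
]

@dataclass
class Decision:
    allowed: bool
    reason: str

def authorize(identity, resource, context, action, policy=POLICY) -> Decision:
    """Enforcement point. It knows nothing about roles, clearances or regions;
    it only evaluates whatever policy it is handed, denying by default."""
    for rule in policy:
        if action not in rule["actions"]:
            continue
        try:
            if rule["when"](identity, resource, context):
                return Decision(True, rule["name"])
        except KeyError:
            # An attribute the rule needs is missing from one of the three
            # dimensions: the rule must not match. Fall through to default deny.
            continue
    return Decision(False, "default deny")

# Constructed sample data for the three dimensions.
ALICE = {"user": "alice", "roles": ["analyst"], "clearance": "internal"}
BOB = {"user": "bob", "roles": ["analyst"], "clearance": "confidential"}
CAROL = {"user": "carol", "roles": ["admin"], "clearance": "secret"}
EVE = {"user": "eve", "roles": ["analyst"]}                  # no clearance attribute
REPORT = {"id": "doc-1", "owner": "alice", "sensitivity": "confidential",
          "allowed_regions": {"us"}}
MEMO = {"id": "doc-2", "owner": "dana", "sensitivity": "secret",
        "allowed_regions": {"us"}}
TRUSTED_US = {"device_trusted": True, "geo": "us"}
TRUSTED_EU = {"device_trusted": True, "geo": "eu"}
UNTRUSTED_US = {"device_trusted": False, "geo": "us"}

if __name__ == "__main__":
    requests = [(ALICE, REPORT, UNTRUSTED_US, "delete"), (ALICE, MEMO, TRUSTED_US, "read"),
                (BOB, REPORT, TRUSTED_US, "read"), (BOB, REPORT, UNTRUSTED_US, "read"),
                (CAROL, REPORT, TRUSTED_EU, "write"), (CAROL, REPORT, TRUSTED_US, "write"),
                (EVE, REPORT, TRUSTED_US, "read")]
    for who, what, ctx, action in requests:
        d = authorize(who, what, ctx, action)
        print(f"{who['user']:6} {action:6} {what['id']} from {ctx['geo']}: "
              f"{'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

Two design choices worth noting: the enforcement point denies by default, so a rule that references an attribute nobody stored (Eve has no clearance) can never grant access by accident; and because `authorize()` accepts the policy as a parameter, a reduced or updated rule set changes the decision without any change to the enforcing code, which is the practical meaning of “decoupling policy from code”.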

Let’s Get Building

With excitement from YL Ventures—which led the seed round—George Kurtz (CEO & co-founder of CrowdStrike)—who immediately joined as a distinguished backer—and other industry luminaries like Amol Kulkarni, Michael Sutton, Sounil Yu, Dan Amiga, Eyal Gruner, Eran Barak, Liron Levin and Danny Zion on our side, we feel like we’ve got an excellent foundation for success. We’re growing even more confident as we continue to bring in incredible talent to join our expanding team. We look forward to building out authorization’s first true set of best practices and standardization. In the meantime, we hope you’ll join us on our platform and through our online communities. 

Exciting times are ahead!

Amit
