Former MySpace and NASA security exec raises $700k, launches Prevoty to defend websites against malicious user code
Web security is like a generational game of leapfrog being played between malicious users on one side and site administrators and security specialists on the other. Every few years (or even months) a new class of exploit emerges against which the good guys must scramble a response.
“The more freedom a site gives to a user, the greater risk the site faces of XSS attacks. But this is also one of the best ways to drive engagement,” Prevoty co-founder Julien Bellanger says. “We’re enabling companies to give unlimited freedom to their users without being at risk of XSS attacks.”
Historically the preferred defense against XSS attacks has been the Web Application Firewall (WAF), which can be likened to a bouncer at the door of a popular nightclub – if you’re not on the list, or if you don’t look the part of a club-goer (i.e., an authorized site visitor), you’re not let in. The problem is, looks can be deceiving and, once inside, a club or website visitor can act in unauthorized ways. Under a WAF, the only way to tell the good from the bad is to check requests against a list of past signatures, which leaves WAFs especially vulnerable to new attack variants, or “zero-day” exploits.
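To make the signature-versus-behavior distinction concrete, here is an added example (written for this page, not Prevoty’s code or any description of how its product works) that contrasts a WAF-style signature blocklist with an allowlist sanitizer that keeps only tags and attributes a site has chosen to permit and escapes everything else. The sample content, the allowed-tag policy and the signature list are all constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample of user-submitted rich content: one benign tag plus
# three patterns a signature list might or might not know about.
SAMPLE = (
    '<b>hello</b> <img src="x" onerror="alert(1)"> '
    '<a href="javascript:alert(1)">link</a> <ScRiPt>alert(1)</ScRiPt>'
)

# Signature-style filter (the "bouncer with a list"): a fixed set of known-bad
# substrings. Anything not spelled exactly this way walks straight past it.
SIGNATURES = ["<script>", "javascript:"]


def signature_filter(content: str) -> str:
    """Strip exact-match signatures; mis-cased variants and other tags survive."""
    for sig in SIGNATURES:
        content = content.replace(sig, "")
    return content


# Allowlist policy (assumed, site-specific): what the site has decided users may
# submit. Everything outside this set is dropped or escaped, whatever it looks like.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.I)


class AllowlistSanitizer(HTMLParser):
    """Rebuild the markup from scratch, emitting only permitted structure."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so <ScRiPt> arrives as "script".
        if tag not in ALLOWED_TAGS:
            return
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # e.g. onerror=... is never on any allowlist
            if name == "href" and not SAFE_URL.match((value or "").strip()):
                continue  # only http(s)/mailto links are kept
            parts.append(f'{name}="{html.escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always escaped, so it can never become markup on output.
        self.out.append(html.escape(data, quote=True))


def sanitize(content: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(content)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("signature filter :", signature_filter(SAMPLE))
    print("allowlist sanitize:", sanitize(SAMPLE))
```

Running it shows the point the article makes: the signature filter removes the two strings it knows and passes the rest through, while the allowlist sanitizer never asks whether the input matches a known attack at all; it only asks whether each piece is on the permitted list. The policy here is deliberately small; a production sanitizer also has to handle things like nested-tag balancing, CSS, and URL normalization.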
“More than half of all websites are currently extremely vulnerable to XSS,” Bellanger says. “The only ones that aren’t are extremely simple and don’t allow the user to engage by submitting content – for example Chevron.com.”
SmartFilter can be deployed as a binary/virtual machine on Linux, as an add-on for Microsoft IIS, as a plugin for SharePoint 2010 and 2013, as a WordPress plugin, or as a cloud-based service with client libraries for C#, Go, Java, PHP, Python, and Ruby. SmartFilter ships with standard rules defining unauthorized behavior, but companies can create custom rules to accept or deny certain types of links or formatting and other potentially dangerous user actions.
Prevoty is a member of the current Spring 2013 class of the Launchpad LA accelerator and has raised $700,000 in a Seed round led by Plus Capital with participation from Double M Capital, Paige Craig, former Netscape CTO Eric Hahn, and other angels.
The company is testing per-request pricing initially with mobile carrier-like pre-purchase volume discounts. There is currently a free tier available, and paid tiers targeting mid-size and enterprise scale clients. This structure may change in the future, depending on market feedback.
It’s rare to find a Web security company in Los Angeles, but Anand and Bellanger have found it to be an advantage. In past ventures, the pair found it excessively expensive to hire good talent in the Bay Area, yet difficult to foster employee loyalty in the grass-is-always-greener northern California market. With strong roots in LA and the quality-of-life advantages working well to attract NorCal talent down south to the beach, the pair have had little trouble assembling a strong team for Prevoty. At the same time, the founders view LA, New York, and the Bay Area as equal sources of potential customers, and would thus spend time traveling among these markets regardless of where they chose to base the company.
The question I kept coming back to in my discussions with the founders and their investors was: if this is such a big problem, how is it that massive companies like Yahoo and eBay – let alone paid security companies like Symantec, Barracuda, Trend Micro, Cisco, and others – have yet to solve it? The answer, according to Prevoty’s founders, is a combination of a lack of focus on and understanding of this particular issue and misplaced loyalty to existing solutions into which they’ve made significant investments.
Few individuals have had more exposure to the problem than Anand, by way of his perch atop MySpace’s security division. The result appears to be an entirely new type of solution for combating XSS attacks that, at least currently, is best of breed. There’s no arguing the demand for a solution of this type. But whether Anand and Bellanger can scale this into a massive business is another question.
The Web security environment is a fast-changing one, in which malicious users are constantly cooking up new exploits to get around the measures introduced to stop them. Whether the small LA company can stay one step ahead, while fending off larger and better-known security industry challengers, remains to be seen. In the meantime, this is one of the more exciting early-stage companies I’ve seen in recent months and certainly one to keep an eye on.