Roadhouse

Web security is like a generational game of leapfrog being played between malicious users on one side and site administrators and security specialists on the other. Every few years (or even months) a new class of exploit emerges against which the good guys must scramble a response.

Today, one of the most common methods of attack is Cross-Site Scripting (XSS), to which up to 70 percent of websites are thought to be vulnerable, according to Kunal Anand, co-founder of Web security startup Prevoty. XSS is the execution of malicious JavaScript code in users’ Web or mobile browsers and rich clients. As the former director of technology at the BBC, director of engineering at Gravity, security engineering manager at MySpace, and a lead software architect at NASA, Anand has been working at the forefront of this problem for years and may have the first viable solution in Prevoty.

XSS code can be executed in a variety of contexts, commonly including the comments sections of many content publisher sites, webmail, and collaboration applications such as SharePoint. While XSS was once used mostly by cyberpunks to deface websites – like MySpace profiles – today it is being used by sophisticated hackers in more nefarious ways, such as to steal user or administrator credentials and gain deeper access to systems, where real damage can be done. eBay, for example, allows users to use JavaScript and HTML to create custom listings, and is thus regularly exploited by XSS attacks. Yahoo Mail is also a common target due to the way it allows email senders to mask the content of embedded hyperlinks.

“The more freedom a site gives to a user, the greater risk the site faces of XSS attacks. But this is also one of the best ways to drive engagement,” Prevoty co-founder Julien Bellanger says. “We’re enabling companies to give unlimited freedom to their users without being at risk of XSS attacks.”

Historically the preferred defense against XSS attacks has been the Web Application Firewall (WAF), which can be likened to a bouncer at the door of a popular nightclub – if you’re not on the list, or if you don’t look the part of a club-goer (aka an authorized site visitor), you’re not let in. The problem is, looks can be deceiving and, once inside, a club or website visitor can act in unauthorized ways. Under a WAF, the only way to tell the good from the bad is to check against a list of past signatures, making WAFs especially vulnerable to new attack variants, or “zero-day” exploits.

“More than half of all websites are currently extremely vulnerable to XSS,” Bellanger says. “The only ones that aren’t are extremely simple and don’t allow the user to engage by submitting content – for example Chevron.com.”

In Prevoty, Anand and Bellanger have created the equivalent of in-club security, which monitors the ongoing behavior of every guest and ejects them at the first sign of trouble. The company’s SmartFilter product sits between the application and the firewall to provide contextual security. Rather than simply relying on past malware definitions or heuristics, SmartFilter uses “tokenizers, parsers, and profilers that in unison have the ability to perform syntactic/semantic operations on content,” according to the company. In other words, its algorithms understand how HTML and JavaScript code behaves within an application and how that affects users. When potentially dangerous activity or code is detected, the system prevents it from running and ejects the user responsible.
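To make the contrast between signature matching and parsing concrete, here is an added example (not Prevoty’s code; the article does not describe SmartFilter’s internals) of a minimal allowlist sanitizer for a comment field: it tokenizes the submitted HTML with Python’s standard parser and rebuilds only the tags, attributes and URL schemes a fixed policy permits, so nothing unlisted survives regardless of how it is spelled. The tag and attribute policy and the inputs in the test are constructed for this illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed comment-field policy: anything not listed here is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}  # never get a closing tag
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
DROP_WITH_CONTENT = {"script", "style"}  # element and its body are discarded

def safe_url(value):
    # Scheme check on the parsed URL, so javascript:, data:, vbscript: fail.
    return urlparse(value.strip()).scheme in SAFE_SCHEMES

class AllowlistSanitizer(HTMLParser):
    # Rebuilds markup from parsed tokens instead of pattern-matching raw text.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a discarded <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            # Unlisted tags and attributes (every on* handler, style=, ...) vanish.
            kept = "".join(
                f' {name}="{escape(value, quote=True)}"'
                for name, value in attrs
                if value is not None and name in ALLOWED_ATTRS.get(tag, set())
                and (name not in ("href", "src") or safe_url(value)))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:  # text is re-escaped, never copied through
            self.out.append(escape(data, quote=False))

def sanitize(user_html):
    parser = AllowlistSanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out)
```

Because the decision is made per parsed token against a policy, a handler attribute the sanitizer has never seen is treated exactly like one it has, which is the property a signature list lacks.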

SmartFilter can be deployed as a binary or virtual machine on Linux, as an add-on for Microsoft IIS, as a plugin for SharePoint 2010 and 2013, as a WordPress plugin, or as a cloud-based service with client libraries for C#, Go, Java, PHP, Python, and Ruby. SmartFilter ships with standard rules defining unauthorized behavior, but companies can create custom rules to accept or deny certain types of links or formatting, and other potentially dangerous user actions.

Prevoty is a member of the current Spring 2013 class of the Launchpad LA accelerator and has raised $700,000 in a Seed round led by Plus Capital with participation from Double M Capital, Paige Craig, former Netscape CTO Eric Hahn, and other angels.

The company is testing per-request pricing initially with mobile carrier-like pre-purchase volume discounts. There is currently a free tier available, and paid tiers targeting mid-size and enterprise scale clients. This structure may change in the future, depending on market feedback.

It’s rare to find a Web security company in Los Angeles, but Anand and Bellanger have found it to be an advantage. In past ventures, the pair found it excessively expensive to hire good talent in the Bay Area, yet difficult to foster employee loyalty in the “grass is always greener” Northern California market. With strong roots in LA and the quality-of-life advantages working well to attract NorCal talent down south to the beach, the pair have had little trouble assembling a strong team for Prevoty. At the same time, the founders view LA, New York, and the Bay Area as equal sources of potential customers, and would thus spend time traveling among these markets regardless of where they chose to base the company.

The question I kept coming back to in my discussions with the founders and their investors was, if this is such a big problem, how is it that massive companies like Yahoo and eBay – let alone paid security companies like Symantec, Barracuda, Trend Micro, Cisco, and others – have yet to solve it? The answer, according to Prevoty’s founders, is a combination of a lack of focus on and understanding of this particular issue and misplaced loyalty to existing solutions into which they’ve made significant investments.

Few individuals have had more exposure to the problem than Anand, by way of his perch atop MySpace’s security division. The result appears to be an entirely new type of solution for combating XSS attacks that, at least currently, is best of breed. There’s no arguing the demand for a solution of this type. But whether Anand and Bellanger can scale this into a massive business is another question.

The Web security environment is a fast-changing one, in which malicious users are constantly cooking up new exploits to get around the measures introduced to stop them. Whether the small LA company can stay one step ahead, while fending off larger and better-known security industry challengers, remains to be seen. In the meantime, this is one of the more exciting early-stage companies I’ve seen in recent months and certainly one to keep an eye on.