The concept of shift left, or integrating security earlier in the software development life cycle, is important for application security, but it can be difficult to achieve. Developers need to take on some security responsibilities, but that means they need to be properly equipped with integrated security tools that fit their workflows.
This is the issue that Symbiotic Security, which launched this week, is tackling with its software-as-a-service platform, which integrates vulnerability detection and remediation capabilities directly into the application developer's integrated development environment (IDE). The platform also provides just-in-time training to developers so that they have the information they need to write secure code.
"Using Symbiotic is like having a personal security coach right next to you as you code," says Jerome Robert, co-founder and CEO of Symbiotic Security. "It provides real-time feedback on the security mistakes you're making, and it's training you so you don't repeat these mistakes."
The plug-in in the developer's IDE continuously scans code — as the developer types as well as the code that has already been written — and identifies potential security threats. The developer gets contextual remediation advice right in the IDE.
"Our security nudges are perceived as coaching," Robert says. "It's a tool that'll make them save time by not having to come back to fix old code."
Developers can also access the training materials — in the form of capture-the-flag (CTF) content — to learn what the problem is and why it is a problem. They see examples of secure and vulnerable code and are presented with a snippet of insecure code to find and fix as part of a game to help improve secure coding skills.
The difference between Symbiotic Security's plug-in and other code security tools is where the issues are identified, Robert says. Many of the others catch mistakes after the code has been written, often during code commits or when integrated with the rest of the build.
"Nobody feels bad making a few mistakes here and there in a draft, and that's the mental state we want developers to be in when we advise them on security," Robert says. "If we were at commit [or, more commonly, in the CI], we'd be basically flagging issues after a developer said, 'This is my final release, this code is good to go.'"
As part of the launch, Symbiotic Security also raised $3 million in seed funding from investors including Lerer Hippeau, Axeleo Capital, and Factorial Capital. Symbiotic Security said its product is currently deployed at eight companies.