February 15, 2023

Why we invested in Oligo

Bringing zero authority to your runtime application environment

By Jake Seid, Co-founder and General Partner

Today, Oligo comes out of stealth and announces $28M in funding. The company protects what matters most, bringing AppSec + observability to your software running in production, without the compromises of legacy architectures.  

What is zero authority and why will you hear this theme again and again from Ballistic Ventures? 

It’s the belief that least-privileged access and zero trust are not the purview of one product but instead a fundamental architectural sea-change that will transform every product category.

Bringing zero authority to runtime AppSec

When I first met Oligo’s co-founders Nadav Czerninski, Gal Ebaz and Avshalom Hilu, I was so impressed with their insights into runtime application security and how closely we were aligned on what zero authority could mean for the important pillar of cybersecurity.  

In addition to the team, we invested in Oligo because they leverage a new architecture to finally bring zero authority to your production application environment. This is a big deal because, traditionally, AppSec has done good work by focusing on build-time or pre-production, but the driver of business is your production environment. Historically, building a large AppSec platform company in the production environment wasn’t possible because there was too much friction, and it forced a fundamental tradeoff between security and performance. And of course, performance (including stability) and the needs of business will win every time.   

For the first time, Oligo eliminates these tradeoffs.

The rise of cloud architectures and open source makes Oligo a necessity

One of the critical value propositions of the cloud to enterprise customers is the ability to move very fast. In the cloud, the traditional enterprise security model of “ticket and fix-it” breaks down.  A new security model of putting guardrails in production environments is needed in order to be aligned with the pace of deploying code to the cloud. Oligo’s approach enables these guardrails in your production environment without impacting performance or application stability.  

The rise of open source software (OSS) means that the vast majority of applications that businesses develop internally or use today are made up of OSS components – in fact, 98% of applications, according to one report. For every benefit OSS brings to businesses, there are also risks, because these components are developed by an ever-changing, vast network of third parties. As we saw with Log4j and many others, detecting and preventing vulnerabilities in OSS (and across your entire software supply chain) is a critical challenge.

But with the vast amount of OSS used, engineers are now overwhelmed with the number of vulnerability alerts that are showing up in their repos and build-time environments. By focusing on the subset of OSS in the production environment and the further subset of OSS actually running in the production environment, Oligo improves both security and developer productivity.

Ultimately, this also has material business impact. Businesses live and die based on the resiliency of their production environments. Yet, solutions on the market today to secure these environments are noisy, create large volumes of false positives, and don’t provide runtime application context – making it all but impossible to achieve application security and observability and, therefore, bringing us back to the tradeoffs of legacy approaches.

Enter: Oligo Security 

With Oligo, developers, DevOps and security teams all win. The company’s breakthrough approach is the first to offer true runtime application security and observability – for all production stakeholders – without any compromises.

That’s why we’re excited to announce our investment in Oligo Security. Today, Oligo exits stealth with $28M in funding and a talented and highly technical leadership team – trained by the cyber unit of the Israeli Defense Force. The company has an impressive list of early adopters and an opportunity to be a fundamental part of every company’s production environment. We’re excited to invest with our friends at Lightspeed and TLV, as well as the many well-regarded angel investors.  

What separates Oligo from others in application security?

Most successful application security startups and public companies out there today do very important work by focusing on the build environment. Build-time application security companies are highly valued (like Snyk at $7.4B in its last round), but they’re not architected to work in runtime. Oligo provides an important runtime complement to these now widely used build-time tools.  

Oligo is able to complement build-time AppSec not through an extension of features, but rather through a fundamental architectural difference leveraging technologies like eBPF.  

We believe both build-time and runtime AppSec solutions are important and that by bridging build-time and runtime, enterprises will get the most value out of their overall AppSec investments.

In fact, one of the critical benefits Oligo offers by bridging production and build-time AppSec is through the prioritization of vulnerabilities based on runtime context. Developers struggle with the large number of alerts generated in their build-time environment and for the first time they can prioritize based on what’s most important: knowing what’s running and not running in production. Developers can also use Oligo for virtual patching and real-time attack prevention so they can take the time needed to properly update production systems without fear of one of those systems being compromised while updates are still in process.

In the runtime world, RASP (runtime application self-protection) historically offered the promise of security but suffered from the friction of complexity, adding application load and risking stability. But just like there was a moment in time where technical innovations converged to make a frictionless iPhone do what an Apple Newton couldn’t do, we believe that moment in time has arrived to remove the friction from runtime application security.  

How the Oligo platform works

Currently in production environments, applications take a “trust-all” approach to integrated third-party components. Every component of an application has the same permissions as the parent application. Oligo’s founders realized how profound the implication of this is when researching OSS components used by Instagram. If we want to use Instagram, we all know that we have to tell our phone to give Instagram full access to everything. The implication is that each OSS component used by Instagram has full access to everything.  

That legacy trust-all approach worked when we built our own libraries. Oligo’s founders realized that in a world where most software is now cobbled together through a vast software supply chain of OSS components developed by third parties, the trust-all approach can no longer be accepted.

Oligo enables the runtime application equivalent of zero authority (or least-privileged access), which can protect the production environment from any unexpected action taken by any OSS library in a highly deterministic way. 

Oligo’s runtime platform leverages eBPF as well as proprietary software which connects high-level application calls to kernel-level actions. This protects production environments from application security threats in a way not possible with legacy RASP products.

Further, legacy RASP only stopped generic attacks. Oligo changes the game by focusing on the library’s behavior and not the attacks. This makes Oligo’s solution much more generalizable and scalable than previous approaches.

With eBPF now embedded into modern versions of Linux, Oligo can get visibility on application components without impacting performance. Because eBPF has become the industry standard, it also helps answer many initial questions that customers have for a RASP-type product. And while eBPF is an open technology available to anyone, Oligo’s IP focuses on making eBPF usable to create a zero-trust production application architecture. The company’s IP, combined with eBPF, not only supports granular visibility of application calls, but also enables enforcement of granular permissions for each library.

It’s also important to note the company has taken great care to simplify the deployment model. Their plug-and-play approach to deployment means 1) no code changes, 2) instant time-to-value, and 3) de minimis operational impact. Oligo’s position in the stack also provides benefits to developer and DevOps teams, including observability, reduced OSS component updates, prioritized patch management and virtual patch management – all win-wins for uniting DevOps and security.

Oligo is making runtime AppSec and observability possible, and we’re excited to welcome them to the Ballistic portfolio.