I’m excited to announce that Canonic Security, the product we’ve been working on for over a year, is now generally available! Canonic helps you reduce your SaaS attack surface and quickly respond to SaaS-native threats.
We’re also excited to share we’ve raised over $5.7M in seed funding led by Josh Kopelman at First Round and Yaron Elad at Elron Ventures with participation from SV Angel, Operator Partners, and toDay ventures.
So what are SaaS-native threats, you say?!
Business applications are decomposing, from standalone monoliths to hyper-integrated, highly extendable ecosystems. Why wait for IT to get HubSpot going when you can grab five freemium add-ons to collect leads in a Google spreadsheet, enrich them, launch a drip campaign and auto-qualify leads into AirTable?
In your own life, you've probably connected dozens of apps to your personal Gmail. You might even have built an IFTTT workflow to pause your Roomba before a Zoom meeting starts.
What does security look like in this kind of world?
How do you map and analyze your new app estate and the attack surface it introduces? How do you control third-party API access to your data? How do you continuously monitor it, detect abnormal behavior, and uncover abused, compromised or misconfigured integrations?
A proxy or an endpoint agent won't help: business apps live far beyond your data flow. Federating access to your business apps won't help: third-party API access doesn't care about your SAML IdP. Making sure your business platform is configured according to the latest CIS benchmark, and firing off Jira tickets when it invariably drifts, might mitigate some mishaps, but what does configuration even mean for thousands of integrations and native-code automations, most of which you didn't know existed? You may throw some telemetry at your favorite analytics tool (err... XDR, you say), but only if you know whose telemetry it is, what their activities actually meant, and whether they were actually theirs or an attacker's.
That's roughly where the map stops fitting the territory. Where security took a pause and stopped keeping pace with technology. Where our L3 firewall was begging for an L7 next-gen firewall. Where AV was begging for an EDR. Where CASBs and other decade-old inventions were begging to be disrupted.
I've been passionate about third-party apps ever since my early CASB days at Firelayers and later at Proofpoint, where I had the opportunity to scale the Firelayers solution to thousands of customers and tens of millions of protected end-user accounts. Coincidentally, Niv, my partner and Canonic Security CTO, was working on OAuth weaknesses as early as 2011 (RFC 6819, RFC 6749).
But how do you automatically assess millions of integrations and the risk they pose, across dozens of SaaS platforms supporting OAuth add-ons?
We've set out to solve that riddle and have some great news coming up shortly... stay tuned!