Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
ForAllSecure, which today announced raising a $21 million series B funding round, said that the customer base for its autonomous application security testing solution has quadrupled over the past year. The company also debuted a free version of its Mayhem product aimed at helping developers to secure open-source projects.
The company is working to bring an algorithmic approach to enabling automated, rapid identification of vulnerabilities for application security (AppSec) teams, according to David Brumley, cofounder and CEO at ForAllSecure.
“We’ve carefully chosen and architected our approach to make autonomy possible in AppSec,” Brumley said in an email to VentureBeat. “We are getting rid of the scan and making all results actionable — and if you dare, [you can] even remove the human from the loop.”
ForAllSecure’s enterprise-focused autonomous app testing product, Mayhem for Code, launched at the beginning of 2020. The company also offers Mayhem for API for testing application programming interfaces.
MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.
ForAllSecure now has more than 100 customers, up from 25 at this point a year ago, Brumley said. Customers include the U.S. Department of Defense, Cloudflare, Roblox, Motional and Subspace.
Launching the free version of the product — Mayhem for API Free — is “just the right thing to do,” Brumley said. “In order to test the world’s software for exploitable bugs, you need to recognize the value of the independent developer. We built Mayhem for API Free to help them.”
Ultimately, ForAllSecure is seeking to make it easier for enterprises to bring security earlier into the application development process, commonly referred to as “shifting left.”
According to a report from NTT Application Security, 50% of all web apps were vulnerable to at least one serious exploitable vulnerability throughout 2021.
While software vulnerabilities have long ranked as a concern for businesses, awareness of the issue has grown amid the discovery of widespread critical flaws, such as the vulnerability in Apache Log4j. Meanwhile, high-profile compromises in the software supply chain, such as the attacks on SolarWinds and Kaseya, have also led to greater awareness of the potential threats.
“Cybersecurity starts with safe software,” said Brumley, who is also a full professor at Carnegie Mellon University in computer science. “Unfortunately, there hasn’t been any innovation in application security for two decades. And at the same time, we’re at a crisis point in staffing the cybersecurity workforce.”
ForAllSecure’s offerings are “what modern application security looks like,” he said, with its goal of automatically finding exploitable bugs before attackers can succeed — an approach known as “fuzz testing.”
With the solution, a user uploads their software, and Mayhem automatically performs deep, attacker-like penetration testing. Importantly, the tool also learns from the application logic itself, Brumley said.
The team at ForAllSecure has spent two decades in academia researching why legacy application security doesn’t work, and how to improve it, he said.
“It’s crazy, but a lot of companies believe that a scan that takes minutes will point out all problems and defeat attackers who spent days, weeks and months finding new vulnerabilities,” Brumley said. “That’s not reality. Mayhem automates attacks, and can run continuously.”
Main competitors include Synopsys and Snyk, according to Brumley.
Amid a severe shortage of cybersecurity talent, ForAllSecure contends that “autonomy is what’s needed to bridge the AppSec workforce crisis,” he said.
Mayhem operates autonomously to “work like attackers,” finding and creating exploits, ForAllSecure said in a news release. The product is faster, more accurate and less-expensive than manual approaches — and is “truly automated” because it’s not necessary for humans to double-check the results, according to the company.
Founded in 2012, ForAllSecure became active in 2014 to prepare for the DARPA Cyber Grand Challenge that year. The competition from the Defense Advanced Research Projects Agency (DARPA) focused on automatic cyberdefense systems, and ForAllSecure took the top prize, worth $2 million.
Brumley, who holds a Ph.D. in computer science from Carnegie Mellon University and a master’s degree in computer science from Stanford University, has been a professor at Carnegie Mellon since 2009.
The other founders of ForAllSecure are vice president of engineering Thanassis Avgerinos, who holds a Ph.D. and master’s degree from Carnegie Mellon University, and advisor Alex Rebert, who has a master’s degree from Carnegie Mellon.
The company’s series B funding round was co-led by Koch Disruptive Technologies and New Enterprise Associates. ForAllSecure has now raised $36 million to date.
The funding will go toward expansion in the market, further product development and hiring. ForAllSecure did not disclose its headcount, but expects to increase its headcount by 50% this year, Brumley said.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.