Symbiotic Security, which announced a $3 million seed round today, watches developers as they code and flags potential security issues in real time. Other companies are doing this, but Symbiotic also emphasizes the next step: teaching developers to avoid these bugs from the beginning.
Ideally, this means developers fix security bugs before they ever enter the code repository, which should also speed up the overall development process. Developers also learn on the job, in the environment they already work in, which makes it far more likely that they will actually apply the changes they need to make. That is more effective than sending them through annual security training in SuccessFactors.
Founded earlier this year, the company released an MVP focused on infrastructure-as-code languages like Terraform about a month ago. Symbiotic co-founder and CEO Jerome Robert told me that the company chose this focus to get to an MVP quickly and prove its vision. Over time, the team plans to expand to the rest of the application stack, supporting languages such as Python and JavaScript.
Image credit: Symbiotic Security
Robert pointed out that even the most developer-friendly security tools are still essentially tools for security teams. “They enable security teams to become better police officers. These are not tools that make developers good people,” he said. “These are tools that allow security teams to send out hundreds of messages throughout the week that say, ‘You made a mistake. You need to fix that.’”
Meanwhile, developers are constantly forced to choose between fixing security issues and developing new features.
The idea behind Symbiotic Security is to point developers in the right direction, much like the code completion tools they are already familiar with. Ideally, Symbiotic helps developers fix bugs in the inner loop, while they are still coding, long before continuous integration and delivery platforms start scanning the code for issues. Once a finding reaches that stage, the process slows down quickly, and Jira tickets and additional code review rounds take over.
Image credit: Symbiotic Security
This is also where Symbiotic goes a step further. “Simply allowing fixes [to the issues] and detecting them is not enough,” Robert explained. “You also need to be trained on security. Developers love training, that's an absolute, 100% certainty. But security training is a pain.”
Robert argues that for developers, on-the-fly training is relatable. It focuses on immediate needs rather than abstractions. And it's short, only a few minutes.
For now, these training lessons and videos are pre-recorded, but over time they may become more AI-driven, allowing Symbiotic to tailor them further to the specific problems developers are working on and make them more relevant.
There is another interesting angle here. To train a model to automatically fix security issues, you need a corpus of code containing security bugs alongside the fixed versions of those same snippets. Because Symbiotic recognizes problems and tells developers how to fix them, it could, ideally, build exactly that kind of high-quality dataset on which to train repair models. For now, though, that is a longer-term project.
Symbiotic is backed by Lerer Hippeau, Axeleo Capital, Factorial Capital, and others. “Jérôme and co-founder Edouard Viot have a deep understanding of the underlying issues of traditional code security and have shown remarkable foresight in their approach to addressing the growing demand for shift-left security solutions,” said Graham Brown, managing partner of Lerer Hippeau. “Symbiotic has the potential to transform the industry and empower both developers and security teams.”