Signal Sciences: Enterprises still overlooking web app security

Ransomware threats are everywhere these days, but one startup is focusing on the most common cause behind data breaches.

Signal Sciences is a Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP) company that protects customers' web applications and APIs, regardless of the software architecture or deployment model used, such as on-premises, cloud, containers or hybrid approaches. The company believes web application security is often eclipsed by ransomware threats, despite the fact that Verizon Data Breach Investigations reports have named web apps as the leading cause of enterprises breaches.

The next-generation WAF startup raised $35 million in Series C funding last year, bringing its venture capital funding to more than $61 million. Signal Sciences co-founder and CEO Andrew Peterson discusses how his company distinguishes itself from other WAF vendors, the challenges enterprises face with securing web apps and e-commerce platforms, and why application security is often overlooked.

Editor's note: This interview has been edited for length and clarity.

Tell me how Signal Sciences was founded.

Andrew Peterson: We started about five years ago, and I've been working with my co-founders on this for probably closer to 10 years in the space and on this specific technology. The specific product category according to Gartner that we play in is called Web Application Firewall or WAF, as well as Runtime Application Self-Protection or RASP. That's a particular favorite of mine. In both areas, essentially what we're doing is protecting websites and mobile applications and APIs. As you can imagine, as people are starting to develop more and more software, and using that software to connect with their customers, this has become a rising focus in the security world; attackers have been having a lot of success attacking the web layer of different organizations. It's been about eight years running now in the rise of data breach report that web apps are often the most breached part of an organization, but it's only in the last few years that I think companies have really started to understand the big deal. Our experience was being in-house at a retail company called Etsy in New York, and that's where we cut our teeth and got a lot of exposure to these problems that we saw growing in importance and severity for the rest of the industry. That's what really led to me and my two co-founders starting Signal Sciences, and where we are today -- we've made a ton of progress in the last five years. From a business perspective I think we've had a lot of success, but I think it's really due to keying in on some really clear pain points for organizations as they're making this transition into developing more software, developing more in the cloud and then really trying to manage what that looks like over time.

How does Signal Sciences distinguish itself from other WAF companies?

Peterson: Probably almost 80% of our competition at this point comes from the sort of major legacy players in this space, and that would be Akamai and Imperva and F5 [Networks]. When we go against them, we are winning 85-90% of those deals, and it really comes down to a number of key things that we do. I think because we're a cloud-native company and have really been born from the world software is moving toward. We are able to give them coverage over the new types of applications in software development in the cloud. So you can get coverage over any type of application architecture you're developing, which a lot of these legacy [WAF] companies have frankly had a hard time understanding what these new architectures mean. That's a big part of the reason why folks choose us, but then the second piece is that we're practitioners. We actually come from the background of built and protected large scale cloud and DevOps-focused software platform. And we know what the problems are that the customer is dealing with and facing because we dealt with them firsthand. Our solution is meant to be just that it's meant to be a solution to the problems their facing rather than just technology and throwing sort of words at something. And I think both of those pieces, customers really realize that we have an interesting technology in the space.

Could you tell me a bit about your various solutions?

Peterson: A lot of people get confused in the security space when people talk about protecting apps or protecting software. We're not protecting SaaS applications that your employee base might be using. There are a number of different companies that say, they'll be able to protect your employees' usage of Gmail or Office 365, but that's not what we do. And we're not a sort of mobile app development company, specifically. We protect the applications that companies are building. For example, Under Armour is a customer of ours, and DoorDash is a customer of ours. It's the e-commerce platform they have in both of those systems where folks are going to try to abuse those platforms to be able to do things like account takeover or steal customer data behind it;  they'll use automation and bot attacks to try to take over the authentication systems they have internally or various APIs by overwhelming them with traffic to try to take those systems offline. We are providing a one-stop solution for companies to be able to get protection over all those different types of attack patterns across any type of software that they're generating that allows their customers to access those systems or their internal software being used by internal employees to help people.

How much of your day do you spend thinking about ransomware?

Peterson: Ransomware is interesting. I think it gets a lot of focus because it's a very visceral thing that completely shuts down systems that people have access to. That makes it very easy for people to understand what a ransomware attack looks like. It also happens on systems where you're pretty much completely debilitated in terms of how you can act and work as an organization.

This is why it's always interesting to hear people say, "Wow, ransomware isn't the number one place where data is getting breached and stolen? It's actually being stolen through the website itself?" I spend the majority of our time really focused on website breaches rather than ransomware because, number one, it's sort of our wheelhouse of what we're trying to protect against. And number two, it is the most common breach out there happening even though it's not the most talked about. The Equifax breach was via their website, the Capital One [breach] was via their website, the SEC was breached through their website. But because the way these people are getting breached is much more technical in nature, and more taking advantage of what people call bugs or flaws in the software itself, I think it becomes a lot harder to write about. And it's not something the people within the organization are actually experiencing because it's essentially virtual data that's being stolen all the time. I think that's why you tend to see a big focus on ransomware, at least in the press, and less on web-based attacks.

You just raised a $35 million Series C in February. How are you utilizing this new funding?

Peterson: We've actually been doing a lot better financially than we were expecting. We're way ahead of our financial plans this year, so we've had pleasantly unexpected growth. So we haven't used much of the funding to date to be able to fund growth. And dare I say, we're a startup that's actually tried to think about and embrace these concepts of profitability. I know very few people know what that term means in Silicon Valley sometimes. I'm kind of joking, but for us it hasn't really been a case of, oh, we have all this money and we're blowing it all. I think we've raised our money and we're really trying to think about how we can sustainably and effectively grow the business.