IriusRisk lands $29 million to automate threat modeling for apps – TechCrunch
IriusRisk, a threat modeling platform, today announced that it has raised $29 million in a Series B funding round led by Paladin Capital Group with participation from BrightPixel Capital, SwanLab Venture Factory, 360 Capital and Inveready. In a conversation with TechCrunch, CEO Stephen de Vries said the proceeds will be used to grow IriusRisk’s sales and marketing teams in the US and in Europe, the Middle East and Africa, bringing the company’s total raised to nearly $40 million.
De Vries, who previously worked for cybersecurity firm Corsaire, KPMG and ISS as a principal security consultant, said he realized that companies were wasting resources performing security tests on software that the developers had not designed with security in mind. If developers could understand security flaws in their designs through threat modeling – that is, identify the types of threats that could damage the software – it would reduce the bottleneck caused by security reviews, de Vries theorized.
Indeed, threat modeling does not seem to be a priority in many organizations. In a Golfdale Consulting survey commissioned last year by cybersecurity vendor Security Compass, less than 10% of developers said threat modeling was performed on 90% or more of the applications they developed in their organization. Only 25% said their organizations had done threat modeling during the early phases of software development, such as requirements gathering and design, before moving forward with development.
“Threat modeling is now established as a required activity for secure software development,” de Vries said, citing President Joe Biden’s recent executive order, which establishes threat modeling as a “recommended minimum” for verifying application code. “Since threat modeling as an activity is still relatively new, organizations need to share strategies, tips and tricks on what works when deploying a threat modeling program – and what does not work.”
IriusRisk relies on a rules engine to “reason” about client-side and cloud-hosted codebases, taking a model-based approach to threat modeling. Users of platforms like Amazon Web Services (AWS) CloudFormation, HashiCorp Terraform and Microsoft Visio can use IriusRisk to import their definitions and automatically generate a diagram and threat model from them.
IriusRisk also provides an analytics module with reports and logs, which data analysts and scientists can use to interpret threat data within their organizations. To increase the granularity and accuracy of this data, customers can add components unique to their industry or company to IriusRisk’s pattern detection library, which already includes components for AWS, Google Cloud, Azure and industrial control systems.
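To make the model-based approach concrete, here is an added example (not IriusRisk’s code, and not the rules its engine actually applies) of the shape such a pipeline takes: a constructed CloudFormation template is parsed into components, a small rule library is matched against each component’s properties, and the matches become threats with countermeasures. The rule library is an ordinary list, so an organization-specific rule (here a hypothetical one for log groups) can be appended the same way the article describes adding custom components. All resource names, property values and rule texts below are invented for the example.

```python
import json

# Constructed CloudFormation template with deliberately weak settings
# (example data only; not from the article or any real deployment).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket",
                       "Properties": {"AccessControl": "PublicRead"}},
        "AdminSG": {"Type": "AWS::EC2::SecurityGroup",
                    "Properties": {"SecurityGroupIngress": [
                        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                         "CidrIp": "0.0.0.0/0"}]}},
        "CustomerDb": {"Type": "AWS::RDS::DBInstance",
                       "Properties": {"StorageEncrypted": False,
                                      "PubliclyAccessible": True}},
        "AppLogs": {"Type": "AWS::Logs::LogGroup", "Properties": {}},
    }
})


def parse_components(template_text):
    """Flatten a CloudFormation JSON template into (name, type, properties) records."""
    doc = json.loads(template_text)
    return [{"name": name, "type": res.get("Type", ""), "props": res.get("Properties", {})}
            for name, res in doc.get("Resources", {}).items()]


# Predicates over a component's properties; each returns True when a rule fires.
def _public_bucket(p):
    return p.get("AccessControl") in {"PublicRead", "PublicReadWrite"}


def _open_admin_port(p):
    # Fires when any ingress rule allows the whole internet to reach port 22.
    return any(rule.get("CidrIp") == "0.0.0.0/0"
               and int(rule.get("FromPort", -1)) <= 22 <= int(rule.get("ToPort", -1))
               for rule in p.get("SecurityGroupIngress", []))


def _unencrypted_db(p):
    return p.get("StorageEncrypted") is False


def _public_db(p):
    return p.get("PubliclyAccessible") is True


# Hypothetical built-in rule library: component type, predicate, threat, countermeasure.
RULES = [
    {"type": "AWS::S3::Bucket", "when": _public_bucket,
     "threat": "Bucket contents readable by anyone on the internet",
     "countermeasure": "Remove the public ACL and enable Block Public Access"},
    {"type": "AWS::EC2::SecurityGroup", "when": _open_admin_port,
     "threat": "SSH administrative interface exposed to the internet",
     "countermeasure": "Restrict ingress to a bastion or VPN CIDR"},
    {"type": "AWS::RDS::DBInstance", "when": _unencrypted_db,
     "threat": "Database storage not encrypted at rest",
     "countermeasure": "Set StorageEncrypted to true with a KMS key"},
    {"type": "AWS::RDS::DBInstance", "when": _public_db,
     "threat": "Database reachable from outside the VPC",
     "countermeasure": "Set PubliclyAccessible to false"},
]

# A customer-added rule, in the same shape, covering a component the base library ignores.
CUSTOM_LOG_RULE = {
    "type": "AWS::Logs::LogGroup", "when": lambda p: "KmsKeyId" not in p,
    "threat": "Log group not encrypted with a customer-managed key",
    "countermeasure": "Set KmsKeyId on the log group",
}


def generate_threat_model(template_text, rules=RULES):
    """Match every component against every rule and return the threats found."""
    threats = []
    for comp in parse_components(template_text):
        for rule in rules:
            if comp["type"] == rule["type"] and rule["when"](comp["props"]):
                threats.append({"component": comp["name"], "threat": rule["threat"],
                                "countermeasure": rule["countermeasure"]})
    return threats


if __name__ == "__main__":
    for t in generate_threat_model(SAMPLE_TEMPLATE, RULES + [CUSTOM_LOG_RULE]):
        print(f"{t['component']}: {t['threat']} -> {t['countermeasure']}")
```

The point of the structure is that the template is parsed once into a neutral component list, so adding a Terraform or diagram importer means writing another `parse_components` rather than new rules, and adding a rule never touches the parser.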
“IriusRisk enables technical decision-makers to embed security early in the software development lifecycle, turning it into an easy-to-implement practice that can be applied consistently across the entire product portfolio of an organization, creating security by design at scale,” de Vries said. “Organizations benefit from IriusRisk’s extensive security standards libraries that include existing threat models for known components, comprehensive security standards and compliance libraries, helping teams build secure software first and automatically meet regulatory requirements.”
Asked about the competition, de Vries admitted that startups like Spectral take a similar approach to IriusRisk in some ways. But he claimed his company’s biggest competitors are lagging behind, doing threat modeling manually with “whiteboards and perhaps rudimentary tools”.
“We are focused on solving the problem of threat modeling consistently and at scale, with minimal friction for developers. We often speak to organizations… looking to mature their approach by removing it from the security team to engineering teams,” de Vries added. “We are making a significant investment in the broader threat modeling community.”
IriusRisk claims to have more than quadrupled its partner base through 2021 and to have grown the active user base of its free offering, IriusRisk Community Edition, by 120% (to just over 5,400). More than 4,000 projects have been run on the free platform over the past year, de Vries said, a number he expects to increase when IriusRisk launches a new open threat model format, slated for November, to enable better interoperability between threat modeling tools and security architectures and tools.
“Our customers include six of 30 global systemically important banks and nine Fortune 100 companies…Government organizations use the tool, as well as a digital forensics firm, which supports military end users,” de Vries said. “It’s very common for application security or cybersecurity teams to adopt our software and then deploy it across the engineering organization so they can use a threat modeling capability themselves. We have grown our annual recurring revenue by more than 106% year-over-year for the past two years and are currently growing at a 120% year-over-year growth rate.”
IriusRisk currently has 137 employees and plans to increase its workforce to 160 by the end of the year.