
Securing Apps From the Very Beginning: Why Sapphire Ventures is Excited to Partner with StackHawk

Sapphire Ventures is excited to lead StackHawk’s Series A funding round, and to work with founder and CEO Joni Klippert and the team. StackHawk is an innovative cybersecurity startup that sits at the intersection of what we believe to be two of the most robust, high-growth technology investment sectors: DevOps and Cybersecurity. As software eats more and more of the world, it’s critical to ensure that this software is secure.  

By bringing together developer operations (DevOps) and cybersecurity in the open-source world, StackHawk is taking a brand new approach to an existing sector of security called Dynamic Application Security Testing (DAST). With its platform, StackHawk enables software developers to make sure that the software code they’re producing is secure as they're writing it, and prior to release.

Here’s more on why we’re so excited about StackHawk:

Baking security into the software development lifecycle

Most of the time, developers build and publish code to live environments before security testing takes place. If errors are found, the security group has to work with developers to make updates. Not only does this allow security issues into live environments, but it can lead to tension between developers and the security group.

In addition, many legacy offerings, which are still frequently used today, were built for security and not development, so they operate on software already in production. As a result, traditional DAST tools are expensive and are primarily used after a product has shipped, if at all. StackHawk introduces a new way to uncover security flaws by finding vulnerabilities early in the software development process. This is part of a new and growing “shift left” movement, which delivers numerous benefits to developers and the companies they work for, including cost cutting due to less testing required, a quicker path for apps to get to market and fewer unexpected errors when an app goes live.

With its developer-first approach, StackHawk provides a set of workflows and integrations around a core DAST engine based on an OWASP open source web-app scanner called Zed Attack Proxy (ZAP). StackHawk can be integrated into a project’s CI/CD pipeline from the start, ensuring common vulnerabilities are found and resolved before an application is in production. The platform is deployed via Docker and integrates with tools already used in the development workflow like Jenkins, GitHub Actions, and CircleCI (a Sapphire investment), as well as workflow tools like DataDog, Slack and Jira.

A burgeoning market with opportunity for rapid growth

StackHawk is well positioned to succeed in a growing business segment. The application security market was recently valued at $2.8 billion, and is expected to grow to $9 billion by 2022, according to MarketsandMarkets estimates. The increased usage of gaming apps, social media platforms and ecommerce apps are all key drivers of economic activity.

Meanwhile, as app usage rises, the attack surface for applications is quickly expanding. Cloud and mobile apps, APIs and IoT solutions are all areas where we expect to see more security risk. As the number of exposures for these apps increases, so too will the need for security. 

Last but not least, today’s apps are more frequently built on open-source components that can benefit from testing, a fact painfully borne out by the 2017 Equifax breach resulting from an Apache Struts RCE vulnerability. The data breach exposed the personal information of 147 million people, making it one of the largest cyber crimes related to identity theft. 

A team with success to look back and forward on

StackHawk was founded in July 2019 by Chief Executive Officer Joni Klippert, Chief Operating Officer Ryan Severns and Chief Security Officer Scott Gerlach, a trio with an impressive record well before their latest project.

Prior to StackHawk, Joni oversaw product and Ryan was responsible for marketing at VictorOps, an alerting and incident management company bought by Splunk in 2018 for $120 million. Scott was head of security for Twilio and SendGrid. The three founders have a proven track record of serving customers in DevOps and security. Furthermore, Joni is a charismatic and intelligent leader, and the team is extremely knowledgeable of the space, which shows. In our discussions, we were especially inspired by their motivation to become the most developer-friendly security product.

With this new funding, we are excited to see the StackHawk team continue to expand its Dynamic Application Security Testing capabilities, grow the open source ZAP project and get their product in the hands of the growing ranks of DevOps teams at companies both small and large. 

We’re excited to have StackHawk join a long list of developer-focused Sapphire portfolio companies, including current investments such as Auth0, CircleCI, Contentful and InfluxData, and recently exited companies such as JFrog (NASDAQ: FROG), Portworx (Acq. by Pure Storage), Segment (Acq. by Twilio) and Sumo Logic (NASDAQ: SUMO). And we couldn’t be more thrilled to partner with StackHawk on its mission to make the digital world safer for thousands of developers and millions of users!

Disclaimer: Nothing presented within this article is intended to constitute investment advice, and under no circumstances should any information provided herein be used or considered as an offer to sell or a solicitation of an offer to buy an interest in any investment fund managed by Sapphire Ventures (“Sapphire”). Information provided reflects Sapphire’s views as of a time, whereby such views are subject to change at any point and Sapphire shall not be obligated to provide notice of any change. Companies mentioned in this article are a representative sample of portfolio companies in which Sapphire has invested in which the author believes such companies fit the objective criteria stated in commentary, which do not reflect all investments made by Sapphire. A complete alphabetical list of Sapphire’s investments made by its direct growth and sports investing strategies is available here. No assumptions should be made that investments listed above were or will be profitable. Due to various risks and uncertainties, actual events, results or the actual experience may differ materially from those reflected or contemplated in these statements. Nothing contained in this article may be relied upon as a guarantee or assurance as to the future success of any particular company. Past performance is not indicative of future results.