Uniting Security for Builders

A Passion for Building Secure Products

Like many of those who have founded companies in cybersecurity, my passion for security began long ago, in the days when hacking was still a gray area, sometimes turning into a job, and ultimately, a career in the cybersecurity industry. I learned to program BASIC on the Apple II as a kid in elementary school, Pascal on MS-DOS when I ran a bulletin board system on a 286 that my father bought, and then C on SunOS 4.1.3 at the University of Manitoba when they offered me a job after a visit from the RCMP (Royal Canadian Mounted Police), who said: you decide which path to take - either we’ll arrest you one day, or you can turn this into something more productive.

Needless to say, I opted for the latter. My first professional programming job came in 1996 when a good friend of mine, Alfred Huger (we met on #hack on IRC), asked me to join him in building an Internet security company - cybersecurity wasn't even a term used then. Our company, Secure Networks, scanned corporate networks for security vulnerabilities - what companies like Tenable, Qualys, and Rapid7 are well known for today. This meant low-level network programming on all of the common UN*X operating systems at the time: SunOS (Solaris), OpenBSD, FreeBSD, BSDi, AIX, and eventually Linux.

Back then, finding security vulnerabilities was like shooting fish in a barrel – everything was vulnerable, since the notion of secure or defensive programming didn’t exist. Our product, Ballista, checked for over 700 known vulnerabilities at the time (many we discovered through our own research), and we eventually joined forces with McAfee in 1998 as they consolidated many smaller companies in the security space.

Two and a half decades, and four companies later, I’ve had the chance to build many enterprise security products, ranging from the vulnerability management product mentioned (Secure Networks), Internet early warning systems and threat intelligence services (SecurityFocus & Bugtraq), endpoint anti-malware (Immunet), and security automation platforms (Phantom).

Everytime we build an enterprise-grade product… besides the basic logic that the product needs to deliver, we have to write security capabilities from scratch. It always starts with the table stakes - authentication and authorization (role-based access control), but then you quickly discover that you need to add audit logging - ideally tamperproof - so that you can record important events and config changes.

If you need to collect files from customers, you need a secure way for them to share them with you. You then need a secure object store to store them, and you may need to scan them for malware to ensure they’re clean. You may also want to remove any PII from those files on write to ensure compliance.

If you want to enforce export restrictions (a lot of software can’t be made available to certain countries - ITAR compliance) then you need to block those countries - a moving target as we’ve seen recently based on evolving sanctions.

The list goes on and on, but I’ll stop there before I reveal our entire roadmap.

Think about building a new application. Where would you go to start building the foundation of your App? It’s not a trick question, rather, it’s pretty obvious: you would likely go to AWS, GCP, or Azure. Last year, over 50,000 startups joined AWS to embed compute, storage, database, machine learning, analytics, and many more API-first services into their Apps.

Now, where would you go to embed security capabilities into your App? This question isn’t as easy to answer. That’s because there is no one place you can go. Many don’t yet exist, so you can either build them from scratch or source them from countless other vendors - most of whom are not API-first and certainly not API-only. Wouldn’t it be great if there was a single source that provided an API-first approach to embed security capabilities into your App with a single line of code?

That’s Pangea.

Similar in nature to AWS for Compute APIs, Twilio for Communications APIs, Stripe for Billing APIs. Now, we have Pangea for Security APIs.

Backed by Ballistic Ventures with participation from SYN Ventures as well as cybersecurity luminaries such as Godfrey Sullivan (Former Chairman & CEO, Splunk), George Kurtz (Founder & CEO, CrowdStrike) and Dan Plastina (Former VP AWS Security Products), Pangea launches today to provide a comprehensive portfolio of API-based Cloud security services in a single platform.

I’m really excited about the engineering team that we’ve put together, led by my co-founder Sourabh Satish (who has an astonishing 200+ patents to his name)!

An industry-first, we’re committed to transforming how Cloud and mobile App developers, SaaS platform providers and security operation centers access and embed security and compliance features into their applications.

Sign up and get in line for early access to our first set of security services, Secure Audit Log, Redact, and Embargo.

Introducing API-Based Security Services For Today’s Builders

As Jeff Lawson (Co-founder and CEO of Twilio) astutely says in his book, “Ask Your Developer”, every company is now a software company. If you aren’t building software to interact with your customers, your days are limited.

Cloud Apps were already on rapid growth, but due to the pandemic, they’re now exploding. AWS, the starting point for many cloud Apps saw $62.2bn in revenue in 2021.

Worldwide end-user spending on public cloud services hit $410.9 billion in 2021 and is expected to grow to nearly $500 billion in 2022 and $600 billion in 2023, according to Gartner.

If you’re a builder today, you have a rapidly expanding list of responsibilities including deployment, automation, performance management, user experience, and security. You don’t have the time or expertise to add security capabilities, leading to slower go-to-market and less secure apps. Layer on to that the growing list of complex compliance needs - GDPR, SOC2, ISO27001, PCI, HIPAA, and more - it’s a lost cause.

As you can see, the opportunity to help today’s app builders has never been greater. Similar in concept to Amazon Web Services, but with a focus on cybersecurity, Pangea will be releasing several dozen API-based microservices. In addition to offering our own services, we plan to aggregate and offer third-party APIs via partnerships.

API-first service delivery

Pangea services are built on the following four core tenets that drive the decisions about what we build and how we build it:

1. Compliant faster
   Becoming compliant in GDPR, SOC2, PCI, HIPAA, and ISO27001 is hard and takes a lot of time, especially when you’re building an application from scratch. The security services and APIs from Pangea can help to accelerate compliance. The Pangea team has built many of these services, like secure audit logging, to meet the requirements defined in the end controls from these compliance frameworks.

2. Regionally Intelligent
   Every Pangea service will be globally accessible and regionally intelligent. Services are available on AWS and GCP (Azure coming soon), across multiple geos and availability zones, to maximize availability and minimize latency. This manages the complexity of GDPR data residency, service resiliency, redundancy, regional availability, and performance – so you don't have to.

3. Managed
   Pangea manages the services and infra, storage, compute, operations, upgrades, and maintenance for you. Many of our services have backend resource requirements. We take care of that burden for you.

4. Simple Integration
   API-first plug and play services mean less time procuring and customizing code. And our SDK makes it easy to integrate these services into any development environment. With all of this, you buy back more of your time that can be spent building your App, rather than building security features.

All of this adds up to getting your App into production faster.

We’ve been building products for security operations teams now for decades. With several thousand cybersecurity companies targeting that audience, I’m pretty excited about how different Pangea is - delivering code that directly helps App builders. With so much emphasis on detection and prevention in our industry, I look forward to solving some of these problems at the root - by delivering a secure App experience from the start!