Baking Security Into App Development — Why We Invested In Hdiv Security
Ross Strachan, Principal, Adara Ventures
We are excited to announce our recent investment in Hdiv, a cybersecurity startup from San Sebastián, Spain.
The company provides a suite of application security products that protect and detect threats to web applications and APIs. We are delighted to welcome CEO Roberto Velasco and the rest of the Hdiv team to the Adara stable and look forward to the journey ahead.
Why did we choose to partner with and invest in Hdiv?
Web application security: a painful status quo
The number of web applications has grown rapidly in recent years, due to a combination of advances in mobile phone penetration, computing power and cloud infrastructure. At the same time, a shortage of cybersecurity professionals has given rise to developers relying on third-party solutions as they seek to secure web applications and APIs.
As the number of applications increases, so do the threats from cybercriminals to both users and businesses. Users expect security to be baked into the applications they interact with. However, the reality is that web application cybercrime is increasing, and existing solutions are not fit for purpose. In its Application Security Statistics Report, WhiteHat estimated that 30% of total breaches reported in 2017 related to web applications, the highest percentage ever.
Many developers view security as an afterthought to the design and build phase. At present, separate security teams undertake extensive penetration testing (hacking) of the application only once it has been built. This process is costly and is a bottleneck in bringing innovations to market.
Moreover, once a web application has been launched, it is protected via a set of firewalls, which are external to the application, looking inwards and monitoring activity. Firewalls are a double-edged sword. On the one hand, they block malicious traffic from entering the application, but on the other, they block non-malicious traffic too, generating false alerts to the security team and, more importantly, blocking non-malicious users. These false alerts are time-consuming to investigate and a major pain point for any dev team looking to release product at speed.
Hdiv: an innovative approach to detecting and protecting from attacks
Hdiv provides a contrarian approach to the status quo, offering a suite of developer tools that can be integrated into the application at the design and build phase, monitoring it from the inside out, and alerting developers to potential vulnerabilities as they are building the product.
Hdiv’s product portfolio helps software developers and architects secure web applications by enabling DevSecOps methodologies that include protection (RASP) as well as detection (IAST) capabilities. Hdiv not only unifies these two capabilities into one solution but also runs on all leading developer platforms including REST APIs and is 100% software, cloud-ready, and deployed within web applications.
At Adara, we find developer tools particularly compelling as developers are product owners and decision makers with tight schedules, making them responsible for and frustrated by product delays. In a recent Developer Survey, it was estimated that a developer spends on average 17 hours/week on maintenance and bad code, resulting in $300bn of lost productivity per annum.
We believe that Hdiv’s toolkit will make their life easier (by reducing manual penetration testing time) whilst increasing the security of their product. These are two significant drivers of value for developers. We believe Hdiv can embed itself within enterprises’ software stacks for the long term.
Whilst the tools themselves are exciting, we have been even more impressed with Hdiv’s ability to attract developers via open-source collaborations and free community downloads. With virtually zero marketing spend, the community version of Hdiv’s flagship RASP product has been downloaded 500 times a month on average, and is trusted by a community of over 10,000 developers. Moreover, a significant percentage of these downloads are from Fortune 500 companies, including four out of the top ten US banks.
However, it is one challenge to secure a client download, and another challenge completely to retain a developer and convert them to the enterprise model. We were surprised to learn that with just 10 people, Hdiv has had minimal churn in the free version, and good traction of converted clients to the enterprise version. Both existing and prospective clients with whom we spoke attributed this to Hdiv’s dedication to the developer experience and their responsiveness and attentiveness to client feedback. They also emphasised that Hdiv’s solutions outperformed many more established and better funded competitors in testing environments.
It is rare to find a bootstrapped company that has such a competitive and complete product offering. We believe these are early indicators of a business that can scale with its clients’ needs, and as such will become a trusted partner at the enterprise level. We’re grateful and excited that Hdiv has allowed us to partner with them on their journey!
Lucky Number 13
As an aside, Hdiv becomes Adara’s 13th and last investment from our second fund, being a seed stage investment in the burgeoning area of cybersecurity. It is interesting to note that Adara’s 13th investment from our first fund was AlienVault — a seed stage investment in the burgeoning area of cybersecurity.
No pressure, Hdiv.
About the Author
Ross focuses on the origination and execution of new investment opportunities and supports the existing portfolio with corporate and strategy development. Ex-WPP M&A, completing 30+ investments at the intersection of data, digital and media. MBA alumnus of IE Business School. Scotsman in Madrid. You can follow him on Twitter here.