We are thrilled to announce that we secured our Series A funding round of $12 Million to fulfill our vision of a world where security is a given, not a hope. The round was led by US-based Tola Capital and introduced experienced business angels such as Thomas Dohmke. We will use the funds to add support for more programming languages, provide further dev tool integrations and grow the team.
Application Security Is Shifting Left
Trends such as Dev(Sec)Ops and Shift-Left are rapidly changing how developers build software. Instead of complex and time-consuming software testing procedures shortly before release, product teams are starting to prioritize application security throughout all phases of the software development lifecycle. Shifting left implies that the responsibility for application security is distributed among everyone involved in the development process. This requires usable and effective application security testing solutions that allow developers to continuously test their code, without false positives. Code Intelligence is at the intersection of three important trends:
- Gartner predicts that API attacks will become the most frequent source of data breaches for (enterprise) applications, which increases the demand for API-focused testing solutions.
- An increasing number of regulations and standards for cybersecurity and software verifications such as ISO 21434, NIST, and many others are making application security best practices mandatory, including, fuzzing, error reporting of test runs or code coverage measurements.
- Enormous advancements in dynamic testing techniques, including feedback-based fuzz testing, concolic and symbolic code execution, and advanced run-time bug detection based on code instrumentation.
Shifting Left Is Not Enough
Although it has been one of the most important currents in application security during the past years, shifting left alone is insufficient to ship truly secure products that people can trust and rely on. We believe that software testing tools have to become so usable that every developer - regardless if they have a security background or not - can deploy them. Our vision is to unify the “dynamic renaissance” advancements with existing tooling and integrations so that developers can reliably find and fix vulnerabilities before they are even merged into the main. For us, it is important that developers don’t have to deal with time-consuming false positives or requirements to change their codebase. Empowering developers to secure their own code can tremendously speed up software development while giving security folks the room to focus on other things, like retrieving compliance reports for every given repository state.
Thomas Dohmke, CEO of GitHub and one of our newly welcomed business angels, shares this vision: “Most application security solutions are built for later stages of the development lifecycle. If detected, vulnerabilities are caught too late in the game, making them increasingly long, difficult, and expensive to fix. Code Intelligence helps developers ship secure software by providing the necessary integrations to test their code at each pull request without ever having to leave their favorite environment. It’s like having an automated security expert always by your side.”
Our Path to Series A
After Khaled, Matthew, and I met while researching in the field of usable security at the University of Bonn, we quickly found that although fuzzing was the most effective software testing approach on paper, it had only been rolled out by tech leaders such as Google and Microsoft. We quickly learned that to enable dev teams to ship more secure code, we would have to make the most powerful software testing methods so usable that every developer can deploy them as part of their daily work. Based on this mission, we founded Code Intelligence and moved it out of the university in 2019.
2021 was one of the most decisive years for Code Intelligence, crowned by the launch of our open-source testing platform Jazzer, which has since been used to find hundreds of vulnerabilities and is now integrated into Google’s OSS-Fuzz. Here are some of the last years’ main achievements:
- Launching Jazzer, the first large-scale Java fuzzer for open-source and commercial use
- Starting a fruitful collaboration with Google, during which we implemented Jazzer into OSS-Fuzz, Google’s open-source fuzzing framework
- Enabling dev teams of our enterprise customers to secure their products with our platform
- Expanding feedback-based fuzzing to new program languages (Java, Kotlin, Go) and bug classes (RCEs, injections vulnerabilities, XSS, etc.)
- Hosting Europe’s largest fuzzing event series with over 2000 attendees and speakers
- Finding over 500 bugs and vulnerabilities in open-source libraries
- More than doubling our team size (btw, we’re hiring)
What’s Next?
Looking back, we are genuinely proud of the milestones we have achieved so far. With the new investment in the bag, we have set ourselves even bigger goals for the next year. These are the main points of our product roadmap:
- Building on Trusted Workflows
Writing fuzz tests should be as easy as writing unit tests. Therefore, we will provide an OSS solution that tightly integrates into all common build systems and IDEs. Developers will be able to have their first findings within 15 minutes, which they can then share and triage without leaving the workflow they know and love. - Support for Additional Tech Stacks
Currently, we are providing mature fuzzing solutions for JVM-based languages, Go and C/C++. To make further developer ecosystems more stable and secure, we are adding additional languages, including their typical stack, e.g., JavaScript, and the support for testing for Node.js applications out-of-the-box. - Improving Support for Enterprise Processes
In enterprises, finding a security issue is often only the first step of a larger process. We will soon provide numerous integrations to process tools like JIRA and vulnerability management systems to ease the process workflow. - Explaining the Results to Multiple User Groups
We will introduce various features to visualize and understand the state of the software under test, e.g., with more intuitive dashboards, alerts, and meaningful reports, tailored for the user group, e.g., developers and security managers.
We Are Growing
As we improve our enterprise and open-source offerings, we are planning to grow our team… by a lot. Join us to help developers ship secure products people can trust and rely on. In an accelerating environment, we provide space for you to grow and develop new skills. All of our teams work at least partially remotely, so don’t hesitate to apply, even if you are not based in the vicinity of our headquarters in Bonn.
