Build.security, a startup operating from Tel Aviv and Sunnyvale, is dedicated to simplifying the process of integrating authorization policy management directly into applications. The company today announced a $6 million seed funding round, spearheaded by the cybersecurity investment firm YL Ventures.

This funding round also saw participation from prominent figures in the cybersecurity space, including CrowdStrike CEO and co-founder George Kurtz, alongside former Zscaler CISO Michael Sutton, ex-Bank of America Chief Security Scientist Sounil Yu, Fireglass co-founder Dan Amiga, Cynet CEO and co-founder Eyal Gruner, and Hexadite co-founder Eran Barak. This distinguished group of investors signals strong confidence in build.security’s ability to address a significant industry challenge.

The company was founded by Amit Kanfer (CEO) and Dekel Braunstein (CTO), both of whom bring extensive experience from companies such as Intel, Fireglass, Symantec, and Cymmetria. Their goal is to create the “first genuine platform for authorization” tailored for developers – essentially, policy expressed as code, mirroring the “infrastructure-as-code” concept popularized by companies like Pulumi. Beyond code-based policy declaration, build.security also provides a user-friendly drag-and-drop interface.

The foundation of build.security’s technology is an open-source project: the Open Policy Agent, originally developed by Styra.

While “authorization policy management” might not immediately appear to be a pressing issue, effective authorization – distinct from authentication – remains largely unresolved, with limited enterprise-level solutions available. Consequently, developers, who are increasingly responsible for application security, often rely on a combination of policy engines and other tools, which can introduce errors and potential security weaknesses.

“Authorization presents a substantial hurdle for engineering teams,” Kanfer explained. “The difficulty lies in considering attributes related to users, resources, and the surrounding context – then consolidating these into a manageable and scalable policy. Modeling the hierarchies, roles, permissions, and their interrelationships is a complex undertaking.”

Kanfer also highlighted that the shift towards microservices in application development further amplifies this complexity. Current solutions often lack the necessary flexibility to address these challenges. “Permission lists can fluctuate based on numerous variables,” he elaborated. “These factors include user identity, time of day, location (home or office), device trustworthiness, and whether it’s a weekday or weekend, as well as the relationship between the user and the resource.”

The company delivers its service as both a cloud-based offering and an on-premises solution. Currently, the platform focuses on containers, utilizing a Kubernetes sidecar container to retrieve configurations and policies from the build.security control plane. The service supports a wide range of programming languages and frameworks through SDKs and plugins, including Python, Node.js, and .NET, and integrates seamlessly with standard identity providers and other API-based services.

“Build.security’s innovation represents a significant benefit for the developer community – they’ve simplified authorization,” stated John Brennan, partner at YL Ventures and a member of the build.security board. “We are impressed by Amit and Dekel’s unique and easily integrated approach to API and function-level authorization, as well as the comprehensive visibility offered by their control plane. Their solution will empower developers and organizations to build secure software at scale.”