Symbiotic Security helps developers find bugs as they code


Symbiotic Security, which is announcing a $3 million seed round today, watches over developers as they code and points out potential security issues in real time. Other companies do this, but Symbiotic also emphasizes the next step: teaching developers to avoid these bugs in the first place.

Ideally, this means developers will fix security bugs before they ever get into a code repository, which in turn should also speed up the overall development process. And since the developers get to learn on the job and in the environment they are already working in, they are far more likely to correctly implement the required changes. That’s more effective than making them sit through an annual security training in SuccessFactors.

The company, which launched earlier this year, released its MVP about a month ago, with a focus on infrastructure-as-code languages like Terraform. As Symbiotic co-founder and CEO Jerome Robert told me, the company did this to get an MVP out of the door and prove out its vision. Over time, the team plans to expand to the rest of the application stack and support languages like Python and JavaScript.


Robert noted that even the most developer-friendly security tools are still, at their core, tools for the security teams. “They are enabling the security teams to be better cops. They’re not tools that make the developers the good guys,” he said. “They are tools that allow security teams to send hundreds of messages all week long, saying, ‘You’ve made a mistake. You need to fix it.’”

Meanwhile, the developer constantly has to choose between fixing security issues and developing new features.

The idea behind Symbiotic Security is to nudge developers in the right direction, similar to the code completion tools they are already familiar with. Symbiotic, ideally, can help developers fix bugs in the inner loop, while they are still coding, and long before the continuous integration and delivery platforms start scanning the code for issues. Once that happens, the process slows down immediately, with Jira tickets and additional code review processes taking over.


This is also where Symbiotic goes a step further. “It would not be sufficient to just allow them to fix [the issues] and to detect it,” Robert explained. “We also need to train them on security — and developers love to train; it’s an absolute, 100% certain thing. However, security trainings are painful.”

For the developers, Robert argues that doing the training on the spot is something they can relate to. It’s focused on their immediate needs and not something that is abstract — and at just a few minutes, it’s short.

Right now, those training lessons and videos are prerecorded, but over time, they could become more AI-driven, which would allow Symbiotic to make them even more relevant to the specific issues the developer is working on.

There’s also another interesting twist here. To best train a model to automatically fix security issues, you need a corpus of code with security bugs and the fixed versions of those code snippets. Because Symbiotic is seeing the issue and then telling the developer how to fix it, it could ideally create a high-quality dataset for building a remediation model. For now, that’s a long-term project, though.

Symbiotic is backed by the likes of Lerer Hippeau, Axeleo Capital, and Factorial Capital. “Jerome and co-founder Edouard Viot have a deep understanding of the problems underlying traditional code security and demonstrated remarkable foresight with their approach to addressing the growing demand for shift-left security solutions,” said Graham Brown, managing partner, Lerer Hippeau. “Symbiotic has the potential to transform the industry, empowering developers and security teams alike.”




Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.
