Making Backend Infrastructure Security Not Terrible for Developers and Ops
Sam and I first met in the summer of 2018 at a cafe near Bryant Park. He had finished his PhD in Cryptography not long before and was tinkering with some new ideas. I was still at MongoDB, where I’d been for 6 years, and had the good fortune of serving a community of developers that love the product.
Sam tilted his head and shared three observations. One, there are a number of very smart people in academia working on security, who are doing great research but are incentivized to publish, not to code. Two, most developers and ops engineers in the real world don’t have a background in security, and they don’t really care to have it either. Why should they? Security isn’t the thing they’re working on – it’s a means to an end, something to ensure that the real thing they care about doesn’t get popped. Three, the upshot of this is that the experience for developers and ops when it comes to security is...just terrible.
I think we should fix it, he said.
This modest idea – making backend infrastructure security not terrible for developers and ops – is what started a nearly year-long journey that we are now beginning to share with the world. Since last summer, we’ve met with over 50 companies of various shapes and sizes, with individual developers, CISOs, heads of devops, VPs of engineering, and most every kind of person that’s had to touch a certificate authority, JWT or god forbid write some Kerberos code. The feedback varies, as you’d expect, by each person’s job, preferences, industry and all kinds of other factors.
But taken together, the conversations present a mosaic with one clear, overriding tone: groaning. No one is happy with what’s out there.
So we started tinkering. Several months of building things and talking to people and following our nose have brought us to the vision we are just beginning to share today. If you can recall the feeling you got the first time you spun up an EC2 instance, added Stripe to a web site, or sent your first SMS through Twilio, then you know the kind of experience we are building. We are building something that will give the kind of attention and care to backend security that developers and ops have come to expect from anything they would actually care to use day-to-day, and the kind that will actually make it a no-brainer to adopt good security.
Oso makes backend infrastructure security invisible for developers, and simple for ops. It is a normalized and consistent interface to core service-to-service security controls – authentication, authorization, end-to-end encryption, and auditing. It works the same no matter where you run it – on bare metal, VMs, containers, or even serverless. And it is not terrible.
Building a Team
So now we’re building a team. We need a small number of sharp engineers that are interested in working on distributed systems and cryptography problems, and people who want to get involved on the ground floor. We are building the product in Rust, which we think is both a good design choice for our use case and a fun choice for the team. Given the importance of these hires and magnitude of their contribution, they will get a meaningful equity position. We are backed by Sequoia, Company Ventures, and a small number of high-caliber individuals who know what it takes to do what we’ve set out to do.
Our company is Oso, and we are based in New York City. If you want to be a part of it, know someone who might be interested, or just want to learn more, please drop us a line.
Graham, Cofounder & CEO
graham [at] osohq [dot] com
Sam, Cofounder & CTO
sam [at] osohq [dot] com