Putting Security in the Hands of Developers
Over the last 15 years, companies like AWS, Stripe, and Twilio have helped developers offload anything not core to their apps so they can focus on what matters to their users. Despite a lot of progress in developer tooling, developers still roll their own authorization, because there hasn’t been a solution that’s generic enough to be broadly relevant but flexible enough to be useful.
At Oso, we see the patterns, the use cases and the problems, and we built Oso so developers can focus on their users. Oso is the first batteries-included library for building authorization in your application. At the core of Oso is Polar, a declarative policy language built in Rust. This serves as the foundation for expressing authorization logic, i.e., who can do what in your application. On top of Polar, we built a set of APIs and guides to enforce that logic and to model common patterns like multi-tenancy, hierarchies and relationships, plus a debugger and a REPL. As a result, developers using Oso spend less time building authorization, which is pretty much the point.
Today, we're thrilled to announce our $8.2M Series A led by Sequoia. SV Angel is also participating, along with Company Ventures and Highland Capital, plus entrepreneurs like Dev Ittycheria (CEO, MongoDB), Calvin French-Owen (Founder, Segment), Charity Majors (Founder, Honeycomb.io), and Edith Harbaugh (Founder, LaunchDarkly). This brings our total funding raised to $10.9M, which includes Sequoia’s original seed investment in 2019. With this additional funding, we're doubling down on our vision of putting security in the hands of developers.
Started from the Bottom (of the Stack)
When we founded Oso 2.5 years ago, we were originally working on infrastructure security for developers. Same vision, different product. We actually built an alpha product and went back to the prospects who'd told us they wanted what we were working on. The response was not what we expected.
"That's interesting," I remember one of them saying. "You know, we actually spent 12 months rebuilding how we do application authorization...is that something Oso would help us with?"
We met with another company who gave us a similar answer. Then another, and another and another... We figured: "We should probably pay attention to this."
We ended up tossing our codebase and went on to build the Oso you know today, a batteries-included library for adding authorization to your application. It started with a small PR that one of our engineers put up on a cold winter day. Since then...
- Users have launched Oso into production for everything from manufacturing ERP to certificate authorities, student loans, subscriptions, stream processing and government safety net programs
- The community has adopted Oso in every corner of the earth, including the US, France, Mexico, Panama, the Netherlands, Norway, Canada, Romania, India, Nepal and China
- We have built out libraries in 6 languages – Node.js, Python, Go, Rust, Ruby, and Java
- We have gone fully remote and boosted our productivity
- We have spoken to dozens and dozens and dozens of users about their authorization problems and how we can keep making Oso better
So, today we’re also excited to announce Authorization Academy, a free course for developers on how to build authorization into an application. Developers are often coming to us looking for best practices on how to model authorization patterns, what pieces of the puzzle to keep in mind, or where to insert authorization checks in their stack. We want to equip developers everywhere with this knowledge. Authorization Academy is a series of technical guides that explains how to build authorization into an app, including architecture, modeling patterns, enforcement, testing, integration at the UI level and more — whether you use Oso or not. You can learn more here.
The Road Ahead
We are humbled by the community's excitement about and adoption of Oso, but we're just at the start of a multi-year journey. Here is what's in front of us:
- More batteries - We have just begun to scratch the surface on the work we can do for our users. We have more libraries, APIs and thinking we can do to continue to decrease the amount of work that developers have to do to implement authorization for every use case and stack – and to make sure that every error message, sample repo, and API definition is what we would want as developers, too.
- The Internet's Authorization - Oso is currently available only as an open source library, but we plan to build on top of the open source library with managed products. Imagine a cloud service capable of powering the Internet's authorization. To deliver on this vision, we'll contend with complex distributed systems problems around availability, latency, and data migrations.
- The Polar Language - Polar is the foundation of Oso. Everything we do is built on top of it. In order to support future authorization use cases we will continue to build out the language. We have work to do at the surface – like query explanations, new operations, and distributed policy evaluation – and under the hood – like tail-call optimization, policy precomputation, and other performance work.
Join the Team 🐻
Today, the team is a mosaic of different accents, text editors, language preferences, degrees and time zones. We have iterated on Oso hundreds of times over multiple years to get to where we are now. Through this experience, we have collectively developed the muscle to listen to developers and ship a tool they're excited to share with their friends and colleagues.
We're proactively building a culture that is diverse, equitable, and inclusive. We're hiring for technical and non-technical roles. If you'd like to be part of the team, please drop us a line.