UK security upstart Secerno takes on America

UK database security startup Secerno is set to close a second round of venture capital and open an office in the US – but can it compete with the giants?

A year after launching its software and racking up numerous awards in the UK for allegedly achieving what in database security circles is something akin to alchemy, British start-up Secerno is about to close its second round of venture capital funding for a US launch.

This is, by all accounts, the only option Secerno has for getting any recognition in the States. Two of the most influential global analyst firms, US-based Forrester and Gartner, have paid Secerno scant attention.

"That says something about the depth of their due diligence, although Secerno has been very focused on breaking in the UK, and both Forrester and Gartner tend to be US-focused," says Charles Grimsdale, who sits on Secerno's board as partner of Eden Ventures, the security firm's lead investor.

Secerno claims to have created a security tool that stops all malicious and bumbling queries on a database. It supposedly does this without creating any false positives - that is, without calling foul on a good query. This is crucial if, say, you are a financial firm allowing customers to get quotes or make transactions electronically.

But without independent oversight how can Secerno's claims be checked? "I've not validated their approach," admits Jeffrey Wheatman, security research director at Gartner, but: "I don't know any vendors that do intrusion prevention that get zero false positives. Maybe they've done something that's been elusive in the past."

Market leader Guardium cannot eliminate false positives, admits its marketing vice president Phil Neray: "I don't think any technology can eliminate false positives entirely, but we can help you reduce them".

Guardium produces only "minimal" false positives, he says: "A few percentage points in initial deployments and then it quickly approaches zero as the system is fine-tuned."

It is said that the whole point of these tools is that they can be used to block malicious database queries before they can be executed.

"Customers spend a lot of time and money on these solutions and then never put them into blocking mode and that's a well kept secret," says James Spooner, a security consultant at Lodoga Security Limited who recommends Secerno to his customers. Security managers don't have confidence in the tools, so they end up being used merely to alert on bad queries after they have been executed.

Gartner has warned customers not to use these tools in blocking mode, while Neray says alerts are "sufficient" for customers to satisfy their auditors and most customers think blocking an "unnecessary risk".

Spooner says that Guardium can be used to block, "but it would take four or five times as long to train the software to do it". He worked on three sites that employed Guardium, none of which blocked. Two of his customers use Secerno, and both did.

Secerno's co-founder and chief operating officer Paul Davie says half of its 24 customers use its software in blocking mode. Guardium's Neray says that of its "several hundred" customers "a handful" are blocking.

Secerno's apparent edge stems from its other co-founder and chief technical officer Steve Moyle, who created the technology while a research student at the Oxford University Computing Laboratory. He used machine learning techniques to analyse SQL queries.

The software is not wholly adaptive, as some machine learning systems try to be, because hackers are more likely to find ways around systems that put all their faith in computer reasoning. Neither is it of the statistical school of machine learning, which bases its conclusions on intelligent guesswork drawn from experience. It treats queries individually. What it learns is the language, which is comparatively simple for something as structured as SQL.

"Secerno understands the ontology of a query," says Spooner, "and recognises the verbs, key words, variables, all the things that make up the SQL language. And from that says, 'this is something I've not seen before but I can allow it'".

Other tools, like Guardium, generate lists of strings, or examples, of bad queries and match them against live queries on a database. Neray says that Guardium also considers the "context" in which a query is placed. This involves considering what sort of user has placed a query, what sort of queries they are allowed to place, and what operations are permitted on particular objects in the database. But when it comes down to it, it still matches strings.

Secerno is supposed to be able to distinguish between badly written queries that merely appear malicious and those that really are bad - hence, zero false positives. This is crucial, says Spooner, because hackers try to bury their dirty deeds amongst long queries that are by all appearances genuine, while legitimate users sometimes write unusual but benign queries.
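The contrast between matching strings and learning the language of a query, as an added illustration that is not Secerno's or Guardium's code: a toy tokenizer reduces each query to its grammatical shape (keywords, identifiers, operators, with literals replaced by placeholders), a constructed blacklist stands in for the string-matching approach, and a constructed training set stands in for the learning phase. The training queries, blacklist entries and probe queries are all assumptions made up for this example.

```python
import re

# Illustrative tokenizer for a small SQL subset (constructed for this example, not
# Secerno's parser). Literals become placeholders so a query's shape survives
# changes in the data values it carries.
TOKEN_RE = re.compile(r"""
    (?P<STRING>'(?:[^']|'')*')        # single-quoted literal, '' escapes a quote
  | (?P<NUMBER>\b\d+(?:\.\d+)?\b)
  | (?P<WORD>[A-Za-z_][A-Za-z0-9_.]*)
  | (?P<OP>[=<>!]+|[(),;*])
  | (?P<WS>\s+)
  | (?P<OTHER>\S)                     # anything else is kept verbatim
""", re.VERBOSE)

KEYWORDS = {"select", "from", "where", "and", "or", "insert", "into", "values",
            "update", "set", "delete", "union", "drop", "table", "order", "by"}

def structure(query):
    """Reduce a query to its grammatical shape: keywords lower-cased, identifiers
    and operators kept, string and numeric literals replaced by placeholders."""
    shape = []
    for m in TOKEN_RE.finditer(query):
        kind, text = m.lastgroup, m.group()
        if kind == "WS":
            continue
        if kind == "STRING":
            shape.append("?str")
        elif kind == "NUMBER":
            shape.append("?num")
        elif kind == "WORD" and text.lower() in KEYWORDS:
            shape.append(text.lower())
        else:
            shape.append(text)
    return " ".join(shape)

# Constructed blacklist in the style of a string-matching tool.
BAD_STRINGS = ["drop table", "union select"]

def string_match_verdict(query):
    """Blacklist approach: any substring hit, even inside a literal, blocks."""
    q = query.lower()
    return "block" if any(s in q for s in BAD_STRINGS) else "allow"

def learn_shapes(training_queries):
    """Training phase: record the structural shape of each query seen."""
    return {structure(q) for q in training_queries}

def learned_shape_verdict(query, allowed_shapes):
    """Allowlist approach: pass only shapes seen in training, whatever the literals."""
    return "allow" if structure(query) in allowed_shapes else "block"

# Constructed training set: the shapes a learning phase would have recorded.
ALLOWED = learn_shapes(["SELECT name FROM customers WHERE id = 42",
                        "SELECT * FROM orders WHERE note = 'gift'"])
```

A benign order note containing the words "drop table" trips the blacklist (a false positive) but matches a learned shape, while an unseen DELETE statement slips past the blacklist and is blocked by the shape allowlist.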

Funnily enough, Spooner says he still prefers to do things manually and not use Secerno's software in blocking mode, even though he endorses it, because, "we are a consulting company and we have to get it right first time".

This appears to be something of a contradiction. But perhaps, if Secerno is as good as is made out, it might make a few database security consultants redundant, along with the established tools they are punting. 2008 should clear up some of the unanswered questions, when the analysts take a proper look and Secerno's US office opens for business.
