With the rise of sophisticated cyber threats,
integrating security into the design phase of software development has become
more crucial than ever. Recently, Prime Security
emerged from stealth, unveiling an AI-powered solution that enables security
teams to establish guardrails early in the design process, helping to detect
and mitigate risks before development even begins.

To explore how this new solution is reshaping
security processes, I spoke with Michael Nov,
co-founder and CEO of Prime Security.

VMblog: You recently launched Prime Security and the Prime Product Security
Platform. Tell us about the background of the company.

Michael Nov: Prime Security started ten months
ago, born out of a pain point we encountered as Technical and Security leaders
in our respective companies. We constantly saw friction between security and
engineering, which slowed down product velocity and stifled innovation. While
there are plenty of tools to secure the SDLC once code is written, the design
stage, the first stage, remains manual. Security teams don't yet have a scalable
way to monitor and mitigate risks at this early phase. As a team of four co-founders
and long-time friends, we knew we could change this. Advancements in Generative
AI finally provided the infrastructure needed to automate design-stage
security, which is where Prime Security comes in.

VMblog: What can companies expect from the Prime Product Security Platform?

Nov: After a 10-minute integration, companies
using Prime Security typically see initial value within 24 hours of deployment.
Our product delivers value across three critical areas:
- Risk Visibility: Prime enables
security teams to proactively identify emerging security and compliance
risks in planned development work, solving a problem that was previously
managed manually through long conversations between security and
engineering teams.
- Context Interpretation: Every
development task has a history, often spanning multiple components and
sources across the organization. Prime aggregates and interprets this data
to provide a clear, concise summary for the security engineer, allowing
them to quickly understand the task's goals and potential risks.
- Mitigation Recommendations:
For every identified risk, Prime generates customized recommendations
tailored to the customer's environment. These recommendations can be based
on standard frameworks like NIST and PCI or internal policies. The
recommendations are easy to review and share with technical teams at the
click of a button.

VMblog: What are the benefits of starting security product design at code,
and what are best practices?

Nov: The two main benefits are:
- Enhancing Product Security: Design
flaws can be critical to the overall security of a product, but they are
often only detected through manual reviews. Automating this process makes
it more reliable.
- Improving Product Velocity:
Late-stage security remediations are both costly and slow down the
business. Addressing risks at the design stage eliminates delays caused by
last-minute fixes.

At a certain scale, typically around 50
engineers, organizations become acutely aware of the need to integrate security
into the SDLC. While there are many tools to secure code post-development, the
design stage remains manual. Teams address this in various ways, including
Security Design Reviews, Threat Modeling, or training Security Champions, but
these approaches don't scale well, especially when you have one security
engineer for every 100 developers. As a result, critical risks are often
missed.

VMblog: How does the platform leverage AI?

Nov: AI, particularly Generative AI, is at the
core of Prime Security. Since the majority of our input data is unstructured
(e.g., text), we leverage large language models (LLMs) to assist with risk
identification, context summarization, and generating actionable
recommendations. We also incorporate deep learning techniques to continuously
improve the accuracy of our insights. The combination of LLMs and traditional
AI methods allows us to offer precise and actionable risk management.

VMblog: How are enterprises using it now, and are there any use cases that
you can tell us about?

Nov: Enterprises are using Prime Security to
gain visibility into risks during the planning stages of development, quickly
grasp the context of tasks, understand potential risks, and generate actionable
recommendations. One of our customers said, "Prime Security turns a single
security engineer into a one-person army with AI-driven automation and
insights. Your engineering and product teams will think you hired five extra
security engineers."

In terms of use cases, our product helps
customers identify and mitigate risks across three key areas:
- Gaps in security architecture, like a lack of
authentication for a new API.
- Design-stage security violations, such as
disabling HTTPS for testing purposes.
- Compliance violations, including moving PII to
a non-PII zone.

VMblog: Is there anything else our readers should think about?

Nov: While we began by focusing on the design
stage of software development, we don't plan to stop there. We are building a
platform targeting product security, which is broader than just Application
Security. True product security covers applications, infrastructure, and policy
management. The design stage is just the first step in a much larger journey.

Bio:
Michael Nov is the co-founder and CEO of Prime
Security, where he is helping organizations scale security from the design
phase of software development. With a strong background in technology
leadership, Michael previously held key roles at companies including Deloitte
and OwnBackup. Michael is also an angel investor and actively supports startup
initiatives in the Greater New York City area.