January 18, 2002

SPI Dynamics Receives $2.5 Million in Funding

Atlanta Business Chronicle

Atlanta Business Chronicle - January 18, 2002by Mary Jane Credeur Staff Writer

A trio of former engineers with Internet Security Systems Inc. and S1 Corp. believe they have the know-how to keep your Web applications safe from prying eyes.

SPI Dynamics Inc.'s Web-based program can probe the applications used by other businesses to find weaknesses and suggest repairs that will enhance security. The program could help fortify applications from online financial data for major accounting firms to shopping cart programs for online merchants like Amazon.com Inc.

Now the 18-month-old company has a $2.5 million first round of venture funding to help bring more of its products to market and attract new customers.

This financing round was led by Southeastern Technology Fund with additional money coming from Gray Ventures Inc., local investment banker Croft & Bender LLC and Alabama-based Jemison Investment Co.

"We direct all kinds of personal information to the Web, from credit card numbers to account numbers and passwords," said CEO Brian Cohen.

Cohen said the bulk of the new funding will go toward hiring new salespeople to market SPI's products. By the end of 2002, Cohen hopes to grow the company's revenue tenfold (it was less than $1 million in 2001) and increase the staff from 14 to 50 employees.

SPI's ideal customer is a Fortune 1000 company that uses several Web applications to serve its customers and exchange information with its suppliers.

"Companies don't typically protect the Web server like they protect other parts of the network because they think firewalls and intrusion-detection devices are enough," said Cohen, who in 1999 sold his previous security software company, Technologic Inc., to Denver-based eSoft Inc., which recently was delisted from the Nasdaq market. "If your Web site is not secure, anyone can bypass log-ins and access information."

SPI's flagship product, called WebInspect, is a scanning tool that probes the weaknesses of a company's Web site, then ranks the vulnerabilities based on severity of risk. The software can be programmed to alert network operators when a breach has occurred or is in process.

SPI maintains a database of more than 2,300 known Web application susceptibilities, and that list expands by at least a handful of new weak spots each week, Cohen said. WebInspect prices range from monthly fees of $2,500 per server to annual fees of $20,000 or more. The software is not compatible with Macintosh computers.

Demand likely to increase

Security experts say the demand for products such as the WebInspect program is likely to increase during the coming years because more businesses are taking sensitive processes, such as purchasing and account management, online.

If a hacker is able to penetrate Web applications and see the architecture or coding of those applications, he might be able to use that information to gain access or manipulate other parts of an operating network or e-mail server, said Graeme Payne, a security expert with Ernst & Young LLP who teaches anti-hacking seminars.

"Protecting the Web applications is an emerging area in the risk assessment field," Payne said. "More and more companies are putting their applications on the Web because it means better service for customers. But it also means greater risk of exposing your customers to hackers."

Several companies in the security industry have begun working on software that can safeguard against attacks on Web applications.

SPI's chief competitor is an Israeli company called Sanctum Inc., which makes a product called AppScan. Other companies working on similar technology include San Jose-based Entercept Security Technologies and KaVaDo Inc., with headquarters in Tel Aviv, Israel.

SPI does not compete directly with Atlanta's top security software-makers, ISS and S1. Although all three companies are essentially going after the same customers, each addresses a different security need, SPI executives say.

Field experience

SPI, which stands for security protection intelligence, was founded in early 2000 by Wade Malone, Caleb Sima and Brian Christian. The three had spent several years in the security software industry, and learned firsthand about the vulnerabilities in Web applications.

Malone left his job with S1 in early 2000 and began drafting a business plan while the other two continued to work for ISS. By the summer of 2000, all three were working without salaries to build the software that would become WebInspect.

Aside from a small angel investment in the $200,000 range, the company has not raised any venture funding until now. SPI had a term sheet in the spring of 2001, but the deal fell through.

The founders sold their cars and emptied their savings accounts, then drafted a 90-day survival plan to keep the business afloat.

"I knew there would be some [correction] in the economy because everybody had been living in such excess, but I had no idea it would get this ugly," Malone said of the harsh investment climate the founders encountered in 2000 and 2001. "We drained everything we had. We painted garages on the side and did consulting when we could."

When the software was nearly finished, the three again met with investors.

"We knew then that this team was on to something that would be in high demand," said Ramsay Battin, a principal with the Southeastern Technology Fund. "This team is at the forefront of where Web application security is going."

In the months ahead, SPI hopes to convince major Web applications companies to integrate their software into off-the-shelf products like shopping cart programs, account management systems and content management. SPI also plans to release two new products before the fall -- one that keeps a log file of hacking attempts, and another that acts as a "sniffer" on Web servers to reject would-be hackers, Cohen said.

Reach Credeur at mjcredeur@bizjournals.com.