NEW TECH: Brinqa takes a ‘graph database’ approach to vulnerability management, app security

By Byron V. Acohido

Imposing just the right touch of policies and procedures towards mitigating cyber risks is a core challenge facing any company caught up in digital transformation.

Related: Data breaches fuel fledgling cyber insurance market

Enterprises, especially, tend to be methodical and plodding. Digital transformation is all about high-velocity innovation and on-the-fly change. The yawning gap between the two is where fresh attack vectors are arising, creating a candy-store environment for threat actors.

Brinqa, an Austin, TX-based security vendor has come up with a cyber risk management platform designed to help companies take a much more dynamic approach to closing that gap, specifically in the areas of vulnerability management and application security, to start.

Brinqa was founded in 2009 by Amad Fida and Hilda Perez, industry veterans seeking to leverage their collective expertise in risk management and identity and access management. Early on, a customer of their cyber risk management solution asked if they could assess a physical location, down to the fire extinguishers.

An early version of their platform was already live. But that assignment led Fida and Perez to re-architecture the platform around graph databases and knowledge graphs. It was an approach they felt would be flexible enough to keep up with rapidly-evolving enterprise technology infrastructure.

I had the chance at RSA 2019 to meet with Syed Abdur, Brinqa’s director of products, who provided more background. For a full drill down, please give a listen to the full Last Watchdog interview via the accompanying podcast. Here are the key takeaways:

Blistering pace

On-premises data centers look to remain a big part of hybrid cloud networks, going forward, and keeping these systems up to date, with respect to vulnerability patching, isn’t getting easier.

By many measures, the vulnerability management challenge companies face is getting steeper. The National Institute of Standards and Technology’s National Vulnerbility Database, logged around 14,000 unique vulnerabilities, up from 13,000 in 2017 and 6,000 in 2016.


“Hackers are getting more proactive; they’re not only looking for more vulnerabilities to exploit but also spending significant time and resources to identify those that can cause the most damage,” Abdur said. “With cloud, containers, IoT, OT, and mobile devices the enterprise technology infrastructure is expanding really, really rapidly while the policies and processes that we have in place to manage these risks are falling behind.”

So what is Brinqa bringing to the table? Co-founders Fida and Perez realized they had to  materially improve upon the treasure trove of security analytics systems already in the market – technologies that companies have spent billions to install.

 Vulnerability management

Flashback to the assignment Fida and Perez initially took on: to do a physical location risk analysis, down to the fire extinguishers. They quickly learned how difficult it was going to be to correlate a wide variety of evolving component components using a relational database, the traditional approach. So they re-architected Brinqa’s nascent platform, and its underlying technology stack, and pivoted to basing it on a graph database, specifically Neo4J.

Originally designed to digitize paper documents, relational databases remain in universal use in enterprise settings. Their rigid design remains well-suited to structured, on-premise business processes. But graph databases are much more well-suited to making lightning-fast correlations in complex hierarchies.

Graph databases are what major league baseball teams use to calculate how to position infielders with specific hitters, in certain ball parks, facing specific pitchers, in a mid-week night game vs. a weekend day game. Similarly, Brinqa’s platform leverages graph databases to help companies correlate vulnerability, asset, and intelligence data across multiple on-premises and cloud sources — under circumstances that can change day-to-day.

Application security

The company is also focused on helping large enterprises become more agile and effective at assuring all of their business applications are secure, whether those applications are developed internally or supplied by third-parties.

Abdur pointed out how the tools and services companies rely on to test for security flaws often overlap – and just as often result in lingering gaps.

“It has become very important, on the AppSec side of things, to make sure that policies, processes and practices are uniformly applied across the software infrastructure and throughout the SDLC process. We help customers consistently analyze data from all of these different tools – static testing, web application testing, software composition, penetration testing – regardless of where they’re coming from, or what type of application it is, and have a universal approach to effective application risk management.”

Abdur told me Brinqa has received strong positive feedback from its customers, the early adopters to this approach. And he said the company has plans to extend its platform by directing graph databases toward doing risk analysis and management of software containers and other cloud computing components.

What Brinqa is doing makes a lot of sense. Using graph databases to assess security risks is a case of applying the best-available technology to mitigate a complex, rising challenge: helping companies stay secure, while also being able to move fast and grow very big. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone