Veracode CEO Bob Brennan on the Future of Software Security
(Page 2 of 4)
a flood of technology over the last 7-10 years. Think about the way we pay, eat, drive, collaborate, manufacture, read, listen to music, watch… Everything’s changed very dramatically very quickly. This hyper-connectivity has been the result of all the legacy apps that exist, on one end of the spectrum, and on the other end, you have the proverbial mobile phone with all these apps on it that are coming in unfettered and unvetted by the enterprise.
The other side of this is the need to be secure. Verizon says 71 percent of attacks occur through the application layer. The average corporation has 390 critical applications that cut across the entire enterprise. And we have our own records, we’ve been doing this for six and a half years: we know more about the vulnerability of applications than any company on the planet. We do it as a service in one place, and 80 percent [of apps] fail a basic security test the first time through.
So the need for speed is in conflict with the need for security. We come into this and say, “All right, there’s a better way.”
X: How does it work?
BB: The secret to our technology is we don’t need access to the source code. That allows us to get to everybody else’s software, to secure the software supply chain.
We’ve defined criteria for what constitutes secure software at [big Web and manufacturing companies]. And then when they meet that capability, they’re in. We just have to coach them through it. Eight-five percent of what they wrote is good and secure. But that 15 percent leaves it wide open, and we can help them get through that. We address things like SQL injection—attackers get into the database, burrow into core IP, get into payroll data, and so forth. And cross-site scripting—jumping from one website to another. Veracode does the work, and vendors pay for it.
X: So what does your service actually do?
BB: We can scan the entire IP address range of the biggest companies in the world and understand all the properties that sit within that. This allows us to do something called a massively parallel view—we’re able to look across all the micro-sites that [connect] to Xconomy, say. And based on the components they were written in, create a heat map and tell you, ‘Here’s where they’re most vulnerable.’ That lets us do deeper levels of authentication. Our core intellectual property is around looking at the application from the inside out, without seeing the source code— it’s known as binary static analysis. [Veracode creates a model of the application from the executable code and tests all possible paths of data through the program—Eds.]
We also provide e-learning tools to teach vendors how to do it, so you never write this kind of error again. We have a policy engine that allows us to define the 3-10 things you need to pass. And we provide deep analytics on this. We integrate into their development environment, so for internally developed apps, we want it to be part of the nightly build—they don’t even know we’re there. Not unlike the PC backup thing at Cisco, where I didn’t know I was running it.
X: But big guys like HP and IBM compete with you on internal app security, right? As I see it, what makes you different is you work on external apps too.
BB: Historically, Veracode has competed with HP and IBM. We have always fought over, “Let us secure the development of your internal applications.” That’s the only thing you have access to the source code to. HP and IBM would say, “We sell you these tools, you ask your developers to use them, they scan their code, and they can tune that system.”
We said, “Leave the driving to us.” Instead of having people, we can put a program on it. We can have the vendors pay for it, because they’re paying for the privilege of selling to [big companies]. But we also provide a service that allows you to secure all the applications you have—mobile, internally developed, externally developed, whether you have the source code or not. We take a much more expansive view of the problem to include all third-party applications. Otherwise we’d be getting killed by them.
X: Let’s talk about how your business is doing, and what’s in store for the coming year. Will you expand via more acquisitions like Marvin Mobile Security?
BB: Next year we expect to grow around 75 percent. The plan is to cross over to profitability sometime during the year. The big opportunity to track with us is how well we do in securing the software supply chains of the world’s largest companies. We’ve done it in part for about 70 corporations to date.
As for M&A, there are many types of companies that … Next Page »