Veracode CEO Bob Brennan on the Future of Software Security
One of the Boston area’s most intriguing tech companies operates in a danger zone. The software security danger zone, that is. To give a sense of what we’re talking about here, national security expert Richard Clarke is on its board of directors.
Yes, the trajectory of Veracode could play a big role in the future of how software applications get secured—and how cyber warfare is waged. And conversely, the proliferation of Web and mobile apps—and the increasing seriousness of cyber attacks—could mean big business for Veracode.
The Burlington, MA-based company started in 2006 and has raised $74 million from investors including Atlas Venture, Polaris Ventures, .406 Ventures, and Symantec. That puts Veracode in the top 10 biggest VC-backed technology bets around Boston.
Right now, that bet looks like it could pay off. Veracode, which has some 225 employees, expects to bring in $36-39 million in revenue this year. Its sales are growing by more than 75 percent year-over-year. And it says it’s just getting started.
Just over a year ago, the company brought in a new CEO: Bob Brennan, the former chief executive of data management firm Iron Mountain (NYSE: IRM). Brennan took over from chairperson and interim chief Maria Cirino, who succeeded founding CEO Matt Moynahan earlier in 2011.
Brennan has a very interesting background. The New York City native (but longtime Bostonian) ran American Internet Services in the mid-1990s, sold it to Cisco in 1998, and served as a vice president and general manager at the networking giant for two years. From there, he joined Connected, a PC data protection company that was bought by Iron Mountain in 2004 (more on that below). Brennan served as president and chief operating officer and worked his way up to CEO in 2008.
Last month, I had a chance to sit down with Brennan at Veracode’s headquarters. In a wide-ranging interview, he talked about how the application security industry is approaching a tipping point; how Veracode’s technology and strategy differ from its competitors; and also some interesting leadership issues around hiring, culture, and psychology.
Here’s an edited transcript of our chat:
Bob Brennan: I was working on an acquisition for Cisco when my PC died. It was a moment of metaphysical terror. The IT guys said, ‘No, no, it’s backed up.’ But I hadn’t been backing it up. It did it automatically with this product called Connected. I thought it was amazing that I got all my stuff back, including the details on this acquisition. I realized that I wanted to be in charge of something more fully. I knew some of the investors in Connected, met with them, and became CEO.
We had the company going public, and it really wasn’t ready to go public. And the markets were cresting, it was the spring of 2000. So we went about building that company the old-fashioned way, ultimately selling it to Iron Mountain in 2004.
X: So why did you join Veracode?
BB: I fell in love with Veracode because every corporation needs the service that we provide—which is essentially to secure their application layer. There were very committed investors, tremendous talent here, and a large expanding market opportunity. And the opportunity for Veracode to be an independent third party that made the technology industry a better industry. So that software vendors were developing more secure code, and corporations were buying more secure code. And that we could be in the middle of all that, and potentially build a large independent company in Boston. So I was a sucker for all that.
X: Tell me about the big problem you’re trying to solve here.
BB: Our customers are the largest corporations in the world. In today’s day and age there’s a need for speed. That has produced a flood of technology over the last 7-10 years. Think about the way we pay, eat, drive, collaborate, manufacture, read, listen to music, watch… Everything’s changed very dramatically very quickly. This hyper-connectivity has been the result of all the legacy apps that exist, on one end of the spectrum, and on the other end, you have the proverbial mobile phone with all these apps on it that are coming in unfettered and unvetted by the enterprise.
The other side of this is the need to be secure. Verizon says 71 percent of attacks occur through the application layer. The average corporation has 390 critical applications that cut across the entire enterprise. And we have our own records, we’ve been doing this for six and a half years: we know more about the vulnerability of applications than any company on the planet. We do it as a service in one place, and 80 percent [of apps] fail a basic security test the first time through.
So the need for speed is in conflict with the need for security. We come into this and say, “All right, there’s a better way.”
X: How does it work?
BB: The secret to our technology is we don’t need access to the source code. That allows us to get to everybody else’s software, to secure the software supply chain.
We’ve defined criteria for what constitutes secure software at [big Web and manufacturing companies]. And then when they meet that capability, they’re in. We just have to coach them through it. Eight-five percent of what they wrote is good and secure. But that 15 percent leaves it wide open, and we can help them get through that. We address things like SQL injection—attackers get into the database, burrow into core IP, get into payroll data, and so forth. And cross-site scripting—jumping from one website to another. Veracode does the work, and vendors pay for it.
X: So what does your service actually do?
BB: We can scan the entire IP address range of the biggest companies in the world and understand all the properties that sit within that. This allows us to do something called a massively parallel view—we’re able to look across all the micro-sites that [connect] to Xconomy, say. And based on the components they were written in, create a heat map and tell you, ‘Here’s where they’re most vulnerable.’ That lets us do deeper levels of authentication. Our core intellectual property is around looking at the application from the inside out, without seeing the source code— it’s known as binary static analysis. [Veracode creates a model of the application from the executable code and tests all possible paths of data through the program—Eds.]
We also provide e-learning tools to teach vendors how to do it, so you never write this kind of error again. We have a policy engine that allows us to define the 3-10 things you need to pass. And we provide deep analytics on this. We integrate into their development environment, so for internally developed apps, we want it to be part of the nightly build—they don’t even know we’re there. Not unlike the PC backup thing at Cisco, where I didn’t know I was running it.
X: But big guys like HP and IBM compete with you on internal app security, right? As I see it, what makes you different is you work on external apps too.
BB: Historically, Veracode has competed with HP and IBM. We have always fought over, “Let us secure the development of your internal applications.” That’s the only thing you have access to the source code to. HP and IBM would say, “We sell you these tools, you ask your developers to use them, they scan their code, and they can tune that system.”
We said, “Leave the driving to us.” Instead of having people, we can put a program on it. We can have the vendors pay for it, because they’re paying for the privilege of selling to [big companies]. But we also provide a service that allows you to secure all the applications you have—mobile, internally developed, externally developed, whether you have the source code or not. We take a much more expansive view of the problem to include all third-party applications. Otherwise we’d be getting killed by them.
X: Let’s talk about how your business is doing, and what’s in store for the coming year. Will you expand via more acquisitions like Marvin Mobile Security?
BB: Next year we expect to grow around 75 percent. The plan is to cross over to profitability sometime during the year. The big opportunity to track with us is how well we do in securing the software supply chains of the world’s largest companies. We’ve done it in part for about 70 corporations to date.
As for M&A, there are many types of companies that provide a rich set of information about the state of applications out there, and we’re interested in having partnerships with them. Some of them, we will choose to build it ourselves, because we didn’t think they did a great job. Others we will choose to partner with them because we think they did a great job, but it’s not important to own it. And others we’ll buy. So inorganic growth will play a role, but all of the growth I’m speaking about for 2012 and 2013 is organic.
X: Are you looking to hire a lot more people?
BB: Here’s the thing that I’m mindful of. We hired over 100 people this past year. I’m coming up on my one-year anniversary. I don’t consider myself fully ramped. I’m pretty ramped, but most of those 100 are less ramped than me. So there’s a lot of productivity in our system that has yet to be realized. That’s not necessarily intuitive to the people we’re holding to very high standards for performance. I can say we’d like to hire between 50 and 80 during 2013.
X: What about your IPO prospects down the road?
BB: The IPO, if it marks anything, it marks the end of the beginning. I have a low badge number, and I’ve only been here a year. We’re still in the very early stages of this company, even if you’ve been here six years. When I talk about these big customers, they’re just getting going on this. With an IPO, you’re selling 15 to 25 percent of your company. So it’s very much the beginning. I don’t see it as an end state. I see it as a way to attract capital so that you can continue to grow as fast as possible.
It should be a byproduct of the business we’re building. We’re trying to build a sustainable Veracode. If you think about the elements of a sustainable company: you need spectacular market conditions, check. You need a business model that is predictable and recurring, check. You need good team DNA, check. You need leverage in your model, and our third-party program provides an obvious point of leverage. And you need a culture that responds quickly to changing conditions. That’s evolving but I feel good about it.
I worry if I seek out the markets. Let the markets pull you in, don’t try to push your way in.
X: You mentioned culture. Can you talk about Veracode’s culture, and what you have brought to it over the past year?
BB: It is a culture of competence. People really understand their role and the domain. The best application security experts in the world work here. And some of the best general security experts in the world work here. I believe you can affect the culture at the margin, but you cannot change the culture. One of the reasons I wanted to join the team was that there is a deep-seated belief that we do meaningful work, that we are making the technology industry better.
Our culture may have been described a year ago as a culture of expertise. We’ve been successful in bringing in more general business athleticism, and have that mix with the expertise. I’d say a culture of competence is emerging from one of expertise.
X: Is it closer to Iron Mountain’s culture or Cisco’s?
BB: Neither. Iron Mountain’s culture is one of operational excellence. If you have an appendicitis attack, we need to have your medical records in front of your doctor as you get there. Cisco’s culture was one of being able to maintain customer intimacy as it grew torridly. But I don’t think you pick your culture. You have to work on the margin of those things. I don’t think in terms of another company. And I love both those companies. But we’re not them.
X: What about the transition from a small startup to a mid-sized young company? How’s that going?
BB: There’s an issue of kinetic energy to process. We need to develop a Veracode way of doing things. There’s a Veracode way of hiring, on-boarding, responding to customers, dealing with conflict, setting expectations. If you just pivot the company from startup qualities to the right [big company], you basically get a really small big company. And that’s a nightmare. You need to keep everything on the left [startup qualities] while we go to a Veracode way of doing things.
The company was very conservative with how it spent money. We grew 76 percent last year going through a lot of transition as a company. We’re mindful of the fact that this is about how fast you grow, and there’s an opportunity to dominate application security as a service that’s a large, expanding market. I don’t have to tell you that the difference between first and second place is huge.
X: So ultimately, what’s the big picture here? How will Veracode change the world?
BB: We believe that by pushing very hard, we can produce a tipping point. So—if we have the major financial services companies, the major logistics providers, the major healthcare companies, going out with near-simultaneity to their vendors saying, “You’ve got to do this”—that those software vendors will see the usefulness in doing it. And then they quickly see the benefits of having done it because they have more saleable software, and we become a standard like United Laboratories, like Carfax.
That’s really big stuff. That’s making everybody better, more responsible. There’s a way to provide a secure application infrastructure where you’re expecting more from your vendors—it’s truly a “no regrets” move. We’re very excited about our ability to do this for internal applications, Web applications, and now for mobile applications.
X: What’s the biggest trend to watch?
BB: It’s going to be an increasingly mobile world. This issue of control will become one of anybody using any device, at any time, from anywhere. And where nobody would provision an application without understanding its security profile. The application counts inside these large corporations don’t shrink, they expand. I think it becomes as accepted a practice as QA [quality assurance] is today.
X: What books on leadership and psychology are you reading these days?
BB [pulls out his tablet]: The book I’ve appreciated a lot over the last few months is The Advantage by Patrick Lencioni, on organizational health. I’ve been doing a lot on Presentation Zen. Also You Are Not So Smart [by David McRaney] about biases. And Confessions of an Economic Hit Man [by John Perkins].
Also The Checklist Manifesto [by Atul Gawande]. Jack Dorsey hands this out to everybody at Square and Twitter. It makes the case for where you need different checklists in your business as it becomes more complicated. As you develop a Veracode way, just because I can do some “Presentation Zen” and take a complex idea and present it more simply, doesn’t make the business more simple.