Matt Moynahan isn’t your average infosec CEO. He is younger than the average CEO (he was recognized as one of the ‘40 Under 40’ top leaders in Greater Boston) and he studied History at University. Neither of these differences appear to put him at a disadvantage though. In fact, his integrity, passion and intelligence are abundant.
Moynahan has been with Veracode for five years, becoming CEO in 2006, just a month after the company was officially founded.
Evidently full to the brim with talking points, Moynahan ploughs straight in, describing a sea-change currently happening in the industry. “There is a new pressure on Google and Apple to behave in a certain way, because people will [start to notice] their App stores for being more or less secure.”
One year ago (when I met with Veracode’s founder and CTO, Chris Wysopal), mobile application security was not one of Veracode’s offerings. “Now it is”, Moynahan declares. “Next month we’ll be announcing support for Android, iPhone and iPad applications – one of our most important initiatives.”
This evolution into the mobile market was a natural progression since consumerisation of IT is now at its peak, says Moynahan. “iPhones and iPads are consumer devices, built for the consumer market, but they are coming into the enterprise where CIOs and CSOs can’t control them.” This he explains, is why mobility is so hard. “Enterprises are scrambling to put the same controls in place around something they have no control over. That’s why our business is so important.”
Banning these consumer devices is not an option, the Veracode CEO insists. “They have no choice. Their employees would not be happy. There is not a true blending between the consumer and enterprise - it’s a beautiful mess.”
Cloudsourcing
During the interview, Moynahan declares his desire to copyright the term ‘cloudsourcing’. “This refers to apps that are built in the cloud”, he explains. “Cloud apps and cloud services are more insecure than open-source or enterprise applications, with 83% that we scan failing on the first submission.”
The mobile threat landscape is not quite as simple as looking for traditional cross-site scripting and buffer overflows, he says. “They do exist, but there’s going to be a new threat you have to look for - malicious code embedded in the application, doing things it shouldn’t be”.
“Looking for things like malicious data export is going to be as important as [looking for] code that is written cleanly, but with a hole”, he insists.
Moynahan anticipates that Google and Apple are going to “raise their eyebrows” when Veracode start reporting on which developers are writing good code, and who is “sticking things” in applications. “They will be forced to increase their security because we’re going to be reporting on the [code and apps] after they’ve accepted them. It’ll be embarrassing [for them]”, he says.
The scary reality, he says, is that sometimes downloading an app results in “some company somewhere making money off of your behaviour. It might be malicious, or it could just be a breach of your personal information.”
What Consumers Want
The secret to Apple’s success, believes Moynahan, is that consumers are the last to care about security. “Consumers care more about functionality than they do about security. It’s enterprises that have always driven the security market”.
Moynahan shares an interesting statistic which he took from his tenure at Symantec, prior to joining Veracode. “The number one purchase driver for [consumers purchasing] Norton anti-virus is the fear of embarrassment and infecting other people.” To the contrary, he explains that the driver for enterprises adopting information security is liability and compliance. “If it wasn’t for compliance, they wouldn’t care. That’s why enterprises are driving so hard right now, because China is literally attacking every single company in the Fortune 500.”
Despite his tenure at Symantec, Moynahan certainly can’t be considered loyal to the company. “Microsoft is doing better at security than Symantec”, he declares, explaining that the Trustworthy Computing initiative at Microsoft was born due to demand from the enterprise market.
What started it all, he explains, is that “CIOs called up Microsoft and said, ‘if you don’t fix this [security problem], I’m switching to Linux, as it’s free and more secure. So what did Bill Gates do? He said ‘we have a problem and we’re going to fix it’. Not because of consumer demand, consumers were powerless. Enterprises were voting with their wallets and Microsoft would no longer be here today if they hadn’t done as good a job as they had to secure their infrastructure.”
Application Security Needs to Go Mainstream
Moynahan interestingly describes application testing as the “natural progression of a security audit; from asking questions to actually checking the code”. Why? “Because the code is insecure, nothing has gotten better. When you build an app, you should Veracode it. We want ‘Veracode it’ to become a verb.”
Application security, unlike hacking, has not yet gone mainstream, says Moynahan. “Why? Well, hacking has gone mainstream because I could probably teach you in about an hour how to hack into a bank – no joke.” Securing software, is however, slightly more challenging, “you have to go buy tools, and install them on developers’ desktops. There is a huge gap between what the hackers can do and what banks can do, and that’s where Veracode comes in. We are in the cloud so there’s no hardware or software”.
To help get application security on the map, Veracode launched a free cross-site scripting service at the end of January this year. “According to any industry report, cross-site scripting is the number one vulnerability over the past ten years, yet it’s the easiest thing to fix”, he explains. “Anyone in the world can upload to our facility and get a free audit for cross-site scripting flaws. We’re trying to get all the developers just to see how easy it is to check their code for cross-site scripting.”
The good news, says Moynahan, is that the fix for most security vulnerabilities is “super simple”. On average, he explains, “it takes less than two re-submissions to go from an average security quality score to a really high security quality score”.
The core of the problem, explains Moynahan, is that university students are not being taught how to write secure code. “There’s a huge supply shortage of really smart people writing code who know about security.” Veracode founders Chris Wysopal and Christien Rioux are the exception to the rule, Moynahan announces proudly. “What we are trying to do is take everything from their brains and put it into a machine. We’re trying to create a really easy service that has rocket science built in”.
Not a Textbook CEO
Veracode was technically formed in March 2006, and Moynahan joined one month later. What attracted him to Veracode? “It really is rocket science”, he marvels.
Perhaps surprisingly, Moynahan has a Bachelor of Arts degree in history from Williams College in Williamstown, Massachusetts, and holds a Masters in business administration from Harvard University Graduate School of Business Administration in Boston.
“My history major helps me more than anything”, explains Moynahan, whose degree taught him to connect the dots, and read data.
His varied education and past roles at Symatec and leading technology and finance companies allows him to wear “different hats. I never tell anyone I have an MBA unless I’m speaking to investors. If I’m talking to a CSO or chief information officer, I put on my Goldman Sachs hat. If I’m going to talk to a big software company, I put on my Symantec hat.”
One Scan at a Time
Moynahan compares Veracode’s work to Google’s objective. “Google is trying to organise the world of information one search at a time. They’re scanning and indexing everything they can. [Veracode] is trying to do the same thing from a software perspective”.
“There’s also a Facebook element to what we’re doing too. Facebook aggregates user behaviour and preferences, and we’re aggregating coding behaviour at the developer level”, he explains. “I want to get every university in the world a free Veracode account, so that every computer science class in the world will bake into their curriculum how to write secure code. We’ll condition every student to understand the mistakes they’re making, and then we’ll also understand how the future hackers are coding.”
On the topic of bounty programmes, Moynahan expresses his disapproval. “There’s a market out there for it, which is really bad. In the black market, some Adobe vulnerabilities are selling for very high prices.This is why you have to have the anti-bounty”. Veracode, he explains, is the antidote – “a machine to help Adobe stop that. Adobe is doing everything they possibly can, but they can’t hire enough people to go look through all the code.”
“Our machine has to beat the human. There needs be a next-generation machine for the good, because hackers are already using machines for the bad. That’s why our mission is making it easy, but also really cheap, because we should be doing this for pennies. If your iPhone app is only selling for 99 cents, you’re not going to pay ten grand for a security audit of it. We should be doing it for a buck.”
Wrapping up, Maynahan re-visits what he considers “a structural problem in the market”. The fact that no-one is teaching students how to write secure code is the fundamental problem, he says. “We can be a huge friend to any developer out there. So while Google says, do no evil, we want to do no harm.”