The youthful president and CEO of Veracode tells Paul Fisher why SaaS is the only way forward for vulnerability scanning.
Matt Moynahan is one of those young tech overachievers the west coast of America seems to turn out from some production line. He is the 37-year-old president and CEO of Veracode, a company that's just two years old but already making waves, thanks to its software as a service (SaaS)-based application vulnerability assessment model.
Moynahan has managed to change his career quite a few times in the years since graduating from Harvard Business School, weaving successfully between the interdependent worlds of investment banking and tech start-ups. He originally found himself at Goldman Sachs in various positions, including the leveraged finance, corporate finance and equity capital market groups. However, he says it was his time at Symantec, where he was responsible for directing the $2 billion consumer products division, that really fired his enthusiasm for security.
"The reason I left Goldman and got into security about 15 years ago was that I moved to the hi-tech group inside Goldman, and I took a lot of security companies public as part of that," Moynahan recalls. "And I ran into a lot of entrepreneurs who were technically brilliant but didn't know how to manage a business."
After enjoying big success at Symantec, in 2006 he finally took the plunge and left to oversee the birth of Veracode, uprooting himself from the west to the east coast in the process.
He says he owes Goldman Sachs a lot for his early training but, when asked if he sees himself as a business leader or technologist first, he hedges his answer. "I'm an aspiring technologist. I have got increasingly technical over the course of my career, but I don't even try to go head to head with the chief scientists and the founders of my company," he admits.
He also reveals that a main driver for leaving Symantec was to get away from big company politics. "When I joined Symantec, I was spending 80 per cent of my time on products and 20 per cent on politics, but when I left it was the other way round."
If that sounds like a subtle put-down of Symantec and a reason why he wanted out, then it probably is. However, Moynahan is not about to stick the knife into John Thompson, Symantec's long-serving CEO, someone he considers a mentor.
"John's got a great legacy. I think he was a visionary in that he made the bet early on that the space was going to consolidate. I don't know how long he's going to stand by Symantec, but he is certainly responsible for taking it from a small anti-virus company to the security gorilla it is today. So I give him a lot of respect for that," he says, at the same time likening Symantec's acquisition of Veritas to an anaconda digesting an antelope.
In the two years since Veracode was born, both Moynahan and the company have garnered industry praise and awards - not least two SC Awards Europe 2008: Best Vulnerability Assessment and the Innovation Award. It seems the company is doing something right. Moynahan believes much of the success comes from adopting the SaaS model right from the start - but, crucially, not just for cost reasons, he insists.
He says corporate environments are awash with applications that can't be traced back to known sources or patched easily when vulnerabilities become known. So what he is offering is a subscription-based remote service that scans everything currently running on a business's systems.
"In the old days with Microsoft, in the late 1980s and early '90s, code used to be built by a single team, with a single code base. That doesn't happen any more," he explains. "No one has any idea where code has come from. The US government has a term for it: SOUP, software of unknown pedigree, and that really is the state of current applications. It's a mixed code base coming from global locations. That's not going to change," he adds.
"What we do is look at the executable of the software - the same software that's sitting on the shelves at the computer store or running on the internet. It's almost as if we can tell you what's wrong with a sentence in a book by looking at the cover," he claims. "Doing a security analysis on binary is superior to source code - hackers don't attack source code. The truth lives in the binary. So, when we look at the binary, we can tell you for sure what's been shipped."
I have to ask, is this another admission that attacking malware is a dead option? His approach seems to suggest as much.
"My spam is actually getting worse than it was ten years ago, despite the proliferation of core technologies. Right now, the traditional security companies are overwhelmed. It's an arms race. And I think it's a losing battle," he replies. "But if you can protect the core asset and make some of the larger players focus on a smaller portion of that malware, they can direct their resources better, and the code base will actually help them in the long run," he says.
Moynahan is also critical of what goes on inside companies in the name of information security and the misaligned use of seemingly catch-all panaceas. Like encryption, for example.
"You see a world of extremes, where a vast majority of security spend goes on implementing encryption across the board, where it's not really necessary. I think you need to take a look at the applications, their importance or assurance level, and divide your security spend appropriately across them. That's not happening today," he laments. "The market is very reactionary. People see someone get hacked or a PCI breach occur, and everyone rushes to go get encryption or focuses on daily leakage."
Moynahan does at least have some more positive things to say about the UK and Europe where, he says, we tend to be a bit more methodical in our approach. He says he gets requests to look at entire application inventories and then identify only those that are most important to the business function.
He also claims that the Veracode scanning engines are able to learn by looking at different applications. "It's almost like an equivalent of Google getting smarter the more clicks you see on a web page; they can diagnose that information and go in and create services around it," he says.
Despite his earlier praise for John Thompson, it's clear Moynahan believes his time has come, and that the hostile threats are putting the traditional security players at risk of being outmanoeuvred. He suspects the hackers are moving at ten times the speed of what he calls "the legacy enterprise software companies".
The SaaS model allows flexibility for his customers, but means that they too have to keep on their toes and engage in constant development to stay ahead. And with recession looming, clients, he believes, will be looking more and more for value and consistency from their security providers.
"Here's a trend that's going to take off over the next two to three years: every large organisation will have baked the security quality criteria into the procurement process. They're not going to pay for insecure software, deploy it and then pay for the patches. That is a paradigm shift that's out there that Veracode is trying to enable," he says.
Part of this shift is a world where, he says, the CSO is fighting a lonely battle against well-paid hackers mocking the legal system because it's just not worth putting resources into tracking and prosecuting them. "Even more troubling, there's a trend to make the hackers' job easier. A lot of criminal organisations will pay hackers to break into an application or an enterprise. What they're now talking about doing is helping a very low wage employee over in India or China embed a backdoor into the code, and pay them three times or four times their annual salary. So once that code is actually shipped, it's broadly deployed, they can hack in anywhere," he warns.
While that sinks in, Moynahan is content to let the world try and catch up with what he truly believes is an industry-changing business for a sector that needs to change. But he's not about to go shouting from the rooftops or rest on those awards - not yet anyway.
"The moment you read the press clippings a little too much, that's the day you're going to be outdone. At Veracode we believe we have a very, very big security company on our hands, and the more humble we can stay, the better we'll be in achieving that lofty objective."