Sunday, February 14, 2016

Continuum Security: "50% of vulnerabilities could be avoided"

Cristina Bentué and Stephen de Vries. Founders of Continuum Security Solutions.

Continuum Security won first prize in the startup competition organized by the National Cybersecurity Institute (INCIBE). There are two people behind this small but ambitious company, Cristina Bentué and Stephen de Vries, who live and work in Barbastro. One day they decided to give their cybersecurity consulting a different twist by developing their own products, focused on the analysis of software security.

Stephen is the hacker of the family. His most famous creation, BDD-Security, free and open source, came out of his head, and so did Continuum's flagship product: IriusRisk. The aim is not only to analyze security but also to achieve secure development from the start. Major players are betting on this startup, which has been a finalist in the BBVA Open Talent and in the European Cyber Security and Privacy Innovation Awards.

- It isn't usual to see women in this world, Cristina.

- Curiously, when computer science started to become popular in the 80s, almost 40% of graduates were women. Today that figure is less than half. In the United States an initiative called "Girls Who Code" has been started, which I think is very interesting and should be exported. Women in this sector are still being objectified; I still get sick when I remember the tiny skirts worn by the hostesses of the antivirus company Sophos at the Mundo Hacker congress: on the back it read "Protected by Sophos".

- Why the name?

- Continuum addresses the latest practices in development, where software is built in a continuous way with minor increments and continuous deployment.  Continuous Integration and Continuous Delivery have already been set as standards for good practices, and naturally we need Continuous Security too! The company’s name aims to underline our strategic vision: security must be embedded in the development of software, without blocking it or delaying the process… It has to be a Continuum :)

- How and when did you create Continuum Security?

- After 17 years providing cybersecurity consulting services, we saw that we were stuck, that the situation wasn't scalable, because if we accepted a greater volume of business, we would also have to hire employees to handle it. We started to see that the key to greater profitability was to develop a product, and Stephen had a good idea, innovative in the field of cybersecurity. When the crisis subsided, we decided to invest our time and money in R&D, and 18 months later IriusRisk was on the market. To strengthen our commitment to the new activity, we changed the company's name to Continuum and made sure all our work was focused on the software products we license.

- Is it a company of 2?

- We are still just the 2 founders, but we usually work with freelancers. At the moment we have a programmer in Brazil, another in Romania and another in Madrid. Luckily, the Internet doesn't know about borders or flags.

- If I understood correctly, you create tools for programmers to test the security of their programs and apps. Why this kind of product?

- When we were consultants, we were given finished apps to test, and 50% of the vulnerabilities we found could have been avoided if the developer had had a half-hour conversation with a security analyst at the moment he designed the app. Correcting this kind of architecture failure takes a long time and is expensive. We think programmers should be responsible for the code they write, but we understand they have enough work learning the new languages. IriusRisk does that for them, advising them about the security of the software they are developing and showing them the risks that can occur and how they can deal with them, even before a single line of code exists, starting from the app's architecture.

- Are you the first to create this kind of tool?

- There aren't many. The majority of cybersecurity products act at the end of development, when the app is finished or almost finished. We only have a couple of direct competitors in automating risk models at the app design stage, and none of them also offers a platform to manage that risk throughout development.

- But... with automation you don't get rid of all the bugs.

- Correct, we always need a security analyst: we won't work against ourselves, Mercè ;-)

- I suppose your tools don't find 0-day vulnerabilities that could be used for bug bounties?

- No (not yet, who knows…!), our vision is to provide a solution to the problem of software security scalability, not at the code level but at the design level. If I am the CISO of a company that deploys 1000 applications every year thanks to a team of hundreds of developers, but my security team consists of just 4 software security analysts, then my first challenge is to make sure my applications are designed securely and cover at least the basics of security, forget about the more sophisticated attacks! The Talk Talk case in the UK is a good example, they lost hundreds of thousands of clients because of an SQL Injection attack - a type of vulnerability we've known about for 18 years!  It’s sad and surprising at the same time, but the problem of scaling software security is only going to get worse with more and more companies building and deploying custom software.

- Your great success has been the open-source BDD-Security. Which companies use it?

- It's hard to know; being open source, we can't track who downloads this testing framework for "continuous integration". We went to install it at the New York Times offices, and we know that a large South African bank and another in the Arab Emirates have it in their systems too. A colleague of ours started working at one of the biggest banks in the United States and told us, to our surprise, that they had been using the program for a while. The biggest joy BDD-Security has given us is being referenced by Adobe as a standard and having them describe it as an innovative tool in the cybersecurity sector.

- You're on a good run: finalist in the BBVA OpenTalent and in the European Cyber Security and Innovation Awards, winners of INCIBE's Cyber Security Accelerator Program... What do you think they've seen in you?

- It must be my sweeping green eyes ;-) The key is making something new and necessary. You have to see the gap, perceive the opportunity: I think Stephen, the creative genius, is a visionary in this respect; he is full of ideas and enthusiasm for innovation, and someone called him a "thought leader". If he could isolate himself from the company routines demanded by running a business, if you left him 8 hours a day in his office without disturbing him, every three months we could launch a new product to market, and all of them would be as innovative as BDD or IriusRisk.

- Do you know that a regulation has been created to ensure that everybody who works in cybersecurity in Spain should have an accreditation, like a "hacker certification"? What do you think?

- The activities of an "ethical hacker" are very sensitive, legally speaking. You can do a lot of damage to the company you work for, to its reputation, to its end clients, to its systems, and that's why it's susceptible to unwanted criminal cases. Intentional or unintentional. A credential shouldn't be seen as an annoying bureaucratic process, but as a kind of civil defense against misfortunes.

- From Barbastro, would you say you're more in touch with the Spanish cyber community or the worldwide one?

- From the beginning we wanted to be worldwide; we are like the Internet: uprooted, metalinguistic, decentralized. But the Spanish cyber community has supported, accompanied and spoiled us, from INCIBE and the Junta of Castilla y León to the Instituto de Fomento of Zaragoza and a few private companies from Aragón. What's more, our first client, the first who saw the potential in us and bet on us decisively, was a Spanish bank; we are successful because of it. So we realize the sector is more solid than it looks. What happens, I think, is that Spanish people are very discreet and humble. In Spain, working hard is an end in itself, not the means.

- To conclude, we would like you to give us a quote for our audience.

- Ethical Hacking is not an oxymoron, it's a necessity for a healthy society.

Text: Mercè Molist