Applications are ‘not secure by default’: Checkmarx CTO Maty Siman

Siman, in an exclusive chat with e27, talks about app security, challenges of sophisticated malware and why Israel is called ‘Silicon Wadi’…

There has been an increased interest in privacy and security topics, particularly after former CIA contractor Edward Snowden’s disclosures that the US government is actively monitoring both citizens and foreigners through a mix of networks and applications, particularly mobile. With the ubiquity of mobile devices and much of our data being on the cloud, anyone can be a target.

The Internet of Things (IoT) is the next big thing in mobile, and it goes well beyond phones and tablets. With connected cars, context-aware home heating (or cooling) systems and location-aware objects, there may be no limit to the ways governments and even private corporations can monitor us as users. It is happening right now: when you use a social networking app on your mobile device, your location and context are tracked, along with your interests and sentiments — all in the service of effective and profitable targeted advertising.

In its 2014 Love, Relationships & Technology Survey, McAfee found that nearly 50 percent of adults surveyed share some intimate information with their partners over open networks. This means users can be at risk of exposure in terms of personal affairs. It is worth keeping in mind that data stored in the cloud can be hacked into, especially when it travels over unsecured networks and services.

e27 had the opportunity to interview Maty Siman, Co-founder and Chief Technology Officer of Israel-based security firm Checkmarx. The startup, which provides security tools, particularly for checking Java code for potential security holes, advocates protecting users at the source — this means minimising exploits delivered through insecure code.

Siman was a keynote speaker at the recently concluded AppSec conference in Santa Monica, California, and will also be a keynote speaker at an upcoming RSA Conference in San Francisco. At AppSec, Siman warned attendees that the increasing ubiquity of JavaScript in our lives (which includes playing online games and navigating a map) makes users vulnerable to “security storms” that are brewing in code. His experience goes beyond the private sector: Siman was also involved with the Israel Defense Force (IDF) as a security analyst and advisor.

In an exclusive chat, Siman shares thoughts on security, platforms, military service, and Israel being one of the startup hubs in Asia.

Excerpts:

What is your take on the startup action in Israel? What are the key advantages of the country, compared to other places in the region like Singapore, South Korea and Hong Kong? Do you think there is a marked difference between these Asia Pacific countries and Israel, given the geographic divide within Asia?

Maty Siman, co-founder and CTO, Checkmarx

Israel has indeed blossomed into a startup hub over the last few decades. The country’s leading universities nurture budding talent and the practical experience they acquire in their army service brings them to a whole new level. The Israelis are also blessed with unique problem-solving abilities that enable them to excel in the IT sector.

The Israeli government is also a big reason behind Israel’s technological boom. Thanks to the subsidies and boosters, almost 4,000 tech startups have been established so far in Israel, second only to the USA. Due to our location in the Middle East, we are now nicknamed ‘Silicon Wadi’ (Wadi being valley in Arabic). The future is looking bright.

What are the biggest security concerns we should be worried about today — as consumers, developers, and platform owners?

As consumers. The internet boom has compromised customer privacy. Poor password implementation and unsafe computing practices have opened the door to dangerous malware, especially via social media websites and emails. Mobile security is also a largely overlooked field, with WiFi hotspot manipulations and rogue apps causing extensive damage.

As developers. We are seeing a growing number of large scale breaches that start at the application layer. As a result, organisations are looking to introduce application security testing as an integral part of their Software Development Lifecycle (SDLC) and identify those vulnerabilities as early as possible. Static Application Security Testing (SAST) and Static Code Analyser (SCA) are great ways to secure products.

As platform owners. With millions of users uploading their private data as cloud users or registering their personal credit cards for purchasing items, platform owners have to ensure their safety. Unfortunately, unsafe SDLCs and usage of unsafe plugins in CMS platforms leave millions of users vulnerable.

Also Read: WordPress Top 50 Plugins Checkmarx Research 

What is your take on the privacy situation today, given the concerns about NSA spying, companies collecting user information, and the ubiquity of mobile devices like smartphones, along with wearable tech like Google Glass?

The basic assumption that applications are “secure by default” has been proved wrong. We read about exploitations and high-profile hacks on a daily basis. Encryption standards within applications are problematic, enabling snoopers to fish out users’ private information and sensitive data. Application security is not a top priority right now.

The NSA and other secret agencies, along with leading commercial organisations, collect user data with sophisticated malware and stealth hacking techniques. More and more gadgets and appliances are becoming “smart” and are working with internet connections. This obviously is going to be a huge security challenge going ahead.

Your background highlights your involvement in the Israel Defense Force. Do you think experiences like yours are an advantage, compared with other countries, cultures and jurisdictions that do not require military service? Or would you have been involved in digital security even without your IDF experience? 

Army service after high school graduation is mandatory in Israel, with men serving three years and women two. I was fortunate enough to serve my country and gather first-hand experience in the Information Security field during my service. I came across real-life scenarios that I had to solve instantly, and those helped me hone my skills.

The social aspect can’t be neglected. The IDF is basically the biggest melting pot in our country, consisting of people from different backgrounds and cultures, with varied lines of thought. I met many key figures whose ideas and philosophies continue to inspire me to this day. I definitely gained a lot from my involvement in the IDF.

What are key plans for Checkmarx in the short and long term?

Checkmarx was recently named the second-fastest-growing security company in the 2013 Deloitte EMEA Tech Fast 500, posting over 2,200 per cent revenue growth in the last five years. Four of the world’s 10 largest software companies and three of the world’s four largest IT consulting firms are now protected by Checkmarx.

Checkmarx’s successful 2013 was punctuated by an equity funding round of US$8 million. This will enable Checkmarx to sustain its exponential growth and meet the growing demand for application security testing solutions. We are looking to venture into new markets in parallel to expanding current US operations.

Israel’s leading technology publication, TheMarker.com, recently placed Checkmarx among the top 10 Israeli startups to watch in 2014. We are aiming to expand our technical abilities as well. This will include compatibility with more programming languages and the creation of advanced mobile security solutions. Stay tuned!

A technology and automotive journalist with an interest in emerging standards, J. Angelo Racoma has written extensively about mobile, social media, enterprise apps and startups. Angelo has been active in online media since the early blogging and social networking days, and is co-founder at WorkSmartr, a small outsourcing platform for freelancers.