Interview: John Jack, Former CEO at Fortify Software

For this interview, I have the pleasure of talking to John Jack. John is the former CEO at Fortify Software, now part of HP Enterprise Security, and he also is or has been a member of the board at several security companies including Cenzic, AlienVault, and CipherCloud. He was also recently named an advisory board member for Contrast Security.

Today, John and I discuss the evolution of application security, the idea of continuous within application security, and how the trend in faster development cycles plays into the security life cycle.

The following is a brief excerpt of our interview:

Jeff Williams: So you've been involved in security since 2004, maybe before, and you've seen many evolutions in the security space. I'm really interested in your perspective on how the security market has changed and what you see happening now?

John Jack: The security market changes and the security market doesn't change. And what I mean by that is this. There continues to be a lot of innovation in security on both the positive side and I guess you would say the negative side. So those that would attack are core assets, whether it be intellectual property or financial information or transactional information.

They continue to innovate. So they continue to think of new ways to attack these assets either because of new technologies or because they just have enough time and enough resources that they can figure out ways to get to these assets that we have not thought of before. And therefore, make continued improvements in their approaches and frankly, have continued success and access to those assets.

At the same time, entrepreneurs like yourself and like others continue to come up with ideas on how to thwart these attacks. And so, you have this kind of ongoing evolution, this ongoing threat cycle, if you will. Where the attackers innovate, figure out how to get in.

We innovate and figure out how to stop them. It does vary a little bit; sometimes, we innovate and we figure out ways to prevent them from getting in that... or even before they have figured out that we're protecting against certain attack vectors. Mostly, it's this continuous threat cycle of innovation by the attacker, innovation by entrepreneurs and by enterprises. And then, a new vector emerges.

So in that regard, security has been pretty consistent for the last ten years. Now, these vectors that they attack...ten years ago there was a pretty well-defined solid perimeter.

Jeff Williams: John, let met jump in there real quick. I want to ask you a question about the evolution process. Because it's fascinating to me how security actually evolves. And I think what you said was really interesting... I think in most cases, attackers' innovations are actually kind of driving the process. And we've been kind of reactive in security. I'd like to get your thoughts on how we get in front of that. How do we become the drivers where we're protecting in advance of the attackers?

John Jack: Good question, Jeff. So my view on that goes like this. Over this period of time, there's been a lot of lessons learned. And as we evolve our technologies, as we evolve from things like just a solid network that can be well-identified by IP addresses and everything to mobile, to Cloud. There are lessons learned that as we thing about these new architectures and these new devices, we can get ahead of this by thinking about the threat vectors, thinking about how threats could attack these new technologies and build into these technologies, security and safeguards. Whether they're part of the core technology or whether they're bolted on.

But they are thinking ahead via the lessons we've learned from these previous attacks on protecting these new environments, so let me give you an example. If you look at the movement that enterprises have to Cloud. Whether it be Cloud-based applications or whether it just be their own data centers being morphed into hybrid public and private Clouds.

You know, with the Cloud, there is no hard to find perimeter, for example. The perimeter is soft, if you will. The perimeter doesn't exist in a set of known IP addresses.

So why don't we think about the fact that despite the fact that we don't have a known perimeter, we're still going to come under attack. So let's think about what those attacks might look like and therefore, create technologies that thwart these attacks, even though these attacks may not exist yet.

Jeff Williams: Yeah, I couldn't agree with you more on that. In fact, I've been doing this for a long time. And I've seen all these iterations of new technologies. So I started programming a mainframe and then those PC-era and Web and mobile and Cloud.

And it seems to me that every one of those generations, we've always forgotten the security lessons of the previous generation. It sort of started over from scratch and had to re-evolve security through this painful process of getting attacked and learning about the vulnerability and fixing it and building another platform and slowly building back up.

Where I think what you're proposing is the right way to do things. Is to remember the lessons of the Web when you're building Cloud. And build threat models and build the defenses in that you know are going to be there. We just haven't been that smart yet going forward.

John Jack: Right. And you and I come from a world where we learned this lesson around applications, kind of Layer 7 in applications, right? Where the original set of application developers that built all of these beautiful interactive applications were never trained, even at the collegiate level. That the applications not only had to be functional in performance, but they needed to be secure as well.

And there's no greater example around security than building it into an application from the moment you start building that application. Build the threat model, think about what technologies you're using that application. And then how can I build this application such that it's hardened? That it's hacker-proof, almost, if you will.

And so, that's an example of how that lesson has been learned. And now, if you look at enterprises and ISVs as they build applications, it's all about thinking about security as well as thinking about functionality and performance.

Jeff Williams: I'm glad to see that that's finally becoming part of it. It is a really hard problem because you really have to learn to write code before you can learn to write secure code. And it's difficult to get that involved in the process.

But actually, that really brings us to the whole topic of this interview. Talking about continuous. I think the only way forward is to get developers' immediate feedback on the code that they're writing. Good security feedback.

Because in my experience, that's how developers learn. Is while they're coding, they do something, they get instant feedback on a problem. Then they can learn never to do that again.

John Jack: Exactly. And from the world I started in, we tried to do that with static analysis security testing. And there were two worlds that evolved, right? Static analysis and dynamic analysis.

And they both were kind of approaching the same problem with different technologies. And they both worked well. They were the best solution at the time. And now there's an opportunity and I know Contrast is pursuing this. There's an opportunity to take the lessons learned from kind of the first forays into this DAST and SAST and create something more integrated.

And that allows us to really give developers real-time feedback. And in a way where developers can really both learn and also make good use of the information and the feedback they're getting at the time they're creating the applications.

Jeff Williams: Interesting. I think you're being nice. You were a very early innovator in what we're calling IAST today, or interactive application security testing. Tell me what you think about the emergence of IAST as compared to the more traditional SAST and DAST?

John Jack: Well, I think it's a natural evolution. I think if you look at technology, in general and security as well, there are often kind of pioneers that come up with a good problem identification. They've identified the fact that applications in this example need to be secure and they pioneer a few technologies to do it.

The reality is, those technologies needed to evolve. And I think the result of that is IAST, integrated application security testing. I think this now gives application developers better feedback sooner in a more concise format.

It gives you a more efficient way of accomplishing this goal of secure applications. So I'm excited by the evolution to IAST. And I think it makes total sense for enterprises. And for a company like Contrast, it's a great opportunity. Because we're at the point now where people are going to be saying... where enterprises and ISVs and others are going to be saying, "Okay, is there a better way to do this?"

Jeff Williams: Yeah. One of the factors that we've seen that's really been driving interest is sort of the move to agile and even dev ops development life cycles with much faster iterations, much more frequent delivery, continuous integration and so on. How do you see the trend towards faster development cycles play into the security life cycle?

John Jack: One of the things that you see in security, and we talked about this at the beginning, is that as the technologies evolve, so must security evolve. And now, you get these faster development cycles. You get more pressure and enterprises on delivering these applications.

I think a lot of people don't know that the top 100 enterprises in the U.S. have thousands of developers. And it's because they create their competitive advantage in the form of software and applications.

So there's a lot of pressure to deliver these to get the time to market as close to zero as possible. But at the same time, there's a tremendously growing recognition of the importance of these applications being secure. And without the right balance between the new technologies and security, these things don't get to market as fast.

So by having technologies that match up with the speed and the requirement of time to market, then you can find the balance that gets you these applications that create your competitive advantage, but at the same time, do it in a secure fashion.