Show 139: Matias Madou discusses secure development training and software security testing research

October 31, 2017

Matias Madou is a co-founder and the CTO of Secure Code Warrior, where he provides the company’s technology vision and oversees the engineering team. He has over 15 years of hands-on software security experience. Matias was a researcher at HP Fortify and a founder of Sensei Security. He also holds 10 patents and has been very active in technology transfer from the lab to commercial products. He’s a sought-after speaker as well, and we’re proud of his presence at the 2017 BSIMM Community Conference. Matias holds a Ph.D. in computer engineering from Ghent University and currently lives in Belgium with his family.

Listen as Gary and Matias talk about effective software security testing methods, security research, secure development training, and more.

Transcript

Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, vice president of security technology at Synopsys and author of “Software Security.” This podcast series is co-sponsored by Synopsys and IEEE Security and Privacy Magazine. For more, see www.computer.org/security and www.synopsys.com/silverbullet. This is the 139th in a series of interviews with security gurus, and I’m super pleased to have today with me Matias Madou. Hi, Matias.


Matias Madou: Thanks for having me, Gary.


Gary: Matias Madou is a co-founder and CTO of Secure Code Warrior, where he provides the company’s technology vision and oversees the engineering team. Dr. Madou has over 15 years of hands-on software security experience. He was a researcher at HP Fortify and a founder of Sensei Security. Matias holds 10 patents and has been very active in technology transfer from the lab to commercial products. He’s also a sought-after speaker and, in fact, just gave a talk at the recent BSIMM Community Conference in Scottsdale, Arizona.


Matias holds a Ph.D. in computer engineering from Ghent University. He lives with his family, including two boys and a goat named Eenie Meenie, in Lichtervelde, Belgium. So we had to have an Eenie Meenie in there for sure.


So you made an important career move early on when you jumped from Ph.D. research to commercial research. I did the same thing in 1995. So tell us what that was like.


Matias: I started my career at Ghent University, where I was studying code obfuscation. Essentially, we were using static analysis to transform a piece of code and mangle that so that the inner workings were kind of hidden. And then we actually tried to do the inverse thing. We tried to go back from completely mangled-up code to its original format. When doing so, I was looking in the field to do an internship, and I found a very interesting company called Cloakware, which is now Irdeto, and they were doing that for real.


So I went to Canada, I spent 3 months over there, and it was very, very interesting. It was very eye-opening. I thought I was doing the latest and greatest in technology, but when I went there, I started to realize that these companies keep the good stuff for themselves.


Gary: Oh, that’s really interesting, huh?


Matias: Yeah. And so you would think that you were at the edge of a thing, that you were really doing rocket science stuff, but the really good stuff they keep for themselves. They do not publicize that. That was very eye-opening to me, and I really decided at that moment that I wanted to move to industry. I really wanted to be at the edge of things and making sure that you can put research into hands-on things that scale in the market, that you solve a real problem which is current today.


Gary: Right. So how did you get from Cloakware to Fortify?


Matias: At the time, I had two options for doing an internship. I was in touch with Brian Chess and Jacob West, and I was also in touch with the people at Cloakware. My advisor guided me towards Cloakware because that was very close to what I was doing on a day-to-day basis.


But still, when I graduated, I was like, “Well, there’s this company called Fortify. Maybe I should check it out.” It sounded very interesting. They were doing static analysis but for different purposes. So it was an easy way into the U.S., visa-wise. It was the last moment, you know, the last time that I could do something like that.


So I went to Fortify. It was very, very interesting, and I stayed on. I stayed at Fortify because I thought it was more interesting than what Cloakware was doing at the time.


Gary: So do you miss academic research at all, or is that just a chapter that’s gone?


Matias: That’s kind of a chapter that’s gone, to be honest.


Gary: And are you still interacting with academia? Like, you know, I agree with you—I also closed the book on academic research—but I still do lots of work with academia. Like I’m going to give a talk at Johns Hopkins this afternoon. Do you do stuff like that too?


Matias: Well, a very interesting question. Right now, actually, I do, but in a different way. I do not give lectures or something like that at the university. But we had an intern from Ghent University, and his name is Peter, and he asked me, like, “Hey, what should I do after I graduate? Should I pursue a Ph.D.?” And I was like, “Well, what I’ve learned over there is I would really do it, but I would do it in combination with an organization, a company, so that you’re really doing interesting stuff, and that has to work for real in the field.”


So the way we set it up right now is Peter is doing a Ph.D., and it’s shared between Ghent University and Secure Code Warrior.


Gary: Oh, that’s cool.


Matias: So he’s going to work on IoT for us.


Gary: Yep. That’s really cool. So at Fortify, you worked in the Advanced Research Group, doing, among other things, rules development for the Fortify code scanner. What’s the coolest thing you worked on in those days?


Matias: I was working on run time, and I know you’re not a big fan of run time, but we did quite some neat stuff in that area. And it was, I think, before Gartner came out with all the acronyms like RASP and IAST. I think that’s 10 years ago, must be around 10 years ago. So the very interesting part, I think one of the most interesting things that we worked on, was there was the WebInspect penetration testing solution. And through some run-time component, we were able to open up the black box and do it essentially as gray box testing, where the penetration testing solution will not only attack the end system, but some component will live in that end system and will give some feedback on how to attack that system.


Gary: Of course. I mean, it’s just what is known in the testing literature as “observability.”


Matias: I’m sorry?


Gary: As “observability.” It’s in the testing literature. You’ve got to do the test, of course, but you’ve got to see the test happen. And if you don’t see what’s happening, you have a real black box, like in physics. You can just look at whatever squirts outside the box, right?


Matias: Yes. And it was interesting to make sure, but that system was quite intelligent. It could actually steer the test, you know, where if the penetration testing solution was attacking with a SQL attack vector, the component in the background could see the attack coming in, see how the attack was placed into a query, for example, and could give some feedback, where it said, “Hey, you know what? I’ve seen you are attacking with a particular attack vector. Maybe you have to modify it this and that way so it gets through, so you can really exploit the system.”


That means it was really a back-and-forth between the penetration testing solution and that back-end system with that component in there to really break into the system.


Gary: OK. So how did your background in code protection play a role? That’s a trick question.


Matias: Well, fairly minimal in the sense that when I was working on my Ph.D., it was really for low-level stuff. We were working on x86, MIPS, PowerPC, so the static analysis that we were doing over there was really link-time analysis. We were able to build up this linker that had an overview of the entire application or entire piece of software but really on a very, very low level. We were actually more targeting embedded systems than higher-level software systems.


Gary: Mm-hmm. So in terms of what Gartner calls SAST and DAST—that’s static analysis and dynamic analysis—what’s more important, the technology to scan or otherwise probe software or the knowledge of what to scan for?


Matias: Actually, the way I look at SAST and DAST, I think you need both solutions. They find different stuff. Static analysis doesn’t do a good job when there are dynamic code execution components involved in the code, and dynamic solutions are not finding the breadth of what static analysis is finding.


I think it’s more important to fix what you find. Make sure that what static analysis and dynamic analysis come up with, that you also are going to ask your developers to fix these pieces of code. It doesn’t make sense to keep on scanning and keep on attacking your systems if what comes out of these systems is never looked at and is never fixed in code!


Gary: Well, I, of course, believe that, but the question is not really that. The question is, you know, you’ve got this technology for testing, but you need to know what to test for. What’s more important, the technology for testing, you know, the hardness, the ability to scan code, or the ability to emit packets a certain way, or knowledge of what to scan for or what packets to emit? It’s tricky. I mean, I’m interested in your opinion on that one.


Matias: I’m convinced that it’s both, but what’s most important?


Gary: Well, if somebody had a perfectly legitimate testing technology but they didn’t have any idea what to test for, that would be useless. But if someone had a big pile of stuff to test for, they knew what bugs to look for, but they had no technical way of looking for them, that’s also useless. So I guess a mix is the right answer. But in terms of development of technology, back in the early days, we found it way easier to build the scanning technology than to determine what the rules should be. And so it was a lot of hard work figuring out the rules, and I was wondering if you feel the same way that I do about that.


Matias: I don’t know. I think the way we’re approaching it right now is very practical where we…I think right now, we’re leaning more towards—and by the way, the way we approach it is more around coding guidelines and making sure developers know how to write secure code, so in that perspective, I would say we first start with the coding guideline. We think about the coding guideline, and then we look for the mechanism to transfer that to the developer.


In terms of vulnerability, I don’t know if you look for vulnerabilities, if you first have to build up the framework or the knowledge to look for stuff. And over there, I do not really know the answer. But if we’re talking about coding guidelines, for sure I would say we start with the coding guideline and then we start looking for the mechanism to transfer that to the developer.


Gary: OK. That’s a good answer.


So you mentioned RASP and IAST or whatever Gartner calls that stuff now. Do you think that technology is ready for prime time now? And do you think you can be the last tool to touch the potato before it ships?


Matias: Yeah, so I left that field. I can talk about, 3 years ago, when I moved on from HP. I saw a couple companies coming out with RASP technology. But to me, it doesn’t seem like it’s growing in the market. It doesn’t seem like everybody is now picking the RASP solution up.


From a technology perspective, I didn’t look further into the technology since I left HP, which is 3 years ago. From a market perspective, I do not see the huge pickup that Gartner was expecting.


Gary: It’s hard to know what Gartner expects. They just expect their check, I think. We’ll be right back after this message.


If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.


Do you think that we’ve made progress in the software security field as a whole in the last 15 years?


Matias: I think we have. I think we definitely have. I think if you look at organizations, before, it was only the financial institutions that realized that their bits are really the money in their organizations. Right now, we see more and more verticals picking up application security because they start to realize that what they’re building, it’s all software, and that software is built by developers, and we need to help the developers in making sure they produce secure code that is free of bugs and vulnerabilities.


So yes, I would say more people realize the need for application security and building secure applications.


Gary: Yeah, I think so too. So you helped me complete the fieldwork when we were doing BSIMM Europe. I think that was 2010. I couldn’t really remember the year. 2010 seems right though. How do you view software security as practiced in Europe today compared to the U.S.?


Matias: I think we’re still lagging. We’re still trailing. I think when we did BSIMM Europe, we already saw in the data that Europe was behind and we were trying to catch up. I don’t think that has changed. What we see right now is Europe being slow in adapting and moving forward with application security.


If you look at the U.S., they’re more willing to try out new technologies, to try out new things. I think we’re still seeing the same stuff where Europe is catching up with the U.S. They’re just getting their head around application security, around static analysis, and they have not taken the second step, where they start to realize that they have to do something more than static analysis. They have to fix their problems, for example. So I think that has not changed. We’re still trailing the U.S.


Gary: OK. How do you think the BSIMM Community has evolved since you became involved? You got involved, by the way, when we went from 9 companies to 18, because we did 9 in Europe for BSIMM2. So that was a long time ago. How do you think that community has evolved?


Matias: Actually, back to your first question, I think you can see the same trend if you talk about BSIMM. If you look at the U.S., it’s a huge community, and Europe, we’re not quite there yet. It’s not that huge community that you have in the U.S. So over there you can see the same kind of trends where we’re still trailing.


The BSIMM Community itself, it’s super interesting. It’s enormous. At the last BSIMM conference, which was a couple weeks ago, well, it was very interesting to see all people with the same jobs, application security managers from different organizations, in one place. They really do this stuff on a day-to-day basis, so having a conversation with these people is super interesting. They know what their problems are, their day-to-day pains, and hopefully we can help them with their day-to-day pains. When they speak to each other, they can actually gain some knowledge from their peers at other organizations trying to figure out how to solve some of these pains.


Gary: You gave a talk at the BSIMM conference. What was your talk about (briefly)?


Matias: My talk was about coding guidelines. We come from an application security industry, where everything is set up around finding problems, finding the vulnerabilities in the code. It’s very interesting to me that pretty much the entire application security market is around finding the problem—from SAST, to DAST, trying to fix it with RASP—and very, very little is around helping the developer write secure code…


Gary: In the first place, yeah.


Matias: …or helping the developer fix the code. So my talk was centered around coding guidelines, helping the developer on a day-to-day basis in writing secure code. I think today, there are not a whole lot of coding standards out there that are very language specific, and I think that’s a problem right now. That’s something that we’re trying to address. We’re trying to help developers write secure code and putting coding guidelines in front of them so that they can actually do their job.


Because quite frankly, not all developers are interested in security. Most developers hate to write features, and security is an afterthought. They don’t have to think about that on a day-to-day basis, and they think that somebody in a different department will take care of that. Well, the truth of the matter is that’s not true. Security is everybody’s job.


So we have to help them. We have to help the developer. We have to give them the tools and the means to be successful with their job.


Gary: So let’s change gears a little bit. You founded and sold a company in Belgium, so how did your time in Silicon Valley influence the way you approach business?


Matias: Interestingly enough, if you would have asked me during my time at Silicon Valley if I would ever found a company, I would have said no.


Gary: Of course, but you were in the middle of it.


Matias: It was never my ambition. I know, I know. But I liked it over there. I helped and I really enjoyed building solutions as a startup, but if you would have asked me, “Hey, do you want to do that yourself one day?” I would have said no. So I kind of rolled into that. I was interested in solving one particular problem in the market space, and other people that surrounded me thought it was a really good idea. They supported me, and they wrote me letters to get some funding from the Belgian government to actually do that.


So eventually I did. I wrote these letters, I defended a project for money at the Belgian government, and they gave me the money. So then I was like, “Well, now I really have to do it,” so I did it.


Gary: You accidentally succeeded yourself into the corner.


Matias: Yeah.


Gary: Do you consider yourself a leading entrepreneur in Europe or in any way anomalous, or do a lot of people do that sort of thing that you just did?


Matias: Too few people do that, I think. While I do think there are more and more of these kinds of grants that you can get from the Flemish or the Belgian government—or even in Europe, there are grants that you can get to start your own business—well, I do not see a lot of people picking these grants up. We’re very conservative, I think, in Europe. And yeah, I think I’m an anomaly in that way.


Gary: Do you think that’s a cultural thing and it has to do with entrepreneurial drive, or, you know…it sounds like the resources are there, I guess.


Matias: Yes.


Gary: So what’s the solution to that? Is it a problem, or is it not a problem?


Matias: I think one of the problems that I see is that failure is not an option. So if you fail, it can definitely hurt your career in the long run, you know. Especially in Europe. Once you fail…even if you only fail once, it’s definitely going to hurt you in the long run. So if you do this, you have to be successful. Failure is definitely not an option.


It’s also the way companies are structured in Belgium. The first couple of years, you’re personally responsible for everything if something goes south. Even if they say it’s a limited responsibility, that’s not exactly true. You’re responsible with everything that you have for the first couple years.


Gary: So you really have to take a much more, a bigger risk than an entrepreneur in the States might take.


Matias: Yes, I think that’s true, and at the same time, there’s not that much upside. It’s heavily taxed where we live.


Gary: Right. That’s really interesting. So maybe it’s just that structure that’s holding people back. There are plenty of people with good ideas that would do this, but the amount of risk that you have to take on is just too high.


Matias: Yes, I think that’s true. I think they’re trying the best they can to change that a little bit, but up until now, yes, that’s still true.


Gary: So you did this successfully. You started a company, you took all the risk, you ran it for a while, a couple years, and then you sold it. Is that something that you think you could help others do now, around Belgium?


Matias: I think I can, yes. I would definitely be open to helping people out. Actually, I already did a couple of times, where people asked me, like, say, how did I do it, how did I start, where can they apply for these funds, what’s the paperwork like, how does defending the proposal go? So I helped a couple of people out with their proposal and defending it and aiming for these grants.


Gary: That’s cool. Well, I hope it continues over there.


So the last question’s a total flyer. In April 2016, we completed “The Great Belgian Rum Tasting of 2016,” and you have an impressive collection of rums, I’ve got to say. So in your studied opinion, what is the best rum in the world?


Matias: The best rum in the world for me right now is the Millonario, and it’s really sweet. I actually like tiki drinks, so with tiki drinks come these rums that are more mainland rums than island rums. And right now, for me, the Millonario is my favorite rum.


Gary: There you go. So everybody, rush out and get some. Thanks for your time today. It’s been fun.


Matias: Well, they cannot rush out and buy them, because as far as I know, they are limited. So if more people start to buy them, the prices will go up. So I don’t know.


Gary: Maybe you’ve got the rum market cornered in Belgium, and this is your new startup. I think we just came up with a new business plan.


Matias: Yes.


Gary: All right. Thanks for your time, Madou. It’s been good talking to you.


Matias: Thank you very much, McGraw.


Gary: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is co-sponsored by Synopsys and IEEE Security and Privacy Magazine and syndicated by Search Security. The September/October issue of IEEE S&P Magazine is a special issue on genomic privacy. It also features our interview with Ksenia Dmitrieva-Peguero of Synopsys. Show links, notes, and an online discussion can be found on the Silver Bullet web page at www.synopsys.com/silverbullet. This is Gary McGraw.