Arun Chandrasekaran, Industry Manager and Cathy Huang, Research Analyst from Frost & Sullivan interviewed both Mr. Wayne Huang and Mr. Matt Huang for the "Movers & Shakers" series.
Mr. Wayne Huang
Wayne Huang has extensive experience in the security industry and is a frequent speaker at global conferences including RSA, OWASP, SyScan, WWW, PHP and DSN. He is the first author to achieve consecutive best paper nominations at the prestigious World Wide Web (WWW) Conferences (2003, 2004), and has co-authored the Web Application Security chapter of "Computer Security in the 21st Century" (Springer US, 2005). Wayne is the driving force behind the spirit of technical innovation at Armorize. He is a PhD candidate at the National Taiwan University Department of Electrical Engineering, and has received his Master's Degree in Computer Science and Information Engineering from National Chiao-Tung University, Taiwan.
Mr. Matt Huang
As Co-Founder of Armorize Technologies, Mr. Matt Huang guides domestic and international business development. He previously served as a consultant for McKinsey & Company, advising technology customers on product roadmaps and globalization strategies. As Business Development Manager for Microelectronics Technology, Inc. (MTI), Matt invested in high growth telecom & networking companies while advising the Chairman on corporate strategies. He holds an M.B.A. degree from Stanford University and B.B.A. degree from National Taiwan University Department of International Business.
Cathy: Could you give us a brief overview of Armorize Technologies and how the company was formed?
Matt: Armorize Technologies is a Web application security company. We have a suite of products, called the Armorize Appsec Suite™ that covers the entire Web application SDLC (software development lifecycle), starting from CodeSecure™ which is a source code analysis product, analyzing web application source code and securing the websites. As the website becomes active, the HackAlert™ service which is a 24X7 website monitoring service (in a SaaS model) monitors the website behavior. If the website is hacked or injected with malware, the website administrator will be immediately alerted via email or SMS. Finally, the web application firewall, called SmartWAF™ is a product that prevents data breaches from happening by blocking out web-based attacks such as SQL injection. These solutions integrate together. Once CodeSecure™ identifies vulnerabilities, it can send intelligence immediately to SmartWAF™ so that it can provide defense before the vulnerabilities are remediated in the source code. Also, if the web application is injected with malware, HackAlert™ will strip out malicious elements from outbound traffic from the websites to protect users browsing the site. In addition, the company has a very strong research wing - the Armorize Special Forces (ASF). ASF researches the most advanced hacking techniques and new malware, and helps safeguard against such sophisticated attacks.
Wayne: The research team was founded in 2001. We had a group of very good friends who were all working on security research. We started by analyzing the malware first and then "drive-by-downloads" and then essentially moved on to analyzing web application vulnerabilities, black box & white box testing, and static analysis. We published a lot of award-winning papers. The company was established in January 2006 and the technology was then commercialized before launching in 2008.
Arun: Okay. So, the company was founded after a 5-year gestation period?
Matt: That is right. We had a truly global team in 2001. We did extensive research for five years before the company was formed in 2006. We started commercializing the technology and launched our first product in 2008.
Cathy: Okay. So, why did the company decide to focus on "Web application security" at that time?
Wayne: Starting from the year 2000, we saw the attacks shifting to web applications. We were seeing a lot of malicious software (or malware) injected into websites back in 2000. The hackers were using SQL injection to spread malware in some very popular websites, such as the "Fortune 500" websites. Threats were getting robust and challenging. We realized this early on and received requests from the Government to tackle this problem.
Matt: When we were doing research at that time, most of the industry was still focusing on perimeter defense. There was not much focus on application security at that time.
Cathy: How do you see the evolution of web application security? Why is that a critical issue for customers?
Wayne: In terms of vulnerability landscape, nothing new has emerged in the web application security space. Vulnerabilities like cross-site scripting and SQL injection are almost a decade old and still remain as the major web application vulnerabilities today.
The only evolution today is that the Web has become a new way, even a mainstream way for malware to spread compared to the days when it spread via memory devices and other removable media. Today we see malware spreading themselves by exporting vulnerabilities on to very popular web pages with high traffic. This is a new trend. Yet, the impact of these "old vulnerabilities" is becoming more and more critical every day.
Cathy: What were some of the key factors that led you to believe that Armorize's solutions would be successful?
Matt: We do not believe that there is a single point solution that can address every single customer's web application security issues. Different organizations and different divisions within an organization have different needs. No point product or one single tool can address those needs. For that reason, Armorize, as a company, strives to offer holistic solutions. First, Armorize Appsec Suite™, which is a suite of products, addresses different needs in web application security. It allows customers to develop web applications on a secure foundation, to protect their mission critical applications in production environments and to monitor the web applications, letting customers know if they have been hacked or not. At the same time, we have the ASF team, as I mentioned earlier, the Armorize Special Forces team, which is a group of security consultants responsible for meeting the customized needs of our clients. Unlike some of our competitors, we are not simply targeting just the developers or just the IT security team, with a point solution. We have a whole lifecycle solution for all teams concerned with Web application security.
Cathy: How is the Web security landscape in Asia Pacific different from rest of the world?
Wayne: A lot of web application hacking methods and also methods of writing malicious web based scripts have been invented or created in Asia. There are two primary geographic locations: Greater China region and Russia. I think in the Greater China region, you would be able to spot the new attacks and new threats very early (5-7 years) before these attacks become mainstream and target the rest of the world. Russia is also similar. That is why we have Chinese and Russians in Armorize Special Forces R&D team. We can detect these attacks far more quickly than the mainstream due to this capability.
Cathy: Armorize has located its Global Research & Development center in Asia. What are the reasons for it?
Matt: We registered the company in the United States. We evaluated a lot of locations in Silicon Valley for our possible R&D center. Yet, many venture capitalists were urging us to locate R&D in China or India, as the software development industry was moving to those regions. We found Taiwan to be a perfect location due to the geographic advantage in terms of doing this kind of research and the tremendous amount of cross straits attacks. In addition, Taiwan is an open economy with free flow of capital and easy movement of people. So we decided to have most of our colleagues relocated to Taiwan. This has worked very well for us. We actually get a lot of malware samples way ahead of the United States because of our location in Asia.
Cathy: Over the next few years, what would be the focus areas for Armorize and how does the company intend to capitalize on those opportunities?
Matt: I think a very good opportunity for Armorize right now is SaaS (Security/software as a Service). In our case, both CodeSecure™ and also HackAlert™ can be delivered as SaaS over the Internet. In fact, we are licensing our technology to large global security vendors. They are essentially using the HackAlert™ technology on the backend to help detect malware or drive-by-downloads for customers. A good example would be Singapore or Taiwanese Governments, which can use the technology to monitor all the .gov.sg or gov.tw websites so that they can make sure that government sites that people access are free of "drive-by-downloads". We see a lot of opportunities there.
Another example would be HackAlert™ that is being introduced by a Japanese web hosting service provider and wrapped with its existing security services in order to protect more than 60 thousand customers.
Cathy: Over the next few years, what would be the key focus markets for Armorize and how would Armorize penetrate these markets?
Matt: Well, we have witnessed a great deal of success in the Asia Pacific region since we launched the product, particularly in Taiwan, Singapore and India. We are now actively looking at Europe. We have a business team focusing specifically on Europe. We have established a lot of channel partners, both in the Middle East, starting from Turkey, and moving into Europe. In the United States, we are looking more at an OEM model. We are partnering with many established security vendors.
Cathy: Okay. As the information security industry is moving toward rapid consolidation, how does a pure-play start-up, such as Armorize, view this trend?
Matt: This is a very good question. Yes, you are absolutely right about the security industry being on a "fast lane" in terms of consolidation. Consolidation does make sense, because it allows companies to serve solutions as opposed to point products to enterprise customers. However, having said that, I think there are tremendous opportunities for start-up companies, because they are more agile, flexible and innovative. Consolidation will continue in the industry. This is a good thing for Armorize too. We will continue to build the company. In the end, whether Armorize will remain independent or merge with another company would depend on our customers and what makes sense to them.
Cathy: Alright, our last question is about entrepreneurship. As a business leader, what do you believe are the most important traits required to be an entrepreneur?
Wayne: Being a start-up company, we do not have as many resources as a large company. We certainly need to have a stronger vision and dedication. The executives have to be really hands-on. It takes a lot of strength to keep going forward, as start-ups go through lots of ups and downs. For me, I have really enjoyed watching the technology grow. We have been focusing on this segment for such a long time and have enjoyed this journey. It is a pleasure to see the technology being commercialized and developed into award-winning products. I am lucky to be working with a team that believes in our vision. It is fulfilling to see customers being happy by what we do. This for me is what makes running a start-up company worthwhile.