Rajiv Menon (RM): Please share with us the history of Secure Code Warrior and how you first came up with the idea behind the company.
Pieter Danhieux (PD): When looking at the background of the team that founded Secure Code Warrior, we all started our cybersecurity careers around early 2000. This was a time when cybersecurity was heavily focused on offensive strategies. We broke into organizations, finding flaws, trying to exploit them, and gaining access. We soon realized that the mistakes we saw in 2000 were no different than the mistakes that we were finding in 2013. For 13 years, we pointed out security flaws in organizations, and they either didn't fix them, or their core issues kept coming back. So, in thinking about the root cause, we pinpointed that developers were simply not armed with the awareness and the tools to write secure code.

From there, we started exploring problems, first asking, "How are developers being trained on security at the university level?" And we found that nobody actually gets trained in security or in secure development in school. We then looked at the tools that security typically hands off to developers, and we noticed that those tools often point out flaws, but rarely offer solutions on how to fix them. And these tools also slowed down the developers' process, creating a poor user experience, which leads to low adoption rates.
There are 25 million developers around the world, and that number is growing quickly, so we decided to address the skills gap on a global level. We set out to create something developers love. Newer generations of developers are into gaming; they thrive on practical learning as opposed to theory. So, we built a gamified training platform.
Then, in 2017, we shifted our focus to building tools that developers would also enjoy using. We adopted a "developers first" mentality, creating solutions that offer guidance and support while removing friction and strengthening the relationship between developers and security teams.
RM: I grew up hearing the saying, "prevention is better than cure." And I think that's the path you've taken with Secure Code Warrior. You've gone upstream to developers, to solve these pressing issues that crop up again and again. And you've created a gamified training solution that's fun and truly helps with vulnerability remediation. Also, while other companies might take the stance of "If you can't write the code correctly, you can't write the code," you don't stop the developers from coding. You empower them and guide them. What inspired you to make that subtle but very powerful choice?
PD: Most of our founding team members have a security background. We had the mindset of "We need to stop developers from making mistakes." But there are also a few people on the founding team that have a development background. And that diversity led to some interesting conversations. I remember during our design phase, we asked, "We can identify flaws inside the IDE, but what should we do at that point?" And the people with a security background said, "Let's give them a warning sign and force them to fix the issue before moving on."
But it was one of our founding team members with a development background that said, "If you do that, I'm going to uninstall your tool immediately." I asked why, and he said, "Well, first of all, you're not giving me a choice. You are forcing me to do something because of security reasons. You’re not making me aware and leaving me the choice of whether I want to do it, with an understanding of the risk."
That conversation opened my eyes. I realized what the security industry had been doing very wrong over the last 5 to 10 years. We've always forced things upon developers without actually taking into account how it makes them feel. We needed to ask the questions, "Does it make them feel stifled? Does it make them feel that they're being slowed down while coding?" That's when we started looking at things from their perspective and began writing tools that benefited them instead of annoying them.
RM: And that turned out to be a brilliant choice, Pieter. The idea of developers being the first line of defense within application security is increasingly being recognized and was also backed up in your 2019 app security report. Can you share a few key findings from the study?
PD: Absolutely. We all know there is a major cybersecurity skills gap in the market. There aren't enough security people, and we can't train them quickly enough, so we need to do it differently. It's no different in AppSec. In most organizations, there are 500 to 2,000 developers, and on average, there's only one AppSec person that needs to help those 2,000 developers write secure code. Which means, if you assume an average of 1,000 developers, the AppSec person only has about two hours per year to help each one. That model isn't scalable. We're not going to solve the cybersecurity skills gap overnight. And developers are growing at a much faster rate than security people. So, the chasm is just going to become wider and wider.
But the good news is that most of the fundamentals around secure coding are not rocket science. You don't have to study for five years and complete a master's in cybersecurity to understand these things. We're teaching citizens about basic hygiene on password strength and password length and how to browse securely. The same thing should happen with developers. We need to make sure they walk away with the basics and they know that they shouldn't allow injection attacks, and they should enable storing passwords in hardcoded things. There are several hygiene tasks that every single developer can apply very easily, and in that way, they become our first line of defense against cyber-attacks.
RM: You've hit the nail on the head, there's an extreme discrepancy in the ratio between developers and AppSec experts that is only getting worse, and you're helping to solve that, which is fantastic. You just founded the company in 2015, and it's taken off like a rocket. You’re headquartered in Sydney, with almost 50 percent of your customers in the U.S., 30% across Asia-Pac, and 20% in Europe. What's next for Secure Code Warrior as you look to the next two to three years?
PD: The U.S. is still one of our core markets. We have about 100 customers in the U.S., but there's still growth potential. If we look at the Fortune 2000 and keep focusing on the enterprise market, there's a massive amount of growth we can do in the U.S. alone. A lot of companies would focus solely on the U.S. and forget about the rest of the world. But, I think because we weren't founded in the U.S., we have a much broader view. I think a lot of the future of development is happening in Asia, in countries like China, Vietnam, Thailand, and the Philippines. Soon, the number of developers in Southeast Asia will overtake the number in North America. For us, it's also important to start helping those developers that are coming up, because they are often the engineering power behind a lot of U.S. companies. That's why having a global perspective is so important.
RM: Let's change gears a bit. There are many well-known investors that have wanted to be part of the Secure Code Warrior journey. You've been careful in choosing those investors. You have Goldman, AirTree, and other high-quality financial investors. Cisco is the only strategic that you've chosen to accept an investment from. Can you speak a little bit about your selection process?
PD: In the two funding rounds we've done, we've understood that once our metrics are on point and we're growing, we can essentially get money from everyone. So that's never been a decision criterion for us. What we focus on is the reputation of the investor and the personal culture, class, and values fit of the director that will be joining or the person that we will be interacting with in the company. I have disregarded a lot of big names in the VC world because of the way they treated the staff in the coffee shop where we were meeting, or because of things that were said during the conversation that I found really upsetting. I've said, "This is not an investor that backs founders, truly believes in the founder culture, and believes that a company grows because of a great people culture inside the organization." So, we definitely looked at how they deal with the people aspect, what their reputation is in the market for working with founders, etc.
We also consider the brand. For any startup, recruiting and hiring talent is one of the biggest challenges you face. Both Cisco and Goldman are well-known brands to almost everyone. That helps us to create credibility in the market.
I also see Cisco as a flagship customer in the technology sector, with anywhere from 30,000 to 50,000 developers worldwide. The type of infrastructure, technology, and services you provide to the market are critical. Cisco is the backbone of many of the networks and organizations around the world, which means any software you're writing also resides within those companies.
Lastly, we chose Cisco because of your partnership network. I think there's value there where you could help us grow through that network, and we could also help you establish a more well-known reputation with developers. With your move to buy AppDynamics a few years ago, there's obviously a willingness for the business to go in that direction, building on your relationships in the developer space, so it’s a mutually beneficial partnership. Those are the reasons why we saw significant value in having Cisco on board as a strategic investor.