0:04
Hi, folks, I am sitting here with my good friend John Viega,
the chief executive officer of Capsule8.
How you doing, John?
>> Good Ed, thanks for having me.
>> Hey, listen, tell us about yourself.
And kind of how you got into being CEO of a cool internet start up company.
Absolutely, I stumbled into security by accident, wrote the first book for
developers on how to build secure software with our good friend Gary McGraw.
Did the GCM encryption algorithm that's used everywhere.
And then took a turn onto the business track with McAfee,
where I was a tech exec for a long time.
And then landed at Capsule8 just because I'd done a good job
marrying deep technical background in security with the business side of things.
>> How does somebody with a super geek background as a developer hacker
get into starting a company?
Is that a big transition to go from, I'm assuming you still do tech work.
But is it hard to be the CEO of a cyber security company?
>> Yeah I spend a lot of time sitting on my hands.
>> [LAUGH] >> Meaning I want to roll up my sleeves
and do something that keep me from atrophying but
I try to stay disciplined about prioritization.
>> [LAUGH] Tell us about the company.
You guys work, Linux security is your area, so what do you guys do?
>> So Capsulat8 is doing security for production environments.
So those pretty universally run Linux,
more and more so 93% of instances in Amazon are running Linux.
And even a third in Microsoft's cloud are running Linux as well.
And so, what we're doing is providing visibility
into what's going on on your production systems without impacting production.
Then doing security on top of that, particularly threat protection,
looking for instances of attacks and preventing those.
Being able to respond seamlessly to that and then if there is an incident give
you the ability to go back and do forensic investigations.
>> This may sound like a dumb question, you can fix it if you say it wrong.
But in terms of the Linux software, do you guys have to add a bunch of stuff to it?
Or is most of it there and you're just making use of what's there?
Are you adding, or are you just sort of, or is it all of the above?
>> Now so in terms of adding,
that's something that big enterprises are really sensitive to.
They don't want a Linux kernel module, it risks stability of the system.
It means if they do have a problem, their Linux vendor's not going to support them.
So in a sense you can't build something that adds to the Linux,
and expect that people are going to use it.
So we have to make due with the technologies it provides for
getting data out and doing whatever we need to so.
So thankfully, Linux over the past few years made great progress.
So that's actually something where what we're doing today to provide real
protection to a Linux system, we couldn't have done five years ago,
not even three years ago.
>> What's kind of the business model are you selling to data managers to software
companies, to enterprise security teams, like who would be buying your product?
>> Right now we're focused to large enterprises and
many of them are making this transition right now.
Where they're designing platform as a service for internal use and
that might be based on a hybrid of going into a public cloud and
still some on their private cloud.
And they're stitching together open source and sometimes commercial components.
And they want to have their own kind of internal platform that they give to
developers.
And so that's really where we're starting is becoming the security fabric for
companies that are making that transition.
And so that is typically the Fortune 500 enterprise today.
And as we figure out what their needs are, we'll have a good sense of
how that's going to transition to other markets and move on from there.
>> Those number you said earlier staggering, you've told me that before.
The percentage of coverage that Linux has in a data center.
I bet a lot of people watching don't realize how pervasive that is.
>> Yeah, I was kind of surprised that Microsoft bragged about it.
>> [LAUGH] >> A third of our server running Linux.
>> [CROSSTALK] [LAUGH] >> Probably at some point be dealing with
Microsoft folks.
Hey, let me take you back to your earlier work.
You did a book with Gary McGraw.
>> Yeah. >> And it's about secure coding.
I want to ask, maybe this is a rhetorical question.
But is it possible to write secure code?
I bet you get asked that a billion times.
>> You know what, probably not actually.
I think everyone just assumes that it isn't.
And I'd say that's pretty much universally true.
There are even in the early days I can remember finding
security vulnerability in some code that one of the L0pht guys wrote.
Who knew everything that could go wrong that people had found out about and
still it was tough for him to kind of keep it out of his code.
>> L0pht being of one of the more prominent hacking groups kind of over
the last 10 or 15 years.
>> Right, right.
>> Little less active now it seems like.
>> Yeah, they got acquired by @stake what, 15 years ago and they kind
of disappeared as a thing but they were really the smartest of the smart.
They were still messing things up and I'd say that we've got a lot
of abstraction to that helps in some instances.
But it's really, I think there is, as long as there are stupid people,
there will be ways to game a system and everybody is at some point.
So I think that the software security problem might get better but
it's not ever going to go away.
6:31
Coding is just too complicated in itself to never have any security problems.
>> Are you more optimistic or pessimistic about cyber security in general?
>> Some days it feels easy to be like where a hamster's on a treadmill and
the faster we run, the more we realize we're not making any real progress.
I think there's still plenty of room to innovate our way out of it.
I think that some people would say, well it's a lost cause because
the bad guys can always reverse engineer and figure out any problem that's there.
But you always can set the bar higher so
it's a question of how much work they have to do.
And then in our modern world too when a lot of your code runs in the cloud and
there's no access to the source code.
Then security through obscurity can actually help provide more robot systems.
I feel like there are a lot of modern companies that do a good
job of locking down their production environment, reducing their tax surface.
And have relatively few incidents compared to
the titans of yesterday, the Yahoos of
the world who can lose billions of records and not notice it for a couple of years.
Dr. Edward G. AmorosoResearch Professor, NYU and CEO, TAG Cyber LLC
