Interview

Former @stake researchers rekindle past, discuss Symantec spin-off

Dennis Fisher

@stake, the famed consulting and research boutique that was acquired by Symantec in 2005, occupies a unique place in the history of the security industry. Many of the top researchers in the world passed through its doors and the company served as a launching pad for a number of other security companies, including Matasano Security and iSec Partners. Former @stakers also helped found the security teams at Microsoft and other large software vendors. As part of Information Security's recent 10th Anniversary issue, Executive Editor Dennis Fisher sat down with Chris Wysopal, Christien Rioux and Chris Eng--all early @stake employees--to talk about @stake's history, culture and the company's continued influence on the security industry.

Dennis Fisher: When you got to @stake, was it just the L0pht and a few consultants at that point?
Christien Rioux: Yeah, there was a core group from Cambridge Technology Partners. Dave Goldsmith, so he was one of the first employees. Ted Julian was the first employee.

Chris Wysopal: Window Snyder. She joined about the same time we did. I guess the core group at that time was from Cambridge Technology Partners. Sort of CTP plus L0pht. We had about 13 or 14 people total. When we officially launched the company it was relatively big, had a pretty large founding team, if you will. They really wanted to have a strong research background so it wasn't just a bunch of consultants with no engine behind it.

Fisher: One of the things I keep hearing is how loose and unstructured it was at the beginning and how much they let you work on whatever project you were interested in.
Chris Wysopal: We had just been starting to turn the L0pht into a real business sort of the year before we sold to @stake. So that had sort of jelled early in the year before @stake. Before @stake it had been just sort of work on any project and explore. And toward the end we said let's work on projects that will make us some money, so we can quit our day jobs. That was the goal. And we were just sort of getting to that point, just starting to talk to VC companies about what could a future L0pht look like and Battery Ventures said we have this great opportunity. We're starting a security company, why don't you just join as our research group.

Fisher: So that made it pretty easy.
Chris Wysopal: It made it easy, because the money was already there. It was already funded. We didn't have to go out and find a CEO, find a management team and all of that. That was already there.

Fisher: Was there any sort of internal discussion among the L0pht guys about getting into the corporate arena?
Chris Eng: We had agreed eventually that this was something we wanted to do. I don't remember any of the parameters around those discussions, since it was almost a full decade ago now. Well, eight years I guess. We all had to agree. There were quite a few meetings before we could figure out exactly what the terms would be and how we would go forward. I mean, what would we do as a research group that would be different from a bunch of guys sitting in a warehouse? How do we best apply what we do to a company that is trying to do consulting? I mean, really try to back up the consulting force with what we do. Otherwise we'd just be aiming off nowhere. How to best focus that. How to utilize both the fact that we had a lot of hardware analysis skills and software analysis skills and things like that. L0pht was a very wide, broad set of skills in one place. So finding a utility for all of that talent at @stake was a challenge. We used it as best we could. There were a lot of opportunities to analyze routers and hardware projects and things that really jibed well. We had a little bit of everything in the group.

Fisher: When did people start heading off on their own? When did the key people start leaving? The thing that sticks in my mind was when Dan Geer got fired in 2003. That was sort of the first big name guy I can remember leaving.
Christien Rioux: I was doing a lot of research for this place over the time that I was at @stake. I didn't really know that Veracode was what would come out of it. I was working on the technology engine. I was really focused on that and I probably wouldn't have really noticed particular people leaving. I would've noticed Dan. I really don't remember many others. [CEO Chris] Darby went to In-Q-Tel.

Chris Wysopal: Window Snyder and Frank Swiderski went to Microsoft. I think we had what would be considered a pretty typical rate of attrition for consulting. Two to three years is pretty typical with consulting. I think some of the people who left, like Frank and Window, were there for about three years. Now they're either managing stuff or developing products or whatever, using different skill sets.

Chris Wysopal: We had already sort of hit the limit of attracting good talent. We had the biggest concentration of application security experts by far. We'd talk to other consulting companies that had like two and we'd have like 40. We had already amassed everybody. I don't think we were growing at that point. We were just pretty much steady-state. So when the Symantec deal came along I think a lot of people looked at it as a new opportunity, we didn't really know what was going to happen. You never know with an acquisition.

Fisher: Did it take a while once you guys were at @stake to find a way to make those skills useful to the consultants or was it immediately clear how you could work with them?
Christien Rioux: No. Basically the fact that the L0pht was there, combined with the top talent that was coming, we were creating a new kind of security company. There were two types of security companies before. Companies like ISS that had products and which would consult and do security assessments as well. And there were the Big Four that would do assessments too. And the Big Four never built their own technology. They bought stuff off the shelf. Then you had the guys who were really software companies that just used their own technology. Here you had a group of people that weren't coming from an auditing background and weren't coming from a software company background. So it created this new culture of a lot of dialog and research going on internally, creating tools to do things. It took a while to figure out how to capitalize that. I'm not sure it ever jelled as well as it could, but it was kind of a learning, evolving company.

Fisher: Did it take a while once you guys were at @stake to find a way to make those skills useful to the consultants or was it immediately clear how you could work with them?
Christien Rioux: I don't think it was ever formalized how the consultants worked with the researchers. It was always kind of happening, there was always a back and forth knowledge sharing. In some sense the research team was always kind of an extension of the consultant group in a lot of cases. I can remember on projects we'd just want some input from people who had the expertise and you'd just walk over to a room and chat about it for an hour. It was a good, interesting dynamic to have that kind of people at your disposal. And you had research coming out of consulting that would wind up in products, just like they kind of had the freedom to research what they felt was relevant and what was interesting in application security, or in security in general. Consultants did the same thing. There was just a lot of back and forth between the groups that made it an interesting place to work.

Fisher: When did you get there Chris?
Chris Eng: The summer of 2000. Pretty early on. But @stake was rapid growth, by that time we probably had six or seven physical offices.

Fisher: And what drew you there? Was it the idea of doing whatever you felt like was interesting?
Chris Eng: The work was interesting already, I think it was the draw of working with the people I saw gravitating to that place. I knew the guys from L0pht by reputation, primarily. But there were a handful of guys from NSA that all went over to @stake. And one guy was more on the product management side and he recruited a few of the technology folks up there. Just kind of seeing the opportunity to work on really interesting projects. Consulting is interesting in general because you get to work on very interesting problems for short spans of time and then move on. You get a real feel for what's going on in the industry. The government space is interesting work, but it's a totally different focus. I thought it was an interesting opportunity to get exposure to that. Dave Aitel came from NSA too. 

Fisher: Who else?
Chris Eng: Frank Swiderski. He was at NSA, but he was a consultant for a small shop, I don't remember the name of it. The three of us came over together. Later on, Adrian Ludwig, who's now at Adobe, came over. Probably after Dave. Definitely attracted a few people from there.

Fisher: What was the mood like around the time of the acquisition? I'm sure you guys knew ahead of time that the VCs were looking to get their money out.
Christien Rioux: I think everybody's mindset was, let's break even. I don't think anyone had any hard feelings necessarily, and some people did better than others. But we did way better than some of the other companies that didn't make it as long. The timing was really tough. 9/11 hit, the economy just kind of seized up. You'd think they would spend more money during a time of increased security, but it turns out that people just stop spending money, period. It was hard to convince people to fork out money for something that has a benefit down the road. I think everyone was pleased that @stake had a sustainable business model and we could keep going indefinitely, but the question was, was it ever going to expand or grow any bigger than what it had gotten to.

Chris Wysopal: I think it was different for different people. Christien and I were in a product group so we were developing technology. We weren't consulting. It was very different from the consultants. So for us, the technology wasn't ready to go to market yet. And it didn't really fit into Symantec's product line, and that's where the decision was ultimately made by Symantec that we could spin it off. So we spun it off to become Veracode. So our experience was, we kind of kept developing, kept promoting away and eventually we got to the point where it makes sense to spin that off. So really the technology is a common thread from @stake to Symantec to Veracode.

Fisher: Where are the rest of the original L0pht guys?
Chris Wysopal: Paul Nash is still at Symantec, so he's a L0pht guy who's still consulting. [Space Rogue] is an IT guy somewhere in Boston. John Tan is at JP Morgan Chase. Brian Hasek works for a defense contractor doing wireless work. He was our wireless guy. It seems like when we're going out talking, Veracode wants to sell our services to ISVs and financial companies, I'm surprised at how frequently I bump into an ex-@staker. Like Adrian Ludwig was the head of security at Adobe and then he left that position to move to another position within Adobe and who took his place but another @stake guy. The financial services community in New York has a lot of the New York office. There's a guy at Moody's, Goldman Sachs, JP Morgan. It's rare to go into a prospect these days and not find someone you worked with or has like one degree of separation. I have this conversation all the time because it really is uncanny how all these people from one company have ended up in these influential positions all over the security world. It's just very interesting.

Christien Rioux: Bloomberg too. The CSO of Bloomberg is an ex-@stake guy. I'd be interested to know what was the total number of people who worked at @stake at some point. I know we peaked at like 140. So maybe 300?

Chris Wysopal: I would say even higher. It's hard to imagine something like that taking shape again. The security industry has moved and changed shape and it's hard to see that kind of talent showing up in one place again. We learned as a business that while it was really great to have all of those people in one place, the future of security has different needs than security when @stake was founded. Nowadays we're looking at automating things that were previously done by hand because the threat has become automated. That's the downside here: there's not enough people to have another @stake. You'd need a thousand of them to do it now, and we just couldn't do that. Five years from now, who knows how many people you would need to fulfill the needs of all those companies by hand. You just can't. And more to the point, people are shifting from mitigating problems or getting around them and network security products that sort of work around a problem to fixing the problems that you're responsible for. Actually going into the code and fixing the problems. And the bugs are what cause a lot of these problems. So that is a very fundamentally different thing than what @stake was capable of doing. Sure they did code reviews but that's very expensive line by line, having a human do it. And if that's where a lot of the focus and the business of these companies is going to be, you wouldn't want an @stake model. You wouldn't want two guys for two weeks pounding on the code. You wouldn't be able to pay for a thousand applications. You've got a lot of code in these enterprises. How do you meet those needs?

Fisher: It's a totally different model. It's hard to imagine something like that taking shape again.
Chris Wysopal: The security industry has moved and changed shape and it's hard to see that kind of talent showing up in one place again. Regulatory compliance wasn't even on the radar back then. Now people are trying to cope with, how do I secure this entire application inventory. And that just doesn't work as well with manual consulting. It's difficult to establish not only the bandwidth of doing it but the consistency across the board. And that's why we're kind of thinking of doing it by taking a more automated approach and addressing those issues in a more effective way.


Chris Eng: Also, nowadays there's a security community. Previous to things like @stake, when there was a route to get your problem solved, people didn't talk about it. Now everyone talks about what it means to secure a perimeter. All of the big financial services companies share information on what it means to do that effectively. So we need nowadays to enable that dialog where people can compare two applications and say, these two apps, this one seems to be reviewed a lot more than this one here. So how do we quantify security so we can have conversations about how you quantify risk. Manage the problem. You need to have those kinds of technologies, that's where all the brain power is going right now is thinking about how to enable people to talk about security instead of nobody talking about it. It's a different world, different developments. But still a lot of work to do. We're not secure yet.

Fisher: It's hard to imagine something like that taking shape again.
Chris Eng: Now there are groups like OWASP that are open, it's more open and there are many more books on security and they're starting to actually teach it in college. Before, you had to learn on the job. You had to apprentice somewhere. We apprenticed at the L0pht, Chris apprenticed at NSA. You didn't get that from a computer science degree. So I think we've moved from that guild phase to becoming more of an open, academic pursuit. And the next phase is to go industrialize it, and that's what we're trying to do now at Veracode.
