Security Startups: In Focus With CheckMarx Founder Maty Siman

Security Startups Feature

Company: CheckMarx  |  Who: Maty Siman, Founder and CTO

CheckMarx is a source code analysis company. Maty Siman, the company’s CTO and founder, shared some of his industry experience in the slightly edited interview below.

SecurityWeek: How did you start out in the computer field and in particular, security?

Maty: At the age of 16, I started developing professionally. Later, upon enrollment in the Israeli Defense Forces (IDF), I was placed in “Mamram” – the military’s computer unit. The service there starts with a very intensive six-month computer development training, at the end of which the graduates go to their respective units. Some of us graduates were selected to become instructors at the course. Following that position, I was stationed at “Matzov” – the ITSEC unit of the IDF. I stayed there for five years developing solutions for network and application security. Right before completing duty, I received a call from the Prime Minister’s (PM) office asking if I could be an advisor there for two years. I happily accepted the position and when that term ended, in February 2006, I left the PM’s office to found Checkmarx.

SecurityWeek: What brought you to found CheckMarx?

Maty: At both the IDF and at the PM office, I was wearing a customer hat and was looking for this particular solution. I couldn’t find anything that fit my requirements. There were a couple of solutions, but none were what I was looking for. First, they either didn’t support a particular platform, or did not reach the quality I was looking for in terms of accuracy of results. There was also an overhead to getting everything scanned. I really wanted something that would easily scan the code and provide a much higher quality of results. Second, as a consultant, I knew many times what I wanted to see in the source code, but there was no tool to express my knowledge. Up until that point, scanning was just a black box which I couldn’t configure. I decided to develop something with three requirements: easy installation, high accuracy rates and customizability.

SecurityWeek: What does CheckMarx do?

Maty: CheckMarx provides tools for source code analysis. This field, as identified by Gartner, is called Static Application Security Testing (SAST) and covers the market of products that analyze applications’ source code to find security vulnerabilities. The benefit of using SAST over Dynamic Application Security Testing (DAST) is that it finds security flaws very early in the development cycle and points you to the exact location in the source code. Simply put, it not only tells you that there’s a SQL Injection flaw but also pinpoints the exact location.

SecurityWeek: How do you define the difference between dynamic and static analysis?

Maty: There’s both a philosophical and a technical argument. On the philosophical side, the reason to choose source code analysis in the first place is the realization that the fight between the attackers and defenders is not symmetric. Attackers choose how much effort they want to invest into penetrating the system and only need one point of entry. When defending, there are only constraints: money, HR, etc. It’s an unbalanced game. Hackers have all the time to hack the system. The only advantage the defender has is access to the source code. Penetration testing (i.e., DAST) tries to simulate the hackers and by doing so, they ignore the only piece of information that they have and the hackers do not. And this keeps the equation unbalanced. However, with SAST you own the code.

The technical argument says that a SQL injection might occur when there’s a process that happens only, for example, on Thursday evenings. With SAST, it doesn’t matter when the scan is launched – you’ll find all the possible scenarios and not just those that exist at the time of testing. With DAST, you get only what you look for. The second technical difference is that SAST points you to the exact location in the code. The problem might be a few layers below the user interface while in the dynamic scenario, you’ll see the problem only when it manifests itself – in the user interface.
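The Thursday-evening point, as an added illustration that is not part of the interview and not Checkmarx’s product code: a small flow-insensitive taint check over a constructed Python snippet flags the string-built query on every syntactic path, whatever the clock says, and reports the line, while the parameterized branch is left alone.

```python
import ast

# Constructed sample (not from the interview): the vulnerable path only runs
# on Thursday evenings, so a dynamic test on any other day never reaches it.
SAMPLE = '''
import datetime

def lookup(cursor, user):
    now = datetime.datetime.now()
    if now.weekday() == 3 and now.hour >= 18:
        query = "SELECT * FROM accounts WHERE name = '" + user + "'"
        cursor.execute(query)
    else:
        cursor.execute("SELECT * FROM accounts WHERE name = ?", (user,))
'''

SINKS = {"execute", "executemany"}  # DB-API methods whose first arg is SQL text


def _names(node):
    """All identifiers referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def find_sqli(source):
    """Return (function, line) pairs where a tainted string reaches a SQL sink.

    Every parameter is treated as untrusted. Taint propagates through any
    assignment whose right-hand side mentions a tainted name, iterated to a
    fixpoint. Branch conditions are deliberately ignored: the analysis covers
    every path in the code, not just the ones a test run happens to execute.
    """
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted = {a.arg for a in fn.args.args}
        assigns = [n for n in ast.walk(fn) if isinstance(n, ast.Assign)]
        changed = True
        while changed:  # flow-insensitive propagation until nothing new is tainted
            changed = False
            for a in assigns:
                if _names(a.value) & tainted:
                    new = {t.id for t in a.targets if isinstance(t, ast.Name)} - tainted
                    if new:
                        tainted |= new
                        changed = True
        for call in ast.walk(fn):  # only the SQL-text argument matters, not bound params
            if (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                    and call.func.attr in SINKS and call.args
                    and _names(call.args[0]) & tainted):
                findings.append((fn.name, call.lineno))
    return findings
```

On the sample, `find_sqli(SAMPLE)` returns `[("lookup", 8)]`: the concatenated query on line 8 of the snippet, and nothing for the `?`-parameterized call in the `else` branch.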

SecurityWeek: Back to the business side of things… Who are CheckMarx’s competitors?

Maty: Back when we started there was Fortify, now part of HP, and OunceLabs, acquired by IBM. Currently, there are about eight vendors that Gartner identified. In their magic quadrant we were the only ones identified as visionaries.

SecurityWeek: Why did Gartner vote CheckMarx as visionaries?

Maty: Because of our customizability capability – putting knowledge into the product. This is still unique, even six years after founding CheckMarx. Gartner feels that this is the future of such tools and named it ESI: Enterprise Security Intelligence. The point is to completely separate the data from analysis. The data goes to a database and on top of that you can query the database. This is not a closed box that the system analyzes and closes the result. Rather, there are two stages: analyze and then look for interesting information in the source code. It’s all interactive in the sense that once you’ve analyzed and indexed the results, you can issue new queries against the database. There’s no need to rescan. That’s ESI and we have had this from day one.

SecurityWeek: Who are your investors?

Maty: Ofer hi-tech group, Chief Scientist of Israel and SalesForce.

SecurityWeek: What tips do you have on raising money?

Maty: You need something to show, so have a demo. This way, when the VCs bring their professional experts you can convince them that you can do what you promised.

SecurityWeek: Does this mean you actually participated in the code writing?

Maty: Yes. In order to raise the money, I developed the first version myself. Once we received funding, I hired more developers. To this day I’m involved in the development, but less often than I’d like.

SecurityWeek: What are your markets?

Maty: Every company that develops source code, either ISVs or a corporation that has a development shop within, such as banks and insurance companies. We’re totally global and have customers in the US, Israel, and Asia-Pacific.

SecurityWeek: What are your growth rates?

Maty: We currently have 35 employees. In terms of employees, we have 100% year-over-year growth. Our growth rate for sales is 100% year-over-year.

SecurityWeek: Did you ever have any doubts along the way?

Maty: Never ever had any doubts!

SecurityWeek: What’s your greatest challenge as an entrepreneur?

Maty: Hiring good people. It’s the most important thing and it’s difficult to get talented people. When I hire I check the person’s ability to solve complex problems and think out of the box. I look for people for whom no task is too small or too large. By too small I mean that they are able to do even the most boring and smallest task, and do it well, since at the end of the day the large tasks are composed of several small tasks and we have to pay attention to the fine details. Further, these employees have to be very interdisciplinary. They must have knowledge in compilers, code structure, and security. They need to know applications. So, there are lots of disciplines here that come together.

SecurityWeek: Can you share any tips for other entrepreneurs starting their own business?

Maty: The very first employees are the most important asset you can get. The first five employees of CheckMarx are still with us – 6 years later. They’re the foundation of the company. Whenever new people come, these individuals set the level and the expectation of the company, whether they are sales, development or managers. At the end of the day, everything is about the people. They’re the DNA of your company.

SecurityWeek: Other than yours, what’s your favorite start-up (whether in security or not)?

Maty: The startup that grabbed my attention recently is called Foresight. Foresight solves one of the biggest problems in web security – DDoS – in an innovative way. Foresight automatically replicates their customers' website and distributes it on the cloud, so it ensures website availability and handling of heavy loads. Websites can use Foresight either as their secure and load-resistant website or as a backup website in case a DDoS takes place. The beauty of it is that Foresight's technology is plug & play and easy to use.

Proper disclaimer: I actually first met Maty in the fifth grade at the playground of the same elementary school we both attended. We ran into each other again a few years ago at an OWASP conference. This time around, our chat was conducted in his fancy offices on the 22nd floor overlooking the city of Tel-Aviv.

Do you have a suggestion for a security startup or entrepreneur that would make a great feature for this series? Contact us and let us know.

Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists, with previous columns focusing on trends in the threat landscape. Her current interests lie on the business side of security. Noa has worked for Imperva as a Sr. Security Strategist and before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.