Below is our recent interview with Tae Jin Kang, CEO of Insignary, Inc:
Q: It’s great to speak with you again. How do you see security’s role in corporations as we see more businesses suffer data loss from hackers, and the potential of additional fines from the E.U.’s GDPR that was enacted in 2018?
A: Thank you, it’s great to speak with you again.
As we enter 2019, it is clear that the number and sophistication of hacker attacks are increasing. Data theft continues to plague businesses of all sizes. With the passage of the E.U.’s General Data Protection Regulation, or GDPR, the costs, in addition to brand impairment, lost sales and lowered business valuations, could become quite significant.
This is also taking place at a time when more than 90% of software is built using software that contains open source software (OSS) code. I am not advocating that we turn back. I do not believe it would be good or even possible to abandon OSS code use. The problem is that for the last three years, we have seen record levels of vulnerabilities being reported. And the jump has been anything but incremental.
Finding and dealing with OSS vulnerabilities is an important first line of defense in stopping hackers from compromising the system, affecting the quality of service, and stealing important data.
Q: What are security and DevOps teams missing about the hazards of known open source vulnerabilities?
A: A number of recent, high-profile data thefts have been due to unpatched but already addressed open source software vulnerabilities. The Equifax hack is probably the poster child for this kind of incident.
The issue is not that the security and DevOps teams don’t recognize the threat. I believe that in the last two years, they have become aware that leaving unpatched security vulnerabilities is essentially an invitation for hackers to access their systems and steal their data.
The problem is that the software-sourcing model makes it increasingly challenging for security and DevOps teams to really understand what code is in their software. If you don’t know what your code consists of, then it’s impossible to patch known software vulnerabilities.
Q: How is Insignary positioned as we enter 2019?
A: We believe that 2019 will be a very good year for our company. The growing need for DevOps and security teams to be able to accurately comprehend what is in the software they are procuring, deploying and managing is a strong positive for us.
Our flagship product, Clarity, is in trials with a number of well-respected technology and business leaders. They are testing our product because it is a fingerprint-based binary code scanner with a higher degree of accuracy and coverage than the competing products. In other words, Clarity can quickly examine a binary file and tell you what open source software components comprise it and which vulnerabilities affect it, but do it in a way that can detect OSS components that other products simply cannot detect and with far fewer false positives.
We see DevOps and security teams recognizing Insignary’s Clarity as a cost-effective solution for finding all of the little hidden points of weakness that exist in the code they are purchasing, integrating and deploying.
Q: You recently started a non-profit foundation called Secure Planet, how does that relate to Insignary?
A: Secure Planet Foundation is building the Secure Planet Database (SPDB), an independent, crowdsourced security vulnerability knowledge platform. The blockchain-based platform will provide new levels of efficiency and transparency for tracking and reporting security vulnerability information. Additionally, Secure Planet will launch a revenue-sharing program with DB contributors to proactively address the incentivization of finding and reporting security vulnerabilities in open source software, which forms the foundation of today’s software.
Our current plan is to have Insignary fund and guide the initial stage of the project until Secure Planet can be viable on its own. Details of the partnership will be revealed later.
Q: How do you envision Secure Planet’s value in relation to public and private vulnerability databases?
A: Current public vulnerability databases are lacking in many aspects, especially in terms of the total number of reported open source software (OSS) vulnerabilities, update timeliness, and data quality and completeness. Private vulnerability databases do a much better job of capturing OSS vulnerabilities reported throughout different security mailing lists, and do so much quicker than their public counterparts, but do a poor job of discovering new vulnerabilities in the less active but most frequently utilized OSS projects. Secure Planet’s aim is to incentivize the finding of new vulnerabilities, and to be complementary to existing databases.
That’s all I can tell you for now. We haven’t formally announced Secure Planet. We will have more information to share later once the project becomes formalized.