In the near future, application security will be visible to customers and it will transform the market, says Jeff Williams, co-founder and CTO of Contrast Security. He explains that there is a push to publish more details about software development and security to increase transparency. While the information may not be widely read by consumers at first, Williams says that companies will have to live up to what they say and aim higher. He believes that the companies that make this information available first will have a competitive advantage and that having great software will be key for any company in any sector. We rely on software for almost everything, and we blindly trust it, Williams says. He points out that all this software is very insecure, even though we could build it securely. That really bothers him, so he has dedicated his career to solving this massive problem.
You’ve been in the cybersecurity domain for more than 20 years. How do you explain that?
I kind of got into it by accident. In the ’80s, I liked cracking the copy protection schemes on software. Then I just stayed with software. My first job was at a classified Navy project where I learned about real security. I just decided I was going to learn everything I could about computer security, which back in those days was almost possible. You could learn almost the whole field.
What was going through your mind as you decided to continue in this domain?
I just think it’s such a huge, critical problem. If you think about all the things that you care about—your money, health, government, elections, pandemic response—it’s managed by software. That software is ridiculously insecure. People get outraged when a new vulnerability comes out. But every company has those kinds of vulnerabilities. It’s not that we couldn’t build secure software; it’s just that we don’t. That irritates me. I’ve dedicated my life to trying to fix that.
Take me back seven, eight years, the inception of Contrast Security. What was your positioning as an entrepreneur creating a new company?
We saw a lot of changes in software around that time. We did work with very large enterprises with thousands of applications. The legacy tools in AppSec—static analysis, dynamic analysis, and WAFs—were all designed for the early 2000s. Software changed a lot. It became more agile, more API-driven, more libraries and frameworks; it moved to the cloud. The speed of software delivery changed a lot.
We said, “We need a different tool for a modern kind of software.” So we created a different way of doing application security from the inside out. Our product works more like a profiler or an APM tool, but for security, not performance.
Was it engineering-led, cyber-led, or more go-to-market-led in the beginning?
I’d say it’s more engineering-led. We invented Contrast inside my consulting company, so we had great relationships with lots of large enterprises. The go-to market was pretty obvious for us: we were going to sell to the people we know. That’s probably a good first step for almost any entrepreneur.
Take me 30,000 feet in the air to understand the landscape of what’s happening today in cybersecurity. Where does Contrast fit in?
I like to think about the cybersecurity market according to a framework. You can think about the phase of security: early on, it’s about detection, requirements, and defenses, and later on it’s about detecting incidents and response. And companies array themselves across that landscape. Then on the vertical dimension, I think about the software stack. At the bottom, there’s host and network security, then there’s containers and cloud. Then at the top, there’s application security.
The application security layer, that’s what we do. We cover a pretty broad range across the software life cycle and into production. Our goal is to be a platform to support almost whatever you want to do in the application security space.
You had to start somewhere. What was the strategy as you were mapping out the different offerings?
The first thing that we built was called “Contrast Assess.” It’s this new way of identifying vulnerabilities from inside the running application. Doing it from inside, you have all the context you need, which lets it be much more accurate.
Ultimately, accuracy is the key here to scale. Because if you’re not accurate, you have to have security experts in the critical path. By being super accurate, we can empower developers to do it themselves. That’s where we started.
That’s not trivial, getting access to the internals of the company. What are the trade-offs as you’re balancing your ability to integrate into those areas versus your wanting to be able to read everything and to make some decisions on your own?
We started with a technology that would give us that full access to their running applications. Once we have great data about vulnerabilities and exactly where they are, then there are a lot of integrations because a lot of people need that data. That’s been an ongoing process.
But getting access to the internals of the company as a new company. Back then, why did they let you in? Why were they opening the door for you?
Some companies won’t do business with small startups. But a lot of companies are willing to investigate new approaches. And we had a really good reputation coming out of my consulting company. We were established in the space.
Was there a turning point when you realized that your company now actually has the credibility to go and sell into companies that may not know you?
It takes some work. That’s why it takes four or five years to get a cybersecurity company going; you have to make some early sales, provide great value and measure it, and then get references that will talk about you.
Where do you think is the holy grail today in terms of cybersecurity? What is really the most pressing thing that young entrepreneurs should be thinking about when it comes to securing the cloud, software, or hardware?
I think application security is in the stone age. There are still a lot of great opportunities in AppSec. For the most part, companies have been doing the minimum in AppSec. I think we’re on the cusp of a transformation in the market where application security becomes visible and transparent to consumers. There’s a lot of push from the government. You’ll have to produce a software bill of materials to tell people what libraries your application is using. I think you’re going to have to publish more details about how you build that software.
I’d be willing to bet that you bank online. What do you know about the software that you’re using? You’re blindly trusting that software. We blindly trust all the software in our lives. That’s crazy. So the market is broken.
Do you really think consumers will ever want to read the software bill of materials and have these independent thoughts on who’s secure and who’s not? Or is it mainly going to be a marketing play?
That’s a lot of people’s initial reaction about things like software labels. But nobody read food labels for like 20 years, and yet they dramatically changed the food market because the effect early on is on producers. Their lawyers won’t let them produce a product that has a hundred percent toxic chemicals in it because they know they’ll get sued.
The same thing will happen with software. The effect will be on the producers first to live up to the labels. They won’t bring a product to market that has an F on it. Like in New York City, you only go to restaurants that have As and Bs.
What shift do companies need to make now?
Many companies are already doing a lot of the right things: training developers, testing their code, putting security automation into their pipelines. I think what they need to do is get themselves comfortable with the idea of disclosing that information. I do think it will be a market advantage for the first companies that are brave enough to publish this kind of information.
It will create competition in the market, and there’ll be a race to be the most secure software producers. The companies that do that well will win their sectors because being great at software is the key to unlocking your entire sector. It doesn’t matter what you’re in.
Michael Matias, Forbes 30 Under 30, is the author of Age is Only an Int: Lessons I Learned as a Young Entrepreneur. He studies Artificial Intelligence at Stanford University, is a Venture Partner at J-Ventures and was an engineer at Hippo Insurance. Matias previously served as an officer in the 8200 unit. 20MinuteLeaders is a tech entrepreneurship interview series featuring one-on-one interviews with fascinating founders, innovators and thought leaders sharing their journeys and experiences.
Contributing editors: Michael Matias, Megan Ryan