
Featuring Neal Michie of Verimatrix

Listen to the episode in full below - or subscribe on Apple Podcasts, Spotify, or Google Play to never miss the newest episodes from all of our Founder Insights podcasts.

In this episode of our Coach Mike series, Mike Suprovici (Founder Institute EIR) is joined by special guest Neal Michie of Verimatrix and Founder Insights editor Dustin Betz. Together, they discuss the different facets of data and cybersecurity that founders should be considering from day 1 of building their businesses.

Coach Mike and guests answer questions like:

  • How do startups define their security? 
  • What kinds of data are hackers after? 
  • What things can I do from day 1 to protect my startup?
  • What is encryption, where is it used, and why is it important? 
  • Differences between Android and iOS security considerations?
  • and more! 

Exclusive for the Founder Institute community, Neal has graciously offered to extend Verimatrix's free trial period for their turnkey mobile app security service, ProtectMyApp.com, from 14 to 30 days using our special offer code: enter “FOUNDER20”.

The following is a transcript of this Founder Insights podcast episode. These transcripts are produced by a third-party natural language processing algorithm and are not checked word-for-word by humans for complete accuracy, so there may be some errors or typos!


Dustin Betz  0:03 

Welcome everybody to another episode of The Founder Insights podcast. My name is Dustin Betz. I'm the head of content at the Founder Institute. And I'm joined today in our studio by Mike Suprovici.

Mike Suprovici  0:16 

Hello, everyone. As Dustin mentioned, my name is Mike. And for those of you who don't know me, I lead the alumni success group at the Founder Institute. Our role is to help the 4000 founder alumni scale, and we try to do that in any way that we can, whether it's through one-on-one office hours and advice, or through structured programs such as our Funding Lab program, and so on. So basically we roll up our sleeves and help everyone as much as we can. So that's me.

Dustin Betz  0:47 

And we're also joined today by our special guest, Neal Michie of Verimatrix. Neal, do you want to say a little about yourself?

Neal Michie  0:55 

Hi, everyone. I'm Neal Michie. I'm one of the product managers at Verimatrix. I look after our products that focus on code protection, and in code protection what we're doing is securing applications running in insecure environments, like mobile phones and mobile devices, to make sure that the software and the IP within the software is secure and safe.

Dustin Betz  1:17 

So our topic for today is, as you know, startup data and cybersecurity as it relates to startups. So, Neal, your background is very well suited to being our special guest for today. And I think we want to kick it off by just defining, for those who haven't thought about it much: how do you define security in cybersecurity?

Neal Michie  1:43 

Very good question. So I think when defining security, what we're defining is how to keep your business safe. How do you keep your customers safe and your business safe? What's the reason for implementing security? The reason for looking after security is fundamentally about keeping what you care about safe. And when we're talking startups, we're talking businesses, and what we care about is our business.

Dustin Betz  2:23 

Yeah, and so the data, for those businesses, is increasingly one of their most important assets. What is it basically that we're defending against? What do hackers really want to go after?

Neal Michie  2:42 

Your data is something we need to care about; it's something we really need to focus on. There are lots of interesting things in our businesses and in what we're doing that hackers care about and go after, but fundamentally what we see is that increasingly hackers are going after data. And if your business is B2C, if you're working in that space, then you're dealing with a lot of customer data, and customer data is personal data. That personal data is increasingly governed by things like GDPR in the European Union, and equivalent legislation is appearing around the world. It looks like California is enacting some of the toughest privacy legislation in the world at the moment. When you're in this space you're dealing with customers, with real people, and what you see in this legislation is that it says: while you as a business can separate your data, in reality it's the customer's data and they're just loaning it to you. So you have a responsibility to keep it safe. And if you fail in that responsibility, then this legislation is there to protect the consumer, to protect our customers as a service. So we need to make sure we're doing that. Yeah, the hackers, the bad guys, want this data; they see a lot of value in it. There are figures that show that credit card data sells on average for 30 US dollars on the dark web, whereas health records are the most valuable data at the moment: hackers are taking hundreds if not thousands of dollars for medical records on the dark web. So the motivation is clearly monetary; there's a financial incentive to get hold of the sensitive data and then sell it on. So that's what hackers go after. And that's why when we're building businesses, when we're building products, we need to make sure that we're securing that data and keeping it safe.

Mike Suprovici  4:42 

Yeah, a hundred percent. And even, let's say you're a founder, and maybe you agree or even if you disagree with the moral argument about data and things like that, in security you have to take a look at this, take this seriously, because one breach could put you out of business, more or less, if you're not taking the right precautions, and you don't have a lot of resources to defend yourself against those. It's very, very critical. They tried, as they say. So definitely something worth thinking about as you build your business.

Dustin Betz  5:21 

Yeah, and the way that you divided up at least the two sectors that you talked about for customer data: so one is credit card information, which I think is the form of fraud on the internet that most consumers are most familiar with. But then there's also the emerging kind, with more and more health records basically coming online, and different kinds of devices that might be gathering information on your health or other vital signs, that could be sold or compromised by hackers. And that's worthwhile for founders to be thinking about in the early stages of developing those products, if they're going to be collecting that kind of data. So I think we want to ask about how we can de-risk it: what are some ways, focusing maybe on customer data, that founders can be thinking about keeping this data safe?

Neal Michie  6:20 

De-risking is exactly the right word. You're never going to get 100% security, because it doesn't exist. And if anyone tells you they're providing 100% security, I would recommend running a mile, because they're either naive or they're lying. But we do need to take steps, we do need to take precautions, and I believe very strongly that it's about taking practical steps, practical precautions, not trying to get the very best security you possibly can and making sure everything is locked down, because that just doesn't make good business sense. You can spend a lot of time and a lot of money building really good security, but ultimately we need to make business decisions. And just as the hackers are looking for a return on investment, so are we: we need to make sure that our businesses grow and our businesses make sensible suggestions and correctly de-risk the market. So I think in terms of what our startups, what our founders, should be looking at, it's what sensible practical measures they can take today, doing the right things, doing them correctly. And that really means understanding the assets that you're processing, understanding what data you have. We're talking a lot about data, but assets are often other things as well. So there's maybe IP that we're putting out into the world; if that's valuable, then that needs to be protected. The example I use quite often is in the games industry. If you look at revenue for games, they can make a lot of money on a daily basis. But as soon as players work out how to cheat in those games, work out how to give themselves an unfair advantage, then suddenly the game stops being fun, and players go elsewhere.

So it's important to protect the concept of fair play within video gaming titles, and you see that similar mindset, similar ideas, spreading across different entities, across different products: what's an asset, what's a security-critical asset, is not always a piece of data or something you can put your fingers on, but it becomes a concept, something more fundamental to what you're doing, that also needs to be protected. So we need to make sure, when we're looking at the assets, looking at what we're protecting, that we're really thinking about the whole product and where the value is within that product. It's often not, as I say, just one bit of data, but there's something about what you're doing as a product; for a game, the concept of fair play is actually where the value is, and we need to protect it. So the best thing to do when you want to de-risk is look at where the value is, look at what the assets are that you have within your products, and then think about what the sensible steps are: take a look at where the assets are going, where they are, how someone might get hold of those assets, and then work out how to build and protect around them. But do it in a sensible, practical way. There are lots of other things to do when you're building a business, so we don't want to spend all our time on security. But we do need to take the sensible practical steps that enable us to really protect these assets within our products.

Mike Suprovici  9:45 

Yeah, I'd love to double-click on the point that you just made here. So essentially, we can go to infinity to try to get the best absolute security, and even though we may not get to 100%, my guess is 99.999% or something like that, but it might not be ever. So when a founder thinks about this, or even an employee at a startup that's scaling, how do they balance what can be done, and the amount of work that's necessary, with what's necessary for the business? From your experience, is there kind of a framework for how to think about this, or some sort of mental model that you may have, that we could share with our community about this?

Neal Michie  10:42 

There are lots of frameworks out there. If you work with security labs, or you understand the security methodology and dive into that, there are lots of frameworks people put together to understand risk, to understand how you protect it, how you build systems around them. Generally, fundamentally, they work on the theory of identity: identify your assets, identify the attack vectors of how someone would get to those assets, and then look at what parameters you build around those assets, what protection you need to keep those assets safe. But I would almost argue that the most important thing when you're starting up is don't get in the mindset of "I'm small, I'm not known, the attackers aren't interested in me," because that's fundamentally not true. You see it in lots of different mindsets, where criminals will pick on the vulnerable, maybe those who aren't quite as aware or are more naive, or you see the kind of criminals who go after where they see the best return. That's not always looking for the billion-dollar return, but if they can fairly quickly and easily get a small return, then lots of small returns quickly multiply up. So you can't assume that just because it's small it won't happen to me. But I think what's even more important is this: if you're starting out, you're founding the company, you're getting going, you want your product to explode, you want it to hit the mass market and suddenly go from being in startup mode to being an international, unicorn, billion-dollar company. And when that point comes, when you hit this hockey stick and it really starts to grow, you become known. Do you want to spend your efforts, spend your cycles, on retrofitting security, because now you're known, and every attacker and his dog is interested in what you're doing?

Or do you want to spend your cycles focusing on capitalizing on your newly found success, building your team, building your business, and focusing on increasing the success you've just found? So it's much easier to have security built in as business as usual when you're starting the company, starting to build out the products, and to get that mindset within your organization. Because it's easier, it's not that much effort to do it at the start, and if you have to retrofit it later, it's very damaging and very destructive. It's just like any other process you build into your engineering team: if you get the processes right at the start, then you're in a good position to grow, whether that's getting an agile methodology through your development team or having the right tools for that. It's exactly the same with security. If you can build it into the mindset at the start, then it's just something that happens, something that's business as usual, and then you don't have to worry about it later, because you're doing the right things from day one.

Dustin Betz  13:56 

Yeah, I think, concentrating on that, we definitely want to identify these things that founders can think about early on that will pay dividends in not having to think about them later. And one related question would be, so, consumer data: again, the trend is for more and more things to be moving towards the cloud. I guess if my customer data is stored in the cloud, which I think is something that startups are thinking about early on, this is probably a consideration if they're looking at, say, getting some Amazon Web Services credits or something like that, and they're building their back end. Are there special considerations that founders need to think about early on in cloud storage, specifically?

Neal Michie  14:43 

Right. I think cloud storage, and cloud generally, gets a bad rap in terms of security. Those cloud services, like Amazon, like Azure, are very powerful. They're very useful. They let you scale your business in a way that works for the business, rather than having to invest in a huge amount of IT equipment very early. And even big businesses are increasingly moving towards cloud, because it's just a nice way of doing things; it works well. Definitely people were nervous about it to start with around security, and didn't understand where the data was going, didn't understand how to really manage that model, or what the new risks were that came out of that model. In reality, it's the same as any other IT infrastructure: you've got to make sure it's configured correctly, you've got to make sure that you've built the right processes, the right monitoring and everything else. And once you've done that, it can be as secure as any other IT infrastructure in your building. That's why you see some of the more forward-thinking banks now moving towards that kind of infrastructure, where previously it would have been just unthinkable for those systems to go to the cloud, because people didn't understand the security models, didn't understand how to put that together. Provided you configure it properly, you think it through, you understand how it's got to be set up, then that's no different from any other infrastructure. So the advice I would give is don't fear it. On the contrary, embrace it, but just do the research and make sure you have people within the organization, either permanently within the organization or just that you can call on, who understand how to configure and set up these environments.

Mike Suprovici  16:42 

In addition to that, just to piggyback on Neal's comments there: if you're at an even earlier stage, and you're just trying to hack together an MVP, another way to look at this is, let's say you're going to use some sort of no-code tool, a set of no-code tools, to bring this together. A good way to look at this is to understand how the tool manages security, and to put that into the consideration for what you're doing with regards to security, even if all it's doing is collecting a form online and putting it into a Google Doc. Well, that's a good place for you to start to think about this: perhaps you put two-factor authentication on the Google Doc or something like that, or you put that on the form if it's necessary. And then you can start to think that way; this is how it becomes part of your culture. These are basic things, and as you deal with more data and you have to manage more data, you can implement further and further security to deal with that.

Neal Michie  17:51 

Yeah, and I think the point about two-factor authentication is quite a nice one, and it illustrates that security has to be applied in layers. It's a cliché, but it's a very true cliché. Something like two-factor authentication is great at managing the users logging on to a service, making sure that you know who the users are. But it's only good for that if there's a security framework around it. If the authentication can be worked around, whether it's two-factor, one-factor or infinite-factor, then it still opens up risks. You need to build these things in layers; you need to make sure you're not just picking up buzzwords, picking up some good ideas, but leaving gaps in what you're doing. You need to look at the ecosystem, you need to look at it holistically and understand how these different components fit together, to make sure you're building things in a secure way. So it's all very well having users log in with two-factor authentication, but if you forget to lock down the Google Doc that the login is sending the data to, then what's the point?

Mike Suprovici  19:03 

Exactly. Also, in other parts of the business, if you start to make this a core principle for how you run your company, then you start to think like this about all the other important assets of your business. So for example, if you're using MailChimp to email your first subscribers or first users, you probably want to put two-factor authentication on MailChimp, right? And so that's how it becomes part of the culture, part of the DNA of the company, at the very early stages. And then, as Neal alluded to earlier, that can grow with your company and everything that you do and the culture of your business.

Dustin Betz  19:45 

So I want to say, we've talked a lot, I feel like, and concentrated mostly on customer data, but there are other kinds of data vulnerabilities, so I at least want to touch on some of them. So one is your employee data: once you're hiring employees, you have personal information about them being stored somewhere. Another thing that's maybe a little cliché, but you hear about it, is that people are the weakest link in cybersecurity, in security defenses. So another kind of vulnerability point might be just the email that you're using. Are there other security vulnerabilities that come to mind that founders might just not be thinking about, but should be, with regards to protecting all of their data?

Neal Michie  20:36 

I love that phrase that people are the weakest link, because in the same breath people also say that their employees are their strongest asset, so there's this lovely contradiction there. And yeah, people are the weak link in terms of security; people will do things you wish they wouldn't do. But when you actually step back and analyze why they're doing these things, generally it all comes down to convenience. People will take whatever course of action is the most convenient to get to the end system, the end goal that they want to get to. So maybe you've locked down your mail system so that mail can only be used on secure, company-approved clients. But someone needs to get a piece of data out of the mail system, because someone's asked for someone's phone number, for example, and they need to send them a phone number. What happens if they just scribble it on a piece of paper, because that's the easiest way to get it out, and hand it to them? Suddenly all the security we have built fails, because someone's found a convenient way of circumventing the system: I happened to walk to your desk and say, "Do you have John's phone number?" and you just scribbled it on a piece of paper, and that leaks that piece of data outside the IT system. So people will always find ways around security measures if it gives them a more convenient way to do it. So when we're building our internal systems, when we're building our employee management systems and everything else that we want to give our employees to do their jobs, we need to understand that they will work in the most convenient way. And then we need to give them the tools to work in the way that they want to work. Once you do that, they will then follow the processes, they will follow the security measures, the systems that we've built in place, and they don't become the weakest link, because we're allowing them to work the way that makes sense to them.

So it's a tough balance to get right. We instinctively want to lock things down, instinctively want to keep things tight in terms of security, but actually, within a company, we need to allow people to work, we need to allow data to flow, we need to allow them to do their job. And when we're building our security model, when we're building the processes that we want them to follow, we need to keep that in mind. If we do that, people will still make mistakes and still do things that we wish they wouldn't, but most of the time they will then work the way we're enabling them to work, and if that happens, things stay secure.

Mike Suprovici  23:16 

One of the things that you and Verimatrix specialize in is mobile, and I'd love to switch subjects a little more to mobile now, because these mobile devices have a lot of sensors, they're listening, they're doing a lot of different things, and these are things that founders should be aware of as they're building their application. Now, certain ecosystems are better than others at it, or I shouldn't say better; they just give people more control versus less control, and that plays a role in how this works. And maybe from your perspective, what are some of the things that you've seen with regards to security? What are some at-risk areas, in particular with regards to mobile, that are the most prominent from your experience, as well as from some of the companies that you've worked with?

Neal Michie  24:17 

I think when it comes to mobile, what most people fail to recognize, and when you fail to recognize something, that's where risk comes in, is that when they start extending their products and their services onto mobile devices, they forget that they extend their ecosystem, and they extend their security perimeter, onto these devices as well. And when you do, you then need to start thinking about how you secure your extended perimeter, how you protect what you've put onto your customers' mobile devices, and maybe it's your employees' mobile devices, and you're just giving them access to facilities to work while they're on the move. But the mobile device, or in particular the software running on the mobile device, becomes part of our ecosystem; it becomes part of our security perimeter. And we need to make sure that someone can't attack the company, or the data system, through this new extended perimeter. So an example which we often use, and we've got examples of attacks being done this way, is where the mobile application gathers data and allows customers to access services. From accessing services on the mobile device, the application then connects into our cloud infrastructure, which we were talking about a minute ago. It connects into the cloud infrastructure, but because we consider the mobile application part of the infrastructure, we give it trusted access into the back-end cloud services. And with trusted access, it can do things that maybe you wouldn't want it to do and wouldn't expect it to do. What the attackers will do is take control of the mobile application, or use a mobile application to learn how to give themselves trusted access into the back-end systems. And then they'll pretend to be a mobile application connecting in. And from there, you've got yourself a vulnerability.

So it's very important, when building applications and putting services onto mobile devices, that you consider it part of your ecosystem, you consider it part of your security model. And you then look at how you harden the application, how you protect that application so attackers can't take control of it to use it for their own malicious needs; so attackers can't take all the sensitive data we've been talking about out of the application, when the application is running on the phone and processing data, by just attaching to the process and taking the data; or so attackers can't use the application as a learning tool, to learn how it's talking to the back-end infrastructure, talking to the cloud services, and then use that learning to spoof an attack, to pretend to be a mobile application but actually use it for ulterior motives. So these applications, fundamentally, are quite soft; they're quite easy to get into, to reverse engineer, to understand what they're doing. They're soft because they're software, and software is generally soft in whatever form it takes; normally we put it behind firewalls, we put it on servers. We don't have that luxury on a mobile device. And to some extent, it doesn't matter which of the two big ecosystems we're playing in; there's still this vulnerability that's there in the application. So we don't want attackers to understand how they're working and use that against us.

Mike Suprovici  27:58 

Can you talk about some of the differences between the Android and the iOS ecosystems with regards to how to handle security, and what developers have to think about in regards to one day potentially launching on one or the other, or both?

Neal Michie  28:16 

Yeah, and I think, if you're launching a mobile service, a mobile application, you're more than likely to launch on both Android and iOS. It's increasingly hard to pick just one of the players in the ecosystem; you've got to work on both devices to reach your full potential, to reach your customer base. There are similarities and differences that an attacker, or a developer, needs to consider when looking at them. The big thing that you see from the outside when you look at iOS is that it's a locked-down ecosystem. Apple tries to keep it as a walled garden. The only source of apps is the official Apple App Store. The devices are fairly locked down; it becomes harder and harder to jailbreak the devices. So they're still this locked-down device, which is much more restricted in what you can do. On the Android side, it's a more open ecosystem, which means there are fewer restrictions in what you can do. You can install applications from other sources. We tend to have our North American or European view, where we see Google Play as being the source of truth when it comes to applications. But when you go a bit wider afield and you go around the rest of the world, actually you see other app stores, third-party app stores, being quite popular. So you can't assume that Google is the source of truth when it comes to apps; there are people installing apps from other app stores as well. So you see this open ecosystem with Android versus the locked-down ecosystem. And I think as a developer the open ecosystem brings a lot of advantages, because you've got more freedom to develop products, to build out your solution. But it also brings more fear and more scare stories, because you see stories of third-party app stores, people installing malware and things like that. So at least at a high level, it looks riskier.

We actually believe, when you delve a bit deeper and look at the real risks (selling security, it's nice to be able to cite real stories, real examples of things that are happening in the wild), and when you look at what's really happening in the world, what you see is similar risks across Android and iOS. And you see similar risks because of the way attacks at scale work against these applications. Most attacks at scale won't attack your version of an application installed from your version of an application store, because a point of attack that's great for attacking you is great for attacking me. But as a criminal, I want a return on my investment, and I'm not going to get that just going after you, or just going after me. I want to go after the install base. So the way to go after the install base is to find vulnerabilities within the code, to find something that I can use to remotely attack lots and lots of installs of the application at scale. So that means finding vulnerabilities. Vulnerabilities are fundamentally bugs within the software, bugs that are security risks that can then expose us. And you find that, on average, a mobile application is 50,000 lines of code, and that translates to an application having about 2000 bugs in the software. Most are benign; those that aren't are functional. But there will always be a few that are security impacting: a buffer overflow from a remote message I sent, or something like that, becomes security impacting to the application. And when an attacker identifies the security-impacting bugs, they can then launch a mass attack against the install base. And that's what you see happening with some of the stories around WhatsApp recently, and there are many other examples against other applications. So if we go back to practical steps, practical measures that our developers or our founders can look at: try and squash every bug within that application? The reality is, that's not going to happen. The reality is that's just an awful lot of effort, and we're again trying to stretch to infinity. The practical measure is to make the code itself difficult to understand, difficult to analyze, so the attackers can't find the few security-impacting bugs that are hidden within your code. So technologies like obfuscation can really give a strong advantage to our companies, to make sure that the apps are secure, because we're obscuring the bugs, making it hard for the attackers to find the vulnerabilities. If they can't find the vulnerabilities, they can't exploit them.

Mike Suprovici  33:46 

Interesting. Now, there's also a trend where developers are using tools like, say, React Native and things like that to try to go cross-platform right off the bat, versus just building natively, which means that you essentially have two code bases that you have to maintain. I would assume that that's a bigger security risk, maybe not, but I'd love to hear your thoughts on that. Is there something that the founder that basically wants to put together a React Native app or something like that has to think about versus a native app? I'm saying this lightly, because, you know, all the React Native people are going to be getting after me for saying this. But, you know, versus building directly in the ecosystem, for example using Apple's products or something like that. Is there something that they should be thinking about, or is there any extra security risk or less security risk? What are your thoughts about that?

Neal Michie  34:43 

Yeah, there's a definite trend to using technologies like React Native; you've seen it emerging over the last year or so. And these frameworks have existed for a while, if you go back far enough; there were things like PhoneGap that people were using. I think when we get to some of the more modern technologies like React Native, we see they start to create good applications, good user experiences, which is why they're starting to become popular. It's not a trend I particularly like, partly because I saw some of the earlier cross-platform development tools and wasn't overly impressed by them. So I don't like it with my development hat on, and I also don't particularly like it with my security hat on. The reason I don't like it with a security hat on is that with React Native, for example, the executable code is JavaScript, and that JavaScript is bundled within the Android application or the iOS application. And then when your application starts up, the JavaScript gets loaded into a web view and is then interpreted and run in the application. That's just fine for building an application and gives you the benefits of cross-platform and all the rest of it. The trouble is, with an interpreted language like JavaScript, it's much, much harder to get security. When you're thinking about security, thinking about how to keep your code as safe as possible, then you want to get as close to the hardware it's executing on as possible. And the reason for that is we want to make sure people aren't changing or tampering with your code, that your code is running as you intended it to run. It's good building security measures into code, but if someone can remove them, that's a weakness, that's a vulnerability that we don't want. So if we can build good anti-tamper, good integrity-checking technology into the code, then we start to build trust into that code; we start to believe it's going to execute the way it's intended to execute.

As you move away from the hardware and into interpreted languages, or languages that are running on virtual machines, then that code goes through a translation stage and an interpretation stage before it executes. That interpretation stage is basically changing your code; it's changing the code from how it was delivered to how it executes, and that's essentially tampering, just changing the code. So if we want to guarantee the code is running as delivered, anything that changes it, whether maliciously or deliberately, is a problem. So an interpreted language like JavaScript, or even Java itself, which runs on a virtual machine, does pose security issues and security questions, because it goes through this tampering, and you can't tell if the code's been deliberately tampered with, accidentally tampered with, or just tampered with.

Mike Suprovici  37:41 

Super. Never thought about it that way. You know, can we talk a little bit, since we have such an expert on this, can we talk a little bit about encryption versus no encryption, and, you know, your data? How should people think about encryption with regards to their data?

Neal Michie  38:02 

On a high level, encryption is important; fundamentally, the internet wouldn't work, e-commerce wouldn't work if it didn't have encryption. So it's a very, very clever, very, very smart technology, which I don't claim to understand all the details of how it goes together; the maths is incredible, some of the stuff that cryptographers can do is truly, truly impressive. But on a fundamental architecture level, there are really three things you need to consider when looking at encryption. And that's always looking at how you're keeping the data safe. So how do you keep the data safe in transit, when you're moving it from one place to another, such as over the internet? You need to look at how you keep the data safe at rest, that's when you're storing it, whether it's on the file system of a mobile phone or whether it's in your database in the cloud: how do you keep that data safe at rest? And the one that often gets forgotten is how you keep it safe in use, when you're processing that data, when you're using that data. How do you keep it safe? It's fine when you're behind a perimeter: you're in your servers, you're on your cloud, you've got your firewalls; you build your protection on your perimeter, and you run the security so no one can get in and see the algorithms running, see the cryptographic keys. You don't have that luxury when you're out in the world, on a mobile phone. The encryption you're running, the algorithms you're running, can be observed. And generally the algorithms aren't the secret; we use well-known algorithms all the time, like AES. But what is secret, and what is important, is to keep your cryptographic keys safe. These are the secret to unlocking any cryptography. And when you're building your architecture, you need to think: where are those keys? Where are they stored? Are they safe?

And if they're just sitting within your mobile application, or they're sitting on a file system somewhere with no protection on them, then an attacker can take those keys and use them. So we can talk about black-box and white-box cryptography. In a black-box environment, your cryptography happens behind a secure boundary. So it could be on a server, or it could be on the chip in your credit card. But there's a boundary there that keeps the cryptographic keys safe and makes sure the processing, the use, is done in a secure environment. If you're doing the processing on a mobile phone or a small IoT device with no hardware security in it, then that's what we call a white-box environment, because it's open. It's easy for someone to see what's happening, and if someone can see what's happening, they can find the cryptographic keys that you're using. So then you need to use special forms of cryptography that we call white-box cryptography to keep those keys safe and keep them from being exposed to the attacker. Fundamentally, the keys are what lock down the whole crypto architecture that you're building.

Mike Suprovici  41:22 

Amazing. You know, before we wrap up here, and we're reaching the top of the hour, Neal, can you talk a little bit about Verimatrix, ProtectMyApp, and how you work with startups, and a little bit about what you do, so that our community can potentially engage with you down the line?

Neal Michie  41:42 

Yeah, of course. So Verimatrix is quite a large company. We work in many different areas, but the focus for me and what I do, security, really underpins everything we do as a company. So whether it's the different vertical markets that we feed into, such as the media space or the payments and finance space, we always underpin it with good, practical security. And when we're providing that security on to other companies, on to startups and people that want to use it, we believe very strongly that the security should be friendly. And when we say friendly, what we really mean is easy to use, easy to deploy, because, back to practical security, we could build the best security in the world, but if our customers can't deploy it, there's no point. So we're always looking at how we make our security friendly, easy to deploy, easy to use, and really empower our customers to use the security that's there, but also enable them to get on and do what they really want to do, which is build exciting products, compelling user experiences, and grow their businesses. So when it comes to ProtectMyApp, that was the driver behind what we were doing. We were looking at how we take a mobile application, and we've got proven security that we've been providing to customers for 10 years; how do we take that proven security and bundle it in a way which is super easy to apply, super easy to deploy? And that was really the birth of the idea, where we provide a cloud service. You sign up online, you upload your application to the service, so an Android APK, or an xcarchive in the iOS world, and five minutes later you get back a protected application, one that's secured from reverse engineering, secured from an attacker understanding what that app's doing and using it against the company. The whole business model, everything else, is equally designed to be friendly, so you can try it for free.

So ProtectMyApp.com: log on, sign up, have a go. You can try it for free. And then once you want to continue using it, once you see the benefits of the security, there's really no commitment; it works on a monthly subscription. So for a startup that's just beginning, they can start to access security, they can use that in a very, very simple, very easy way that doesn't impact what they're doing. And there's no real commitment to using it going forward, so they have flexibility and everything else you need when you're building a business and you're not quite sure what tomorrow is going to bring.

Dustin Betz  44:34 

Awesome. Yeah, so that website one more time for our founders so they can check it out, if you're listening live, is ProtectMyApp.com.

Mike Suprovici  44:44 

And definitely, definitely have a go at it. Take a look at it. It's really important that you start thinking about security early, even if you're not building a mobile app and you're not going to do that for a while. It's not going to give you a roadmap. It's really important to think about taking some of these principles that you've learned from this podcast and start to apply them to your business early on, so that it becomes part of the fabric of your culture for your company. Because moving forward, even if for whatever reason you morally disagree with some of this stuff that we're talking about, you're going to have to deal with a lot of the consequences, whether it's from the federal government in the United States, California, or whether it's, you know, GDPR in Europe and other places. So this is going to become more and more of a challenge. And the last thing that you want to have to deal with when you are running on a shoestring budget, or, you know, when you have raised a small amount of money in your pre-seed round, is to have to deal with managing through this in order to be able to save your company. So it's good to start taking some precautions, and that can save you a lot of money moving forward as well. So just something to think about, and more importantly, your own mindset and the amount of stress and pain that something like this could deal you; it's just not worth dealing with, right? So just think about that as you build your company. Neal, I really want to thank you so much for taking the time out of your busy schedule to come on this podcast. This was terrific. You've dropped a lot of knowledge on our community, and we're very, very, very thankful that you were able to do this. Thank you so much for doing this.

Neal Michie  46:22 

Thank you for letting me talk. And hopefully it's been insightful, and hopefully it's been useful to your founders.

 

Mike Suprovici  46:28 

Amazing.

 

Dustin Betz  46:30 

Awesome. Alright. Thanks so much. Take care, Neal. All right. Bye. Goodbye.

 

Neal Michie  46:34 

Thank you. Goodbye.
