14 Minutes of SaaS


E39: Chris Wysopal – Co-founder & CTO of Veracode – 1 of 2 – a Push from Symantec

Chris Wysopal - CTO Co-founder of Veracode


Chris Wysopal is Co-founder & CTO of Veracode, a data security SaaS company which sold for $950 million USD. He talks about his hacker mindset and the push Symantec gave him to leave and cofound his company. Veracode is an applications security company founded in 2006 and based out of Burlington, Massachusetts, with offices all over the world including London, Singapore, San Francisco and New York. It raised over $114M dollars before the flurry of acquisitions activity. It has 713 employees, that’s a 25% increase over the last 2 years. Employees stay an average of almost 3 years. “Starting a company, sometimes you need like a push somehow … but this was like I had worked on all this stuff and I was going down a particular path and they were like ‘We’re not going to do that anymore.’ This really forced me and my co-founder Christian Riu to say ‘Let’s leave Symantec and let’s start a company doing the things we wanna do.’”

Transcript

Chris Wysopal

We don’t do the kinds of security tools that you’re talking about … which ended up being the best thing that ever happened to my career because it forced me … because I believed in what we were doing, we were automating the things that I thought software developers needed. It forced me to say, ‘hey, I’m gonna leave Symantec, I’m going to go start a company to do this.’ So, you know, starting a company, sometimes you need like a push somehow, yeah, like … you need like if you have that, you know, sweet situation where everything’s great … you know, but this is like … I had worked on all this stuff … and I was going down a particular path and they were like ‘we’re not gonna do that anymore.’

Stephen Cummins

And your timing was good too

Chris Wysopal

And the timing was good. So this really forced me … and my co-founder Christian Riu to say ‘Let’s leave Symantec and let’s start a company doing the things we wanted to.’

Stephen Cummins

Welcome to 14 minutes of SaaS, the show where you can listen to the stories and opinions of founders of the world’s most remarkable SaaS ScaleUps.

In the first of two episodes with Chris Wysopal, the CTO and cofounder of Veracode, a provider of cloud based app intelligence and security services, he’s at a pretty momentous moment in his professional career. He sounds relaxed, but Veracode is in the middle of a whirlwind of acquisitions and changes.
Prior to that, in March 2017, the first of 3 successive ownership changes for the company occurred. CA Technologies bought Veracode for $640M USD in cash. But then CA, in turn, 18 months later – just two days after this interview – was bought by Broadcom … and then, a few months later, Broadcom sold Veracode to private equity based Thoma Bravo for $950M USD – almost a unicorn. Probably a difficult time with lots of change. But the value of the company increased by $336M dollars or 55 percent in under 2 years. Pretty amazing. Through smart leadership it seems like Veracode continually operated pretty much as an independent entity through all of this change. And listening to Chris … It’s amazing! You can’t detect any stress at all.

Chris, it’s great to have you here with us on 14 Minutes of SaaS.

Chris Wysopal

Oh, it’s great to be here talking to you.

Stephen Cummins

Are you enjoying RISE?

Chris Wysopal

Absolutely! It’s always fun to meet all the people that are speaking. Meet the people coming. It’s a great time.

Stephen Cummins

That’s very cool. Tell us a little bit about your life history before you got into the working world.

Chris Wysopal

Yeah, sure. So when I was a kid … I was always pretty curious about science and technology. So I would, you know, do my own, you know, chemistry experiments … take my parents’ phone apart. I was always interested in figuring out, you know, how things work and, I think that served me well because I was just curious when computers came on the scene. I was really curious about like, how do they work? How do they connect to each other? How does the inside work? What does the software thing? So I was very curious about computers when I … when I was first introduced to them in high school. I’m showing my age there.

Stephen Cummins

Yeah, that’s okay. I’m no spring chicken myself, Chris. So you had a lot of technology focused roles over your lifetime. There’s a tremendous amount of focus in there. Security seems to be the connecting thread between all of that. Could you tell us about some of those roles and how they helped form the entrepreneur you became today?

Chris Wysopal

Yeah, sure. So my first job out of college was as a software engineer. I went to school for computer systems engineering. I wasn’t sure whether I want to do hardware or software and that’s kind of a degree where you learn both. So I don’t have a deep, you know, computer science background – but I fell in love with the software side. And that was my first job and I was just a regular developer developing code. And I did that for a few years. And then in 1993, in the US anyway, the public internet became a thing. And I started to say ‘How do I get access to this?’ ‘How do I explore it?’ And pretty quickly I realized that security was going to be a big deal … because trying to run software … This is something we were thinking about at the company at the time … at Lotus Development … we were thinking about … ‘Can we get our software to run on the internet?’ … and I just saw that there was going to be all kinds of security issues to letting anyone in the world, you know, connect up to your computer.

So that got me excited about security.

Stephen Cummins

Yeah. And then post Lotus … what other roles did you have?

Chris Wysopal

So post Lotus … I worked at Lotus for 7 years and I kinda regret I stayed that long … and one day I woke up and I said ‘Wow! If I don’t leave my first job, I’ll just work here the rest of my life. So what am I doing?’ So I left to kind of explore the dotcom scene which was starting to happen in the mid nineties … and I worked with a company called Radnet … and I think I was employee number five … and that was my first startup experience. We grew to probably about 70 to 100 people. I can’t … I can’t remember. But, yeah, we had a couple of rounds of funding, but ultimately was a failure. But I learned about working at a small company – sort of doing everything yourself and all that.

So I kinda got this startup bug back then. And then I said to myself, ‘I really want to become a security professional’ … and that’s a little bit of a career change, right? You have to leave a software development job and take on a security job – which at the time was really IT security – at like an enterprise. So I got a job at a company called BBNN. And they were one of the first companies that built the internet –  they were a networking company in Cambridge, Massachusetts. And they built the first, you know, network devices that connected the old early DARPA net. Before the internet. So they had been around for like 15 to 20 years before I came on the scene. But I learned security there from all these networking guys trying to do corporate security. I said this is something that I want to do.

And really, I came to the conclusion, I wanna combine the security aspect of my knowledge with the software aspect of my knowledge. And so, the next job I took was as a consultant at a company called At Stake. Another startup company. I think it’s probably like employee number 10 to 15.

Stephen Cummins

Wow! Again.

Chris Wysopal

So I went back to a small company. We kind of at At Stake pioneered the idea of an independent, you know, security consulting company. At the time it was big accounting firms … you know, they still do that today … but back in 2000 it was just big accounting firms or product companies like a Symantec … they would help you install their software. So we took the approach of we wanted to be like hackers. We wanted to do you know, penetration testing. We wanted to, you know, audit your code and look for the holes in the code.

So we took a hacker mindset to consulting and built a new kind of consulting company. And that’s I think … my time at At Stake was only about four years … but there were a lot of talented people poured in from the hacker world … and from places like the NSA. And it was just a confluence of very smart people trying to figure out ‘How do you help big companies do security in the new world of the internet?’

Stephen Cummins

So I interviewed a guy called Kolton Andrus from Gremlin … and he’s part of that new wave of chaos engineering and failure as a service. Yeah … so it’s actually been around a lot longer than I thought by the sounds of things … you were kind of doing that for you.

Chris Wysopal

Yeah, we call it sort of adversarial testing, right. Like… like so modeling what the attacker would do is a way to see how resilient your software is going to be. And if you don’t do it yourself, the attackers are going to do it for you.

Stephen Cummins

Okay… okay. Kolton was saying they do it in the production environment. Do you guys do it in the production environment?

Chris Wysopal

So, we would be … we would do it ideally during the software development process. So while they’re building the software, we would review what they were doing … like we would review their code. And then we would do manual testing on the software. And so I did that for about four or five years at At Stake. We got bought by Symantec.

At the time we were building some really cool tools at At Stake to do this. We are trying to automate as much as we could. And then after Symantec bought us, I said ‘Wow, this is a big well funded software company. They’re gonna wanna fund all these really cool tools we’re building and make them into products.’ We were a consulting company, right. They didn’t want to have anything to do with it. And they’re like ‘No, we’re really an anti-virus or a gateway company. We don’t do the kinds of security tools that you’re talking about’ … which ended up being the best thing that ever happened to my career because it forced me … because I believed in what we were doing, we were automating the things that I thought software developers needed. It forced me to say, ‘hey, I’m gonna leave Symantec. I’m going to go start a company to do this.’

So, you know, starting a company, sometimes you need like a push somehow. Like you need … like if you have that, you know, sweet situation where everything’s great … you know … but this is like I had worked on all this stuff and I was going down a particular path and they were like ‘we’re not gonna do that anymore.’

Stephen Cummins

And your timing was good too.

Chris Wysopal

And the timing was good. So that really forced me and my co-founder Christian Riu to say ‘Let’s leave Symantec and let’s start a company doing the things we want to do.’

Stephen Cummins

Okay. Great stuff. And how did you go about getting product market fit, or did you pretty much know what that was already?

Chris Wysopal

We kind of knew because we were … and this is one of those things which is like building technology at a consulting company is both good and bad … the good part is you can just try it on your customers, right. Consultants can use the technology and try it on your customers to give you feedback … your consultants plus the customer makes that market … helps make that market fit. The problem is at a consulting company the financial business model is not set up to invest for a year or two on product – it’s constantly trying to get new two week to four week engagements in and doing those things. So we … we actually thought about productising at the consulting company … and we just couldn’t do it. We couldn’t get our heads around how could we get the funding and the business model just wasn’t suited.

So I feel the one thing we got out of it was the early product market fit. You know it still took us another year of talking to customers outside of the consulting realm saying like ‘You know … if we provided this, you know, capability, this service to you … how would you put it into your workflows?’

Stephen Cummins

How has the big acquisition that’s happened … how has that changed life for Veracode?

Chris Wysopal

You know – it really hasn’t changed a lot. CA has been going down this path … so CA acquired us about 16 months ago now, okay. They, the last four or five years, have adopted a strategy of growing through SaaS acquisitions and trying to grow them as opposed to … you might be used to the old CA of 10 years ago which was buying, you know, sort of declining assets and making the long tail of license fees, right? That doesn’t really work anymore because of cloud computing, because of SaaS. The idea of buying on premise software and getting stuck with it isn’t something companies do anymore, yeah. So they’ve really shifted the last five years to focus on subscriptions and SaaS. And when you know – this is something we’ve been doing at Veracode for 12 years – so we are a very early SaaS company – especially in the security world. And so, as opposed to CA coming and saying ‘We’ll make you better Veracode, we’re a big software company and we’ve been around for a long time. We’ll make you better.’

It’s the opposite. They’re saying ‘Veracode … come help make us better! We want to learn: How do you manage a SaaS business? How do you have a solution services team that works between the SaaS business and the customer? How do you do that? What’s your go-to-market funnel like for like a subscription business?’ … So as opposed to them telling us what to do … it feels like we’re telling them what to do … and they’re listening. They’re making the company better by learning from the acquisitions they have … which is the exact opposite experience I had when Symantec acquired At Stake.

Stephen Cummins

So it’s a real positive.

Chris Wysopal

It’s been a real positive. And, I feel like we’re getting more and more investment now that we’re, you know, we’re able to invest more in our technology. And the other big difference is distribution. You know, that’s something that always startup companies struggle with. If you already have all that. Yeah, you know, if you have something good like that, just put it through that channel.

Stephen Cummins

Veracode is an applications security company founded in 2006 and based out of Burlington, Massachusetts, with offices all over the world including London, Singapore, San Francisco and New York. It raised over $114M dollars before the flurry of acquisitions activity. It has 713 employees, that’s a 25% increase over the last 2 years. Employees stay an average of almost 3 years.

In the next and concluding episode with Chris Wysopal, we learn about a company he advises that has created a field called People Analytics – founded by three PhDs from MIT. And it’s all about helping companies work better based on the physical space they work in. And we’ll learn about Chris’s activities in the Black Hat security community.

You’ve been listening to 14 minutes of SaaS. Thanks to Mike Quill for his creativity and problem solving skills and to Ketsu for the music. This episode was brought to you by me, Stephen Cummins. If you enjoy the podcast, please don’t forget to share it with your network, subscribe to the series and give the show a rating.
