07 Jan 2010
V3.co.uk: What trends in application security do you predict for 2010?
Matt Moynahan: We obviously have hacking now being criminally motivated, so it has moved from script kiddie to follow-the-money behaviour. Then we've had an explosion in devices and content, a proliferation of activity making it easier for the hackers to follow the money. There is a proliferation of applications written by unknown developers out there, and no security hurdles are being put on these apps. To be honest it's a mess out there. In the past, hackers would go direct to create infection, whether by spam or going to a website, but now the trend is more indirect, so we're also likely to see people compromising the supply chain for code.
Can you explain more about this new trend?
Third-party content is exploding, and the percentage of content in applications which you own is decreasing. People are often taking the 'integration glue' off the internet, for example. It happens all the time. So there is a concern that a low-waged developer could be paid to put vulnerabilities into this code. No-one knows about it and no-one seems to be checking it.
Is this likely to change in the next 12 months?
Yes, in 2010 we'll see big enterprises require third-party security audits of all the code in their organisation. Very large customers are already doing them. Now that technologies like ours exist there is no reason not to do it. If I look across the internet - at social networks, iPhone applications and so on - there is no trust, and we could see the models of Facebook and others breaking down because no-one knows the code.
Are we likely to see the hackers target different types of information in the future?
We certainly haven't seen a major hack of a healthcare provider yet. Most of the black market is driven by credit card data or social security data, but we'll see that change with a major hack of a healthcare provider. All data has a currency attached to it. The concerns right now are around the security of marketing and earnings information. People could exploit vulnerabilities in e-trade applications and short sell based on financial information. We'll see the brokering of information increasingly as a currency. How much would you pay for Coca-Cola's secret recipe, for example? A lot if you're Pepsi.
Should legislators mandate the writing and publication of only secure code, or is that unworkable?
You must remember it doesn't need to be perfect in this case, just to meet acceptable and pre-defined standards. I think we are reaching a tipping point where eventually every piece of code will have to be scanned. Government outsources development of code so it's taking this one very seriously indeed. We'll start to see things creep into the Common Criteria.
Is open-source code inherently any more or less secure than proprietary code?
All code is generally bad whether it's commercial or open source. According to our latest figures, around 75 per cent of applications fail on first submission. Open-source projects had a larger proportion of higher severity flaws compared to commercial software, but fixes were done more quickly and efficiently because there were more eyeballs on the code, and you could say that there was more pride taken.