‘Hack yourself before others do’: Bikash Barai, iViZ

Rashi Varshney

NEW DELHI, INDIA: iViZ Security, a leading provider of cloud-based application security testing, recently launched ‘3D Unlimited Application Security Testing’ in India, a flexible testing model in which customers can test any number of applications serially, any number of times, to any depth they want, giving them three-way flexibility at a fixed fee. The Bangalore-based iViZ was acquired last year by Cigital Inc., a US-based software security services and products company.

In an interview with CIOL, Bikash Barai, Co-Founder & CEO of iViZ, spoke about cyber crime and ethical hacking, along with the opportunities and challenges in the Indian market and the company’s approach to addressing them.

Edited Excerpts

What are the implications of cyber crimes on the enterprises? Who are the targets?

Depending on the organization, the implications could be manifold. It might lead to direct loss of revenue, loss of reputation due to a compromise, or legal challenges due to loss of private user information. There can be a breach of regulatory compliance requirements, which could lead to hefty fines or loss of license to operate.

We have got some hackers who hack with a financial motive. The primary target sectors for them would be banking, the financial sector, Internet portals that store credit card information, etc. They may also target individuals with ransomware. There is another set of hackers who hack as a part of cyber warfare. They target organizations which are part of national critical infrastructure, like telcos, oil and gas companies, etc. They also target individuals in ministries and media persons who have access to critical information. There are also hackers who are part of corporate espionage, who may hack organizations with intellectual property or any competing company for intelligence gathering. We also have hackers who hack for fun.

Can you tell us about ethical hacking in the cloud? How popular is ethical hacking?

A long time back, ethical hacking was done by highly skilled security professionals. Gradually automated tools came into being. Though the tools make things easier and faster, they are not good enough for quality. You still need people to run them. In the next wave of change emerged the Software as a Service model, where you need not buy any tool or hire people. You can simply run it from the cloud and test any system or application. This made things more scalable.

Ethical hacking is popular and is also one of the mandatory requirements for various compliances. Today we have more requirements for testing than the number of trained professionals. The industry is in dire need of well-trained penetration testers.

What are the benefits of cloud based testing?

Conventionally one needs to buy security testing products, buy hardware, install them and run them. You need a lot of time, money and human effort. Cloud based testing eliminates all such hassle. You can simply create an account online and start testing. No software. No hardware. No expensive consultants.

How can vulnerability assessment and penetration testing help? Is it foolproof?

Vulnerability assessment or penetration testing can help organizations find the security flaws in their systems or applications before hackers find them. The exercise also tells them how to fix such flaws. The idea is to hack yourself before others do.

Any form of testing, including security testing, cannot be 100% complete. There are several attack vectors or attack techniques which are not known today and will be discovered tomorrow. So in a way you will always have security flaws. The goal is to find and fix all the flaws that are known as of today. This will help you to prevent getting hacked by hackers with skills and knowledge relevant today. You can always get hacked by a Zero Day technique, i.e. a technique which was not known before. For such attacks you need to have a good detection and response mechanism. I often say security is like the happiness problem. There is no single way to be happy. And you cannot always be happy.

What is the state of Cyber Security in India?

India has been fortunate in several areas by being a late adopter. By being a late adopter of technology, a lot of our technology is more recent and more modern than the western world's. However, being a late adopter of security technology cannot provide the same advantage. As an industry we are late adopters. We are price sensitive. At iViZ we work with German companies. They are price sensitive too, but they never compromise on quality. In India we compromise on quality. We are late adopters and we are not quality sensitive. That’s the problem.

What do you think about the government's role in tackling cyber security in India? What is your take on the Government’s initiatives to tackle e-threats?

Government needs to play a huge role in security. Today warfare is no longer bound to air, navy or army. People talk about cyber warfare. I do not believe in a single standalone entity of cyber warfare. When we came up with airplanes, people talked about air warfare. Today if there is a war, it is a combination of everything. The navy doesn't just have battleships; it also has fighter jets. War is an all-integrated thing. The same will happen with so-called cyber war. We will have war where army, air, navy and cyber will play an integrated role.

The government needs to play a bigger role in defining the cyber security charter. There should be a healthy mix of the industry, government and academia in such think tanks. We need specialist technology builders, hackers, policy makers, professors, practitioners etc. If we do not have such a good mix of right people we will not be able to address cyber security in a holistic manner. This is not a conventional problem. So if we are doing something conventional it won’t help.

What are the challenges in the Indian market, and what is your company’s approach to addressing them?

Let me speak from both the global and the Indian context. There are more than 1 billion web and mobile applications which need online security testing. However, the challenge is that the automated testing tools produce a lot of false positives and cannot cover 40 to 50% of the threat classes, including the Business Logic Vulnerabilities. On the other hand, manual testing is good in quality, but it is very costly and is also not scalable. In fact, we do not have enough humans on earth to test all the billion applications on a regular basis.

Our vision is to provide high-quality security testing that is scalable and affordable over the cloud, and thus help in securing online applications from hacking attacks. iViZ is the first company in the world to take network penetration testing to the cloud. Eventually we started providing application security testing over the cloud, and today there are more than 500 global enterprises that use us.

iViZ is trying to solve the above industry problem by leveraging its patent-pending "Hybrid Testing Approach" that combines automation, workflow automation, attack path simulation and manual testing. We have built a new way of conducting application security testing, similar to the Ford assembly line model of manufacturing.