If you’ve been following our social media updates, you’ll know that last week we came out of stealth mode to join our industry colleagues at AppSec California 2016 in beautiful Santa Monica, CA. While Virsec did not present at the conference, we were present in a big way. We got a chance to speak with many AppSec professionals that were attending and appreciated the opportunity to participate with the good work being done by the Open Web Application Security Project (OWASP).
This was our first public event where we spoke openly about what we are doing. We unveiled our big claim of ‘no false positives’ under the unified cyber-attack and data breach protection umbrella. The response was everything from healthy skepticism to unbridled enthusiasm. The healthy skepticism is understood, because most of us are engineers and by nature engineers are taught to dissect and analyze, but also because security industry vendors have tended to over-promote in the past and leave a lot to be desired. On Day 2, Jeremiah Grossman, founder and CTO of WhiteHat Security, keynoted and talked about holding vendors responsible for their claims and that the future should require vendors to offer guarantees. While a guarantee is not a possibility today given our stage in this journey, it’s something we’ll consider for the future given the proof points we’ve already amassed on our solution that substantiates our approach.
The unbridled enthusiasm came from several prospects (one of which has suffered a major public breach that has been in the news). These prospects quickly understood the differentiation around server-side cyber-attack protection and OWASP type app vulnerability exploits. They also understood that the threat vector comes from two places: through the application and below the application in its infrastructure. Candidly, they acknowledged the fact that they *knew* bad actors were on their network, and that they couldn’t pinpoint exactly where they were or stop them. To these people, the deep memory protection against underlying application binaries was relevant and necessary. This is the problem that Virsec was created to solve.
They knowingly grinned when we asked whether keeping patches up-to-date of the application binaries was keeping them safe. The fact is, a large percentage of companies do not keep up with patching regularly needed to stay safe. We also know that by the time a CVE comes out for zero-day vulnerability, it’s been out there in the wild for anywhere between 7 and 10 months, so even disciplined patching isn’t a save all.
It was these customers that really resonated with our Trusted Execution and AppMAP approach that gives us a chance to virtually patch even zero-day exploits. As prospects and our customers learn to grasp this approach, interest level soars. We are glad we got to share it with the AppSec Cali community.