Skip to main content

Q&A with Cloud-Based Application Penetration Testing Company iViZ Security

By March 5, 2013Article

Editor’s note: iViZ Security “takes ethical hacking to the cloud,” says Bikash Barai, its co-founder, CEO and director. Currently iViZ focuses on cloud-based penetration testing services for Web applications. He shares insights for other entrepreneurs about lessons learned in finding a market and growing a startup. This article is brought to SandHill readers in partnership with ProductNation.  Please describe your product and your market. 

Bikash Barai: We provide application security testing in the cloud. The idea is to hack yourself before others do. We figure out the flaws and also provide the recommendation to fix them. We conduct tests so that you can protect your website from hacking attacks like cross-site scripting, XSS, business logic flaws and many others.

Our solution is beneficial not just from the perspective of security/business continuity but also for compliance with PCI, SOX, HIPAA, etc. Today for any company doing serious business, it is mandatory to conduct such tests.

We primarily focus on verticals like banking/insurance, online/ecommerce and manufacturing. Basically anybody who has an online application that is critical for running their business finds us useful. Please describe your product’s differentiation and how it provides business value for your customers. 

Bikash Barai: Let me first talk about the customer problem before I get into the differentiation. If you have to conduct a penetration testing/security testing, there are a couple of conventional options. One is that you buy tools and the other to hire consultants. The tools throw a lot of false positives (vulnerabilities that are not true) and also cannot detect advanced business logic vulnerabilities. So you need to hire an expert who will have to augment these gaps manually. But the biggest problem is to hire enough good guys and retain them. On the other hand consultants are costly, non-scalable, time-consuming and also not flexible to work during non-business hours.

Our differentiation is that, unlike any other competing products, we provide advanced business logic testing by leveraging our patent-pending “hybrid approach” that integrates automation with manual testing by security experts. So you need not buy tools or hire people/consultants. Unlike consultants, you can test anytime, anywhere. For organizations that make frequent changes in their applications, we provide unlimited testing at a flat fee. How did your company originate — what inspired you to launch the company and what was the original vision/hope? 

Bikash Barai: While studying at IIT (Indian Institute of Technology), I approached Nilanjan De (the current CTO of iViZ) for collaborating on a possible venture on ethical hacking. We made the decision in our hostel room. And that’s how the company was born.

While conducting a conventional penetration testing exercise, it dawned on us that even as security experts we could not comprehensively detect all multi-stage attack-path possibilities. Especially, once a network is successfully broken into, people tend to become complacent and the incentive to find all ways to penetrate diminishes.

To overcome this barrier related to basic human instinct, we began in 2005 exploring the use of artificial intelligence to simulate all multi-stage attack possibilities. We built a prototype and refined it over nine months and then stabilized it after testing it in several environments. Thus, the automated penetration testing product was born. This technology is currently under “patent pending” with the US Patents & Trademark Office. We formally launched our company in 2007 in Kolkata, India. In what ways did you change your product development along the way from what you originally envisioned?

Bikash Barai: After successful installation of the product in a few client organizations, we realized that it is extremely difficult for an organization to hire good security persons and it is more difficult to retain them. Hence, they didn’t have enough people to run the tool. We felt that a penetration testing which can be done anytime, anywhere was the need of the day. So we decided to move to the cloud and host the tool in the Software-as-a-Service model. Thus the world’s first on-demand penetration testing was born!

Also, we started off in the field of network testing and from there moved to application testing. We noticed that network security testing was getting commoditized with very little growth and we understood that for an early stage company we need to be in an emerging area. So we transitioned to application testing. What does the name iViZ stand for? 

Bikash Barai: Innovative vision. Funnily, when we started we didn’t have a clear vision. So we added the word innovative, hoping innovation would lead to better clarity someday. How did you determine the right pricing for your product? 

Bikash Barai: Our pricing has been defined from the perspective of the competition and alternative solutions. We spent a lot of time for the pricing discovery. Finally we ended up with the model where we offer better ROI in terms of quality as well price compared to our primary competition. So our pitch is better quality results with a marginally lower price. In security, people do not want to buy a cheap lock. So we emphasize quality rather than price. If you could go back and do it all over again, from the time you first began your position with your company, what would you do differently the second time around? 

Bikash Barai: Not hire the sales guys early on. I made the mistake of spending more money before going through the sales learning curve. As a result by the time I completely figured out the game, I also ended up losing a lot of valuable money. I learned that you shouldn’t hire expensive sales guys until you have figured out the sales learning curve and can sell your solution in auto-pilot mode. Sometimes VCs push startup founders to spend more and grow fast. But it takes nine months to deliver a baby. It is better not to press the fast-forward button at the wrong time. If you could spend an afternoon this month with a top exec in a well-established software firm to learn some insights from the exec, who would you choose? 

Bikash Barai: Marc Benioff from Salesforce. He built the phenomenon of SaaS and iViZ is also in SaaS. One year back it would have been Steve Jobs. My passion for painting, magic and technology and Steve’s passion for art and technology would have made it exciting. The last interesting book I read was the biography of Steve Jobs. What non-software business or social leader has most influenced your approach to your personal life or your career? 

Bikash Barai: Vivekananda and Gandhi are two of them. Vivekananda is a great example of how open one can be even while being a religious leader. I took some time to understand Gandhi and his leadership. It is intricate and unique to unify such a diverse mass like that of India. It’s not just about what he did but also about how he did it. What have you as the company leader found it necessary to do in order to build a corporate environment that will enable your employees to move beyond the early stage of a startup? 

Bikash Barai: This is a very critical element and is a vast field. If there is only one thing that I have to mention, I would talk about “immediate and assured feedback.” It is important to give feedback (both appreciation and criticism) immediately. And you need to do it every time there is something good or bad, i.e., it has to be assured. It is not about how impactful or dramatic you can make the feedback; it is about the absolute surety of your feedback. Culture is not built in a day with a big-bang approach but with persistence and discipline. Besides the lessons learned you have already mentioned, what is your top advice for first-time entrepreneurs or startup CEOs? 

Bikash Barai: One of the most important things is not to “get married.” By that I mean not married to a single idea. Ideas need to evolve, and one has to remain open to change. Being open is the most important part of being an entrepreneur. The other important thing is not to get excited with “I’ve got a great idea.” In fact, what is exciting is “I figured out a big unsolved problem.” Who are the investors and advisors behind your company? 

Bikash Barai: Our company is funded by IDG Ventures. We have on our board our co-founder Nilanjan De; Sudhir Sethi and Karan Mohla from IDG Ventures; and Reuel Ghosh, who is a successful serial entrepreneur. What do the next 12 months hold for your company?

Bikash Barai: Our major focus right now is to build sales in the USA. On the technology front, we are working on some major integration with complementary technologies and continuous improvement. In the field of security it is a continuous race with hackers. We need to keep on running. What is something you’ve wanted to do for a long time but haven’t done yet? 

Bikash Barai: Start a magic show and have a painting exhibition. I like mentalism and mind-reading and not the usual “rabbit out of hat” magic. I used to do stage shows during my time at the Indian Institute of Technology. I have to do both of these sometime soon. 

Bikash Barai is the co-founder, CEO and director of iViZ Security. He specializes in network security and simulation of a hacker’s mind using artificial intelligence, cognitive hacking, social engineering and attack simulation. He is credited for several innovations in the domain of network security and anti-spam technologies and has patents filed under his name. Bikash is also an active speaker at various platforms such as Nasscom, University of California – Berkeley, NUS Singapore, Global Security Challenge and TiE.

Copy link
Powered by Social Snap