Sydney startup Secure Code Warrior has developed a vibrant business based on using game-playing techniques to teach developers how to code securely. This gamification technique is proving a great success – but the company is unable to reference its biggest customer sites.
“We have a major bank in Australia and a major telco in the US using our product, but unfortunately we can’t say who they are,” says CEO and co-founder Pieter Danhieux. “It’s unfortunate and it’s crazy, but that’s the way it is.”
InnovationAus.com talks to many startups, and this is a common problem in Australia. Few customers want to be reference sites for startup companies, or even to let their name be known.
It might be because they want to maintain a competitive advantage, or to cover themselves if something goes wrong, but it seems it is mostly because that is just the way things are done.
Mr Danhieux contrasts this with the most successful startup market in the world, Israel. “HP in Israel is looking at our product and has said it’s fine to mention them. Everybody in Israel does it! Lots of big companies work with startups, and they say that if they believe in you, you can use their name.”
Even though the name cannot be published, the contract Secure Code Warrior has signed with the large local bank has taken it to the next stage of its growth. It is a three-year contract involving hundreds of developers, who are using Secure Code Warrior to ensure that the code they build does not need to be subsequently retrofitted to make it secure.
Secure Code Warrior does have two referenceable accounts in Australia – Tyro Payments, which does payment terminals for credit cards, and Sportsbet in Melbourne. It has also signed some small development companies in Europe.
The company was founded in January 2015 by Mr Danhieux, a 35-year-old Belgian living in Sydney, and John Fitzgerald, a 55-year-old Irishman living in London, who has provided the startup funding.
The two had met previously when working for aerospace company BAE in Europe, and had seen the security shortcomings in existing coding practices.
“Secure Code Warrior is a suite of interactive learning scenarios that enable developers to master secure coding techniques in different development languages and frameworks,” explains Mr Danhieux.
“It goes beyond the classic multiple choice techniques and offers games-like challenges where software design and code needs to be analysed for security weaknesses. Once identified, the developer needs to modify the code to remediate or mitigate the weaknesses.”
The ‘gamification’ techniques it uses are borrowed from the world of video games. “Secure Code Warrior is a gamey type name. The whole brand is all geeky and gamey. We’ve worked with so many designers for the platform, and they all failed. So we decided to follow our gut instinct. We’re geeks! And as a result people really love the platform.
“With standard waterfall development, you patched up the security at the end. But with agile development, you can’t do that. The developer needs to build security into the code, and test his own code. That is one of the reasons why the banks are jumping on the concept of teaching their developers, because they know the old model is not suitable anymore.”
As security becomes a bigger issue at all levels of the ICT industry, there is increasing emphasis on building security in – so-called ‘security by design’ – rather than adding it on later. Mr Danhieux says the current training for developers and coders is really not effective.
“It teaches them nothing about security. They graduate from university not having been taught about security. They don’t get trained at all. Nothing.
“If you look at other jobs, like an engineer, or a doctor, it’s almost unimaginable to think that they don’t get trained about patient safety. We are graduating thousands of developers every year, and nobody tells them about security. With security becoming so much more of an issue, it’s become one of the key skills they should have. Employers demand it.
“Developers don’t care enough about security, or more likely they think it isn’t their problem. They continuously get pushed to deliver functionality at all times, not to develop robust and secure code.”
Secure Code Warrior now has five full-time staff in the Sydney CBD. InnovationAus.com asked Mr Danhieux if the company was seeking funding for its next round of growth.
“I think we can survive without it, and I want to stretch that process as much as possible. You dilute your equity every time you get funding, and it puts an end-date on your company. The VCs have a different agenda than you, and they usually work on five years or so.
“But I do know that this product is going to sell way more overseas than in Australia. We have a good base covered in Australia, we have a lot of traction in the financial industry. It’s time that we focus more on our target market, which is the US, and to a lesser extent Europe.
“Getting the bank is a big deal for us, because it’s a guaranteed income for the next three years. That’s important because we need to stay ahead of our competition.
“Our concept has been picked up around the world by several big players. I know, because they have created accounts on our platform to test it out and see what we’re doing.
“We need to make sure there’s enough drive and funding in the organisation to stay ahead, because these other guys are going to start competing with us with something similar. That’s the only thing that could maybe force the decision to look at more funding – we might need to hire a lot more people quickly.”
How has the experience been, building a company like this in Australia? “At times I have felt kind of isolated, not knowing where to get help,” says Mr Danhieux. “We’re probably one of the only cyber-security startups in Sydney.
“The regulatory environment in Australia is pretty easy, except when dealing with government. We’ve intentionally stayed away from Canberra, and all the potential we have there, because it’s just too regulated. We can’t even get started.
“In the commercial world, I have found that Australia is not actually relaxed, but is doable. I was expecting the banks to be really hard, and to put stringent rules on us, but they’ve been very flexible and very accommodating.”