Q&A with Cloud-Based Application Penetration Testing Company iViZ Security

iViZ Security “takes ethical hacking to the cloud,” says Bikash Barai, its co-founder, CEO and director. Currently iViZ focuses on cloud-based penetration testing services for Web applications. He shares insights for other entrepreneurs about lessons learned in finding a market and growing a startup. This article is brought to SandHill readers in partnership with ProductNation. 

SandHill.com: Please describe your product and your market.

Bikash Barai: We provide application security testing in the cloud. The idea is to hack yourself before others do. We figure out the flaws and also provide the recommendation to fix them. We conduct tests so that you can protect your website from hacking attacks like cross-site scripting, XSS, business logic flaws and many others.

Our solution is beneficial not just from the perspective of security/business continuity but also for compliance with PCI, SOX, HIPAA, etc. Today for any company doing serious business, it is mandatory to conduct such tests.

We primarily focus on verticals like banking/insurance, online/ecommerce and manufacturing. Basically anybody who has an online application that is critical for running their business finds us useful. 

SandHill.com: Please describe your product’s differentiation and how it provides business value for your customers.

Bikash Barai: Let me first talk about the customer problem before I get into the differentiation. If you have to conduct penetration testing/security testing, there are a couple of conventional options. One is that you buy tools and the other is to hire consultants. The tools throw a lot of false positives (vulnerabilities that are not true) and also cannot detect advanced business logic vulnerabilities. So you need to hire an expert who will have to augment these gaps manually. But the biggest problem is to hire enough good guys and retain them. On the other hand, consultants are costly, non-scalable, time-consuming and also not flexible to work during non-business hours.

Our differentiation is that, unlike any other competing product, we provide advanced business logic testing by leveraging our patent-pending “hybrid approach” that integrates automation with manual testing by security experts. So you need not buy tools or hire people/consultants. Unlike consultants, you can test anytime, anywhere. For organizations that make frequent changes in their applications, we provide unlimited testing at a flat fee.

SandHill.com: How did your company originate — what inspired you to launch the company and what was the original vision/hope? 

Bikash Barai: While studying at IIT (Indian Institute of Technology), I approached Nilanjan De (the current CTO of iViZ) for collaborating on a possible venture on ethical hacking. We made the decision in our hostel room. And that’s how the company was born.

While conducting a conventional penetration testing exercise, it dawned on us that even as security experts we could not comprehensively detect all multi-stage attack-path possibilities. Especially, once a network is successfully broken into, people tend to become complacent and the incentive to find all ways to penetrate diminishes.

To overcome this barrier related to basic human instinct, we began in 2005 exploring the use of artificial intelligence to simulate all multi-stage attack possibilities. We built a prototype and refined it over nine months and then stabilized it after testing it in several environments. Thus, the automated penetration testing product was born. This technology is currently under “patent pending” with the US Patents & Trademark Office. We formally launched our company in 2007 in Kolkata, India.

Read the complete story at Sandhill.com