May 12, 2021

Software Security Gurus Webcast: Episode #2 - Dr. Chenxi Wang

Welcome to the Software Security Gurus webcast with Matias Madou.

In this episode, Matias interviews Dr. Chenxi Wang, cybersecurity expert and founder of Rain Capital, a venture capital firm focused on cyber-related startups. They discuss everything from their shared academic backgrounds to future movements in the security industry, including investment trends, championing diversity, and whether reactive security still has a place in the industry.

Introduction: 0:00-01:26
20 years of academic contribution in cybersecurity: 01:26-09:23
Investment landscape with Rain Capital: 09:23-17:32
Diversity and women in technology: 17:32-24:33

Read the transcription:

An introduction to our latest guru, Dr. Chenxi Wang.

Matias Madou (00:08):

Welcome to the Software Security Gurus webcast. I'm your host, Matias Madou, CTO and co-founder of Secure Code Warrior. This webcast is co-sponsored by Secure Code Warrior. For more information, see www.softwaresecuritygurus.com. This is the second in a series of interviews with security gurus and I'm super pleased to have with me today Dr. Chenxi Wang. Welcome, Chenxi.

Dr. Chenxi Wang (00:33):

Thank you Matias. Thank you for having me.

Matias Madou (00:35):

Absolutely. Hey Chenxi, do you mind saying a few words about yourself?

Dr. Chenxi Wang (00:40):

Sure. So my name is Chenxi Wang. I am a security investor these days. I run a cyber-focused venture fund called Rain Capital and we've been doing investing in cybersecurity early-stage companies since 2018. I'm also sitting on the technical advisory board for Secure Code Warrior, which is another role I have in addition to a few other board responsibilities. Super pleased to be here today.

Matias Madou (01:15):

Fantastic. Chenxi, I'll try to pronounce your name correctly.

Dr. Chenxi Wang (01:21):

Chen-xi. So if you replace X with S, you have it.

Matias Madou (01:26):

Okay. So for today I actually have three topics in mind. If you don't mind. So I hope they are near and dear to your heart. And then for the first topic, I would like to take you 20 years back in time.

Dr. Chenxi Wang (01:41):

Has it been that long? Gosh, yes, 20 years.

20 years of cybersecurity academia, a wealth of knowledge and influence.

Matias Madou (01:47):

20 years. So, so I actually have a PhD from Ghent University and I was working on static analysis and a field which is very related to what you are doing. And your dissertation was actually titled, oh, let me read it out, "Security Architecture for Survivability Mechanisms", and that was from the University of Virginia. And I remembered that control flow flattening was a big thing in there. So when I started like a couple of years after you and I was doing my research, the name Chenxi Wang was some sort of a mythical character for me in the field and then I, I knew your work, but you know, maybe it was like, I was scared to, to reach out to you, and you were the untouchable one. So I think an email would have done it to get in touch with you, but, but I didn't do it. One of your most cited papers that I looked up today was on resisting, obstructing static analysis of programs. So how do you feel about that paper making it hard for static analysis vendors to do an analysis of their program?

Dr. Chenxi Wang (02:55):

Well, it's a, gosh, I don't, it's been so long since I did that piece of research and, and back then it was, the threat models were very different than it is now. So I dealt in today's environment with all the simulators and everything that's going on. This piece of research will have deterred a lot of analysis, code analysis mechanisms, maybe static analysis still. Right. So what's interesting is first of all I had no idea anybody read my dissertation. And so it's really, really nice to know. But my, one of my advisors in grad school is this gentleman called Bill Wulf. Bill was one of the, I would say, grandfathers of computer science and he had done some fundamental operating system research in the early days. One of his systems called Hydra, which is pretty much cited in every operating system textbook.

Dr. Chenxi Wang (04:07):

So, and when I was studying with him and he was actually the president of a, of the National Academy of Engineering and doing professorship part-time and when we were looking at this problem, right? So he was guiding me on different things and I was experimenting with different things. But the flattening of the control graph was actually completely my, what was my thinking under, under his guidance, right. We had done a lot of different mechanisms. So, and what was interesting is several years later, he had given a keynote at a National Academy of Engineering event. And I had not known about this at that time. And later the keynote was made into a paper and I read about it where he actually mentioned my research in the way that he was saying that the approach that we ended up with, flattening of the control graph, was completely not something he had expected.

Dr. Chenxi Wang (05:20):

Because the directions we were going were very, very mathematical and very different than what we ended up doing. And he credited that to a different way of thinking that, that, that I brought into the discussion and a different background that I was trained with. And you know, it's due to another topic that we might discuss today, diversity of background diversity of thinking. But what was really interesting to me was he, what he said in the keynote was that a, a different view on the problem that can lead to a completely new approach that, that a traditional thinking would not allow you to have. So he was a big proponent of getting talent from different fields and defend even students from psychology, from music or studied with him for computer science and they all brought really different viewpoints to the table.

Dr. Chenxi Wang (06:28):

And, and this research that I did which over the years I got a few pieces of feedback aware was again, really interesting. Like I think two years ago someone reached out to me on LinkedIn, said, Hey, I'm, I'm from DoD, I've been doing work in DoD for a long time and we actually use your control flow flattening methods in some of our code hardening, you know, efforts. And that was really, really nice to know. Really, really nice to see again. So I guess 20 years later I'm proud of that work.

Matias Madou (07:11):

So there are people that are reaching out and they're still using it. Then actually I was wondering how you came to that subject like, because static analysis like 20 years ago, it was not about finding SQL injection or cross-site scripting. It was program analysis and doing data flow analysis and control flow analysis, but for different purposes, right. They were doing code optimizations or, so I was wondering how you came to that subject of obfuscation.

Dr. Chenxi Wang (07:38):

I remember it. I so, oh, obvious because that's because the one of the questions we were discussing in the research meetings was can we run code in a secure and so ensuring its integrity, executing integrity in an environment that is not trustworthy. And, and that was sort of tossed around as a, as a topic that cannot be achieved. And we were like, oh, you know, we can, we can make it harder. And, and honestly, the, the research I did made it harder, didn't make it impossible, but that was a question that stuck in my mind. After a few research meetings and, and then I said, well, maybe we could do something and let's think about what we can do. And I also remember another conversation I had with professor Jack Davidson, you know, Jack's research, right?

Dr. Chenxi Wang (08:38):

And also at UVA. And so we were discussing this and I was already, you know, talking about various things to, to deter static analysis and, and he had an insight, which I would say eventually led to this approach was that he said everything we do in programming is sort of deterministic in some ways, but even though it's ultimately it's not a, not deterministic, like he said in terms of static analysis, a lot of things are deterministic and he said it would be great if you could inject more dynamic nature or inject non-determinism into the program. So that makes it harder. And that comment, you know, led to this approach. Yeah.

Cybersecurity investment trends with Rain Capital

Matias Madou (09:23):

No, it was an absolutely novel technique and, and I think in the, in the, in the four years that I was working on that subject, I didn't come across a lot of novel things in that area. And, and you know, I'm not sure why that was. It was actually hard to, to scramble things around in applications to, to hide the inner workings. Yeah. So let's, let's shift gears a little bit then. Let's, let's come back to today. 20 years later. So you're an investor as well as an advisor. And thank you for being on the technical advisory board for Secure Code Warrior. Before that you've spent six years doing, you were a research VP at Forrester. So I think in the last decade you've seen a lot of pitches from, from organizations that either wanted to have money or wanted to be noticed by an analyst. Where do you think today there's an opportunity in the, in the software security market, where do you think we still have some untapped ground for new organizations?

Dr. Chenxi Wang (10:25):

So I think in general the security market has matured quite a bit in the last 20 years, right? So when I started in this market really is about anti-malware and network security firewalls and that's it, right? And you buy endpoint antivirus and you buy, you know, Check Point or Cisco firewall and you get to go. The models have morphed from that considerably as well as our, the complexity of our environment. And with those two factors you, our protection mechanism has to rise up. I would say from the infrastructure level to more the data level, to more of the application level. And, and most specifically, if you look at network security, right? So more and more end-to-end encryption is being deployed everywhere. So that means network security is just really just rendered to metadata analysis, right?

Dr. Chenxi Wang (11:27):

Analysis metadata. It's really hard to look into the payload anymore. And going forward will be even less so. So and any security technologists were looking at this and say, yeah, when you to push things more into application, we need to push things more into the at the data level. And what that means is your security mechanism, I relying on your applications a lot more and your protection will have to be at the application level as well. And we all understand that the application level flaws are really what makes a system vulnerable today. The, and, and with that realization, I'm seeing the last maybe two, three years that there's significant uptake in investment in organization's investment and attention being spent on the application security, protection of applications and understanding of vulnerabilities at the application level and, and remediate it.

Dr. Chenxi Wang (12:33):

So before that, I would say application security a lot of times take a, took a sort of the stepsister position to, to network security, but that's no longer the case. Right? So and, and because of that, we are on the, so the venture investment side, we're also looking at application security a lot more seriously. And another factor that I didn't mention, which is also a very, very interesting for application security is the whole DevOps movement. Right? And when you have developers touching your production servers directly and deploying code right from his or her desktop to the server in the cloud, and you have the microservices infrastructure running, you have no luxury to do large expensive code analysis anymore. You have to do application security differently, which also in itself presents innovation opportunity. And, and whenever there's innovation, there's investment, right?

Matias Madou (13:46):

Do you also see a shift to more proactive with that DevSecOps movement? Do you see a shift to more proactive application security or is it still reactive where we're trying to find the problem, to find the bug and then remediate, instead of trying to embed and harden what we're, what we're putting into production?

Dr. Chenxi Wang (14:06):

So I see a little bit, I would say it's not enough. I do see more people looking at doing application security more proactively and certainly companies are on the sophisticated end of that is doing really well in terms of embedding application security measures into the entire stages, including the design and code review and development stages. However, it's not yet a mass market practice. I would say now the, the, we were just discussing DevOps. I think DevOps really is a driving force for you to do more in the, in the so the pipeline stage. Because if you then, if you don't try very hard to embed application security into the the pipelines, the tool chain, then you will, you're left with only possibility is to do penetration testing and, and reactive security measures, which means you always a step behind. Right? So that's the state of things.

Matias Madou (15:17):

I read a blog post about where you said, the eight slides that you need to win over an analyst so that DevOps needs to be in there, I guess.

Dr. Chenxi Wang (15:29):

Yeah. Yeah. So that was, I wrote that post when I left Forrester and I was thinking of my six years there. What I, what I have learned. I, I've sat through many, many hundreds, maybe thousands of presentations and some of them really stay with you and the others you just completely forget. And the ones you, you remember are the ones that articulate the problem really well, doesn't sort of spend too much time on why the market needs this, blah, blah, blah. But, but states the problem and, and, and states why it is interesting and what we're going to do about that, why our team is uniquely qualified to do this. And then give the early market response if you will. Right. And all you have to do is hit these five points and you hit them succinctly, hit them well and provide good proof points, then you have a really good presentation in hand, in your hands. But a lot of the people don't really, don't understand that really well. And, and I've sat through lots of presentations where, you know, kind of roll your eyes and saying, when is this going to be over, get to the next stage. Right. So, and, and when I wrote that post, that was I think, still highly ranked on Google on how to talk to analysts.

Matias Madou (16:56):

Oh yeah. I can see why.

Dr. Chenxi Wang (16:58):

I think it's really a good framework to keep in mind to make presentations not only to analysts, but also to customers as well. Right.

Matias Madou (17:09):

But I also, I think to investors, if you add a couple of slides about the market size and how you, how you market and your pricing model and the opportunity, I think it can be used to investors too.

Dr. Chenxi Wang (17:21):

Yeah. I, I've been asked many times to, to update that post to eight slides to impress your investor. I should, I should.

Women in technology, diversity, and the venture landscape.

Matias Madou (17:32):

So last topic I would like to touch on is, so you're a big advocate for women in technology and diversity in general. I think you made it very clear what you thought about the RSA booth babes back in the day. Your consulting firm is called the Jane Bond Project, with a clear reference that women can save the world too. And I see that you're a co-chair on the security track of Grace Hopper. So I think it's clear that you're a big advocate in, in that area. At Secure Code Warrior we, we generally try to hire the best person for the job and, and ultimately we ended up with a very diverse group of people, race, gender, religion, age. However, when we were talking to cybersecurity investors, we didn't come across a lot of funds like yours where women are in charge. And, I'm trying to get my head around that one and I'm also trying to figure out, you know, is, is that an advantage for your firm? I guess so, or a disadvantage in certain areas. So, so how do you look at women leading an investment firm and, and stacking that up against the traditional firms?

Dr. Chenxi Wang (18:41):

So you're right in the venture space, I think things are changing, but still the case that it's, it's predominantly male dominated. And so I live in Silicon Valley, right? So if I go to Google and Facebook these days, I walk around and I see a ton of women engineers, even if they are still the minority in the, in the company, but you see them, right? When you go to a venture firm, a large firm, you have lunch around the table. It's not, I've done lots of those. And in many cases, I'm the only woman sitting at the table. And I'm even worse that they are women that go in and out of the room carrying coffee. So I spent a year actually thinking about what I would do next, and that image always came to my, to my mind. And I think I started this firm really not for the purpose of changing the venture industry per se, but I was interested in using my background, my expertise in the investment field, which is still a new field to me at the time.

Dr. Chenxi Wang (19:50):

And it was a new challenge and I was interested in tackling a new challenge. But if you take a step back and start thinking about bringing diversity into this world of venture investment, I think there are two ways, two things that that's of note. One is gender diversity perhaps, and the other one's background diversity, right? So if you look at many of of the investors in the field, they have finance background, but I don't have a finance background. I have a technology background and operator. So those people with those backgrounds are by far the minority in the investment field. Why? Because this field is still fairly traditional. They want people have that finance management background. And why are there a lot of good investors with that background? I think the viewpoints you bring can be enriched by someone who really understands the market and with the technology and operating sort of viewpoint. Right. And so, with those two diverse viewpoints, I think this industry needs to embrace and, and I'm hoping that I am bringing something different to the, to the discussion.

Matias Madou (21:15):

Yeah. So it's finding complementary profiles, I would say. But at the same time when you say, you know, with technology, when I interview for an engineering position and there are 10 candidates, I hope there's one woman in there, in that pool. So I think also on the technology front, I think we need to try and, and, and make sure there's an inflow of women in that technology space.

Dr. Chenxi Wang (21:42):

Yeah. I think you said that we always try to hire the best person and a lot of people say that. And in the end, if they don't end up with a diverse workforce, then you look at the flow and you say, where is, where within that, that process, things are a little bit different. I would say you always want to hire the best people you can. That's one. Second is you want to try very, very hard to eliminate unconscious bias because that's a very, it's a very widespread bias and, and all of us have it at some level, right? And so if you can do those two things, then you will end up with a diverse, or at least a fairly diverse workforce. And we, for our fund, we also don't have a mandate to fund women founders, even though I want to proactively find more women founders. But with that in mind, our fund has nearly 50% of companies that have women founders. So, yeah. So that I think is because we try very hard to eliminate unconscious bias in the selection process.

Matias Madou (22:59):

Good. So to finish off the conversation, if you don't mind, I would like to ask you one, one personal/fun question. So sometimes I see tweets about your lovely boy, and it seems that he cannot do anything wrong. So sometimes I want to trade with yours. So if you combine that with gardening and the Corona lockdown. So I was wondering are you still doing the gardening yourself because I know you like that or is he taking over that part?

Dr. Chenxi Wang (23:28):

Oh, he is not a gardener. He is not. He would, if I want to pull him away from his Nintendo Switch to go in the garden with me. Oh God, that is a hard, it's a high order. So I am the gardener of the family. And I enjoy it. And I can tell you this morning and every morning I take my morning coffee in the garden, I look at my vegetables growing. It's, it's a great way of starting my day.

Matias Madou (23:57):

Fantastic. Chenxi, thank you very, very much for accepting to be the second guru on the Software Security Gurus webcast. Gary was the first one. Thank you very much.

Dr. Chenxi Wang (24:12):

Great. Thank you, Matias. Stay safe and healthy.

Matias Madou (24:14):

Bye.