Interview With Kevin Valk - Founder of Codean & Codean Lab

Updated on: August 5, 2024
Shauli Zacks

In a recent interview with SafetyDetectives, Kevin Valk, the founder of Codean and Codean Labs, shared his journey from a curious 12-year-old hacker to a pioneering entrepreneur in the cybersecurity space. Valk’s unique approach to creating tools specifically for security analysts sets Codean apart in an industry often focused on developer-centric solutions. His dedication to improving code review and pentesting through innovative tooling and real-world application validation offers valuable insights into the future of cybersecurity. Read on to learn about the challenges, solutions, and emerging trends that Valk envisions for the industry.

Can you tell us a bit about your background and what motivated you to start Codean and Codean Labs?

When I was about 12, I started playing computer games. I either wasn’t particularly good at them or maybe I just got bored quickly, so I began thinking about how I could cheat in these games. This curiosity led me to dive deeper into the fundamentals of software engineering and computer science.

During university, my younger brothers asked for free stuff in games as they saw me as a “hacker”. For one of these games, I spent months analyzing and eventually figuring out how to manipulate the game. They say you become wiser as you grow older, and I asked myself what I should do with this knowledge. I reached out to the game studio and they liked my work, so I was lucky enough to be able to spend a year in the US to improve their security. After returning to the Netherlands, I worked as a cybersecurity consultant and later as a security analyst at a security lab.

At the lab, we provided detailed reports on various applications, but I often felt that the work wasn’t making a substantial impact. As most clients cared about getting certified more than being secure, only the bare minimum of issues were being mitigated. This realization drove me to start my own company, initially focusing on security services and then developing tools to improve the efficiency of security analysts.

In the security industry, many analysts use their own preferred tools with no standardization. Moreover, managers often lack the technical knowledge to guide them effectively. As most companies focus on developing tools for developers rather than security analysts, I saw an opportunity to create efficient tools specifically for security analysts, aiming to double their productivity. This idea is the foundation of Codean.

However, building such a specialized tool requires significant investment. So, it was clear we also needed to sell security services. By using internally developed tools, the goal is to offer high-value services at competitive prices. This strategy allows us to keep the engine running while developing and refining our tools. This dual approach differentiates Codean and Codean Labs, with Codean focusing on tool development and Codean Labs providing security services using those tools.

How does Codean differentiate itself from other companies in the code analysis and cybersecurity space?

Codean focuses specifically on creating tools for security analysts, which is relatively rare in the industry. While companies like Burp Suite and IDA Pro cater to security professionals, they primarily focus on dynamic testing and reverse engineering. There’s a lack of tools specifically designed for static testing and the “shift left” approach in Agile development.

Our main competition tends to be in the code quality space, such as Sourcegraph, which focuses on code quality for developers. That could be problematic, as if Sourcegraph decides to go into security, they have significantly more resources than we have.

How do Codean Labs’ offerings complement those of Codean?

Codean Labs complements Codean by using our tools internally to deliver security services. This dual approach provides a steady income stream and validates our tools in real-world scenarios. We can gather direct feedback from our team using the tools, which helps us refine and improve them.

Initially, we had an investment and focused solely on tool development, but we realized that without the validation from real-world application, our progress was hindered. Now, we balance both tool development and security services, which seems promising.

What are the biggest challenges in code review and pentesting that your clients face?

One of the biggest challenges is the lack of understanding of security. Many view security as an insurance policy, something you “just” have to do at some point. Sadly, I think this is completely the wrong approach and often leads to all kinds of problems down the line. I think security should be placed under the “quality” umbrella. You invest in code quality, in efficient development processes, feedback cycles, etc. On the flip side, you also allow yourself to take on technical debt when needed. Security should also be used for its role in maintaining a sustainable development process. Making security more tangible and emphasizing its long-term benefits is a challenge we constantly face.

What measures are in place to ensure the security and confidentiality of the code reviewed by your tools?

Ensuring the security and confidentiality of our clients’ code is paramount. Many potential clients have strong security controls that, for example, require source code they receive to never leave their premises. To support these clients, we offer on-premises hosting. Not all potential clients and users have such strict requirements and would love to use Codean SaaS. Obviously, we have stringent security standards, including hosting all our services on bare metal with encryption at rest, and we are working towards ISO certification.

What trends do you see emerging in your industry over the next few years?

There’s a significant focus on developing tools for developers, especially with the rise of AI and large language models. These tools aim to enable developers to handle security without needing dedicated security professionals. While this approach offers some benefits, I think it often gives a false sense of security, especially as most developers might not have the expertise to fully understand or address all security issues. I believe that while AI will play a role, the need for specialized security professionals will remain crucial.

About the Author

Shauli Zacks is a tech enthusiast who has reviewed and compared hundreds of programs in multiple niches, including cybersecurity, office and productivity tools, and parental control apps. He enjoys researching and understanding what features are important to the people using these tools. When he's not researching and writing, Shauli enjoys spending time with his wife and five kids, playing basketball, and watching funny movies.
