Lou Shipley is the CEO of Black Duck Software, a Burlington, Mass.-based cybersecurity firm specializing in open-source audits. Founded in 2003, it now has more than 240 employees across offices in Silicon Valley, Germany, the U.K., Japan, Canada and South Korea. Its customers include Intel, NEC, Nintendo, Olympus, SAP, and Samsung.
And the name, Black Duck? It’s a reference to founder Doug Levin’s childhood pet.
Q: You were founded in 2003 by Doug Levin, who recognized that software developers' growing use of open source code was leaving them vulnerable to hackers. What’s changed since then? Are we more or less vulnerable, generally speaking, than in 2003?
A: Doug was way ahead of his time and saw that open source would be the new architecture for software development. Fast forward to today and open source now is the primary architecture that companies use, both private and public. G.E., Black Duck, a pure software company like Avid Technology, everyone's using more and more open source. The percentage of code that is open source is now 30, 40, 50 percent—the leaders in the industry might be Google at 90 percent, but everyone else is catching up and using more open source. It's free, it's easy to use, and it helps you to assemble different components as opposed to having to write a program from scratch. But it's important now to manage your security vulnerabilities and the licenses under which you can publish.
If you're not using Black Duck you might have a guy with a spreadsheet who says, "we've got all these open source projects," but you can't keep track of them because there's between six and 10 new open source security vulnerabilities every day. So you might think you're safe because you scan your code and don't find any known vulnerabilities, but that code might be out of date.
You have to understand what is in your code and if you're a company that is developing software or buying software you need to understand the supply chain of the software that your vendors are bringing into your company.
Q: You just got back from a trade trip to Israel that Gov. Charlie Baker was also on. What did you see? What does Israel’s cybersecurity sector have to offer Boston and vice versa?
A: We saw some really interesting cyber companies. More importantly, we saw how they incubate and combine what they learned from the Israeli Defense Forces and their cyber unit, which is called Unit 8200, how they combine that with private industry and strong educational institutions, and pool that with company formation.
The Israeli home market isn't big enough to build a really valuable company, so they need to find another home market. We spent a lot of time talking about the similarities between what happens in Massachusetts with our tech sector and why it's a good place to come. CyberArk is a good example of a company that selected Boston as their headquarters. It's an Israeli company that selected Boston over New York and Silicon Valley. There's a cultural affinity, I think.
Their cultures in the military are very similar to the cultures in their high-tech companies. They encourage risk taking, fast failure, realizing you're going to fail but not making that same mistake twice. I think we're very similar. We have a lot of companies just like that in Massachusetts.
Their cyber unit now has bumped up to be able to recruit the top one percent of college graduates—the Israeli Air Force used to be the number one recruiter. So the government is thinking this is the most important thing for their safety.
We saw a presentation from an American woman who went to Harvard Business School; some members of her family did not survive the Holocaust. She feels fiercely about it, she moved to Israel, got dual citizenship and joined the IDF. She was in uniform talking about her service. We also met a Muslim woman who started a high school that's doing really well in Israel teaching liberal arts. It was really uplifting to see that education can help any problem.
Q: Boston is a major hub for cybersecurity. Why is that, and what do you think it’s missing?
A: It's like any cluster that forms. It usually starts with some great educational institutions. And then it takes a couple of really successful companies like an RSA or a Rapid7, and then they get big enough that they spin off other entrepreneurs that have security in their DNA, like Black Duck. And as they grow there's a diaspora of people that leave those companies and start again.
I think a lot of it is coordination between tech companies, higher education courses and internship programs. It's a collaboration between venture companies, recruiting and universities in the courses that they're offering.
Q: Your experts have pointed out the vulnerability of the growing “internet of things,” that it’s very insecure. What does open source code have to do with that? How do you fix it on the software side?
A: If you look at some of the biggest open source projects out there right now, they are kind of the infrastructure on top of which a lot of other things run, because no one company could build this extensive infrastructure themselves. That's why communities of developers build these things and then other developers leverage them. That's exactly how the “internet of things” will work—there will be a number of open source projects. You look at companies like Uber or Netflix or Airbnb, they're using open source as their primary architecture. We think it's going to continue to be really important.
Q: With news that U.S. intelligence agencies believe hackers with links to the Russian government tried to influence the U.S. election, all eyes are on Russia and cybersecurity. Is Russia even the biggest cyberattack threat to the U.S.?
A: The cybersecurity threat breaks down into a couple of tiers. You have people that are in the industry of hacking and trying to steal information like Social Security numbers and sell that on the open market. There's a big business to it. Then there are people who do it for fun and really they're just trying to prove that they can take a system down, but they're not necessarily trying to get anything but fame.
And you have state-sponsored hacking. We just had a customer use our product to scan code of a company they had acquired and they found a really bad library of things that was from Russia, and they didn't know it was in that code until they scanned it.
You need to manage this. You need to scan daily because code bases are changing so quickly. All software developers are under enormous pressure to get product out the door. Whether you're General Electric, General Motors or Black Duck, everyone's under increasing pressure. Because developers are under so much pressure you need to make sure they're not selecting something that's insecure. You want to find it before it gets into production.
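The discipline Shipley describes here, and in the earlier answer about the spreadsheet, is that a known-vulnerability scan which finds nothing today can be wrong tomorrow, because advisories for components already in the inventory keep arriving. The small Python example below is added to illustrate that point; it is not Black Duck's code. The inventory, the advisory feed, the component names and the EX-2016-000N advisory ids are all constructed, and the version-range matching is a simplification of what a real scanner does.

```python
"""Added example (not Black Duck's code): why an open source inventory must be rescanned.

A dependency inventory (the "spreadsheet") is matched against a vulnerability feed.
Each advisory carries a publication date, so the same inventory can be evaluated
"as of" two different days: the first scan is clean, the rescan a few days later is not.
Every component, version, advisory id and date below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.2.3' -> (1, 2, 3); tuple comparison is component-wise, enough for this toy feed."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: Version


@dataclass(frozen=True)
class Advisory:
    id: str
    component: str
    introduced: Version          # first affected version, inclusive
    fixed: Optional[Version]     # first fixed version, exclusive; None means no fix yet
    published: date


def load_inventory(csv_text: str) -> List[Component]:
    """Parse a 'name,version' CSV, the kind of list a person keeps in a spreadsheet."""
    rows = [line.split(",") for line in csv_text.strip().splitlines()[1:] if line.strip()]
    return [Component(name.strip(), parse_version(version)) for name, version in rows]


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the component falls inside the advisory's [introduced, fixed) range."""
    if component.name != advisory.component:
        return False
    if component.version < advisory.introduced:
        return False
    if advisory.fixed is not None and component.version >= advisory.fixed:
        return False
    return True


def scan(inventory: List[Component], feed: List[Advisory], as_of: date) -> Dict[str, List[str]]:
    """Findings visible on `as_of`: only advisories published on or before that date count."""
    findings: Dict[str, List[str]] = {}
    for component in inventory:
        hits = sorted(a.id for a in feed if a.published <= as_of and is_affected(component, a))
        if hits:
            label = f"{component.name}@{'.'.join(map(str, component.version))}"
            findings[label] = hits
    return findings


def new_findings(inventory: List[Component], feed: List[Advisory], previous: date, current: date) -> List[str]:
    """Advisory ids a rescan on `current` reports that the scan on `previous` could not have."""
    before = {i for ids in scan(inventory, feed, previous).values() for i in ids}
    after = {i for ids in scan(inventory, feed, current).values() for i in ids}
    return sorted(after - before)


# Constructed inventory: three open source components pinned to specific versions.
INVENTORY_CSV = """name,version
libfoo,1.2.3
webkitx,4.0.1
imgparse,2.9.0
"""
INVENTORY = load_inventory(INVENTORY_CSV)

# Constructed advisory feed. Ids, ranges and dates are invented for the example.
FEED = [
    Advisory("EX-2016-0001", "libfoo", parse_version("1.0.0"), parse_version("1.2.0"), date(2016, 1, 10)),
    Advisory("EX-2016-0005", "imgparse", parse_version("3.0.0"), parse_version("3.0.2"), date(2016, 2, 1)),
    Advisory("EX-2016-0002", "webkitx", parse_version("3.5.0"), parse_version("4.0.2"), date(2016, 3, 2)),
    Advisory("EX-2016-0004", "libfoo", parse_version("1.2.0"), parse_version("1.3.0"), date(2016, 3, 4)),
    Advisory("EX-2016-0003", "imgparse", parse_version("2.0.0"), None, date(2016, 3, 5)),
]

if __name__ == "__main__":
    first, later = date(2016, 3, 1), date(2016, 3, 5)
    print("scan on", first, "->", scan(INVENTORY, FEED, first))      # clean: nothing applicable yet
    print("scan on", later, "->", scan(INVENTORY, FEED, later))      # three findings, inventory unchanged
    print("new since", first, "->", new_findings(INVENTORY, FEED, first, later))
```

The inventory never changes between the two scans; only the feed does. EX-2016-0001 is already fixed in libfoo 1.2.3 and EX-2016-0005 applies to an imgparse version the inventory is not on, so the first scan is genuinely clean on its date. A real scanner would also have to handle non-numeric version schemes and transitive dependencies, which this example deliberately leaves out.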
Q: How do you identify the source of a hack? I imagine when you’re checking that code you don’t see a little signature that says “love, Vladimir Putin.”
A: It's funny you say that because I asked the head of the cyber unit from Israel that exact question and there are definitely signatures. Americans and Israelis know techniques and signatures of China, Iran and Russia, and they have a pretty good idea of where these things come from.
I don't want to get into the details of what you're looking for, but there are techniques that certain types of hackers use.
But you have to be careful because they're often trying to throw you off the trail and they might use something that you think they're using. So it's a real psychological game.
Q: You teach at MIT and Harvard. What’s your message to the next generation of cybersecurity experts?
A: The reason I do this is to keep connected with the next generation, and teach them to not make the same mistakes I made. You can spend a lot of time working on developing a product and I think there's this false notion that if you just invent the best mousetrap it's going to be built. The reality is, you've got to build a great product and you've got to build a great sales team that knows how to go to market, how to grow a company and scale it up, how to compensate people for selling a product—very different mindsets. Students at Harvard and MIT, they're going to start their own companies or they're going to manage a company, and you need to make sure you know how to sell it as well as build it.