CrowdStrike Partners with Coverity to Ensure Software Security

Hi, my name is George Kurtz, Chief Executive Officer at CrowdStrike and one of the co-founders.

Formerly, I spent about seven years at McAfee, most recently as their Chief Technology Officer, and before that I was the Chief Executive Officer at a company called Foundstone, which I founded, and I am one of the co-authors of Hacking Exposed.

So the security landscape has dramatically changed over the last ten years.

Where system administrators and companies used to have a very easy to manage website, maybe a simple database, those times have changed dramatically.

Now we have a lot more complexity with cloud environments, we have complexity with data and understanding where that data is at, and ultimately the bad guys have gotten smarter.

And because they have gotten smarter and because their techniques have evolved dramatically from exploiting simple buffer overflows to a range of new techniques that are very hard to defend against, it's really imperative for organizations to start at the foundational level and understand if their code is actually secure before they deploy it.

As you might imagine, security is absolutely critical because CrowdStrike is in the security business.

We know that our software is going to be attacked and for us it was absolutely critical to build security in from the ground up.

We needed to ensure that we were releasing the highest quality code without any security vulnerabilities, to ensure our customer safety, and that is really one of the primary reasons why we decided to partner with Coverity since the beginning of the formation of the company.

One of our goals at CrowdStrike is to help our customers identify and prevent damage from targeted attacks.

What we have seen attackers do over the years is really run the same plays.

They'll spear-phish, they'll exploit a common vulnerability, they'll get into a system and they'll exfiltrate data.

And that entry point into the system almost all the time is based upon the exploitation of a vulnerability.

That vulnerability could have been caught a lot earlier in the development process if companies embraced a technology like Coverity.

What was critical for CrowdStrike is to make sure we didn't disrupt our development process, which is one of the reasons we chose Coverity, because we could build it into our CrowdStrike secure development lifecycle.

So our developers now get actionable information.

Most importantly it's accurate.

They know exactly what to fix and how to fix it, and for us, time is money and we can get our code out that much faster.

One of the challenges I have seen over my career is that security auditors are always trying to force feed a security product into the development lifecycle.

And the thing that I love about Coverity is it actually provides a way to bridge the gap between development and security and really focuses the effort on building a product from the ground up that is secure rather than coming in after the fact, after the requirements have been made, after the products have been built, and doing a static audit.

And what I have seen is that it is about ten times more expensive to actually fix a security defect after the fact as opposed to when it was actually being built.

At CrowdStrike, I believe we have some of the best security engineers and programmers in the world, and the last thing they want to be doing is dealing with false positives.

And one of the things that was really attractive to us was a really low false positive rate from Coverity.

So we know when we see a defect, it's probably going to be real and it's something we need to address immediately.

Which has really been a win-win and one of the reasons our developers actually use the product as opposed to putting it on the shelf.

Over the coming years, the security landscape is going to continue to change.

The adversaries are going to get smarter, they are going to become more destructive, and really it is incumbent on security professionals and developers to solve this really hard problem.

And I often see developers left out of the solution.

The reality is, if the developers are empowered with the right technology, they can eliminate security vulnerabilities from the beginning during the development phase, which ultimately keeps all of our customers more secure.

Source: YouTube