Hackers in White Hats
The security testing lab at Riscure is just across the hall, but Jasper van Woudenberg stops to carefully lock his office door anyway. Riscure handles a great deal of sensitive client information, and the company’s five employees in San Francisco can’t afford to take any risks. Indeed, our visit to the testing lab makes abundantly clear that security is serious business to Riscure: the lab is filled with lasers, scanners, and a device by the illustrious name of “Inspector” that can expose all the secrets of smart cards and embedded systems.
In this lab, Riscure challenges the security of computer chips, smart cards, telephones, set top boxes for pay TV, and more. Manufacturers who want to know whether their product’s hardware is sufficiently secure can turn to Riscure for the answer. Major companies such as MasterCard and Visa use Riscure to test their credit cards before they release them. Riscure does its best to crack the customer’s product. “We act like we’re hackers,” says Van Woudenberg. Riscure develops and sells the Inspector system and other testing tools itself.
The company got its start in the Netherlands in 2001. Some 45 people now work at the office in Delft. Riscure’s client pool has been highly international since the beginning – a fact that encouraged the company to open an office in San Francisco in 2010 to serve the North American region. Van Woudenberg has been Riscure’s North American CTO since late 2011. Before that, he worked in the Dutch office, hired on the strength of Master’s Degrees in computer science and artificial intelligence, significant programming experience, and a passionate hobby in “taking equipment apart and putting it back together again.”
More and more companies are growing concerned about their product’s security, Van Woudenberg says. Take telephones, for example. “We used to use them just to make phone calls, but today you can pay bills and do your banking on them. So there’s a chip inside, and that chip must be secure.” Van Woudenberg cites the “lively trade in personal data” as one issue that makes it increasingly important to secure data-rich products. Organized crime is extremely interested in acquiring that kind of information, which can generate significant income. But the source of the damage can just as easily be a 15-year-old showing off his hacking-skills skills to his friends.
A Dutch Mindset
Riscure works on a project basis. When a client drops off a product, the company subjects it to a barrage of testing challenges for three weeks to three months. After its analysis, the company reports back to the client. Van Woudenberg says his Dutch mindset is very useful in his contact with clients. “The Dutch are practical and critical. That’s a useful trait in risk management. You need to give the client a very detailed picture of both the good and the bad things about his product, and above all, you need to be honest and clear. And the Dutch don’t have much of a problem being honest,” he laughs.
Van Woudenberg hopes Riscure will thrive in America, but growth is not his primary objective. In practical terms, the company can’t rapidly expand, he says, because finding qualified people is a significant challenge, even in talent-filled Silicon Valley. “Universities don’t teach people how to hack the way we do, so it takes us quite some time to train a person,” he says. In any case, there’s plenty of work. “We generally make use of the latest technologies, and those come from here,” Van Woudenberg concludes. “In that sense, we couldn’t be in a better place.”