As more and more of our daily activities and interactions become web-based or -facilitated, we become more likely to fall victim to cyber crime. The biggest crimes of the last few years-- the iCloud leak, the Equifax breach, and countless bank and credit card companies have been but a few to impact direct consumers--all signal an overall rise in cyber insecurity.
While some call for tighter government controls or greater privacy measures from individual apps and services, others are calling out the entire industry for failing to come up with adequate protections at the same speed that new technologies are launched.
It was 2008 when two friends, Rui Ribeiro and Pedro Fortuna, were asking themselves why internet browsing was so vulnerable, with almost no real security despite the obvious dangers plaguing our online activities. At the time, they were focused on fighting click-fraud in advertising campaigns, and couldn’t help but notice just how easy it would be to change the code behind browsing. Improvising, they came up with their own solution that became so successful, they released it as JScrambler. Today their product helps thousands of applications defend themselves against cyber attacks.
I asked Rui Ribeiro, a former developer in banking and finance, and Pedro Fortuna, the author of several patents in application security, to share their insights into this growing sector and their own perspectives on starting up in Portugal.
Steve Mariotti: How was JScrambler born?
Pedro Fortuna & Rui Ribeiro: The business began in 2009 when we were developing a solution to fight click-fraud in advertising campaigns - a web traffic audit mechanism that was JavaScript dependent. We launched the first beta version of the solution in 2010 and it was an immediate success. The solution has evolved since its first version and made a giant leap forward in terms of resilience, potency and efficiency - attained through a lot of investment in R&D.
SM: What are some of the challenges of building a startup in Portugal?
PF & RR: Portugal used to be one of the best kept secrets for developing new businesses and startups. Geographically, and compared with other European countries, Portugal is very well positioned, being a short flight away from London and the closest country to the U.S. with several direct flights. The quality of life is tremendous with sunny days most of the year, wonderful (and cheap) food, superb wines, and a rich culture.
Well-equipped with universities, it has a steady supply of top-notch engineers graduating every year. The startup scene has been growing a lot, especially in the last two years, and both Lisbon and Porto are becoming part of the top European tech-hubs. Ironically, this is one of the challenges. A lot of international companies are establishing themselves in Lisbon and Porto, and our universities are not supplying enough engineers to satisfy the demand. It’s getting tougher every day to hire good local engineers.
Another challenge is having the experience of dealing with international businesses. Our country is relatively small, does not have a lot of large companies and most of them are more conservative and lack a focus in innovation. We have seen several cases of early stage startups that for some reason have to do their MVPs with the help of bigger local companies. For them, it is tough because these bigger companies are not as receptive to the engagement of local startups as they should be--and the startups don’t get the experience they need to successfully do business with international businesses.
Luckily we have several Fortune 500 companies as customers and we have customers all over the world.
SM: Why are businesses in the US still unaware of this risk to their security?
PF & RR: The same is true with every country. Application development--mobile or web apps--has been evolving at a much faster pace than our ability to solve the security risks that we are creating. Every day we are deciding that more and more sensitive data must be accessible from our devices. Companies are adopting the most recent technologies for developing and deploying these apps.
Web technologies, and JavaScript in particular, were developed 20 years ago, and were meant to do simple operations. But today’s JavaScript apps are much more complex. It's not enough to find security vulnerabilities and fixing them; you must also make sure that your application is as resilient as it can be against user-experience tampering, malware injection, data leakage, MiTB, intellectual property and code theft.
To date, organisations have relied heavily on endpoint security solutions to protect the client-side and have paid little attention to the hidden dangers of hacks through the server-side - even though solutions such as antivirus have a low success rate of around 40%. If we consider that an application encompasses both the server and the client side and that the client side solution doesn’t necessarily have to be endpoint security, then we understand the thinking behind Jscrambler - every client app has its own cloaking system and defence, every application has to be responsible for its own security.
SM: What are your future plans for Jscrambler?
PF & RR: Jscrambler will continue to be the disruptive player, revolutionizing the application security scene, and delivering the most resilient solutions for client-side security that companies and individuals can rely on. Applications are the weakest link in security and will remain a top priority for us. There are no excuses for ignoring the risks that are being taken when unprotected code is deployed or to underestimate the importance of monitoring what is happening on the client-side as we are witnessing the expansion of the battlefield every day.