Posted on by

How finding a software vulnerability in Adobe Reader led this NTU professor to start Scantist

Fresh out of ICE71’s latest cohort, Scantist captured our attention being the only Singaporean cybersecurity startup that made the cut.

Scantist’s story dated back to 2016 when Co-founder and CEO of Scantist and team found a critical vulnerability in the Adobe Reader software during the course of their research.

“This vulnerability allowed hackers to create a malicious PDF file which would trigger a denial of service attack when opened. We reported this vulnerability to Adobe, which promptly thanked us and even issued a bug bounty,” says Liu.

But his team got intrigued and even pursued the issued bounty. “Some of our researchers got excited and kept digging — and they found another two vulnerabilities with similar impact,” he explains.

They ended up applying this approach to other popular commercial software. “We found that these issues were everywhere which was extremely surprising. Every day our society uses this software with a belief that these are secure but turns out they are not,” he says.

Liu realised then that these vulnerabilities were present in applications built by multi-billion dollar software companies which presumably had the best engineering talents and all the resources they needed.

“If even they couldn’t be 100 per cent secure, what about the vast majority of software built and used every day by SMEs, government agencies, or even non-tech large enterprises?” he wonders.

Also Read: Meet the 9 cybersecurity startups graduated from ICE71’s 4th batch

So Liu and team set out on a mission to help secure software applications. “The idea was simple; translate what we had done in a research lab into a commercially viable product that everyone could use so that any piece of software (be it mobile, web, or IoT) can be free of security vulnerabilities. And that’s what vulnerability management is about,” he says.

Why vulnerabilities need management

Traditionally, firewalls and access control were seen as the key to securing systems. Software was used internally in an organisation – and as long as it can be used to keep malicious agents out, the theory is that it was secure.

But we have to take into account the present times, where everyone and everything is hyper-connected with software that is used increasingly to interface with customers, partners, and employees across the globe.

“Today’s situation made it no longer feasible to just ‘build a wall’. Accessibility is key, and you can’t control who accesses or tries to access your systems. If access cannot be limited and your applications are insecure, you will inevitably succumb to an attack,” the CEO explains.

Liu then drew an example from the Equifax breach in the US, which compromised credit ratings of over 140 million Americans. “That and the Panama Paper scandal, which began with a hack of the document management application at Mossack Fonseca. You see, the potential impact of vulnerable software is massive. An incident like that would be catastrophic for Singapore and it’s smart nation initiative,” he warns.

The challenge then is to ensure that the software the enterprise relies on is secure in and by itself.

“No matter who tries to access it, your applications need to be robust enough to ward off any malicious activity. But doing that in a manner that is cost-effective and does not add overheads or inconveniences the end-user is a massive challenge,” he admits.

Understanding cyber threats

When it comes to securing software applications, or any form of cybersecurity, there are two broad categories of threats.

“The first is the known threats — these are vulnerability issues that are well understood and have been seen in the past and are typically well-documented in the public domain. But despite that, they may still impact new software applications as there are just so many of them and keeping track of them is a humanly impossible task,” he adds.

Scantist steps in with its Software Composition Analysis — a lightweight, low cost scanner which looks at application (in source code or binary formats) and alerts the company if there are any known threats that exist.

Also Read: 5 cybersecurity strategies every startup must know

“And we don’t just stop there — we go one step further to give you the quickest way to fix these issues specific to your use-case so our customers can save time and money. This is a solution I believe every organisation needs to have in the digital age,” he says.

The second is the the unknown threats. These are vulnerabilities that are unique to your application and cannot be directly mapped against the existing known vulnerabilities. This however does not mean they can’t be found.

Liu claims that years of R&D has allowed Scantist to find these unknowns with its Smart Fuzzer. “This solution allows us to imitate a hacker by using intelligent brute-force to trigger application-level vulnerabilities at run time. We have gotten recognition internationally for it.”

What is Scantist

Software, in general, has all kinds of security weaknesses due to the design, implementations and even installation and misuse. “We call these problems software vulnerabilities, and what Scantist aims to provide is the automatic tools to help the developers and software end-users to identify these vulnerabilities so that these issues can be pacified before the attacks,” Liu summarises.

However, he notes that a one-time scan is not enough because vulnerabilities are found and disclosed every day, and secure software today can be vulnerable tomorrow.

Scantist serves even further by monitoring all the newly founded vulnerabilities in the world and informing their customers about these vulnerabilities so that they can take swift actions and manage the vulnerabilities.

NTU’s support and ICE71’s time

Scantist is heavily supported by Nanyang Technological University (NTU), so much that it’s dubbed the company as “cybersecurity spin-off from NTU”.

“There is no way we would have been where we are without the support of the local ecosystem, and NTU’s support is perhaps the largest,” Liu shares.

As a university faculty himself, Liu says that the ability to run a startup tackling the next generation of cybersecurity challenges would have been impossible without the university’s support.

“And so we take immense pride in letting the world know of our roots,” he says.

Liu himself graduated from NUS and joined NTU as a faculty member in SCSE in 2012. “Currently, I am a Chair Professor, Director of the cybersecurity lab at NTU, Deputy Director of National Satellite of Excellence of Singapore. My research is centred around cybersecurity, software engineering and AI,” he explains.

“We are aiming to bridge the gap between the theoretical contribution and practical software evaluation solutions for high quality and security,” adds he.

The other co-founder is Dr T Srikanthan (COO). He is the Director of NTU cybersecurity institute (Cysren) and a well-established researcher in hardware and a veteran in entrepreneurship.

As for their involvement in ICE71’s last cohort, Liu says: “As cybersecurity is even more crucial now, startups like us need more support to get our solutions to market more quickly to address the evolving cyber threats. Through ICE71, we’re glad to be connected to the vibrant cybersecurity ecosystems here and overseas. This will help us take off and expand internationally.”

Post-COVID-19 for cybersecurity industry

“Just like any other companies, we were forced to shift our operations to a 100 per cent remote workplace. As counter-intuitive as it may seem given the digital nature of our products, there were a lot of challenges as our customers still prefer on-premise deployments from a privacy standpoint. But our team was up to the challenge, and I am proud of how well we handled the situation,” Dr Liu recalls.

On the customer end, Scantist faced no significant adverse impact on the business. “We even found that organisations accelerating their digital transformation efforts and as a result really ramping up their security posture as well. We are working closely with our customers and partners to deliver our services in all sections,” he says.

What’s good about coming out of the other end of the pandemic is that there is greater awareness in the industry today that cybersecurity is critical and necessary.

“For me, what I see is that Southeast Asia is undergoing its next phase of accelerated economic growth off-the-back of the great digital revolution that is currently underway,” he says.

Liu then adds: “But still there is a lag — especially in cybersecurity — when it comes to best practices and latest trends. A big contributor for this lag is that we see cybersecurity as a hurdle, as an expense that adds limited value.”

What’s next for Scantist

Liu further explains that currently, the company is launching a new software architecture analysis tool to find critical software architecture issues and debts. “We hope this can help in a way that developers cannot ignore if they want to have better maintainability of the software.”

Next on the pipeline is that the company is ready to launch a new mobile app vulnerability assessment tool which aims to provide detailed security and privacy scanning for both known and unknown vulnerabilities for apps.

Also Read: Cybersecurity in the age of information warfare and IoT

An AI-powered vulnerability detection engines for source code and binary is also underway. “This could be more customised towards customer own code base with a low false-positive rate. The AI algorithms can make the tool smarter via self-learning,” he explains.

The long-term vision of Scantist is to provide a holistic intelligent software analysis framework for both qualities, security, maintainability, compatibility, and so on.

When it comes to application security in the vulnerability management domain, the world is moving to security by design principles and embedding security into every part of the software development cycle through the DevSecOps movement.

“Scantist wants to be the flagbearer for that change in the region. We are trying to play our part by providing comprehensive, accurate, and easy-to-use application security solutions.

Now what is critical is that the mindset around cybersecurity needs to change. Cybersecurity needs to be seen as an enabler. The true potential of technology – from self-driving to telecommuting and e-learning to contact tracing – can only be unlocked if cybersecurity is considered on every step of the digital transformation journey,” he concludes.

Photo by Jefferson Santos on Unsplash

The post How finding a software vulnerability in Adobe Reader led this NTU professor to start Scantist appeared first on e27.