Ruben has been working at Riscure for over 10 years. He originally joined as a security analyst, worked as a security trainer, and was a part of a customer support team before taking on the responsibilities of a Product Owner. We asked him a few questions about his journey at Riscure and his views on device security.
Why did you choose Riscure?
I was inspired by the presentation that Jasper van Woudenberg gave at my university, which led to me applying for an internship at Riscure and doing my thesis here. The reason why I stayed was that I was able to switch roles, which is very representative of how Riscure operates. You have a lot of freedom to come up with good ideas and explore yourself and your skills to the maximum. At the same time, you are surrounded by experts, which makes it easy to learn things here.
How do you keep track of the industry, changes, and attacks?
Although the industry is changing quickly, some things remain the same. At Riscure, we aim to understand how companies use our tools to ensure that the workflow remains smooth and usable, without drastic changes. To keep track of the industry changes and new attacks, we work together with our lab and domain experts, including academia. When new attacks are found, we first evaluate them to determine whether they need to be included in Riscure Tools updates.
For example, one such market demand is fuzzing. While it is not necessarily new, there is a demand for it, as many customers struggle to use the open-source tools, which can be unintuitive. We work together with the security lab to ensure that we are able to combine the power that fuzzing can bring with the ease of use of our Tools.
Another topic that we are currently working on for our True Code suite is a simulation of Fault Injection (FI) attacks. Here, the process of making a chip, setting it up, and running the analysis is a long process that can cost a lot of money for production. Therefore, we aim to simulate the chip in the early stages, before it is made, to simulate FI attacks, saving time and costs for pre-silicon development.
What is the most important change in the security industry that applies directly to your work?
In the past 15 years, we’ve seen Side-Channel Analysis going from novelty to commodity in fields that actually have security as a center of interest. There are still new markets that are new to security. For example, automotive only entered the security market a few years ago. While these new security markets may lack knowledge, they are also able to catch up really quickly because the knowledge they require already exists in the other markets. This is something that we see from our customers, that even if they’re not complete experts in Side-Channel Analysis (SCA) or FI, they’re capable of running the basic attacks and testing their products. Therefore, they’re capable of protecting their products against a certain level of attacks, which then, of course, becomes the standard for the industry.
Another change that I already noticed when giving training was that in the beginning, even the mathematicians, who had proven security, and engineers, who had proven implementations of it, were surprised by the power of SCA to break their devices within minutes. This doesn’t happen anymore. Security knowledge is very much spread out across the globe, so now it is the goal of keeping everyone up-to-date with the changes rather than discovering something completely new.
How has Riscure and its culture changed over the years?
The smaller the company, the more startup culture it has. Within the world of security, you go from cowboy hacking and showing off what you can do to showing that you have quality procedures in place, that you have a sustainable way of doing development, that all processes become more and more structured and defined. However, Riscure has at some point decided that despite all these restructuring and formalizing procedures, we should define core values such as feeling at home, maximizing creativity, and being proactive. While at first people were skeptical of the new core values, it is visible now that these core values lead the company and the management board. Compared to all the other labs I have seen, we are much less formal and strict. At Riscure, while some things became formalized, there are still breakout rooms with PlayStation and games, and fun has always had room throughout all the years I have been here.
How does this internal culture influence Riscure’s role in the market?
On one side, this culture can make some work a bit chaotic. On the other side, it allows people to grow much better and have the freedom to ask questions without being bound by the role. This means that you can learn anything from finance to marketing; your colleagues will be open to sharing their knowledge. Furthermore, the room for creativity enables people at Riscure to explore themselves and their knowledge without limits, which leads to innovation, new products, and as a result, more profit. In this way, it helps us stay ahead of the competition when it comes to being knowledgeable and innovative.
What kind of evolution do you expect in the industry and for Riscure in the future?
I think there will be more need for structure. Some may treat this as a bad thing, but in fact, it can still allow freedom when implemented right. This was the clearest in my time for our customer support team. When more structure was introduced, there were suddenly far fewer fires to put out, which freed time for innovation and experiments. Similarly, properly structuring the development process results in better code quality, which means we have to fix fewer critical bugs. Riscure is a growing company, so I expect people to specialize more and more.
The changes in the market are always a bit difficult to predict. I’ve seen over the past years that the smartcard market became a lot smaller while a lot more things were done in software. Automotive has joined the security market, previously caring only about safety. IoT is still a market where security is not the highest priority, but we expect this to change. Although new analysis techniques and attacks are still relevant, I feel we should focus on making the tools available in standard situations. Development teams on the customer side work in a certain way, and we need to ensure that our tools fit in their toolchain. That is a very different way of working than we used to. We used to sort of push in attacks whenever we had them. However, this can potentially make our tools hard to use in a process where not everybody is an expert. In other words, making the tools and security knowledge more accessible is something that development at Riscure is focusing on in the near future.
With both industry and Riscure changes coming up, are you likely to change roles again?
Yes, what I would like to do for the future is maybe become more technical again. In the beginning, I struggled with letting that go when doing both development and being a product owner. Now that the company is growing, I feel that the number of tasks I get is outgrowing me, so I can become more technical again. Maybe even become a developer again. We will see how the future unfolds.