TL;DR: Tinfoil Security provides businesses frontline security defense through developer-friendly tools designed to fit seamlessly into the DevOps process. The service helps increase efficiency, keep customer data safe, and make the job of security professionals more rewarding. With a new scanner built from the ground up to detect vulnerabilities in any API, Tinfoil Security is helping shape the future of online security.
If you find yourself at a popular security convention, such as DEF CON or RSA, anytime soon, don’t be alarmed if you bump into a friendly group of people sporting shiny tin foil hats. Rather than paranoia-ridden conspiracy theorists, they’re likely staff members and fans of Tinfoil Security.
The company — which enables developers to scan sites for vulnerabilities and quickly find resolutions — is aptly named for its ability to shield users from online threats. And, just as the aluminum hats provide a touch of whimsy at conference events, Tinfoil Security tops off its online security mitigation solutions with an open and helpful service approach.
“We try to be as developer-friendly as possible, rather than the scary, hackers-are-about-to-attack-you company that sells through fear,” said Michael Borohovski, Co-Founder & CTO at Tinfoil Security. “Instead, we focus on creating simple, usable products and providing the best security on the market.”
Backed by a team of experts with extensive backgrounds in security across many organizations, the company provides developers with the first line of security defense through tools that integrate seamlessly into the DevOps and development processes. The idea is to increase efficiency, keep customer data safe, and keep internal security talent focused on the issues that matter. With the recent release of a new tool built specifically to detect vulnerabilities in APIs, Tinfoil is helping developers and security professionals alike keep up with an ever-shifting risk landscape.
The First Line of Security in the Development Process
Michael told us he developed Tinfoil Security in tandem with Co-Founder and CEO Ainsley Braun. At the time, the duo, both recent MIT graduates, were working in the D.C. area. Michael was focused on software security for the intelligence community in the areas of vulnerability discovery, exploit development, and exploit weaponization; Ainsley worked for Booz Allen Hamilton, providing UI/UX design and security consulting for the U.S. Department of Defense and the Army.
“We were perhaps not the most regular users of websites or applications, and so we kept finding vulnerabilities constantly in the companies that we were working with every day,” Michael said. “And each time we would disclose them, there was an inevitable back and forth where the companies said ‘OK, we think we fixed it,’ and they actually hadn’t.”
Eventually, Michael said, the pair's skills resulted in multiple job offers. As the pattern of vulnerabilities that were reported but never properly fixed kept repeating, they saw a clear market opportunity and founded Tinfoil Security in 2011.
According to Michael, Tinfoil Security focused on SMBs for its first five years. Approximately three years ago, the company shifted its focus to enterprise customers, including many of the Fortune 100 and Fortune 500. However, it still serves about 30,000 SMB customers on a monthly basis, either for free or at relatively low price points.
Michael and Ainsley made the conscious choice not to jettison their SMB business. Keeping those customers on board gives the company a much broader base of real applications on which to test its vulnerability detection, which makes everyone safer. It also helps the company maintain its community-oriented focus.
“Our motto is ‘Making the internet more secure, one business at a time,’ whether you’re a small business or a huge enterprise,” Michael said.
Detect Vulnerabilities in Any API with the Tinfoil Security API Scanner
Tinfoil Security’s flagship Web App Scanner reviews web applications for more than 60 classifications of vulnerabilities, including every category in the OWASP Top 10, the Open Web Application Security Project’s consensus list of the most critical web application security risks.
In addition to its Web App Scanner, Tinfoil Security recently introduced its new API Scanner, designed to detect vulnerabilities in any API, whether it serves a mobile app’s backend, an IoT device, or a conventional RESTful service.
Michael said the security concerns for an API vary wildly from those for web applications. “Our API scanner looks for vulnerabilities specifically in APIs, whether it’s an IoT device, web application, mobile application, or anything internet-facing that doesn’t have a web interface,” he said. “It was built from scratch to be focused on APIs and API-specific vulnerabilities — we didn’t jury-rig a web application scanner to handle APIs half-well, which is what a lot of our competition is doing.”
As a result, Michael said, Tinfoil Security is one of the few companies currently able to detect authorization and access-control vulnerabilities in APIs, a class of flaw that requires the scanner to reason about which caller should be allowed to reach which resource rather than simply about malformed input. Another differentiator, he said, is the product’s integration into developers’ existing processes: a scan takes under a minute on average, so it can run inside the development pipeline without holding up a build.
“We consider ourselves ‘Security for DevOps,’” he said. “We ensure the developer can find and fix vulnerabilities without having to break out of their existing workflow. They already have unit tests, integration tests, and so forth — there’s no reason why, as a part of that continuous integration process, they shouldn’t also have security tests. That’s where Tinfoil Security comes in.”
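The kind of authorization check described above, written as an automated test that can sit beside unit tests in CI. This is an added example and not Tinfoil Security’s code; it goes slightly beyond the interview by showing the general two-principal technique rather than any one product. Everything in it is hypothetical: the API is modelled in-process by a function that takes a bearer token and an object ID, the users “alice” and “bob” and their orders are constructed sample data, and the vulnerable handler’s defect is a missing ownership check.

```python
"""
Added example (not Tinfoil Security's code): a horizontal authorization
check of the kind that can run alongside unit tests in CI.

Hypothetical setup: the endpoint under test is an in-process function
endpoint(token, order_id) -> Response; tokens and orders are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: two users, each owning exactly one order.
ORDERS = {
    "o-100": {"owner": "alice", "total": 42.00},
    "o-200": {"owner": "bob", "total": 17.50},
}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_get_order(token: str, order_id: str) -> Response:
    """Authenticates the caller but never checks ownership (BOLA/IDOR)."""
    user = TOKENS.get(token)
    if user is None:
        return Response(401)
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404)
    return Response(200, order)  # any valid token can read any order


def hardened_get_order(token: str, order_id: str) -> Response:
    """Same endpoint with the object-level authorization check added."""
    user = TOKENS.get(token)
    if user is None:
        return Response(401)
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        # 404 rather than 403 so the caller cannot use the endpoint to
        # confirm that other users' order IDs exist.
        return Response(404)
    return Response(200, order)


Finding = Tuple[str, str, str]  # (kind, token, order_id)


def find_horizontal_authz_failures(
    endpoint: Callable[[str, str], Response],
    principals: Dict[str, List[str]],
) -> List[Finding]:
    """
    principals maps each token to the object IDs it legitimately owns.

    For every (token, id) pair where the token does NOT own id, call the
    endpoint and record any 2xx as a cross-tenant read. Owners are also
    checked against their own objects, so a "fix" that denies everyone
    is reported rather than counted as a pass.
    """
    failures: List[Finding] = []
    for token, owned in principals.items():
        for own_id in owned:
            if endpoint(token, own_id).status != 200:
                failures.append(("owner_denied", token, own_id))
        for other_token, other_ids in principals.items():
            if other_token == token:
                continue
            for foreign_id in other_ids:
                if 200 <= endpoint(token, foreign_id).status < 300:
                    failures.append(("cross_tenant_read", token, foreign_id))
    return failures


PRINCIPALS = {"tok-alice": ["o-100"], "tok-bob": ["o-200"]}

if __name__ == "__main__":
    for name, ep in (("vulnerable", vulnerable_get_order),
                     ("hardened", hardened_get_order)):
        findings = find_horizontal_authz_failures(ep, PRINCIPALS)
        print(f"{name}: {'FAIL' if findings else 'PASS'} {findings}")
```

In a real pipeline the in-process endpoint would be replaced by HTTP calls against a freshly deployed test instance, and the job would fail the build on any `cross_tenant_read` finding; the two-principal structure is what a web-page scanner with a single session cannot express.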
Retain Security Talent, Increase Efficiency, and Keep Customers Safe
In general, Michael said, many enterprises employ massive teams of developers backed by considerably smaller security teams that struggle to keep pace with the volume of code those developers ship.
“Almost everybody’s moved to deploying once a day, sometimes multiple times a day — if you’re Netflix, it’s once every couple of minutes,” he said. “Security teams driven by manual processes simply can’t keep up. Our goal is to automate as much of the security process as possible, and put it in the hands of developers so security teams can focus on the big picture.”
Automation also helps businesses get products to market more quickly. For example, Michael told us that Tinfoil Security has helped one of its customers reduce a deployment timeline from nine months to three, cutting the time between an application’s development and its reaching customers by roughly two-thirds.
“Normally, developers will build an application, shoot it over to the security team, and the security team will take a week or so to assess it,” he said. “Then they’ll come back with a bunch of vulnerabilities, by which point the developers have already built new features. They’ll fix some of those vulnerabilities, create others, and go back and forth.”
Tinfoil Security aims to shorten that feedback loop through automation. The intention is not to eliminate work done by humans, but to ensure that by the time an app reaches the security team, there are fewer vulnerabilities to find. “I’ll never claim that our automated system is going to be as perfect as a human,” Michael said. “If anybody does, you should run far, far away. Humans have ingenuity that computers don’t — yet.”
At the end of the day, the system may also help improve employee retention. Instead of repeatedly triaging the same common classes of finding, Tinfoil Security’s solutions free up vulnerability analysts to focus on more challenging, rewarding work.
Looking Ahead: Reimagining the Future of Security
Michael ultimately envisions a future where developers are empowered to identify and fix vulnerabilities just as they would any other bug. “At the end of the day, a vulnerability is a bug with more dire consequences,” he said. “I see security-minded professionals embedded within every development team — as a part of the development process, as opposed to the stage after completion.”
He also predicts that 2019 will be the year API vulnerabilities take center stage. While there have been a number of high-impact web application breaches, major API breaches haven’t become commonplace. “I suspect this is the year,” Michael said, adding that the company’s API Scanner is poised to revolutionize how people think about security.
In 2005, a group of MIT researchers investigated the effectiveness of aluminum helmets in blocking invasive radio signals. As it turns out, the shiny hats do not protect wearers against the signals — in fact, they actually amplify certain frequencies. Fortunately, companies like Tinfoil Security exist to serve as practical and effective alternatives to makeshift headgear.