Why we built it: Inside the mind of application security innovator Christien Rioux

Welcome back to our Q&A series where we spotlight some of the innovative experts behind our code security solution. Today, we’re featuring Christien Rioux, an application security expert with more than 30 years of computer programming and software engineering experience. Christien co-founded and was previously Chief Scientist at Veracode, an on-demand application security services provider, where he was responsible for the technical vision and design of their advanced security technology. Before Veracode, Christien was on the founding team of @stake, a security consultancy, as well as L0pht Heavy Industries, a renowned security think tank. 

Q: What first sparked your interest in engineering?

A: When I was five years old my dad brought home an Apple ][+ computer and all I wanted was to learn how to make video games. Turns out that video games are good practice for a lot of programming disciplines, including computer security.

Q: What would you be doing if you weren’t an engineer?

A: Musician or artist. I love writing music and making things. A lot of art is a form of engineering though, except with more socially valuable purpose than your typical engineering work.

Q: What’s the most interesting thing you have ever built?

A: A framework for building distributed applications that might someday change how we write software for human beings.

Q: What is one interesting fact about yourself that most people don’t know?

A: I was born an epileptic and managed to grow out of it, though my brain still has seizures.

Q: What’s something you love to do when you’re not working?

A: Designing t-shirts and clothing for my webstore “hack.xxx” (holidays are coming up, c’mon folks). 

Q: What’s something you wish people knew about being an engineer?

A: You can’t just be an engineer. If you don’t learn how people work, you’ll build bad products and be taken advantage of by people with flexible morals.

Q: What is the most important advice that you have received as an engineer, and how has it impacted your career?

A: Back everything up. Save frequently. I lost some very important code once, and now I have a trauma-induced habit of typing ctrl-s every 20 seconds. I’m not sure this is healthy behavior, but code lost is regretted forever.

Q: Do you have a mentor or role model who you look up to in the industry?

A: I’ve never been fortunate enough to have a real mentor in this space. I do respect some other engineers, but they are, probably wisely, distant and hard to reach people with a lot of other people who respect their work as well. I hope to never be that unapproachable.

Q: What are some of the most common misconceptions that organizations have when it comes to cloud security?

A: That “cloud security” is somehow fundamentally different from “good application design.” Understanding that the cloud is an operating system and not just “someone else’s computer” is important to building a better cloud for everyone.

 

 

Q: If you could give yourself one piece of advice when you were first starting your career, what would it be?

A: Don’t discount great opportunities that were placed in front of you, simply because you didn’t come up with the idea yourself. Ego is a great motivator to build your dreams, but sometimes someone else’s dreams are worth putting your weight behind.

Q: Which technology leaders or innovators inspire you?

A: I get my inspiration from people, customers, users, everyday folks. I keep no idols and focus my effort on making the world a better place. Sometimes people build good technology and it helps people. Plenty of innovators are just in it for themselves. 

 

 

Q: What was the initial inspiration behind developing code security? 

A: That too many “security” products required a skilled expert to operate. They are too noisy, confusing, and hard to configure. There is a strong desire in this industry for tools that do a good job and have low false positives and I think we can get there.

Q: Could you talk about the team that worked on code security with you?

A: Not everyone came to the code security team from a security background. A lot of usability and development experts, as well as security engineers, have contributed to these products and their expertise speaks to the understanding of the end-user required to make code security products great.

Q: Which feature are you most excited about and why? What makes it stand out? 

A: SCA and “quick” SAST are both “buildless” systems, which means they can be deployed across entire enterprises with little to no configuration required to get the value out of them. This is the bar for a successful security program. You have to cover everything to some degree, not just 10% of your customer codebase.

Learn more about our innovations

Lacework code security helps prevent security issues from getting into the wild by identifying them before code is deployed, and helps prioritize and fix issues faster, wherever they are found in the application lifecycle. Check out our blog to learn more about our approach to code security. Stay tuned and follow us on LinkedIn to meet more of the technical experts here at Lacework.