The Story of IriusRisk: Building the Future of Software Security Design
In the late 1990s, Stephen de Vries found himself in a South African bank, meticulously combing through code to fix Y2K bugs. It was, as he describes it, “extremely dull.” But this mundane task would lead him down a path that would eventually transform how enterprises approach software security.
The journey began during the early days of corporate internet adoption. “Linux was just becoming a thing back then and I was extremely intrigued by how it worked,” Stephen recalls. As companies started connecting their internal networks to the internet, a new market emerged: “When you did that, you needed to install this thing called a firewall to protect you from the big bad world out there on the Internet where people were going to attack you.”
This transition from development to security marked the beginning of Stephen’s cybersecurity career. But the real insight came from his work in penetration testing. Companies would approach his team with a simple request: “This is our infrastructure, there’s stuff here. See what you can find and see what you can attack and let us know what are the security issues there.”
Over time, a significant shift occurred. “Companies were still sending us IP addresses, but increasingly they were sending us URLs,” Stephen explains. “They said, yeah, I don’t care about my infrastructure, I’ve got that protected…But we’ve written this unique application. It’s now live on the Internet. What are the security problems in this application?”
This evolution revealed a fundamental problem in how organizations approached software security. Drawing a parallel to architecture, Stephen notes: “If you’ve ever built a house, you’ll know that the architect of that house plays a pretty significant role in the safety of it…in the software world, it’s now 2023, and now is the first time when we’re saying maybe it’ll be a good idea that we look at the design of the things we’re building from a security perspective before we go and build them.”
This realization led to the founding of IriusRisk in 2008, initially as a consulting firm. The transition to a product company in 2014 brought its own challenges, but the core mission remained: helping engineers design secure software from the start.
The company’s growth has been remarkable, with Stephen noting they achieved “112% growth, and the year before that, were at about 104%. So 85 was a slower year for us.” This success has been driven largely by expansion revenue, which Stephen describes as “the most satisfying growth that we can have” because it reflects real value delivery to customers.
Looking to the future, Stephen sees a fundamental shift in how software is built. “The act of writing little bits of code, little units of computation, microservices, functions, all of those things are going to become commoditized,” he explains. The real challenge – and opportunity – lies in how these components connect: “What’s going to become less commoditized and where the interesting problem space is, how do I connect all that stuff?”
This vision positions IriusRisk to be at the forefront of a crucial transformation in software development. As Stephen explains, they aim to “automatically analyze a lot of architecture, regardless of how you’ve deployed it…and automatically identify what are the architectural risks that you’ve introduced with this particular design.”
With new regulations requiring secure design practices and the increasing complexity of software systems, IriusRisk’s journey from Y2K bug fixes to automated threat modeling reflects a broader evolution in how enterprises approach software security – making security a fundamental part of the design process, not an afterthought.