Senior Editor, Network World

Secret security weapon

Apr 10, 2006 | 6 mins

Vendors turn to OPSWAT to better their products.

There are dozens of brands of anti-virus, anti-spyware, desktop firewall and VPN products, and Benny Czarny has made it his business to know them all inside and out.

Eight other engineers at OPSWAT, the San Francisco company that Czarny founded in 2002, do the same. Why? So that other IT companies, now gung-ho on the concept of checking for anti-virus, anti-spyware, VPN or patch updates before allowing network access, can spare themselves the time-consuming task of keeping up with all the security software brands out there.

Vendors such as Cisco, F5 Networks, Symantec and Juniper Networks license the OPSWAT code that checks for more than 400 versions of security software from more than 35 vendors. They embed the code, a software development kit (SDK), into their network-access control products.

This has made OPSWAT (which informally stands for Omni-Platform Security with Access Technologies) a security vendor to security vendors, supporting methods of network-access control ranging from Microsoft’s Network Access Protection to Cisco’s Network Admission Control.

The anti-virus answer

“What is anti-virus, is the question,” says Czarny, a 34-year-old computer science graduate of Israel’s Technion, Israeli Institute of Technology, who confesses to being a “bit nerdy” in his fascination with software code, which he started programming when he was 11 years old. “Anti-virus is configuring a system to scan and update.”

Every anti-virus vendor, Czarny says, accomplishes this a different way – sometimes even differently in separate versions of the same product.

The API is supposed to be the direct path into how products work, so OPSWAT licenses every virus package it can find and seeks business relationships with as many vendors as it can to obtain the APIs.

But that approach doesn’t always work.

“Sometimes vendors are open, sometimes they hide things,” Czarny says. And he adds about the much-desired APIs: “Sometimes they just don’t have them.”

When OPSWAT meets those kinds of barriers, its software engineers in the United States and Israel have to dive into the security code using their own methods to be able to add the anti-virus software to the OPSWAT framework, which is basically an API for all other APIs.

Part of OPSWAT’s mission is to uncover new anti-virus and anti-spyware companies. While McAfee, Symantec and Trend Micro have practically become household names in the United States, there are younger firms – such as Beijing Rising Technology, KingSoft and Jiangmin in China, and MicroWorld in India – that OPSWAT also works with.

“The reason we’re contacting them is we have prospective customers based in East Asia that say these companies are important to our market, and we expect you to support them,” says Tom Mullen, OPSWAT’s vice president of business development.

Getting through the language barrier is a struggle, because the OPSWAT engineers don’t speak Mandarin or other Asian languages, but sometimes OPSWAT’s large global customers help with translation, Mullen says.

Several of OPSWAT’s vendor clients, including Cisco, Lockdown Networks and Juniper, demur at discussing the developer’s role in their products. But F5 gave credit where it is due.

A year ago F5 embedded OPSWAT software in its FirePass SSL VPN gateway and client software to quickly add a security-check function that customers wanted.

“In an access scenario, a user would log on and perhaps provide credentials, perhaps just a simple password,” for authentication, says Hari Krisnan, product manager at F5. “Now, before allowing access, FirePass can check the integrity of the client device for use of anti-virus software, for the latest signature files or just make sure patches are installed.”

If FirePass determines a client machine doesn’t meet security policy, that machine can be quarantined on a network for remediation purposes. (OPSWAT notes that its code is limited to the health check and doesn’t play a role in quarantine or actual remediation.)

F5 turned to OPSWAT for help on the health-check portion of network-access control because “there are so many versions and vendors of anti-virus products to be supported, and a wide range of firewalls,” Krisnan says.

Without OPSWAT, the software-development process would have been long and tedious. By licensing the code, which can check a desktop using a Java or ActiveX applet, F5 was able to comprehensively add health-check functionality, he says.

OPSWAT licenses its code directly to only two customers: California State University, Fullerton, and Microsoft.

OPSWAT inside

Products that include OPSWAT technology.
Cisco’s Clean Access NAC Appliance
Endforce – Endforce Enterprise
F5 Networks FirePass SSL VPN
iPass GoRemote
Impulse SafeConnect Security Assistant
Juniper Networks SSL VPN security appliances
Lockdown Networks Network Access Control
Looking Glass Systems LG Vision
Serenti Smart Home Networking service
Symantec Whole Security Confident Online

Note: 40 other undisclosed vendors use the Oesis or VPNGuard software development kits in their products.


What OPSWAT SDKs can do:
Identify 400 versions of anti-virus, anti-spyware, VPN, anti-spam and anti-phishing software from 35 security vendors.
Enforce patch updates.

While Microsoft wouldn’t discuss what it’s doing with OPSWAT, Sean Atkinson, California State Fullerton’s network analyst, says the college two years ago licensed OPSWAT’s software and mandated that staff and faculty working at home use the VPN and update anti-virus software.

“We use a Microsoft server for the quarantine,” he says. “We’re saying, ‘we’re not allowing you access to the campus network anymore without this [OPSWAT software].’”

The software works by informing users whether they meet security requirements. Atkinson says he knows OPSWAT is small, but its tech support has been good, and he has volunteered the college for beta tests of new versions.

Czarny says having Fullerton as a customer has helped gain attention from some larger vendors as the idea of policy-based access control gained sway in the industry a few years ago. But OPSWAT’s focus will remain on development work for vendors, not users, he says.

For vendors embedding the code into their products, there is risk that a competitor with deep pockets could swoop in and buy OPSWAT, some analysts warn.

“OPSWAT is in the right place at the right time,” says Gartner analyst John Pescatore. “But there is the risk that some player could grab it, and there would be a period of time the licenses are valid; that might end.”

Others, including Joel Snyder, senior partner at consulting firm Opus One, say such fears are overblown. If OPSWAT gets gobbled up, he notes, another firm will come along to take on the task of poring over endless numbers of security software products to support them in an API-based framework, if the need remains.

Perhaps so, F5’s Krisnan says, but he hasn’t seen one yet.

As for Czarny – whose hobbies include running the New York marathon – he says he’s in OPSWAT for the long run and has no plans to sell out.