ITSPmagazine Podcast Network

Cutting-Edge Mobile App Security | A Brand Story Conversation From Black Hat USA 2024 | An Appdome Story with Tom Tovar | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

In this episode of "On Location with Sean Martin and Marco Ciappelli," ITSPmagazine takes you behind the scenes of Black Hat USA 2024, where Appdome CEO Tom Tovar explains how the company automates mobile app defenses in the build pipeline and where the platform is heading next.

Episode Notes

Welcome to another insightful story from ITSPmagazine, where we bring you exclusive content directly from Hacker Summer Camp at Black Hat Las Vegas 2024. This year, Sean Martin had the pleasure of sitting down with Tom Tovar, CEO of Appdome, to explore the company’s innovative approach to mobile app security.

A Dynamic Presence at Black Hat

Black Hat USA 2024 was buzzing with energy, and Appdome's colorful booth, complete with video showing the range of what the company offers, drew plenty of attention. Tom credits his marketing team for the design. The booth was tall enough that Sean's team needed a wide-screen shot to capture it in a single photo, which at the time of recording had not yet been shared on social media.

The Origin of Appdome

Sean asked Tom for Appdome's origin story. Tom began his career as a corporate and securities lawyer during the tech boom, then joined NetScreen, a firewall company, where he worked in operations, sales and business development. He later took five years off to climb mountains and, during that time, taught himself to code. Building mobile apps with low-code tools and modern frameworks, he found that every security product he evaluated forced him back to writing protection code line by line with the help of Stack Overflow and YouTube. He complained to venture capitalist friends that security should be a push-button, vending-machine experience; one of them suggested he build exactly that, and Appdome was born.

Revolutionizing Mobile App Security with Appdome

Tom's design goal was to solve the operational problem of getting defenses into the mobile app without friction. Appdome installs into the CI/CD pipeline: the security team selects the defenses it wants by switching on features, the development team issues its normal build command, and what Tom describes as a machine learning coding engine inserts those defenses into the application, with no SDK to integrate and no developer work, before the build continues on to testing and release. The first defenses were classic app-hardening functions such as encryption, obfuscation, anti-tampering, jailbreak and root detection and man-in-the-middle protection; the same architecture was then extended to malware detection, fraud prevention, geo-compliance, anti-bot and integration with EDR, XDR and MDM. The security-relevant point, in Tom's framing, is ownership: in web and cloud, security teams deploy their own controls, but in mobile they have typically depended on a development team with different priorities, which is how pentest and code-scan findings end up waived so that the app can ship. Letting the security team deploy the defense model directly gives it the same control and visibility in mobile that it already has elsewhere.

Embracing Generative AI for User Empowerment

A highlight of the interview was Appdome's use of generative AI, announced a few days before Black Hat. The scenario: a device picks up malware, the app's defenses detect it and, correctly, refuse to let the app run, but now the bank, retailer or employer has a user who cannot use the app. Appdome takes the telemetry from that detection, such as the threat type, device, operating system and network, and feeds it into its AI models to generate "what is it, how to find it, how to fix it" instructions that the brand's support organization can hand to the user, who can then remove the threat and get back into the app without a ticket. The same moment doubles as security awareness training, because the user learns what they clicked and why it mattered. Tom is candid about the limits: large language models are not a cure-all, but they are good at synthesizing unstructured data into step-by-step instructions. Today the guidance flows through the support organization; surfacing it inside the app behind a "learn more" button is a stated next step, not yet shipped.

Appdome’s Expanding Influence in Cybersecurity

With more than 144,000 applications on the platform and over 11,000 builds handled daily, Appdome operates as a SaaS service that customers plug into their pipelines. Tom also noted that automation only became compelling once the catalog grew: with one defense, customers could do it themselves, and it was somewhere around 30 defenses, after roughly doubling at each step, that buyers stopped trying to build equivalents in house. The catalog now runs to three or four hundred defenses, each with multiple sub-options, which Tom contrasts with the alternative of procuring around 20 point products and staffing a dedicated engineering team.

Looking Ahead: The Future of Mobile App Security

Today the customer chooses every defense to turn on or leave off, and Tom argues that choice is what matters right now: if the platform's telemetry and visualization show an attack, a team can enable a defense and rebuild in about a minute and a half, which is a good incident response time. But customers are already warning that a catalog heading toward six or seven hundred defenses will overload their ability to choose well. Appdome's plan for 2025 is AI-driven recommendations, and the longer-term goal, which Tom puts at three to five years, is an auto-defend capability that inspects an app's structure and function during the build and adjusts the defense model automatically.

Conclusion

This interview with Tom Tovar at Black Hat USA 2024 shows how Appdome is pushing automation in mobile app security: moving deployment of defenses into the build pipeline and into the hands of the security team, and using generative AI to turn a blocked user into a remediated one. As the mobile attack surface keeps growing, that is the gap Appdome is betting on.

For more insights and updates from the cybersecurity world, keep following ITSPmagazine.

Learn more about Appdome: https://itspm.ag/appdome-neuv

Note: This story contains promotional content.

Guest: Tom Tovar, CEO, Appdome [@appdome]

On LinkedIn | https://www.linkedin.com/in/tom-tovar-9b8552/

Resources

Learn more and catch more stories from Appdome: https://www.itspmagazine.com/directory/appdome

View all of our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: And hello everybody. You're very welcome to a new brand story here on ITSPmagazine. We are coming to you from Hacker Summer Camp, Black Hat Las Vegas, USA 2024. Been, uh, it's been a good show. You guys have a great booth down there, by the way. Oh, thanks a lot. Yeah, we wanted to really make a splash, and I think we did. A lot of colors. You did? You did? I love the colors. And the energy down there that was good too. Fantastic. Yeah, we really loved it. We put some video there. 
 

We wanted to show the diversity of what we have to offer. And I think we, our marketing team just did an amazing job putting it all together. It was tall. It was very tall. We had to do a wide, wide screen shot to capture that photo, which we haven't shared on social yet. People will get a chance to see that. 
 

Um, I'm here with, uh, Tom Tovar. How are you, Tom?  
 

[00:00:44] Tom Tovar: I'm doing well. Thanks for having me. No worries. Appreciate it. Yep. Thanks for having me.  
 

[00:00:49] Sean Martin: And, uh, So, I had a chance to talk with one of your, uh, one of your teammates, Brian Reed. We talked about some of the stuff you were doing with OWASP. That was a great chat from, uh, Lisbon. 
 

I want to use this time to maybe take a step back and get a, what we call the origin story. Why, why you took the time to create Appdome. What were some of the challenges you saw that you wanted to overcome and who are you doing that for? And of course, some of that starts with personal stories. Yeah. So maybe give us a little view of how this all came to be. 
 

[00:01:26] Tom Tovar: Yeah, yeah, uh, we'll tell a short, short, short, short version of the story is, you know, I became a mobile developer, uh, very late in my career. Yeah, that's enough. Yeah, exactly. Exactly. I became a mobile developer very late in my career. Uh, so I started off as a corporate and securities lawyer, so in the tech boom. 
 

Uh, and then I went to a security company called NetScreen, which is a firewall company. I did a lot of operations, a lot of sales, a lot of BD, the typical things that a lawyer might do. Had a lot of success doing those kinds of roles, and then took five years off to climb mountains. And, in that time, uh, that I was climbing mountains, I taught myself to code. 
 

Okay, now when you start to learn to a laptop?  
 

[00:02:03] Sean Martin: What are you, a laptop on there?  
 

[00:02:05] Tom Tovar: Uh, no, when I was in Columbia, you know, when I came down and I needed to take a break.  
 

[00:02:10] Sean Martin: I was just sitting on the peak.  
 

[00:02:11] Tom Tovar: Yeah, yeah, it would be nice, right? A little C The battery doesn't do so well up there. Reassembly, reassembly. 
 

Yeah, yeah, yeah. The battery doesn't do so well in the high mountains, but So when you're learning to code, uh, particularly late in your career, you want to get there fast. You want to do things quick. You want to, you're using a lot of low code, no code platforms to build applications. You're using a lot of modern frameworks to build applications, because it's just faster. 
 

You know, you're not coding line by line by line. So, as I started to do this, um, I was building mobile applications and I came to the question of how do I secure them. And I went out and I looked at different products, looked at what was out there. And everything was requiring me to, forcing me to, code line by line, which made me have to go to Stack Overflow. 
 

I had to go to YouTube videos, had to figure out how to do all this stuff. And it was really annoying. It was driving me nuts. So I was complaining about this to some of my VC friends. I was like, this security stuff, why can't we make it easy? Why can't we make a push button? Why can't we make it a vending machine? 
 

It should be able to just click a button and be done. I don't understand why it's so hard. Blah, blah, blah, blah, blah. And one of my, one of my venture capital friends said, well, why don't you just build that? And I was like, Oh. Oh yeah. Maybe we should do that. So that's what started, that's how, that's how I jumped right in and started, started looking at it and, and working to, to build what we have today. 
 

[00:03:28] Sean Martin: And do you still code.  
 

[00:03:29] Tom Tovar: I do code. I'm not very good, but I've never been good at it. You know, but the good news is the engineer, our engineering team puts up with me, you know, every once in a while I'll give up a small POC or something and they giggle, like it was a good idea, bad implementation, but it's, it's still, you know, uh, engineering's like that, you know, it's a little like, uh, uh, like art, you know, you, you, you kind of give people a picture of what you want, but you give it enough detail where the people that really know how to do things can take it to the next level. 
 

So I'm more of a, a POC creator at this stage. Yeah, but it works. It works.  
 

[00:03:59] Sean Martin: You know, I've, I've seen what you do. So whatever you're doing is working. Thanks. Thanks. Thanks. Thanks. And so let's, let's talk about, I mean, security is fairly broad and even mobile security, if you want to look down to that, it's still, still a big chunk of stuff. 
 

Yeah. So what, what's your definition of mobile security? What are you, what are you trying to accomplish with the one button?  
 

[00:04:20] Tom Tovar: Well, the thing is, so, so our whole view or my whole design philosophy around the product was to solve the operational challenge of bringing defense into the mobile app. So, first step was making it simple, making it easy, eliminating friction. 
 

So, the thing, the only thing that's really, that's really good, or the best thing to use to do that is machine learning. So, the first thing we built was a machine learning coding engine that did a lot of, did all the work for you. Uh, for a lot of classic security functions like encryption, obfuscation, anti-tampering, uh, jailbreak/root, man-in-the-middle. 
 

So we started coding different functionality into it. What we found over time is that you can actually use those same, those same architectures and technologies to extend the defense model into things like malware, fraud, geo-compliance, anti-bot, EDR, XDR, MDM, and so forth and so on. So we realized that what we had stumbled upon was kind of a flexible, automated way of delivering security for mobile defense projects. 
 

And that's, that's when it really got interesting. That's when we were like, well, as you say, security is not security. There's security, but there's all these other components that we can bring to bear. And deliver it easily for customers. And that, for us, that was just like transforming. Just like, it was like, BAH! 
 

Boom! We were there, and we're having a lot of fun at it. I mean, there's so much to do. As you said, there's so many different attack vectors. I mean, you've been in this space a long time, so you know, like me, you know that it's not one dimensional. The attack surface is very multi dimensional. And if you're a modern brand or enterprise, you gotta be prepared for all of that. 
 

[00:06:01] Sean Martin: And we're talking about, just so folks are listening, we're talking about a retailer building a retailer app for their customers or a manufacturing company building an app for their supply chain or whatever it is.  
 

[00:06:13] Tom Tovar: It could be any kind of application, whether it's consumer facing applications for mobile banks, could be mobile games, could be retail, hotels, airlines, could be anything that we use on a daily basis including social media. 
 

But it's also employee facing apps, you know, apps that we use in a work from home world, uh, to be more productive, to be more, uh, uh, to be better at our jobs, to do more with less. And I think in both cases, uh, the attack surface is just as broad. It's just as diverse. It's different, but it's just as broad, just as diverse. 
 

And the challenge of your CISO is how do I solve both? And these days, as you know, we're all talking about platforms. We're all talking about bringing it together under one single pane of glass.  
 

[00:06:59] Sean Martin: Someday we'll get there. Yeah. I think you're there, if not very close to it. Um, let's talk about the landscape. 
 

So you had this, you had this drive for yourself. You start the company, you start building things. Where do we sit in terms of, let's speak to the CISOs here. So they struggle with this. Yeah. They have teams that are building stuff. They're trying to run this. Cloud Ops and IT Ops. And their SecOps teams are trying to figure out how to build, deploy, manage, and maintain these things safely. 
 

Um, where do we sit in terms of capabilities for them to actually get their handle on this? Yeah, yeah, the evolution of the role and everything else.  
 

[00:07:44] Tom Tovar: So I'd say in the web and in the cloud, uh, security world, uh, CISOs and cyber teams have been through a great, uh, uh, evolution from advisory into operational line responsibility. 
 

In the web and cloud, they have tools and systems, technologies and products right now to deploy literally and to own the deployment of literally any class of defense that they need. Push a button, make it done. Right? Um, in mobile however, they're still in the dark ages of the advisory role. They don't own the means of delivery. 
 

The dev team does. So they're really Exactly. Exactly. So they're putting a lot of, a lot of trust and a lot of faith, uh, for their, their objectives in another department that they don't run and they don't control, who has different priorities. So a lot of conflict happens. So where we come in is really to kind of help the cyber team kind of have the same level of control, have the same level of management, have the same level of visibility in mobile as they do in cloud and web. 
 

So it's not that they can't do it, it's that they haven't had the tools to do it. They're already in operational role, and if you're the best CSO in the world, you already have your hands on the button. You already know that you've got to control how to deploy the defense, right? Otherwise, you're toast. So, what's true for web and cloud has to be true for mobile. 
 

Otherwise, you can't do the job.  
 

[00:09:06] Sean Martin: So, I think it's time, and I'm going to encourage everybody to listen to the other conversation I had with Brian, but I think it's time for you to describe what you do, a scenario of an app idea to development to deployment with security there. It's phenomenal, I have to say, what you've done. 
 

[00:09:27] Tom Tovar: Yeah, so in a classic DevSecOps process or shift-left philosophy, you're building an application and you want to get security into the build process as early as possible, right? That's shift left. The classic way we've done that in the mobile world is we do pen tests or code scans of the code and then if there's vulnerabilities or, you know, gaps in the security model. 
 

We open up tickets with the development team and ask the developer to fix this. A lot of time, developer doesn't have time. A lot of times they're under the gun to deliver an app. Uh, we have to give waivers. We have to let the app get out the door. We have to fix it. The decks go around and so forth. 
 

Anyway, gaps exist. What Appdome does is, uh, we're a system that you install in the CI/CD pipeline, and the cyber team instruments the defense model that they want by choosing, just, literally just turning on features that they want. And then, uh, the dev team issues the build command from their build system. 
 

And our machine learning codes everything into the application for them. So, they can literally deploy 340 different defenses under a minute and a half. And everything is coded for them. There's no dependency on the dev team. There's no SDK. There's nothing they have to do. Everything gets coded into the application. 
 

And then it continues on with the pipeline and you release the app on the test. Exactly. It goes on to test, goes on to release and everything else. So it's all about automation. So in a world where you've got less resources, you've got less headcount, maybe you've got less time from the dev team, uh, or whether you're trying to take on an operational responsibility and be the owner of the own deployment, Appdome is a perfect complement to all the other tools that you have for web and cloud. 
 

Right. So, so yeah, I mean, this notion of having a platform that. You know, and our customers will come to us on a regular basis and say, Hey, you know, can you solve this other problem for us? And we'll say, yes, we can. And we'll add a feature and just give them that same, turn it on, see it, solve it capability to deploy the app. 
 

So it's, it's kind of magical, uh, but it's not magic. It's tech and, you know, we're doing it, doing it right.  
 

[00:11:32] Sean Martin: I think you've, you've done, I've seen the UI. It's, yeah.  
 

[00:11:35] Tom Tovar: Well, I didn't make the UI, so some really great designers out there always get a good designer.  
 

[00:11:39] Sean Martin: So it looks cool, but to see what it, what's possible there and all the, all the different capabilities. 
 

Yeah.  
 

[00:11:47] Tom Tovar: Well, we wanted the product on the UI side to be, to be just as intuitive as, you know, cause again, if you're running a business, whether it's a pizza shop or a cyber shop, uh, it's gotta be an efficient business. You've gotta be able to do repeated, you know, repetitive, you know, consistent, you know, quality assurance, getting it out the door. 
 

So the UI is very important. You got to be able to look at it to understand how to use it. Your onboarding time for new, new, uh, teammates has to be really short. What I'm really excited about is we're also now bringing in Gen AI to solve the friction for the end user when they're under attack. And if you want to know more about that, I can tell you. 
 

Let's do it. Okay. So, uh, in a classic scenario, whether you're a consumer or an employee, you have a mobile device that's in your hand and God only knows what happens with that, right? Maybe your kids get a hold of it, maybe you're, you click on a link you shouldn't or, you know, what have you. Malware gets installed on your device. 
 

If the defenses are working properly, the defense will detect that malware on the device and not allow you to use that application, right? We'll protect the business, we'll protect your account, and not allow you to use the application. However, there's a business problem. You can't use the application. And the goal of the business is to get you to use that application, whether you're a banking customer, whether you're booking a trip for your honeymoon, or whether you're a workforce Exactly, whatever it is, right? 
 

So there's a business problem. So the question is, how do we get you, as a user, past that attack, and get you back to using the app? Okay, so it turns out that, uh, if you can take telemetry and intelligence from that attack, which we have, and we can feed that into AI models, which we've created. We can generate, using Gen AI, all the, all the, what is it, how to find it, and how to fix it, instructions that a support organization can give to the end user. 
 

So the end user can say, ah, okay, I've got this threat on my device. This is why the brand is protecting me. This is how I find it on my device, and this is how I remove it. All of a sudden, you get instant, automatic support for the end user and the end user now can get past their own attack, self serve, and get back to using the app. 
 

And also, you can increase cyber awareness for the whole global community. Absolutely. Yeah, and do cyber awareness training in that moment for employees. So, it's even better.  
 

[00:14:14] Sean Martin: It's incredible. Yeah, incredible. So is this something that's deployed at the moment?  
 

[00:14:18] Tom Tovar: Yeah, we just announced it just before Black Hat. 
 

We just announced a couple days before Black Hat. We're demoing it all the time. Black Hat. It's kind of amazing because here's the thing. Cyber awareness inside enterprises is a big, big topic, right? How do you train people? How do you train people to be aware of the threats and why they shouldn't download on links and so forth? 
 

Instead of making the defense, the security a negative, right? You've done something wrong. Flip it around, use it as an education moment so that now your users know the consequence of clicking on that link or doing something bad. Use that moment to educate them and let them self serve to, to, to remediate. 
 

And then, and then you get productive users back and you get, you get active consumers back. Yeah. So yeah.  
 

[00:15:02] Sean Martin: So any, have you done proof of concepts with them? Yeah. Yeah. Yeah. Yeah. I mean, we can't, I can't tell you, I can't tell you who exactly, but yeah, any, I'm sure they've seen,  
 

[00:15:14] Tom Tovar: I think it's amazing. I think it's amazing. 
 

And, and here's the thing. So, so you can use Gen AI for everything. So again, as a developer, it's not a be-all end-all of anything. Large language models have their limits. Uh, but what they're really good at doing is synthesizing a lot of unstructured data and giving kind of bullet point steps to follow. 
 

So, you know, give me a recipe for a cake to make a chocolate cake or something, blah, blah, blah, blah, blah. I want the cake to have this number of calories and this number of carbohydrates, whatever, blah, blah, blah. And it'll do that. You tell it your specifications and it'll tell them back. So it's very good at doing things like that. 
 

So you can do the same thing with threat resolution and, and, and threat discovery. By giving it enough telemetry to know, like, what is a threat, what kind of device is it, what operating system is it, what network is the consumer or the user on, etc, etc. And it can go out on the internet and pull all this information in and give you step by step alternatives for how to resolve that. 
 

So, our customers are like, wow. Like, holy moly. And literally, they say, where are you guys getting these answers? We just tell them it's Gen AI and they're like, Oh my God, this is so, you're making it so easy for us because without it, what's the user going to do? You got to go Google how to get this off your, your phone. 
 

And that's a lot of Googling. That's a lot of Googling and you get frustrated.  
 

[00:16:37] Sean Martin: Well, just like with Gen AI, you have to know what to prompt. Exactly. The answer is the same with a Google search. You have to know what to search. Yeah, exactly.  
 

[00:16:44] Tom Tovar: Cause you can get a lot of garbage too. If you don't know, if you don't know what to do. 
 

So, so we're handling all that for the enterprise and the brand. Now, my hope is that someday we'll integrate that capability directly into the application so that when you face an attack, you just, it'll say, learn more, you click it and inside the app experience you get all the, all that information. 
 

We're not there yet, but I think we're going to be there really soon, so.  
 

[00:17:09] Sean Martin: Well even just having that, that info handy is uh, incredible. What's um, I want to close because we're about to wrap here. I want to talk about the impact you're having for your customers. Um, so, trying to build this stuff in manually. 
 

Who knows how many cycles and days and hours that it would take to do this. So what, what are some, what's some of the feedback or comments that you're getting back from customers that, yeah, I don't know, is it how many apps are being used or built?  
 

[00:17:45] Tom Tovar: So we have 144-plus, 144,000 and more applications on Appdome today. 
 

Uh, we handle over, uh, 11,000 builds daily. Uh, so it's a pretty robust, like, SaaS platform that people are plugged into using on a regular basis. I sometimes just turn on the back end and stare at it because I like seeing application brands just go, bleep, bleep, bleep, bleep, bleep, bleep, bleep with all of their different configurations, the permutations of choices that people are making and, and the types of applications, the how they're built, what's inside of them and all of that. 
 

I can see all that. It is amazing the diversity of, of, of defense models and so forth. You know, funny story you asked about the origin story. You know, when we first launched Appdome, um, we only had one defense. And so with one defense, automation doesn't make much sense. So people were like, yeah, I can do that myself. 
 

Who cares? Right. Um, and then we had two and people were like, ah, two became four and four became eight, eight became 16 and 32 and so forth. And we just kept doubling the number of defenses over time. I don't really know what the, what the tipping point was. But somewhere around 30 ish defenses, people were like, okay, we can't do that ourselves. 
 

And now, and now we're at three, four hundred defenses and everyone's just like, okay, you guys have it all. Like it's just, and let's not forget that each defense has some, exactly. Each defense has multiple, multiple sub things that we do. So if you were trying to do all of this yourself, you'd either have to procure 20 different point products and have an entire engineering team dedicated to it or. 
 

You know, somebody asked, someone said to me today at Black Hat, so you guys are like the Amazon, you know, just, just click it and ship it. And I'm like, exactly. You just click it and ship it for your mobile defense. And so it's, we're having a lot of fun with it.  
 

[00:19:37] Sean Martin: I know we're out of time, but I always have one more question. 
 

So I'm going to ask one more question because it's on this, this point of the different, uh, protections, uh, and the sub sub elements within them. That has to fit the business, right? The customer needs to be able to tune that to their risk appetite, their environment that they operate in. Is it internal employees and an external customer? 
 

So, tell me quickly about  
 

[00:20:06] Tom Tovar: Yeah, I think where we're going to get to, which is a very interesting question. Right now, the customer has all the choices. The customer chooses what defense to turn on, what defense to leave off. And that makes sense. But a lot of our customers are also saying, at three, four hundred, what's looking to be six hundred, seven hundred defenses over time, you might, Appdome might get to the point where you have overloaded our team's ability to make good choices. 
 

So what we're going to be doing in 2025 to give you a little bit of our vision is to use AI modeling to give recommendations to users and then ultimately have an auto defend capability where as you're building applications, we inspect the structure of the app. We understand what kind, what the app does, you know, functionally. 
 

And then we just automatically adjust the defense model based on all the data that we have so that people can just do auto defend. I don't think anybody is willing to do that today because it's too many questions. But I think in the next three to five years, I think you will see auto defend kind of be a thing that everyone will want. 
 

Today, choice is king. Choice, the ability to turn something on and get it out and appealed, as quickly as possible. If you got an attack, and you can see the attack in our system, because we give telemetry and data visualization. If you can see it and solve it in a minute and a half, that's a pretty good, that's a pretty good response time. 
 

So incident response, boom. Yeah, so that's really what it's about right now. Getting, giving the user choice, eliminating friction, spreading some education along the way, making it easy on folks, and then down the line, keep building in AI capabilities to make it even more simple. Alright. Cool. And hopefully we'll, we'll be around next year and we'll even have a way of more talk about an updated chat on that. 
 

Exactly. Okay, cool.  
 

[00:21:53] Sean Martin: Well, Tom, thanks a million. Thank you. Thanks for having me. Really appreciate it. Thanks to everyone at Black Hat for coming by and checking us out. Exactly.