Dinosaurs or cyber-security startup: when evolution is the key

Fred Raynal
Quarkslab
Jun 16, 2020

Quarkslab is 8 years old. It is only now that we have decided to do our first round of investment (5m€). Why? Because it is time to scale up our model. Scaling up is a huge and challenging step in the evolution of a startup.

What model?

As a founder, I often describe Quarkslab as a private research facility.

It is private because we are a company and thus we need customers. That obvious statement hides some subtleties. Our customers are at the core of our organisation: they enable us to pay salaries and all sorts of other costs, but they also allow us to buy freedom for self-funded research. This pattern has been in our DNA since day one and it will not change. By doing this, we can choose the topics we want to investigate. Customers are important not only because they pay us, but also because they act like one of our research sensors. Within research, one can easily get lost working on a narrow topic that nobody cares about. Our customers allow us to stay focused on important ideas and topics that matter.

Research is the central word as it is — and will remain — our central activity. We do it for customers or for ourselves, but what is it exactly? It is catching up with the state of the art, then trying to bring something new: new knowledge, a new way of looking at a problem, a new tool… It is all about learning, experimenting, daring, sharing. It is often about frustration, especially when something is not working properly or when someone got where we wanted to be before us. But it is also using that frustration as a way to move forward, to keep learning, to remain strict with ourselves and with the level of challenge we agree to take on. As a matter of fact, we use research to grow people, to share knowledge, and to improve what we build. In cyber-security, being able to imagine new threats and counter-measures is fundamental.

Last but not least, a facility. Research is frustrating in a bad way if it only produces knowledge. In cyber-security, theory is very different from real life. We have to face real-world problems and provide solutions that address them. They may not be perfect or exhaustive, but at least they should solve some parts of the initial problem. We are a facility in the sense that our research has to create more than knowledge alone. That is the reason why we also provide training, tools and products. They all originate from research and are subsequently packaged for diverse uses with “brain juice” and love.

This definition is what made us and what will continue to make us: a private research facility! It keeps us growing, evolving.

From the past to the future

Past: building modern tools

We have always focused our efforts mainly on digging into applications, systems, and embedded software to understand what is under their hood: how do they work? Are they vulnerable? Is the cryptography strong enough? Is the design secure? And many more questions.

In the past years, we have studied very different systems running on very different hardware. Most of the time, this was done manually thanks to the expertise we accumulated over the years. Do you remember when we proved that the cryptographic design of Apple’s iMessage could allow them to eavesdrop on a conversation? Or when we broke the secure boot of thousands of pieces of equipment using NXP iMX SoCs? Or when we reported bugs in a WebRTC system allowing anyone to spy on Signal? And others…

Based on our knowledge and experience, we started creating tools to help with our work and make some of our tasks easier. We then evolved those tools to make them work at scale in order to face new security challenges.

Present: from the lab to the developers

Previously, in the market, only end-users were accountable for the protection of their own data. Recently, the responsibility for security has been transferred from the end-user to the service provider or software vendor, who has the know-how to build robust and trustworthy solutions that handle and protect the new gold: data.

Vendors must secure the data in order to preserve their own reputation and to protect the end-users. For the latter, regulations in any case require vendors to provide a high level of protection for the data they gather.

Developers are key actors in that change. They are the ones building the products, thanks to their constructive mindset, whereas attackers will try to break pieces of the product's code to find flaws. One actor is coding and building, the other one is testing and breaking.

That is why research is so important, especially in cyber-security. The topic is a lot more complex than it used to be, and that complexity will keep on increasing. Research is there to grasp and adapt to complexity in order to provide the tools needed to face new challenges and new threats. Domains like media, telecom, industry, transport, IoT, payment, etc. deal with their own risks, and having up-to-date and evolving defences is necessary to adapt and survive.

Hence, security professionals are the ones who must walk the path to the developers, and provide them with simple but efficient, easy to use but sound security frameworks.

How can we do that? Private. Research. Facility.

Future: automating security

We want to provide easy ways to do security. Security is an opportunity with multiple challenges, from building, to shipping and running. It is not one magic spell fixing everything everywhere; it relies on many kinds of know-how.

And we, at Quarkslab, are building an ecosystem for applications, systems, and embedded security software where the developers can use our tools to remove bugs from their software, protect the code from external threats and continuously assess the security of their products.

We already provide some tools, like LIEF (Library to Instrument Executable Formats), QBDI (QuarkslaB Dynamic binary Instrumentation) or Triton (a dynamic binary analysis framework), to perform reverse engineering. We are working on an orchestrator to automate file analysis (IRMA), and an app shielding solution (Epona) bringing static and dynamic protections to applications. And we keep some surprises in our hat too ;-) The next step is to have everything converge, and that is where we are heading.

The key to success is evolution. And that is why we have completed our first round of fundraising.

We want to scale our model: reach out to more customers (from the *private* part), dig more and deeper (the *research* statement), and produce better tools and products (the final *facility*).

Final and most important personal words

Quarkslab is an experiment and an adventure. We did not know how we would grow, nor what we would build. Of course, as a founder, I had some ideas at the beginning, but some have changed over time, due to the challenges we faced and the people we met. And some others will pop up as we scale.

And for that, I am deeply thankful to all the people who helped us over these 8 years: employees, current and former, customers (only current ;), advisors, partners, friends, supporters. I won’t give any names as I am old enough and I will probably forget someone, but to all of you: thank you!

Despite what I wrote, there is one person I really want to mention: my dad, Jean-Pierre Raynal. He has been an inspiration as a successful entrepreneur with very strong human values he transmitted to me. He passed away 3 months ago and I miss him for this new chapter.

Fred Raynal
Quarkslab

CEO & founder at Quarkslab, focusing on app cybersecurity. Enjoy planting and growing seeds, sharing, experimenting and learning with people. www.quarkslab.com