Hi! This is Yuka Inui from the ReachOne Editorial Team.
In August 2019, BizReach released yamory, an OSS vulnerability management tool aimed at increasing the productivity of system development by IT engineers. (Click here for more: reachone.bizreach.co.jp)
I interviewed Cyber Security Department Product Development Head, Yasuhiro Suzuki, who has been involved in yamory from its proposal to managing the service entirely. We discussed how yamory came to be and the vision it aims to fulfill.
Yasuhiro was born in 1983. He earned his master's degree from the Tokyo Institute of Technology and joined BizReach in September 2010 after working for an IT consulting firm. He has been with BizReach since its foundation and has launched 4 services including CareerTrek. Currently, he is the Product Development Head of yamory, a service that he proposed himself, and is in charge of its product strategy and organizational management.
"As an Engineer, I Wanted to Solve the Issues We Face On-Site"
ーYou have been involved in yamory since its conception. What made you want to create this service?
I, myself, have been involved in multiple projects as an engineer. I have agonized over the man-hours spent on security measures. It is common to use open-source libraries to develop software efficiently, but open-source libraries often have vulnerabilities. Previously, our company's engineers had manually investigated such vulnerabilities and implemented countermeasures individually. But doing so requires specialized knowledge, and it also takes a lot of time and effort.
I wondered if there was a way to effectively lighten the load. I took advantage of the connections I had and asked engineers both in and out of BizReach for their opinions. However, though many shared my sentiments, the only option seemed to be to patiently fix the affected code.
That is when I strongly felt that if security risks were to be effectively managed, a new tool had to be developed. It is difficult to secure enough engineering resources to develop software that would only be used internally. However, if other companies saw a need for it too, I thought, why not develop it as a security management software business?
It was around that time that BizReach started running New Bamboo!, an internal competition for new business proposals. I thought, "This is it!" (laughs)
ーSo that is how you came to propose yamory via New Bamboo!. What was the board's reaction when they first heard the idea?
We live in a world where social issues emerge successively, one after another. Swimmy Minami and the rest of BizReach's Board of Directors always have their sights set on launching startups in fields with significant concerns. They were already watching the cybersecurity industry closely and hence took an interest in yamory. Cyber attacks, including the exploitation of OSS vulnerabilities to leak personal information, are becoming more acute. yamory was deemed to be a very meaningful and rewarding project that could greatly contribute to solving such issues. Thus, the project was given the go-ahead.
Starting With the Search for Similar-Minded Collaborators
ーHow did the project move forward after receiving its New Bamboo! approval?
I was alone so I started by looking for collaborators. Since its foundation, BizReach has always valued the principle of "Entrepreneurship Is to Seek Fellowship". I directly contacted people from outside the company and met with hundreds of them.
ーThat's a lot of people.
Developing security management software requires a lot of knowledge, skill, and experience. But most eligible talents already hold important posts in other companies and not a lot of them are thinking of changing jobs. So I started by meeting anyone who holds even the slightest interest and shared with them yamory's concept and the sentiments behind it, in the hope that they'd find it appealing. It was time well spent because by talking about the project's concept to various people, I was able to refine my thoughts and clearly define what issues I wanted to solve with the project.
ーWere you able to find the collaborators you sought after?
It wasn't easy, but initially I was able to find 5 engineers who are highly skilled in their respective fields, and they are still the core members of our product development today.
A programming language specialist from a well-known systems integrator with a Ph.D. in Language Theory. A committer to Apache Projects' document crawler. An engineer with considerable experience in infrastructure, management, etc. Also, an experienced security analyst/researcher was necessary for the project. And even though it is very rare for an engineer with such a background to be interested in startups, they chose to join us eventually.
More than ever, I believe that such amazing people joined yamory because they resonated with its vision and, as engineers, they find this project worth undertaking and something they want to do.
The Issues Revealed Through Hypothesis Testing
ーHow did you go about developing the product?
We began developing a prototype to be used within the company. We tested our hypotheses repeatedly with the help of the company's cybersecurity team. After we had refined the product internally, we conducted closed beta tests with 12 companies that were interested in yamory.
ーWere there issues that became apparent as you conducted the tests?
Upon interviewing our clients, we discovered that their cybersecurity teams want a comprehensive grasp of what architectures and open source software their products are using, as they are usually only aware of the first few layers.
Also, it was relatively easy to build a prototype up to the point where the system crawls the internet for information on vulnerabilities and sends alerts. However, moving forward we realized that not having priority ratings can pose a problem to the users.
ーWhat sort of problem is that?
For existing systems, there are cases where alerts would be sent for hundreds, even thousands, of vulnerabilities. When that happens, it is neither realistic to solve all of the issues at once, nor obvious where one should start tackling the problems. So I thought it was necessary to attach priority ratings to the vulnerabilities.
We had several discussions on how to sort out the vulnerabilities that present higher risks and how to focus on them. It became clear that a vulnerability is more likely to be exploited if its corresponding attack code or PoCs (programs meant to verify whether a vulnerability can actually be exploited) are circulating on the internet. It is, therefore, necessary to prioritize such cases. We realized that we should consider not only the risk a vulnerability poses but also the probability of it being exploited.
Using technology developed for BizReach's job search engine, Stanby, we were able to crawl the internet for information related to cybersecurity in order to gather information on what attack code or PoCs are in circulation. We are currently applying for patents for this technology and applying it to our "Autotriage" function, an automated sorting function based on severity and probability of exploitation.
"We Want to Develop a Product That Is No. 1"
ーyamory is looking for founding members. What kind of people have joined so far?
We currently have a dozen members, composed of engineers, designers, UX researchers, etc. Each one has class-leading knowledge and experience in their respective field. Such powerful individuals are pushing towards a singular goal, and I think that's what makes this team so awesome.
ーWhat's the secret to keeping a team united towards the same goal?
We are aiming for self-organization. I want to let the team come up with the product's vision by itself and think about how it is to be realized. That's why we adopted frameworks like OKR and Scrum. People who prefer developing software in teams would fit in better than someone who prefers to do everything by themselves.
I also value fostering working relationships based on equality, where opinions can be expressed freely. "Harmony" has been one of our team values from the time when we only had less than 10 members. I want to keep that unchanged even as our team grows.
But what's most important is that none of us want to create something mediocre. All of us want to develop a product that is No. 1, and we are passionate about that. BizReach has a system in place for incubating businesses internally. I think it's a very good working environment for people who, like us, want to be passionate in their careers.
ーWhat specifically is good about BizReach's work environment?
BizReach's mission is "To Create Options and Explore Possibilities With the Power of the Internet". There is a culture of creating businesses that have an impact on society. The work environment makes it easy for anyone to try and undertake socially significant endeavors. And even if you fail, the company is generous enough to always give you another chance. In fact, that's what happened to me. (laughs) I have failed in the past, but I was given another chance with this formidable task.
That is possible specifically because BizReach has a business with a stable revenue base. Startups can be undertaken carefully and thoroughly without the pressure to pursue quick profits. yamory is a product that takes time to develop. The service would not be possible if it weren't for these fortunate circumstances.
ーHow did you decide on the name "yamory"?
It comes from the animal "yamori" (Japanese for gecko). "Yamori" is written with the Chinese characters for "house/room" and "protection". Geckos protect houses by eating bugs and are considered good omens. The service aims to protect the system from cyber attacks by eliminating system bugs originating from OSS vulnerabilities. It matches our vision perfectly, so the project code "yamori" was given from the start.
As development progressed and the time came to decide on the project's name, it became clear that no other name would fit better. However, we realized that in English, "yamori" might be mispronounced as "yah-MOH-ree". We want the product to be used by a wide audience all over the world. So we took into consideration the pronunciation in English and renamed it "yamory" (YAH-moh-ree). We are planning to release an English version and expand overseas within a year.
ーIt does match the product's vision, doesn't it? Can you tell us more about what yamory aspires to become?
OSS is the spare parts of software and technology. For now, we are focusing on enabling users to use them securely. In the future, we plan on including infrastructure/network, OS/middleware and code/logic in our scope to achieve DevSecOps, a software development scheme that embeds security measures and solutions into Agile. We aim to be a security tool used not only by security engineers but by all engineers.
ーSounds like that could significantly decrease the huge amount of time and effort spent on cyber security measures all at once.
Cybersecurity measures are difficult and take time to implement. By taking the burden off of them, I hope engineers would be able to focus on the high productivity aspect of software development. Being an engineer myself, this is my personal mission.
I believe that as Digital Transformation becomes a worldwide trend, the race to develop new services will be even more intensified. Paving the way for engineers to focus on developing software will lead to greater innovation and the launch of a wide variety of services. It would bring me great pleasure if, through yamory, I can assist engineers in software development and, as a result, contribute to the progress of human society.
We are Hiring!
Following its release, yamory is looking for more founding members. Click the link below if you are interested.