As Demand For Developers Rises, Denim Group Founders Stress Security
San Antonio—Dan Cornell and Sheridan Chambers had barely graduated from Trinity University in San Antonio—Chambers in 1997, and Cornell a year later—when they sold their first company, Atension, in 1999 to then-publicly traded Rare Medium Group.
Their stint at Rare, which suffered the same fate as many dot-com-era software businesses when the bubble burst in the early 2000s, was short-lived: They were gone after 14 months. By 2002, Rare was delisted from the Nasdaq.
“It felt like about 10 years,” Chambers says of their time at Rare. “We left and were evaluating what we could do. It led to founding Denim Group.”
Denim Group is a San Antonio-based cybersecurity provider that is in part an evolution of the duo’s personal journey. It started as another software development firm, but shifted its focus to cybersecurity in 2004 when John Dickson, a former officer in the Air Force’s Information Warfare Center and a corporate network security executive, joined as the company’s third partner.
That could be considered astute, as the import of information security in the corporate sector has risen dramatically during the last decade. Large-scale security problems, such as leaks at Target and Sony or most recently the Panama Papers, have made the issue prominent among top executives in Denim Group’s target corporate customers.
“Information risk management is now resonating with people at much higher levels of governance for an organization,” Cornell says. “With so much to gain from it, there’s so much to be lost. CEOs and other executives now care about this.”
Denim targets Fortune 2000 companies, offering services that include assessing the security of their source code, testing the security of their existing applications, and helping them write new ones. The security firm now has 85 employees.
While Cornell and Sheridan like having a busy business, one trend in the software industry has the company slightly concerned: the lack of cybersecurity training among new software developers. As the demand for software developers is on the rise, and more coding schools are opening to meet that need, most don’t offer enough cybersecurity training in their programs, if any, Cornell says.
“What we’re doing is dumping people out into the world, saying ‘go build stuff—build entertainment websites, build e-commerce websites’—but they don’t have a mindset that security needs to be a characteristic of the system we’re building,” he says. “That’s something that needs to be, industry wide, fixed if we want to get on the other side of this power curve of being able to trust the technologies that we’re deploying.”
The comments must be taken with a grain of salt, given the perspective the Denim Group founders come from. Still, bad coding would seem to be good for Denim’s business, right? The easy answer is yes, Chambers says. But unsecure applications won’t help Denim’s customers (or potential customers) right now, he says.
For the long term, Chambers says he has a positive view of coding-school programs because of the sheer demand. The Bureau of Labor Statistics estimates 17 percent growth in the number of software developers by 2024, over the 1.1 million employed in 2014. But in the short term, the lack of cybersecurity training for new developers is potentially making software development less secure, he says.
“From a security perspective, it’s sort of exacerbating the problem,” Chambers says. “You’ve taken a classical, more scientific approach to building software development that you want to learn in a university setting and simplified it to, ‘This is how you write code.’”
San Antonio-based coding school Codeup does teach its students about security problems facing Web applications, such as cross-site scripting, SQL injection, and other common issues—though it doesn’t spend a lot of time on the topic, says CEO Michael Girdley. Instead, the training program focuses on what Girdley says employers tell Codeup they want: well-trained software developers.
“While there are tons of things they want us to build for them, this isn’t one of the things they’re asking us to include,” Girdley says of security training. He added that Codeup has closely examined doing a cybersecurity bootcamp, but it is currently on hold. “The demand for cyber isn’t as strong as the coding space.”