Matt Konda started Jemurai in 2012 after writing code, running agile teams and doing software architecture for about 15 years, including in the security industry. He wanted to approach security differently with software developers. Instead of pointing out flaws and breaking things, he wanted to engage in a constructive way through training, tool automation and building community across the developer and security communities. He brought this to OWASP, where he served on the global board and as chair. Jemurai has served hundreds of companies, half smaller startups and half very large companies that want to help their developers.
Over the years, Matt was involved in the Ruby, Java and Clojure communities in different cities. Together with teams from Jemurai and from OWASP, he contributed to open source projects like OWASP Glue. As involvement in local development communities grew, work with smaller niche startups that needed solutions for less mainstream languages became a trend. Companies using Clojure, Elixir, Scala and Python started to find Jemurai because of our involvement in the community.
In 2015, Jemurai started to grow, and over the next year or two many of the current team joined. We still did mostly consulting, but we worked on some larger secure development projects and continued to find ways to work with smaller startups, who typically didn't have money for larger scale training or application security initiatives but still needed help with their security story.
In 2017, Jemurai was working with a startup that was revolutionizing manufacturing through commercial 3D printing. There were both investment and customer drivers for building out a security program, and at first we did it by hand with GitHub markdown based policies, Word documents and spreadsheets. We based that work on NIST 800-53 because it seemed like the most accessible, freely available and robust standard at the time. Over 2018, we did another program or two this way.
We started building securityprogram.io (SPIO) when a UX advisor asked us "Who are you heroes to?" Developers like us for our technical knowledge and pragmatism, and our penetration testing often wins accolades from customers when we find things other firms (maybe firms running scanners?) miss, but as we reflected on this further, a different answer emerged.
Small innovative tech companies that are fighting for deals with larger security conscious customers love that they can have a great security story and let their technology speak for itself. Because of SPIO, they found themselves on an equal playing field. They were more secure and they could legitimately expect to compete for enterprise business.
We loved helping these smaller tech companies because we feel like we are one of them. We're going through the same challenges. We are making the same tradeoffs. These companies come to us with excitement and energy and we feel as though we are enabling them to take on bigger and better things! It is the coolest feeling in the world when they look back at us and tell us we were part of their success. It is also a constructive lens to look at the security world through. In contrast to so many of the other tools that are cynical, compliance oriented or so complicated as to not be useful, we could really help.
Ultimately, securityprogram.io is a way to bring better security to a lot more people and enable innovators to break into new business domains. We have fun delivering the software and the programs with the knowledge that we are doing so from a place of genuine alliance with these businesses, and with a clear driver to help our customers meet their security goals.