Marcus Richards
Cossack Labs empowers developers to easily build secure applications that treat sensitive data responsibly. We strive to enable responsible innovation—software is eating the world, so our goal is to help the software become more secure and privacy-respecting without slowing down the pace of innovation.
We build open-source libraries, proprietary developer tools, and bespoke solutions that address various cryptography & data security problems. Cossack Labs started in 2014 as a cryptographic R&D lab, published many research results as whitepapers, open-source tools, and contributions to community standards. Gradually we’ve extended our open-source offerings into off-the-shelf products and custom solutions in fintech, critical infrastructure, and massive consumer applications with tens and hundreds of millions of users.
Tell us about yourself?
I’ve been around security one way or another since mid-90s as a kid. With a modest STEM background, trajectory of telco and banking engineering and security—typical trajectory for infosec enthusiasts of my generation. I spent a considerable amount of time building security software in payment processing, confidential data exchange, cryptography, banking risk management, private data processing at scale.
Later, I had my fair share of technical and business auditing but found out that building defended and designing complex systems excites me more than breaking them and finding flaws. I learnt from experience that 90% of problems with security lie in the software that inhabits the human brain—so, for me addressing many security problems is an exercise of improving transparency, usability, and adaptability of security tooling. This eventually led me to become a co-founder of Cossack Labs, where I oversee product development and a part of solutions work for select customers.
If you could go back in time a year or two, what piece of advice would you give yourself?
Keep on walking, but mind the gap.
What problem does your business solve?
We protect innovations around the globe with convenient and easy-to-use cutting-edge cryptography and data security technologies. Cossack Labs’ tools and services are typically consumed in industries and verticals where cryptography and data security is a hard requirement—from classic finance and healthcare to sophisticated cryptocurrencies, AI-based software products, and rapidly virtualizing power grid infrastructure.
What is the inspiration behind your business?
We protect innovations around the globe with convenient and easy-to-use cutting-edge cryptography and data security technologies. Cossack Labs’ tools and services are typically consumed in industries and verticals where cryptography and data security is a hard requirement—from classic finance and healthcare to sophisticated cryptocurrencies, AI-based software products, and rapidly virtualizing power grid infrastructure.
What is your magic sauce?
We can balance our boring and thorough formal side with engineering practicality and flexibility most of the time without sacrificing either. It still looks boring though, and perhaps letting ourselves remain cold-headed and boring amidst agile chaos of modern software development is a part of our secret sauce.
We combine three core competencies in one team: formal cryptographic background, offensive / defensive security engineering background, and traditional software development background. This allows us to build secure and efficient tooling that is usable in a practical context yet brings advanced security benefits based on the latest best practices and applied research. We’re an old-fashioned full-cycle laboratory: from our own R&D to development and deployment, we have tight control over what and how we’re building, how it’s used, how it meets real-world threats, and how this security gets operationalized in product and organizational context.
What is the plan for the next 5 years? What do you want to achieve?
We have a large body of applied research and evidence from our customers, which we’re turning into open-source and proprietary tools, contributions to community standards. When you’re building a modern cloud app—there are all necessary bits of infrastructure management tools, application frameworks, databases, etc., all intertwined into a cohesive ecosystem. What we see is a few gaps from a data security perspective—and we’re looking to fill those gaps with an ecosystem of tools that allow encryption to come along the data throughout its lifecycle.
Security is moving from perimeters, scopes and infrastructure tools to application layer, and now it’s a part of developer’s responsibilities. Our vision is to empower developers to innovate securely, without distracting to security, yet keeping the data secure.
What is the biggest challenge you’ve faced so far?
Just like in every industry, building the right team and hiring the right type of people in data security is very hard. And it’s even harder when you’re looking to combine unique in-depth skills in one company. We’ve gathered a brilliant engineering force and proceed making it even stronger.
Some of the initial product concepts and technological ideas we brought to the market turned out to be too complex. We’ve built a company around building spaceships in the market where building reliable lorries is still a challenge. It’s not that we gave up building spaceships—but we’ve postponed them until we’ve gotten all the bits of technology right, usable for our emerging customer base.
How do people get involved/buy into your vision?
For a research-centric company, notion of a customer, adopter or beneficiary of our research is separated with a thin line. Start with open-source tools we build, or rely on our recommendations in improving cryptography in OWASP standards, or come and try some of our proprietary solutions for data protection inside cloud apps—there are numerous entry points to the ever-growing ecosystem of tools and research results we’re putting out to make tomorrow a safer world.
We’re always looking for interesting and novel collaborations with customers who want to go beyond a regular “take this product” approach and build something novel in data security, auditable systems, ML security, SCADA security, privacy-respecting data processing. To get in touch, please refer to our website. And, of course, try our open-source and proprietary tools!
