A Software Security Case Study
The acquisition of source code analysis tool vendor Fortify by HP in September of 2010 marks an important milestone in a decade long technology transfer story. I've been fortunate enough to occupy a front row seat for the entire show. That's because the earliest versions of Fortify's technology base were invented in Cigital's research labs way back in the late '90s. This is the story of technology transfer in the real world, beginning with a federal research grant and ending with a worldwide technology provider with global reach.
Technology transfer is as difficult as it is rare, most likely because of the time scale involved. The story you're about to read stretches over more than a decade and involves millions of dollars of research and development.
Born in the Research Lab
Cigital was founded in 1992 as Reliable Software Technologies (RST). In the early years, RST was a scientific research lab funded exclusively by federal grants. From 1992, Cigital was awarded and executed over $15 million in various government grants awarded by a number of agencies including DARPA, the NSA, NASA, the National Science Foundation, and the Advanced Technology Program of the Department of Commerce.
In 1999, Cigital turned its attention from early work in Java Security, fault injection, and software testing to software security. See the paper Software Assurance for Security for one of the earliest representative publications. Given Cigital's software-centric research focus, it was only natural for Cigital to pursue the notion of scanning code for security problems (especially in Java).
A number of Cigital's early research projects involved work on code scanning, including DARPA contract DAAH01-98-C-R145.
The open source release of ITS4 in February of 2000 marked an important milestone in source code analysis tools originating at Cigital. ITS4 was the world's first code scanner for security for C and C++ code. But ITS4 was far too simple for industrial use; it was basically a glorified grep engine with some simple vulnerability patterns. In the lab, we were exploring much better compiler-and-parser-based technology that took advantage of intermediate representations such as abstract syntax trees and could thus search for more sophisticated patterns. The research was published at a number of academic conferences, including ACSAC.
Negotiating the Research Valley of Death
The "research valley of death" is defined as the time in the life of a technology between early stage prototyping in the research lab and readiness for the kind of capital injection offered at later stages by venture capitalists. Many promising research prototypes languish in the valley of death, never to emerge as full-fledged technologies.
The Advanced Technology Program in the United States (run by the Department of Commerce) exists to help bridge early stage technologies so that they persist and evolve through the valley of death. Cigital's budding code scanning prototypes were supported and further developed under Advanced Technology Program cooperative agreement number 1997-06-0005, entitled Certifying Security in Electronic Commerce Components. This ATP research resulted in two patents: US Patent 7,302,707 (static analysis for buffer overflows) and patent 7,284,274 (combining static and dynamic analysis for security certification) . During the work, we built a working research prototype code named Mjolner.
Though Mjolner's technical approach to code scanning far surpassed the capabilties of ITS4, it was not at all ready for prime time use by non-scientists. In final analysis, the ATP funding supported the evolution of the work into an almost-usable tool and certainly helped negotiate the research valley of death.
Consultingware: Mjlolner to SourceScope
For a year or two between 2000-2002, Mjolner was renamed SourceScope. At worst, SourceScope was a hairy research prototype that required use in concert with a handful of open source tools to actually work. At best SourceScope was "consultingware" — that is, software written for use by savvy, well-heeled consultants willing to forgive its quirks and flaws in order to get some work done. SourceScope did work, but barely. It was supported by an internal engineering team at Cigital called Core Technologies and driven by use in the field by Cigital consultants.
During this time, Cigital delivered SourceScope only in the form of consulting engagements for code review. Attempts to sell the technology directly to end users always ended in failure — mostly because the technology was too difficult for normal developers or security analysts to use. SourceScope was able to ferret out more interesting source code vulnerabilities than ITS4 (and ITS4's closely-related cousin RATS), but using it was painful and involved a non-trivial understanding of how to navigate source code while reviewing code during the build process.
Venture Capital to the Rescue
In 2003 Ted Schlein, a partner at the venerable Silicon Valley venture capital firm Kleiner Perkins Caulfield & Byers contacted me. Knowing that Kleiner was the VC responsible for incubating such companies as Google, I immediately dropped everything and flew out to meet with Ted on Sand Hill Road. Ted wanted to start a company in the software security space. Roger Thornton, one of the co-founders of Fortify, was already involved in the project.
After intense discussions and negotiations, Cigital licensed the SourceScope technology and its associated rules to the Kleiner startup that eventually became Fortify. At that time, Fortify had 4 employees, all founders.
Cigital's SourceScope technology was delivered wholesale to the Fortify engineering team who proceeded to tear it apart and create a real software product from its guts. Fortify's engineers and scientists spent huge amounts of time and money transforming SourceScope from barely-working consultingware into a commercial grade software product. They assembled a world class engineering team. They lived with early customers. They hired usability consultants. And they kept a relentless focus on creating an excellent and usable software tool.
Into the World
After seven years percolating at Fortify — time that included several product release cycles and use by many hundreds of real customers — the technology hatched in the labs at Cigital was finally ready for prime time. In the time between 2005 and 2009 the market for software security grew steadily larger, spurred on in no small part by static analysis tools including Fortify, Ounce, Coverity, and Klokworks.
The biggest players in technology took notice of the software security trend and have since been bulking up in the software security tools space. Their first purchases were black box Web application testing tools. Next came the static analysis tools for white box code review.
IBM purchased Ounce Labs, and HP purchased Fortify. Competition between these two global technology providers should be fierce and will certainly help to develop the software security market even further.
To be sure, there is much work remaining to be done in source code analysis regardless of this technology transfer success story. The current set of commercial code review tools all have limitations, especially when it comes to data flow capabilities. At the end of the day, this story teaches us an important lesson: the non-trivial amount of time, money, and sweat that technology transfer really takes.