Home > Articles > Security > Software Security

Software [In]security: Technology Transfer

  • Print
  • + Share This
Gary McGraw discusses the evolution of a source code scanning tool from research project to commercial project and details the transfer of technology that made it all happen.
Like this article? We recommend

A Software Security Case Study

The acquisition of source code analysis tool vendor Fortify by HP in September of 2010 marks an important milestone in a decade long technology transfer story. I've been fortunate enough to occupy a front row seat for the entire show. That's because the earliest versions of Fortify's technology base were invented in Cigital's research labs way back in the late '90s. This is the story of technology transfer in the real world, beginning with a federal research grant and ending with a worldwide technology provider with global reach.

Technology transfer is as difficult as it is rare, most likely because of the time scale involved. The story you're about to read stretches over more than a decade and involves millions of dollars of research and development.

Born in the Research Lab

Cigital was founded in 1992 as Reliable Software Technologies (RST). In the early years, RST was a scientific research lab funded exclusively by federal grants. From 1992, Cigital was awarded and executed over $15 million in various government grants awarded by a number of agencies including DARPA, the NSA, NASA, the National Science Foundation, and the Advanced Technology Program of the Department of Commerce.

In 1999, Cigital turned its attention from early work in Java Security, fault injection, and software testing to software security. See the paper Software Assurance for Security for one of the earliest representative publications. Given Cigital's software-centric research focus, it was only natural for Cigital to pursue the notion of scanning code for security problems (especially in Java).

A number of Cigital's early research projects involved work on code scanning, including DARPA contract DAAH01-98-C-R145.

The open source release of ITS4 in February of 2000 marked an important milestone in source code analysis tools originating at Cigital. ITS4 was the world's first code scanner for security for C and C++ code. But ITS4 was far too simple for industrial use; it was basically a glorified grep engine with some simple vulnerability patterns. In the lab, we were exploring much better compiler-and-parser-based technology that took advantage of intermediate representations such as abstract syntax trees and could thus search for more sophisticated patterns. The research was published at a number of academic conferences, including ACSAC.

Negotiating the Research Valley of Death

The "research valley of death" is defined as the time in the life of a technology between early stage prototyping in the research lab and readiness for the kind of capital injection offered at later stages by venture capitalists. Many promising research prototypes languish in the valley of death, never to emerge as full-fledged technologies.

The Advanced Technology Program in the United States (run by the Department of Commerce) exists to help bridge early stage technologies so that they persist and evolve through the valley of death. Cigital's budding code scanning prototypes were supported and further developed under Advanced Technology Program cooperative agreement number 1997-06-0005, entitled Certifying Security in Electronic Commerce Components. This ATP research resulted in two patents: US Patent 7,302,707 (static analysis for buffer overflows) and patent 7,284,274 (combining static and dynamic analysis for security certification) . During the work, we built a working research prototype code named Mjolner.

Though Mjolner's technical approach to code scanning far surpassed the capabilties of ITS4, it was not at all ready for prime time use by non-scientists. In final analysis, the ATP funding supported the evolution of the work into an almost-usable tool and certainly helped negotiate the research valley of death.

Consultingware: Mjlolner to SourceScope

For a year or two between 2000-2002, Mjolner was renamed SourceScope. At worst, SourceScope was a hairy research prototype that required use in concert with a handful of open source tools to actually work. At best SourceScope was "consultingware" — that is, software written for use by savvy, well-heeled consultants willing to forgive its quirks and flaws in order to get some work done. SourceScope did work, but barely. It was supported by an internal engineering team at Cigital called Core Technologies and driven by use in the field by Cigital consultants.

During this time, Cigital delivered SourceScope only in the form of consulting engagements for code review. Attempts to sell the technology directly to end users always ended in failure — mostly because the technology was too difficult for normal developers or security analysts to use. SourceScope was able to ferret out more interesting source code vulnerabilities than ITS4 (and ITS4's closely-related cousin RATS), but using it was painful and involved a non-trivial understanding of how to navigate source code while reviewing code during the build process.

Venture Capital to the Rescue

In 2003 Ted Schlein, a partner at the venerable Silicon Valley venture capital firm Kleiner Perkins Caulfield & Byers contacted me. Knowing that Kleiner was the VC responsible for incubating such companies as Google, I immediately dropped everything and flew out to meet with Ted on Sand Hill Road. Ted wanted to start a company in the software security space. Roger Thornton, one of the co-founders of Fortify, was already involved in the project.

After intense discussions and negotiations, Cigital licensed the SourceScope technology and its associated rules to the Kleiner startup that eventually became Fortify. At that time, Fortify had 4 employees, all founders.

Cigital's SourceScope technology was delivered wholesale to the Fortify engineering team who proceeded to tear it apart and create a real software product from its guts. Fortify's engineers and scientists spent huge amounts of time and money transforming SourceScope from barely-working consultingware into a commercial grade software product. They assembled a world class engineering team. They lived with early customers. They hired usability consultants. And they kept a relentless focus on creating an excellent and usable software tool.

Into the World

After seven years percolating at Fortify — time that included several product release cycles and use by many hundreds of real customers — the technology hatched in the labs at Cigital was finally ready for prime time. In the time between 2005 and 2009 the market for software security grew steadily larger, spurred on in no small part by static analysis tools including Fortify, Ounce, Coverity, and Klokworks.

The biggest players in technology took notice of the software security trend and have since been bulking up in the software security tools space. Their first purchases were black box Web application testing tools. Next came the static analysis tools for white box code review.

IBM purchased Ounce Labs, and HP purchased Fortify. Competition between these two global technology providers should be fierce and will certainly help to develop the software security market even further.

To be sure, there is much work remaining to be done in source code analysis regardless of this technology transfer success story. The current set of commercial code review tools all have limitations, especially when it comes to data flow capabilities. At the end of the day, this story teaches us an important lesson: the non-trivial amount of time, money, and sweat that technology transfer really takes.

  • + Share This
  • 🔖 Save To Your Account

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020