abandoning the consulting practice, because two of the products depend on knowledge of current attack trends and the most recent security vulnerabilities,” says Adams. “If you break that connection, you end up becoming less valuable. This is what has hampered organizations like Ounce Labs and Fortify Software—they’re great product companies but they don’t have security domain expertise, so it’s very difficult for them to keep up to date with attack trends.”
But try explaining that to a VC. Most of the potential funders Adams talked to didn’t get the need for an in-house consultancy, and counseled spinning it off.
Then the company contacted Brook Venture Partners, a seven-year-old firm with a history of investing in companies that offer both products and services. “When we found Brook and made this pitch to them, they said, ‘Oh gosh, there’s no way you can separate the service and the product,’” recounts Adams. “And we said, ‘We have found our funding source.’”
With the newfound cash, Adams will be able to spread the word about Holodeck, which is built around Whittaker’s philosophy that most of the security weaknesses that hackers end up exploiting only become apparent under “exception conditions,” when software is limping along under compromised circumstances that its designers never envisioned. (Whittaker himself left Security Innovation in 2006 and is now a software architect at Microsoft.) Holodeck is, in effect, a virtual computer that takes over communications between a software application and the actual hardware it’s running on, allowing testers to inject false messages that simulate a range of nasty exceptions. “You can take a word processing program and tell it that you’re out of memory, the hard drive has crashed, and the network is no longer available, and see what happens,” says Adams. “All of those things are very difficult to simulate manually, but Holodeck does them with the click of a mouse.”
The point, Adams explains, is to catch software vulnerabilities during the development process, before they’re found by hackers—and to get software engineers to think more carefully about how their software might behave in the real world, rather than the ideal one in their heads. “Most of the time you will not see a requirement in a software spec that the application must fail gracefully under zero memory conditions,” says Adams. “But you have to force yourself to think of these abuse cases rather than just the use cases.” The beauty of Security Innovation’s dual identity is that consultants helping big corporate clients with enterprise software systems constantly encounter new ‘abuse cases’ and hacker attack strategies—information the company is able to incorporate back into Holodeck and its Team Mentor software.
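As an added illustration of the fault-injection idea described above (example code written for this article, not Security Innovation’s Holodeck or any of its code), the harness below sits between a small routine and the platform calls it depends on, replaces each call with one that fails the way the real platform would, and reports whether the routine failed gracefully or crashed. The routine, the fault list and the server address are all constructed for the example.

```python
import os
import socket
from unittest import mock

class AppError(Exception):
    """The only exception the routine is meant to let escape to its caller."""

def save_and_notify(path: str, text: str, server=("127.0.0.1", 9)) -> str:
    """Constructed routine under test: it handles memory and disk failures
    but, deliberately, not a network failure (the abuse case its author missed)."""
    try:
        buf = bytearray(len(text) * 4)            # can raise MemoryError
        buf[:len(text)] = text.encode()
        with open(path, "w") as fh:               # can raise OSError if the disk fails
            fh.write(text)
    except MemoryError:
        raise AppError("out of memory while building the report")
    except OSError as exc:
        raise AppError(f"could not write {path}: {exc}") from exc
    with socket.create_connection(server, timeout=1):   # unhandled if the network is gone
        pass
    return f"saved {len(text)} bytes to {path}"

# Each fault replaces the platform call the routine relies on with one that fails
# the way the real platform would, so no full disk or dead NIC is needed.
FAULTS = {
    "out_of_memory": ("builtins.bytearray", MemoryError()),
    "disk_full": ("builtins.open", OSError(28, "No space left on device")),
    "network_down": ("socket.create_connection", OSError(101, "Network is unreachable")),
}

def run_under_fault(fault: str, path: str = os.devnull, text: str = "quarterly numbers") -> str:
    """Run the routine with one exception condition injected and classify the result:
    'graceful' (AppError), 'crash' (another exception escaped) or 'ignored' (no error)."""
    target, exc = FAULTS[fault]
    with mock.patch(target, side_effect=exc):
        try:
            save_and_notify(path, text)
        except AppError:
            return "graceful"
        except Exception:
            return "crash"
    return "ignored"

def fault_campaign() -> dict:
    """Sweep every simulated exception condition and report the outcome of each."""
    return {fault: run_under_fault(fault) for fault in FAULTS}
```

Running the campaign shows the two conditions the routine’s author anticipated ending in `graceful` and the one they did not ending in `crash`, which is exactly the kind of gap the testing described above is meant to surface before release.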
Adams says the recent rash of security breakdowns—such as the massive breach of credit card data at Framingham, MA-based TJX in 2007—has prompted many U.S. companies to get serious about software flaws (though he says European companies are a couple of years behind). In a way, he says, it’s all a replay of the e-commerce crises of the late 1990s, when the websites of businesses like E-Trade and Schwab collapsed under the pressure of too many users trying to access their systems all at the same time.
“The root cause was that developers didn’t know how to code for performance, and testers didn’t know how to find performance bugs,” Adams says. “Today, developers don’t know how to code for security, and testers don’t know how to look for security bugs. A lot of the organizations I work with are panicking about it. But my quaalude pill for them is, ‘Relax, we’ve been through this whole thing before, and we’ll get through it again.’”
Between its testing tools, its learning software, its training courses, and its consulting services, Security Innovation hopes to help all of its clients put in place what Adams calls a “secure software development life cycle,” where every piece of software has been subjected to security review at every stage in its creation and deployment. “It doesn’t take any longer to write a secure line of code than it does to write an insecure one,” he says. “The trick is knowing which one to write.”