Strategy, security, and static analysis: what’s next for me

Fourteen years ago today was my last day at Digital Equipment Corporation before leaving to work on the technology today became PREfix and the company I started with a few friends that became Intrinsa, so it seems especially appropriate to post about this today …

coverity logoI’m delighted to announce that I’m starting a part-time strategy consulting gig working with San Francisco-based software engineering startup Coverity. My initial focus will be exploring possibilities in the security space, and I’ll be using techniques like community-driven strategy and design, asset-based thinking, and social network analysis. So it’s a very natural followup to each of my last three professional incarnations: static analysis architect, computer security researcher, and grassroots strategist.

My first interactions with the Coverity folks happened when Dawson Engler invited me to Stanford to give a talk back in 2000 or 2001. Since then, in one of those classic Silicon Valley success stories, they turned down initial VC offers and bootstrapped themselves before finally taking a $20M investment earlier this year. Their board includes friends and colleagues of mine from past startups Intrinsa and EDA Systems. How cool is that?

My posts here about software engineering and security give a pretty good flavor of my views of the current situation: despite excellent progress in some areas, there’s a lot of room for improvement. Where are the sweet spots? We shall see: I’m approaching this as an outsider coming back to the field after six or seven years away, and think I have a pretty unique perspective after my more recent work on social networks, diversity, culture change, and other aspects of computer science as a social science. The first step will be to get some different perspectives on the top-priority problems — and opportunities.

One of the things I’ve always liked about both the static analysis and security communities is this sense that we’re all on the same side. Oh sure, it’s very competitive, for individual deals and more generally at the technical level in terms of whose tools are more effective and which code bases are more secure. Looking more broadly, though, interests align: we all want software to be more reliable and more secure. And the market dynamics are helpful as well; it’s large enough, with a wide variety of different problems to solve, that there’s space for lots of successful companies — if customers see enough value.

So it could be an ideal situation for a “team of rivals” strategy; and, conveniently enough, the social networks in the security community are ideal for investigating this.* Are there synergies between binary-based tools like Zynamics BinNavi and BinDiff and Coverity’s static analysis technologies? What about the linkages between static and dynamic analysis? How to realize obvious synergies between the different static analysis vendors — e.g., agreeing on a common data model for detailed defect and path information, which would be a huge help for visualization and analysis tools? Does the emergence of vulnerability markets change the role of static analysis (and are there opportunities for cooperation with companies like Tipping Point and iDefense)? And so on …

Like I say, we shall see; at this point, I’ve got more questions than answers. As I learn more, I’ll be using Liminal States to share my impressions. And I’ll also be asking for others’ perspectives — here, and probably elsewhere as well. “Team of rivals” strategies benefit greatly from transparency: they need to work for everybody, so even though the rivals don’t necessarily trust each other, it’s still advantageous to disclose strategies up front and try to get feedback.

So stay tuned!

jon

* While of course at the same time looking for shorter-term opportunities for Coverity’s current tools and technologies. No disrespect to Coverity’s competitors or the excellent open source tools like FindBugs, but there are still a lot of security bulletins that can be traced back to very basic programming bugs: uninitialized variables, unchecked format strings, SQL injection. Coverity Prevent and Extend may be able to help. And the lines between strategy and tactics are often blurry: learnings from these experiments may well influence Coverity’s overall approach not just in security but more broadly.