Venture-Funded Consultants at Security Innovation Show Companies How to Make Software Unbreakable

8/25/08

Outside of a few giants like IBM, you’d be hard pressed to find many technology companies that offer both consulting services and boxed software products. Harder still would be finding a venture firm daring enough to fund a startup that wants to combine these two seemingly disparate lines. But software security startup Security Innovation, which has offices in Wilmington, MA, Seattle, and Amsterdam, has been doing just that—and to get to the next level, it raised $7.1 million this summer from Wakefield, MA-based Brook Venture Partners.

Security Innovation CEO Ed Adams visited Xconomy back in July, and we’ve had such an unexpectedly busy August that I’m only now getting around to writing up the company history Adams related, which was fascinating. Adams himself is a rarity among software CEOs—amiable, frank, and understandable. The former Rational Software executive has been with Security Innovation since 2003, when he was invited to join by founder James Whittaker, then chair of the software engineering program at Florida Institute of Technology, whom Adams affectionately calls “the nutty professor.”

Whittaker had invented a program called HEAT: the Hostile Environment Application Tester. It stress-tested other software by subjecting it to simulated conditions most developers don’t think to anticipate, such as hardware memory shortages or corrupt keys from the operating system. Whittaker was giving HEAT away on the CD-ROM for his 2002 textbook How to Break Software. But “he thought he had created something really special, the next great quality-assurance testing tool,” says Adams, and he had put together a company to sell it.

Adams was interested in HEAT, but he found that what the nutty professor had actually created was “a body of knowledge and a group of experts who understood software security better than anybody on the planet.” He joined as CEO, and to pay the bills, he put HEAT on hold and transformed the company into a consultancy, which quickly found big clients both in the technology business (Microsoft, SAP, Symantec) and in the defense and intelligence realms (“certain three-letter agencies,” to be exact).

That put the company into an interesting—and slightly uncomfortable—position. “We were training organizations like Microsoft and SAP how to find security vulnerabilities and fix them,” says Adams. “But on the government side, we were showing these agencies how to exploit those same vulnerabilities for intelligence-gathering purposes.” Say the NSA wanted to monitor potential terrorist traffic flowing over a computer in an Internet cafe in Amsterdam; Security Innovation knew about operating-system weaknesses that could be used to implant these machines with undetectable spyware. In some cases, says Adams, these flaws were so useful that intelligence agencies would ask the company not to show its corporate clients how to fix them.

It was an untenable situation, so in 2005 Security Innovation spun off its government operations into a separate firm called SI Government Solutions. (That company was acquired by Waltham, MA-based Raytheon for an undisclosed price last April.) Also that year, Adams hired a product manager—a former Rational colleague—to return to HEAT, a command-line program lacking even a basic graphical user interface, and start transforming it into a viable commercial product. The result was Holodeck, named after the virtual-reality chamber from Star Trek. (“We are complete geeks,” Adams acknowledges.) The company also created two other software products, a “consultant in a box” program called Team Mentor and an e-learning package for software engineers looking to train themselves in security.

To market the three programs more widely, the company needed more capital. But there was a problem: Security Innovation was still both a consultancy and a software company, a combination that baffled most venture firms. “We were building out these product lines, but we had no intention of …

Wade Roush is a contributing editor at Xconomy.
