Why ForAllSecure is on MIT Technology Review’s 2017 List of Smartest Companies

I am honored to share that ForAllSecure has been named to MIT Technology Review’s 2017 list of 50 Smartest Companies. According to the MIT Tech Review team, to make the list a company must exhibit technological leadership and business acumen that set it apart from its competitors.

Nanette Byrnes, senior editor for business at MIT Tech Review, shared:

“Public and private, large and small, based in countries around the globe, this group of companies is creating new opportunities and pouncing on them. These are the ones that competitors must follow.”


The Case for Autonomous Cybersecurity and The Story of ForAllSecure

In the rest of this post, I will discuss the problems ForAllSecure seeks to solve with its autonomous cybersecurity technology, give a short history of how the technology was developed, and outline our go-to-market strategy.

Software is permeating nearly every aspect of our lives. While many of these software-driven advances, from medical devices to autonomous vehicles, hold amazing promise to make our lives better, the prevalence of software has also left us more exposed to attack than ever.

The application attack surface is growing by 111 billion new lines of code every year, and newly reported zero-day exploits are rising from roughly one per week in 2015 to a projected one per day by 2021, according to the Application Security Report from Cybersecurity Ventures.

It’s alarmingly clear that human security analysts simply cannot keep up with the pace of code being written.

With this backdrop, the ForAllSecure team embarked on a mission to build technology that would make software safe, automatically. While at Carnegie Mellon University, our founders, Prof. David Brumley and graduate students Thanassis Avgerinos and Alex Rebert, made key advances in the formal verification of software programs. In 2012, they decided to spin this technology out into a startup, ForAllSecure, dedicated to the mission of making the world’s software safe.

There is far more software around us, on our devices, in our systems and in critical infrastructure, than there are people to check it. Ensuring that all of it is safe can only be done automatically.

This is what the DARPA Cyber Grand Challenge (CGC), the world’s first machine-only hacking competition, set out to demonstrate in 2016. DARPA, the US Department of Defense agency responsible for developing emerging technologies for national defense, spent nearly $60M on the two-year CGC program, with over 100 teams from around the world building autonomous systems that could attack and defend without human intervention.

In August 2016, after logging thousands of engineering hours building the ForAllSecure bot, Mayhem, we competed as one of the seven finalists in an exciting showdown, and came out on top.

Read more about the DARPA CGC.

Why Now?

This is the point in the story that brought me to the company.

An engineer by training, I’ve spent my career identifying and catching the waves of enterprise technology disruption, including the emergence of multi-core processors at Intel, virtualization at VMware and hyperconvergence at Nutanix. I’ve scaled startups from the ground up, helping them translate their technology into products and then bring those products to market.

In the fall of 2016, I was looking for where the next wave of innovation might happen, and zeroed in on security. I’ve noticed over my career that innovation often arises out of dire need, and it seemed that companies and organizations were constantly falling victim to malicious hackers despite massive growth in spending on a myriad of security products. The average large enterprise has over 54 security vendors!

With so many startups being funded to tackle this high-growth market, it is understandably a crowded space. What struck me when I surveyed the startups exhibiting at RSA this year, however, was that most products offered some incremental benefit, detecting a few more attacks or producing slightly fewer false positives, but few were creating new categories of security tools. At ForAllSecure, we believe it is possible to reduce the volume of successful attacks by focusing on the software that is the target of malicious hackers.

According to the Department of Homeland Security and the Software Engineering Institute, the majority of security incidents arise from exploits against defects in the design or code of software. So why aren’t more technologies being developed to fix the code before it ships?

The answer is complicated, but the reality is that most tools today require developers to spend many cycles running analyzers on source code and sifting through false positives while also trying to ship on time in fast-moving markets. At the other end of the lifecycle, professional security analysts (white hat hackers) are employed to find vulnerabilities after the code has shipped, before a black hat hacker does. In this model, widely used commercial software such as popular browsers and desktop applications has large teams of white hat hackers dedicated to shaking out vulnerabilities, but the rate at which software is creeping into everything around us creates a mounting problem. It requires a new human-machine model that scales AND does not force developers to slow their rate of output.


Bringing ForAllSecure’s Mayhem to Market

Designed to analyze binaries, that is, programs that developers have already completed and compiled, Mayhem leverages over a decade of research and a patented application of bug-finding techniques to automatically generate exploits: for every vulnerability it reports, it produces a concrete input that triggers the bug. This addresses two fundamental issues that slow down the state of the art today: 1) no source code is needed, so third-party, open source and legacy code can all be analyzed; 2) zero false positives, because each finding is backed by an input that reproduces it. (As with any dynamic technique, that guarantee is about what is reported, not about bugs the analysis has not yet reached.)

We don’t purport to replace human security analysts with Mayhem; we seek to make them more effective. Much in the way centaur teams in chess function, Mayhem lets human analysts focus on the really difficult issues while it automates analysis, and even patching, at line speed for common classes of vulnerabilities. For example, in the DARPA CGC, Mayhem found and patched a challenge that re-created the SQL Slammer vulnerability in under 6 minutes. The real worm in 2003 infected over 75,000 servers within minutes and caused nearly a billion dollars in damage before most administrators had patched their systems.

There has been an overwhelming response from companies and organizations looking to use Mayhem since the DARPA CGC event. Today, ForAllSecure’s early clients and design partners include federal organizations and Fortune 500 enterprises building consumer and industrial IoT (OT), aerospace and automotive products.

As a company, we are doing our best to scale our small but mighty 10-person team to meet market demand, and we are learning a lot along the way about how best to keep developing Mayhem for expanded use cases, both for development teams and for software end users.

(Note: We are hiring developers, so please email us if interested!)

Making History

In closing, I thought it would be interesting to bookend the MIT 50 mention with the fact that Mayhem is currently being exhibited as part of the Smithsonian’s Defense in Innovation showcase. We are honored to be delivering our technology to the US Government as a client as part of our mission to make the world’s software safe, one application at a time.