ATP Helps Advance Testing Security in E-commerce
Cigital, Inc., Dulles, VA
Duration and Cost:
- funding amount: $2.0 M
- Cigital cost-share amount: $0.4 M
Report of the Completed Project:
In 1997, businesses were turning to the Internet to sell goods and services, but concerns about the security of private information were hindering consumers’ adoption of e-commerce. At the time, there were no tools available to automatically scan for security holes in the data. Cigital (whose original name was Reliable Software Technologies; the company changed its name in 2000) proposed to develop a “certification” pipeline: a series of tests through which a software component would be processed. Once a component passed these tests, it would be given a digital stamp of approval. If successful, this project could have broad public and social benefits by accelerating e-commerce. However, both the technology and the development process that Cigital proposed were unprecedented departures from the industry norm in 1997. As a small, 5-year-old company whose primary focus had been on consulting solutions, it could not devote too many resources to a project with a high degree of technical risk. Because of the innovation and technical risk of the approach, along with the potential for national economic benefits, it applied for and was awarded a project from ATP.
and Economic Impacts
Cigital researchers developed a key technology in the project, a source code scanner that could look at the overall system security through a single scanning system and then monitor the code during execution. This was just one of the many technical advances during the ATP project, which ultimately resulted in one issued patent and numerous publications and conference presentations. At the end of the ATP project, Cigital simplified the scanner and made it available as a public domain tool called ITS4, which could test software vulnerability and prescribe solutions to the revealed flaws. When 10,000 users quickly downloaded the program, it triggered further work to develop a more complex version of the free tool, which resulted in a new software product, SourceScope.
Cigital was able to translate the results from the ATP project into economic impact:
- The company grew from 35 people at the start of the project in 1997 to over 100 (as of 2006).
- In 1999, the Virginia Chamber of Commerce named RST a “Fantastic 50” winner and recognized it as the fourth-fastest growing Virginia technology company. Also that year, Deloitte and Touche named it a “Technology Fast 50” winner.
- Inspired by the technology of the ATP project, a key researcher left Cigital to start another firm, Secure Software, which develops code analysis tools.
Cigital’s software security identification and certification technology has had a big impact on many of its customers, which include over 30 Fortune 500 firms. The key benefits of ensuring that software applications are secure and reliable are prevention of lost revenue, protection of brand reputation, and protection from liability. CEO Jeffrey Payne illustrates the need for security services through an example:
“The true cost of security breaches is not the direct cost to correct the issue, but the damages to the brand and the market demand that occur. One of our customers had a software breach that caused its market value to drop $500 million when it was disclosed to the press. Many of our customers are concerned about the tens if not hundreds of millions of dollars they will lose in value if their customer data or credit card information is compromised.”
Payne adds that without ATP support, the original project would never have happened because of the lack of investor interest in the technology: “ATP filled the need for bridge financing between an idea and a prototype.”
Date created: November 2, 2006
November 3, 2006