Seminars & Colloquia

Gary McGraw

Co-Founder, Berryville Institute of Machine Learning

"Technology Transfer: A Software Security Case Study"

Thursday April 09, 2020 06:30 PM
Location: 1231, EB2

This talk is part of the Fidelity Investment Speaker Series

Abstract: Where do security technologies come from? Grants are proposed by academics and funded by the government. Startups move technologies across the “valley of death” to early adopters. Global corporations take technology wide (by acquiring startups). And at every step there are key gaps and gaping pitfalls. Adoption is the acid test of innovation. Idea generation is perhaps ten percent of innovation; most of the work is on technology transfer and adoption. Chance plays a big role in terms of creating opportunities (e.g., R&D involves a lot of luck), but a company’s success depends on its ability to make good opportunities more likely and to capitalize on opportunities that do arise. Taking a great idea from the lab out into the world is hard work with many perils and pitfalls (including the “research valley of death”). Passionate individuals drive technology transfer more than process, with some people believing that the original researchers need to be personally involved all the way along. Prototyping is an important practice, often resulting in “researchware” that proves a concept but is not ready for common use. Transforming a prototype from the science lab to real-world use is a multi-stage, multi-year undertaking. My talk will use the story of static analysis for code review and its decade-long evolution as a driver for discussion. We’ll talk startups, big companies, venture capital, research agencies, and subject matter expertise. In general, technologists don’t appreciate business people enough and business people don’t appreciate technology enough. Most successful companies are brilliant at one, but also need to be adequate at the other.

Short Bio: Dr. Gary McGraw is co-founder of the Berryville Institute of Machine Learning. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications. He serves on the Advisory Boards of Maxmyinterest, Ntrepid, Ravenwhite, and Secure Code Warrior. He has also served as a Board member of Cigital and Codiscope (acquired by Synopsys) and as Advisor to Black Duck (acquired by Synopsys), Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). He produced the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine for thirteen years. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean’s Advisory Council for the Luddy School of Informatics, Computing, and Engineering.

Host: Corporate Relations, CSC

