[souprock]

I know of a company, called Security Innovation, that tried this in 2002. It went very badly at times. They added training and pen testing, and today they bring in just $20 million per year.

They opened an office in Seattle to fuzz for Microsoft. As soon as they proved that they could succeed, Microsoft hired away all the people, leaving the company with a lease for an empty office.

Generally, companies don't trust outsiders and/or don't see a need. You're up against internal politics too. People within the company don't want to compete with you and don't want to be embarrassed by you.

[tptacek]

Companies don't trust "outsiders" to do security testing? Veracode was doing 9 figures a few years ago and was recently spun out from Broadcom for almost $1Bn.

Also, 20MM/yr is not a revenue number to sneeze at. Enterprise security is a huge and mature product space and most aspirants in it do not hit that number. These companies aren't Uber, where every dollar coming in is going back out the door with an extra couple dimes to boot.

[bryant]

Eeeep.

There's a substantial counterargument to this I need to type up. I understand where you're coming from as someone who once ran a consultancy, Tom, but from the perspective of someone who hires security firms and consumes their services—and this is essentially a TL;DR for the opinion I need to flesh out here—we don't do it because we trust. We do it out of necessity.

TODO: Bryant to flesh this out in between laundry rounds tonight.

[tptacek]

My name is Thomas.

[eganist]

Well, apologies are due as I can't seem to edit that out of my post now. Sorry for making the assumption, Thomas.

But considering the gray patina my earlier comment has developed with time, I'll withhold my point as there doesn't seem to be interest in hearing it.

[tptacek]

I actually didn't understand your comment and it was downvoted before I responded (I didn't downvote it). I just wanted to make sure people knew how to spell my name.

[nickpsecurity]

First, that's a very successful company. Second, you're extrapolating what an entire market will do from one, ancient example. Today, there's a number of companies selling static analyzers, test generators, model-checkers, and I think I've even seen fuzzing. They tend to succeed if their tools get results for clients with little work on clients' side. They love push-button tools, too, that smoothly integrate into their workflow.

So, this company definitely has a chance. Further corroboration is the uptake Hypothesis was getting in Python shops. There's definitely a demand. I just don't know the numbers for this sector.

[andrei]

Thanks for the heads up! I haven't heard of Security Innovation, so definitely going to look more into what happened there.

I think the key difference though, is that we don't do any consulting/training/manual pentesting. We're more of a dev tool company than a security company in that we don't aim to replace security engineers but to make their lives easier.

[souprock]

The training and pentesting came later, saving the company.

The company was created starting from early fuzzing research at Florida Institute of Technology. The whole point of the company was to fuzz things for software companies. That mostly didn't work out.

That all might not be your fate, but consider it a warning. You could do a better job of making things accessible, or you could offer a more acceptable price point, or you could advertise better, or maybe 2019 is different enough from 2002 that such a business is more viable.

[tptacek]

Yes, software security in 2019 is markedly different from software security 17 years ago. 2002 predates the "Summer of Worms" and the Microsoft SDLC (for what it's worth, from 2004-2006, many of the world's software security firms were basically parked almost full-time in Redmond). It would be weird today to see an established company with a "shipping" product or SaaS service that couldn't provide a pentest attestation; back in 2002, it would be weird to see one that could.

For some perspective: the first published "integer overflow" attacks were from 2002 (the attack pattern was known but not published as such before then).