Software security: a study in technology transfer
G. McGraw
ACM SIGPLAN International Conference on Systems, Programming, Languages and Applications: Software for Humanity, 2014-10-20
DOI: 10.1145/2660252.2661745 (https://doi.org/10.1145/2660252.2661745)
Where do security technologies come from? Academics propose research and government (sometimes) funds it. Startups move technologies across the "research valley of death" to early adopters. Global corporations make technology widely available by acquiring startups. At every step there are gaps and pitfalls. Adoption is the acid test of innovation. Idea-generation is perhaps ten per cent of innovation; most of the work is on technology transfer and adoption. Chance plays a big role in creating opportunities (e.g., R&D involves a lot of luck), but a company's success depends on its ability to make opportunities more likely to occur, and to capitalize on those opportunities when they arise. Passionate individuals drive technology transfer more than does process; indeed, some people believe that the original researchers need to be involved all the way along the chain. Prototyping is an important practice, often resulting in "researchware" that proves a concept but is not ready for wide use. Transforming a prototype from the lab to the real world is a multi-stage, multi-year undertaking.
This talk will use the decade-long evolution of static analysis in code review as a driver for discussion. We'll talk startups, big companies, venture capital, research agencies, and subject-matter expertise. In general, technologists don't appreciate business people enough and business people don't appreciate technology enough. Most successful companies are brilliant at one, but also need to be adequate at the other.