It's good to see that the Department of Homeland Security (DHS) is sponsoring another innovator's booth this year at RSA 2019, particularly after meeting folks from the DHS Science and Technology Directorate (S&T) in Las Vegas at Black Hat 2018, where I learned about 13 DHS-funded commercial startups coming out of stealth mode.
At RSA 2019, another 11 DHS-funded startups transitioning to commercial product launch will be on display, according to the DHS S&T.
Because government defense agencies need to rely more and more on commercial software (including commercial security tools), the DHS is motivated to bring to market companies that can actually help with that mission.
"We consider ourselves the research arm for Homeland Security," said Vincent Sritapan, an S&T program director, during an interview at Black Hat 2018 in August. "We're focusing on mobile, phishing, man in the middle, IoT such as HP printers, PLCs for building controllers and firmware."
Recently, I talked with Anita D'Amico, CEO of Code Dx, an application testing company that is one of these DHS-funded startups at RSA.
"DHS S&T wants people to adopt good cybersecurity practices, so they're trying to get innovative cybersecurity technologies into operations as quickly as possible," says D'Amico, who has commercialized DHS application security R&D through Code Dx.
With funding from the DHS S&T Small Business Innovation Research (SBIR) Program, D'Amico needed to demonstrate a proof-of-concept in six months. If a product then meets DHS requirements, which hers did, the SBIR will fund the maturation of the technology through another two years.
In April of 2018, D'Amico, through the R&D group Secure Decisions, where she is the director, released a new product, Attack Surface Detector (ASD), that was funded through the DHS S&T Application Security Technologies and Metrics (ASTAM) program. Since then, the free tool has had nearly 30,000 downloads. When seed funding runs out in September, her company, Code Dx, will maintain ASD as an open source tool.
"ASD appealed to the DHS because it fills in flaws with conventional brute force and black box application testing," says Matt DeLetto, the lead developer of ASD. "That includes unconnected endpoints and optional parameters left behind by coders and administrators [such as a debug parameter] that can be exploited if left in the code."
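To make the gap DeLetto describes concrete, here is a toy static endpoint-and-parameter extractor for a Flask-style application. This is example code written for this article, not ASD's implementation (ASD handles real frameworks and languages; this only recognizes `@app.route` decorators and `request.args`/`request.form` lookups). Both the application source and the set of routes a crawler would find by following links are constructed, and the unlinked export route with its optional `debug` parameter is a made-up sample, not a real finding.

```python
"""Toy static attack-surface extractor (illustration only, not ASD code).

Walks the AST of a Flask-style app, records every route declared with
@app.route(...) and every parameter read via request.args/form/values.get("name"),
then diffs that against what a black-box crawler could see by following links.
"""
import ast

# Constructed sample application (not a real project). Only "/search" is
# linked from the index page; "/admin/export" is reachable but never linked.
SAMPLE_APP_SOURCE = '''
from flask import Flask, request
app = Flask(__name__)

@app.route("/")
def index():
    return '<a href="/search">search</a>'

@app.route("/search")
def search():
    q = request.args.get("q", "")
    page = request.args.get("page", 1)   # optional, never rendered in a form
    return "results for " + q

@app.route("/admin/export", methods=["POST"])
def export():
    fmt = request.form.get("format", "csv")
    if request.args.get("debug"):        # leftover debug switch
        return "verbose dump"
    return "exported " + fmt
'''

# Constructed result of a link-following crawl starting at "/": the crawler
# reached "/search" and saw a form with a single field named "q".
CRAWLER_VISIBLE = {"/": set(), "/search": {"q"}}


def _route_path(deco):
    """Return the path string of an @<anything>.route("...") decorator, else None."""
    if (isinstance(deco, ast.Call) and isinstance(deco.func, ast.Attribute)
            and deco.func.attr == "route" and deco.args
            and isinstance(deco.args[0], ast.Constant)
            and isinstance(deco.args[0].value, str)):
        return deco.args[0].value
    return None


def _request_params(func):
    """Collect literal names passed to request.args/form/values.get(...) in a view."""
    params = set()
    for sub in ast.walk(func):
        if (isinstance(sub, ast.Call) and isinstance(sub.func, ast.Attribute)
                and sub.func.attr == "get"
                and isinstance(sub.func.value, ast.Attribute)
                and isinstance(sub.func.value.value, ast.Name)
                and sub.func.value.value.id == "request"
                and sub.func.value.attr in ("args", "form", "values")
                and sub.args and isinstance(sub.args[0], ast.Constant)):
            params.add(sub.args[0].value)
    return params


def extract_endpoints(source):
    """Return {route_path: {parameter names}} found statically in the source."""
    endpoints = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            for deco in node.decorator_list:
                path = _route_path(deco)
                if path is not None:
                    endpoints[path] = _request_params(node)
    return endpoints


def blind_spots(static, crawled):
    """Routes and parameters present in source that the crawl never reached."""
    missed = {}
    for path, params in static.items():
        seen = crawled.get(path)
        if seen is None:
            missed[path] = set(params)      # whole endpoint unlinked
        elif params - seen:
            missed[path] = params - seen    # endpoint known, parameters not
    return missed


if __name__ == "__main__":
    static_view = extract_endpoints(SAMPLE_APP_SOURCE)
    for path, params in sorted(blind_spots(static_view, CRAWLER_VISIBLE).items()):
        print(f"{path}: crawler missed {sorted(params)}")
```

Run against the constructed sample, the diff reports `/search` with the unseen `page` parameter and the entirely unlinked `/admin/export` with `format` and `debug`. That list is exactly what a source-aware tool can hand to a black-box scanner as additional test seeds, which is the complementary role ASD plays alongside brute-force crawling.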
If you're going to the RSA conference March 5–7, be sure to stop by the DHS innovator's booth, #1565. There will be demos every day, all day, featuring 11 new startups that DHS has deemed important enough to fund.