Cigital: Bug Zappers, A Dossier

Cigital chief executive officer Jeffery Payne likes to deliver good news to his customers first, when possible: that their systems held up under his firm's security review. But sometimes he has to deliver bad news as well: that the software is simply unreliable.

“People are worried about security, but in the end the problems with software are the age-old problem, that it just doesn’t work,” he says.

Cigital, a software-consulting firm in Dulles, Va., has thrived by figuring out exactly why computer code doesn’t behave the way it’s supposed to. The firm, which markets itself as a provider of “software-quality management” services, operates as a kind of forensic-analysis squad for software developers.

“They’re one of the elite companies doing anything like this,” says Avi Rubin, an associate professor of computer science at Johns Hopkins University.

Payne and Cigital’s other founder, Jeffrey Voas, first met as graduate students in the computer science department at The College of William and Mary in the late 1980s. The duo (referred to inside the company as “the two Jeffs”) met up again in 1990, as Voas was finishing his doctoral thesis about how to make software more reliable. “He was talking about the fact that software didn’t work very well, and it started me thinking there was a business opportunity there,” Payne says.

There was—but for Cigital, it’s been a relatively small one. The 70-person company, which works on between five and 15 projects at a time, expects to pull in somewhere between $10 million and $20 million in revenue this year, Payne says.

That’s petty cash for big technology-consulting outfits such as EDS or IBM Global Services. But Cigital doesn’t aspire to vastness, although it sees great growth in companies’ needs for improving the reliability and security of software. “We’re not going to grow to be an Accenture, and we don’t think we need to,” Payne says. “We’re focused. This is all we do. You build a business by finding that one thing you do better than anyone else.”

Considering the small patch of green it putts on, Cigital has plenty of fans. It has worked with such companies as General Electric, Nortel Networks, Pfizer, Raytheon, Texas Instruments, MasterCard and Visa, as well as several government agencies, including the Air Force Research Laboratory, the Defense Advanced Research Projects Agency and the National Security Agency. Payne says Cigital has even done some consulting for Microsoft, though he declines to elaborate. (In February 2002, Cigital publicized a security flaw it discovered in the Redmond company’s just-released C++ programming tools, but a Cigital spokesman says this was completely unrelated to any work it has done for Microsoft.)

For MasterCard, Cigital’s testing and analysis of Java-based smart cards reassure the credit-card company that it has covered its bases. “I don’t like seeing articles in The New York Times that cause my CEO to call me up and say, ‘Are our smart cards vulnerable to this?’” says Simon Pugh, vice president of infrastructure and standards at MasterCard. “Now I’m in a position to say, ‘We’ve known about this problem for three years, and we have accounted for it in our testing procedures.’”

Pugh adds that Cigital is very straightforward about discussing any flaws it finds. “They don’t overreact or oversell,” he says. “It’s very easy to get melodramatic about security issues.”

NASD, the private organization that regulates the securities industry, started working with Cigital in 2001 to automate its testing processes. “These guys had top-notch people,” says Martin Colburn, NASD’s chief technology officer, who oversees a team of 100 programmers. “They had great skills not only in developing the testing, but they also have an art form around using the standard tools that are out there.”

Meanwhile, human-resources consultancy Towers Perrin last fall hired Cigital for three weeks to audit how its retirement-systems group tested applications. “They delivered exactly what was expected, on time and on budget,” says Greg Velott, manager of retirement systems at Towers Perrin. Based on Cigital’s recommendations, Velott and his team were able to identify a higher percentage of critical bugs earlier: Fewer than 5% cropped up in the last two weeks of their latest six-month release cycle. In previous cycles, the group had been finding more than 25% of all major application defects in that final period.

Cigital’s Payne predicts that more companies will come to realize how closely software is tied to the bottom line. “In 1992, I couldn’t sell this to my mom,” he says. “It wasn’t critical enough to get the attention of business executives. Now we don’t have to convince people that software quality is a problem. Now they’re looking for an answer.”