The Department of Homeland Security is funding a start-up whose target market isn’t the federal government — it’s tech-savvy, smartphone-using businesses and everyday consumers.
The department announced plans this month to continue funding Fairfax technology company Kryptowire so it can pursue business in the private sector. The company sells software that can search for security vulnerabilities in mobile applications and archive the results. Customers include the Justice Department and a handful of entertainment and gaming companies — many of which use it to check whether apps they create compromise user data before deploying them to staff or customers, founder Angelos Stavrou said.
Although several federal programs fund technology research and development — such as the Small Business Administration’s Small Business Innovation Research grants and efforts in the Defense Department’s Defense Advanced Research Project Agency — it is unusual for them to fund a product’s transition into the private sector, said Forrester analyst Chip Gliedman.
The company spun out of a research project at George Mason University, where Stavrou is a computer science professor. The six-person team is staffed mostly by graduate students.
DHS granted George Mason University $250,000 in 2013 to create a system that will let government agencies inventory apps they had vetted. The department plans to renew funding to the university so Kryptowire can process more apps designed for consumer use, including from the Google Play, Amazon and iTunes stores, said Vincent Sritapan, program manager for the cybersecurity division of the Homeland Security Advanced Research Projects Agency.
The Defense Department’s Advanced Research Project Agency awarded Kryptowire funding in September 2013 to develop an authentication program that could use individuals’ “cognitive biometric” characteristics to identify them — their unique gait, keystroke touch or fingertip screen swipe, for instance, instead of a password.
Kryptowire’s technology complements the department’s “car wash” prototype from last year — a service for vetting and reviewing mobile applications before they are uploaded to app stores, Sritapan said. When looking at an internal messaging app, for instance, Kryptowire might examine which networks it connects to and how secure they are, or whether it leaks the user’s location information. It can also compare applications to detect potential copyright infringements.
If more businesses use security checks such as Kryptowire before deploying apps, their users may be exposed to fewer security risks, Sritapan said. And if Kryptowire’s system can access publicly available apps designed for commercial use, federal agencies and departments can vet those applications for internal use instead of developing their own, he added.
Adam Salerno, a mobile security engineer with Vienna consulting firm Veris Group, uses Kryptowire’s vetting software for some of his customers, which include the Justice Department, the Defense Information Systems Agency and commercial businesses. Some of his customers select apps based on the level of risk they’re willing to take, he said.
“Certain companies . . . might not care about certain risks more than they do others,” he said. “They might say, ‘We really don’t want someone to have our GPS location,’ or they might say, ‘I don’t care about that, but I really don’t want any [personally identifiable information] going out.’ ”
Although DHS doesn’t receive royalties from Kryptowire’s sales, it could be worth the investment if the system becomes a standard way to evaluate mobile applications, Gliedman said.
“Once it’s [more widely] available, you can then compel anyone who wants to sell to the government to make sure the app is secured, measured by this tool,” he said. With more development, the system could become like FedRAMP — a government-wide general security standard, he added.
Since its founding in 2011, Kryptowire has not pursued venture-capital funding. Its small staff focuses solely on product development and has relied on word of mouth to gain new customers. Customers pay about $10,000 to $15,000 a month, or about $100,000 a year, for subscriptions to Kryptowire’s app-vetting software. For an added cost, Kryptowire staff can analyze individual applications in detail and provide more in-depth reports on potential security vulnerabilities.
Ideally, support from the federal government could help the start-up sell more of its security services in the private sector, Stavrou said.
Businesses “don’t see security necessarily as a problem now,” he said. “The use case of security makes much more sense to government agencies and other high- risk companies, who understand the seriousness of the situation and that they have a lot to lose.”