Want to get paid to protect your open source software? Try ForAllSecure’s new fuzz testing product

Want to get paid to protect your open source software?

ForAllSecure, a cybersecurity company formed in 2012 out of patented technology developed at Carnegie Mellon University, announced last week that it launched a free version of its flagship product Mayhem in addition to a new $2 million incentive program around it to make open source software more secure.

The new Mayhem Heroes Program, as it’s called, will provide software developers with $1,000 each to integrate Mayhem into qualifying open source software GitHub projects. The news comes less than a month after the company announced a $21 million Series B round.

Mayhem is centered on an automated software testing method called fuzz testing, which provides invalid or unexpected inputs as a way to identify vulnerabilities in the software. Big tech companies like Google and Microsoft use fuzz testing to identify errors in their own internal software, but open source software developers are in need of more security audits and tools. And while ForAllSecure has found early success in working with customers like Roblox and Cloudflare, cofounder and CEO David Brumley told Technical.ly he wants ForAllSecure to drive adoption among individual software developers, too.

“We thought there was a great match here where instead of just saying everyone should be doing this, we incentivize people and say, well, why don’t we pay you $1,000 if you do these things for an open source project,” Brumley said.

Individual developers vs. companies

The hope is that giving around 2,000 software developers a reason to implement ForAllSecure’s Mayhem product will increase awareness and adoption of the product among software developers of all types. Brumley added that increased use of Mayhem through the new incentive program also gives ForAllSecure more examples of how the product works when the company pitches it to larger companies for enterprise use.

Why go to open source software developers rather than companies themselves with this incentive program?

“A lot of these open source projects end up in commercial products,” Brumley said. From software available in newer cars to components of Google Chrome, so much of the tech in the commercial world actually came from independent projects. Increasing fuzz testing of those before they’re adopted at wider scale, makes their applications safer for everyone.

The decision to provide this service directly to software developers is also reflective of the current individual basis for the cybersecurity industry, which has yet to see tech companies of all kinds adopt a consistent in-house approach to protection against attacks.

“We’ve seen developers play a more active part,” Brumley said of that trend. “And the easiest way for us to demonstrate that this would be useful on proprietary software is to show that it works on existing software.” So even as that trend starts to change, and more companies hire for in-house cybersecurity talent, “we’ll have this large database of existing software that people needed to have secure.”

Pittsburgh and cyber talent

ForAllSecure now operates as a remote-first company. While the team has an office in Oakland through the Pittsburgh Innovation District’s Avenu coworking space, only about a third of the company’s 30 employees are currently based here.

While Pittsburgh’s cybersecurity economy is still growing, ForAllSecure will keep operations here for the foreseeable future. After a stint in California for a year with the startup, Brumley found that the highly competitive marketplace for engineering talent made it hard to build a stable team. It also puts a bigger financial strain on startups trying to compete with larger corporations for that talent, and typically requires software engineers to make their own financial sacrifices should they choose to take a job at a small startup.

“But in Pittsburgh, with the money we pay, people can buy a house, they can be very stable, and then you get that longer-term commitment to the [company] mission,” Brumley said of his decision to move the team back to Pittsburgh.

Still, as ForAllSecure heads beyond the early startup stage and into more of a growth stage, the CEO pointed out that Pittsburgh’s smaller economy can have some shortcomings.

“You can’t just hire in Pittsburgh,” he said. “If you do, you’ll have to solve this problem of going and finding those people who have done startups —  which are primarily in Silicon Valley and bringing them in.” With the pandemic, however, a distributed workforce and remote hiring operations has made that challenge much easier.