DHS-funded app-vetting firm shows market promise

Published 24 December 2014

DHS recently announced it would continue funding technology company Kryptowire so the company could further pursue private sector clients. Kryptowire sells software which identifies security vulnerabilities in mobile applications and archives the results. The Washington Post reports that Kryptowire already has a client list that includes the Justice Department and a few entertainment and gaming companies, many of which use Kryptowire to review the safety of their apps before offering it to staff and customers.

The six-person firm grew out of a research project at George Mason University (GMU), headed by founder and computer science professor Angelos Stavrou.

In 2013 DHS granted GMU and Kryptowire $250,000 to create a system which would let government agencies archive apps vetted by the team. The renewed funding will enable Kryptowire to process more commercial apps. If more businesses rely on Kryptowire’s software to vet their apps, it may become the standard way to review mobile application safety.

For DHS, the investment in Kryptowire means an accurate way to review all apps before issuing them to DHS employees. “Once it’s (more widely) available, you can then compel anyone who wants to sell to the government to make sure the app is secured, measured by this tool,” said Forrester Research analyst Chip Gliedman. With more development, the system could become like FedRAMP — a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, he said.

Adam Salerno, a mobile security engineer with consulting firm Veris Group, uses Kryptowire’s software to review applications for some of his clients, which include the Justice Department, the Defense Information Systems Agency, and the private sector. Salerno notes that just because an app is identified as risky does not mean his clients will refuse to offer it to their customers or staff. “Certain companies . . . might not care about certain risks more than they do others,” he said. “They might say, ‘We really don’t want someone to have our GPS location,’ or they might say, ‘I don’t care about that, but I really don’t want any (personally identifiable information) going out.’”

Kryptowire has not pursued venture-capital funding, and relies on grants to operate and fund new research. The Defense Advanced Research Projects Agency (DARPA) awarded Kryptowire funding in September 2013 to develop an authentication app that could use individuals’ “cognitive biometric” traits to identify them. Federal funding could help the company sell more of its services to the private sector, Stavrou said. For now only a small segment of the private sector, including critical infrastructure firms, telecommunications providers, and finance companies, views mobile security as a problem worth paying for. “The use case of security makes much more sense to government agencies and other high-risk companies, who understand the seriousness of the situation and that they have a lot to lose,” Stavrou said.

Commercial clients pay about $10,000 to $15,000 a month for subscriptions to Kryptowire’s app-vetting software. The firm also offers more detailed and in-depth reviews of an app or program for an additional charge.