Renowned IT security expert Prof. Matthew Smith explains in this interview how the German startup Code Intelligence helps companies find vulnerabilities in the software they develop and talks about the expansion plans of the startup after its latest financing round.
Co-founder and Scientific Advisor, Code Intelligence
Matthew Smith is a Professor for Computer Science at the Rheinische Friedrich-Wilhelms-Universität in Bonn. He is a renowned expert for Usable Security and Privacy and also a member of the Fraunhofer Institute for Communication, Information Processing and Ergonomics FKIE in Bonn. He co-founded Code Intelligence in 2018 with Sergej Dechand and Khaled Yakdan. The startup helps developers ship secure code by providing a platform to find and fix security vulnerabilities before they ever reach a finished product. It recently raised a USD 12m Series A led by Tola Capital. Verve Ventures first invested in 2020.
Code Intelligence was founded to provide enterprise customers with an easy way to use dynamic software testing. It has developed a product that gives software developers the ability to detect weaknesses in software during the programming phase, where it is much less costly to fix bugs than when software is already in production. The method called feedback-based fuzzing is superior to the old approach of static testing because it doesn’t create countless false alerts that people need to sift through. Code Intelligence’s software is sold through a Software-as-a-Service business model and makes the powerful method of fuzzing user-friendly and accessible to non-experts.
Why do companies such as Google, Bosch, and Deutsche Börse use Code Intelligence’s software?
Code Intelligence offers them a powerful but importantly also user-friendly tool to identify bugs in their software. Saving time and effort is of great value to these companies. This is basically true no matter what company it is. Security testing normally is a time-intensive and expensive process and it is hard to find the necessary software testing experts. Code Intelligence is a very cost-effective way to prevent bugs early during software development, at a stage when it is much less expensive to fix things than when the software has already been shipped.
What does Code Intelligence replace?
That depends on the client. If a company hasn’t done software testing before, Code Intelligence plugs a very large security hole. No company can develop flawless software. Some companies already have processes in place that Code Intelligence can strengthen. Our goal is to establish Code Intelligence as the worldwide standard tool for software testing. The tool that is widely used now is static code analysis, but in my experience, it is not very effective – as can be seen by the many bugs it misses. One of the large problems of this method is that it generates large amounts of alerts that need to be manually checked even in cases where there are no bugs, and this makes it too time-consuming. It also cannot identify all bugs. One of the great benefits of Code Intelligence’s approach is that it discovers only real bugs and can offer direct insights into how to reproduce and trigger those bugs.
What if someone is skeptical about the approach of automatic vulnerability detection?
Of course, there are always skeptics but I’ve not come across a case yet where Code Intelligence hasn’t found bugs and improved the testing process. After that, they are usually convinced.
Some companies might not want to invest a lot into software testing but only do the minimum required by their compliance process.
That was true, but I think that mentality has changed. Most companies have woken up to the fact that software vulnerabilities are a serious threat to their business and that if bugs are found in production systems they are vastly more expensive to fix than if they are caught early. Thus most companies are really trying to do software testing right, but are often struggling. We live in a world that is suddenly deglobalizing, and the rules of how state actors behave have markedly changed. It is not an exaggeration to say that cyberattacks have become much more frequent and aggressive. Software permeates our world. If the software they have developed is compromised, the financial impact on companies can be tremendous.
What kind of financial impact are we talking about?
A report by the company Tricentis puts the damage of 606 software fails they have analyzed at USD 1.7 trillion. I personally think that such figures involve a lot of guesswork and need to be taken with a grain of salt. But even if they are off, say, by orders of magnitude, it would still be a very substantial figure. Keep in mind that not all software is easy to fix with an update. Take the example of the automotive industry, with which Code Intelligence does a lot of business. The potential cost of recalling a fleet of cars to update the software embedded in its chips is huge. Then there are other industries where manipulation of software could result in worse harm than just financial loss. A study we conducted showed that medical staff doesn’t realize when patient monitoring software has been tampered with and thus patient lives are at risk. Critical infrastructure such as power plants is an obvious target for malicious actors, and the impact could be disastrous. There is not a single industry that should have blind faith in the software it runs. Programming is complex, and it is next to impossible to program secure software.
Is there a concrete example that proves that the method Code Intelligence applies can detect software weaknesses other methods could not find?
The log4shell vulnerability that was discovered in December 2021 is one that will be remembered because it was so catastrophic. What made it so dangerous is that log4j is the most widely used Java library for logging input from users. The vulnerability allowed attackers to gain remote code execution access to the backend of a system, and what makes it worse, it was trivial to exploit. Anybody with even minimal programming skills could use this vulnerability and reach deep into otherwise protected networks. Malicious actors could use it for all kinds of attacks, such as installing ransomware, taking control of systems and stealing data. With Jazzer, our Java fuzzer, these kinds of bugs can be found within minutes. Code Intelligence is the market leader in Java fuzzing; there is literally no competition. We are very proud that Google integrated Jazzer into their OSS-Fuzz framework.
How is it possible that a small startup based in Bonn with a handful of software developers can achieve such a feat when other firms have hundreds or thousands of software developers?
First of all, Code Intelligence has grown significantly since its last financing round in 2020. It has developed from a small startup into a company with 36 employees and assembled a strong team of executives and expert developers you cannot easily find. Fuzzing has been around for a long time, but it used to be a blunt tool. Only when feedback-based fuzzing was invented a few years ago did it become really powerful. But still, it was an unwieldy method used by only a handful of experts. This is where our research comes in. Our research group is world-leading in the topic of developer-centric usable security and the usability of the software tools security experts use. Based on this expertise, Code Intelligence turned a complicated method that required significant specialization and expertise into a tool that can be used by any developer and integrated seamlessly into CI/CD pipelines. It not only finds bugs but explains them, which means these bugs can be fixed much more easily. This developer-centric usability focus is not widespread yet, and that gave us an edge.
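The interview contrasts "blunt" fuzzing with feedback-based fuzzing, and earlier claims that a fuzzer finds a log4shell-class parser bug within minutes. The following is a constructed illustration of that difference, added here and not code from Code Intelligence or Jazzer: a toy record parser with a planted divide-by-zero, a blind fuzzer that draws fresh random bytes every round, and a coverage-guided loop that keeps mutating whichever input last reached a new branch. The `trace` set stands in for the coverage instrumentation a real fuzzer compiles into the target; all fuzzer inputs are fixed at 8 bytes.

```python
import random

MAGIC = b"FUZZ!"

def parse_record(data: bytes, trace: set) -> int:
    """Constructed toy parser: 5-byte magic, length byte, payload. `trace` collects
    branch ids, standing in for the coverage instrumentation a feedback fuzzer adds."""
    for i, expected in enumerate(MAGIC):
        if i >= len(data) or data[i] != expected:
            trace.add(("reject", i))
            return -1
        trace.add(("magic", i))
    length = data[5]
    payload = data[6:6 + length]
    return sum(payload) % length  # bug: a declared length of 0 divides by zero

def run_target(data: bytes):
    """Run the target once; return (branches hit, exception or None)."""
    trace = set()
    try:
        parse_record(data, trace)
        return trace, None
    except Exception as exc:  # any uncaught exception counts as a finding
        return trace, exc

def blind_fuzz(seed: int, budget: int):
    """Blunt fuzzing: fresh random bytes each round, no feedback from the target."""
    rng = random.Random(seed)
    for i in range(1, budget + 1):
        data = rng.getrandbits(64).to_bytes(8, "little")
        if run_target(data)[1] is not None:
            return i, data
    return None, None

def coverage_fuzz(seed: int, budget: int):
    """Feedback-based fuzzing: keep mutating the input that last reached new code."""
    rng = random.Random(seed)
    best = bytes(8)
    seen, _ = run_target(best)
    for i in range(1, budget + 1):
        buf = bytearray(best)
        buf[rng.randrange(len(buf))] = rng.randrange(256)  # overwrite one random byte
        data = bytes(buf)
        cov, crash = run_target(data)
        if crash is not None:
            return i, data
        if not cov <= seen:  # hit a branch never seen before: adopt this input
            seen |= cov
            best = data
    return None, None
```

With the same budget, the blind loop essentially never assembles the five magic bytes plus a zero length (about one chance in 2^48 per round), while the guided loop walks the magic one byte at a time and typically reaches the crash in a few thousand rounds.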
The relevance of Code Intelligence’s approach has been validated by the Series A financing round that you recently closed. You raised USD 12 million from the Seattle-based venture capital firm Tola Capital, which focuses exclusively on enterprise software startups. Not only did you convince a specialized US VC, but the round was also joined by Thomas Dohmke, the CEO of GitHub, the world’s largest code repository, used by a community of more than 70 million developers. How will these investors help Code Intelligence succeed?
It is absolutely fantastic to have such great investors on board. The interactions with Tola were very professional and pleasant. We’re planning to open up an office in the US to strengthen our presence in this important market and are hiring globally. The engagement of GitHub’s CEO is a very strong sign that fuzzing is the future for open-source projects. Google’s OSS-Fuzz, which integrates our Jazzer fuzzer, can be directly integrated into GitHub and allows this large community of developers to make their projects more secure. One should not underestimate the impact that this will have. Most of the closed-source software that companies develop uses open source building blocks. This makes sense from an engineering perspective. Reusing code that has already been built is efficient, as many years have already been invested in developing and polishing it. But these open source libraries rely on small groups of volunteers to maintain them. Helping them ensure the quality of the code benefits everyone.
But GitHub is in a sense also a distribution channel for Code Intelligence, because developers get exposure to your tool?
The visibility that we get through GitHub is an enormous benefit. Developers can experience our tool and see firsthand how powerful it is and that fuzzing can also be used to find weaknesses in Java. This experience is a great motivator to integrate fuzzing into the company they’re working for. From a go-to-market perspective, we’re currently working on automation. Large clients with very complex software projects currently still need to work with our customer success team. The goal is for Code Intelligence to become automated to the point that it won’t take more than downloading and installing the software. When it comes to the community of developers using our tools, one of the central hires going forward will be a community manager who interacts with them and helps the community grow. This will also help us grow our company because more people will become experienced with fuzzing.
I imagine it is quite hard to attract people with such skills to a startup; I mean, they could probably also join one of the tech giants that have their own fuzzing teams.
There are a handful of firms that have their own fuzzing teams, but most companies that develop software don’t. It is much more efficient for them to work with our software instead of building these skills in-house, and the supply of new students that have excellent skills in this domain is very limited. But in a way, Code Intelligence is in a very good position. We are able to attract the best talent because we can offer them the opportunity to build the world’s leading fuzzer, not just do software testing for a big company. Literally everyone who is interested in the field of fuzzing has already heard of us. And Code Intelligence is growing very fast. Just recently, a security vlogger I follow but don’t know personally published a video where he used our tool Jazzer and showed how easily he found bugs with it. That made my day.