Abstract

In this work we report on our experiences in developing and commercializing Goanna, a source code analyzer for detecting software bugs and security vulnerabilities in C/C++ code. Goanna is based on formal software analysis techniques such as model checking, static analysis and SMT solving. The commercial version of Goanna is currently deployed in a wide range of organizations around the world. Moreover, the underlying technology is licensed to an independent software vendor with tens of thousands of customers, making it possibly one of the largest deployments of automated formal methods technology. This paper explains some of the challenges as well as the positive results that we encountered in the technology transfer process. In particular, we provide some background on the design decisions and techniques to deal with large industrial code bases, we highlight engineering challenges and efforts that are typically outside of a more academic setting, and we address core aspects of the bigger picture for transferring formal techniques into commercial products, namely, the adoption of such technology and the value for purchasing organizations. While we provide a particular focus on Goanna and our experience with that underlying technology, we believe that many of those aspects hold true for the wider field of formal analysis and verification technology and its adoption in industry.
