Spinout Stories: MuseDev

While most engineers and scientists join Galois to be part of a company that conducts groundbreaking research, for our unique culture of collaboration, or for the great benefits and work-life balance, there’s a lesser-known but equally exciting perk of working at Galois: participating in the creation of spinouts.

Throughout my time as a research engineer at Galois, I have had the opportunity to contribute to numerous spinout companies. My first such experience came only nine months into my tenure, when I dove headfirst into the inception and development of MuseDev. As a company, MuseDev’s eventual goal was to bring advanced static code analysis capabilities into developer workflows, but that’s not where the story started. Like so many of our spinouts, it all began as a Galois research project.

MuseDev’s Genesis

Galois’s original goal was to develop a continuous integration environment for formal verification using our Software Analysis Workbench (SAW). As we did early exploration of the market, we found that even the more lightweight analyzers based on static analysis were not being broadly deployed and configured effectively across the industry. At the same time, numerous research results were being published on the effectiveness of code analysis tools. The findings were that developers were far more likely to fix bugs if they were identified at the time the code was written, as opposed to surfacing them in a security review much later down the road. 

In other words, our research unearthed a clear opportunity to develop a product that would solve a real-world problem – and when that happens at Galois, we spin out a new company to focus on the product. In this case, that spinout was MuseDev.

The Evolution of a Company… and an Engineer

MuseDev’s mission quickly evolved into developing and marketing a product that provided deep static analysis findings as comments in pull requests. The app employed best-in-class analyzers, and aggregated the results from the analyzers using machine learning. The result was high quality, high confidence findings delivered right when they were needed.   

I joined the MuseDev team during the early incubation period, about a year before the company launched as an official legal entity. On the engineering side, much of my initial effort was focused on building the scaffolding to deploy the MuseDev technology. This included packaging and deploying the application on Kubernetes and AWS as well as building integrations with the GitHub marketplace. As the company progressed, I migrated towards doing more applied R&D, particularly in the machine learning space. That work focused on combining program analysis techniques to retrieve structural information about an application, which then fed into a machine learning algorithm that was capable of pre-configuring and tuning static analysis tool configurations to the particular application being analyzed. We also leveraged similar techniques to help triage and prioritize findings coming from multiple static analysis tools on the same code base.

In addition to contributing on the engineering and applied R&D side, I was able to participate in and contribute to the business and cultural process of building the company. This included the go-to-market strategy, user journey, pricing models, organizational values, and hiring. Having just graduated from my PhD less than a year prior to joining Galois, I was ecstatic to be able to get exposure to all of the aspects that go into creating a successful organization. And I got to do a lot of cool science and engineering along the way – all while maintaining the comfort and stability of my “day job” at Galois. 

From MuseDev to Sonatype

About a year after we officially launched MuseDev, we started closely collaborating with a company called Sonatype – a leader in open source and software supply chain security. In March of 2020, Sonatype officially acquired MuseDev and the technology formed the foundation of the Sonatype Lift product. 

Lift was a best-in-class code analysis platform that made the kinds of advanced static analysis we love at Galois available to the everyday developer. It even offered a plug-and-play GitHub app that was free for open-source projects. I was particularly excited to see the machine learning for bug triage research I had worked on become a part of the Lift product. 

Only the Beginning

Post-acquisition, I’ve since returned to the Galois fold, but my work with spinouts is far from finished. These days I am part of a team actively launching a new Galois spinout called ExistX, a technology services company tackling the world’s toughest systems engineering challenges.  

Make no mistake, I’m still deeply involved with and invested in Galois’s own research. Just this year, I’ve had the opportunity to lead a number of cutting-edge projects, including digital engineering projects with DARPA and the Air Force Research Laboratory (AFRL). Working on spinouts just makes this work all the better – keeping researchers like me grounded in and connected to real-world impact and application. It gives our research direction and provides a productive outlet for the inevitable innovations and solutions that emerge from our work, while simultaneously helping preserve Galois’s identity as a technology research company. 

In other words, my experiences with MuseDev, ExistX, and other spinouts have made my career all the more exciting and satisfying. And it’s just getting started.

Stay tuned!