July 1, 2002

The Open Source way to fame and fortune

- By Robin "Roblimo" Miller -

Imagine this: you are a competitive but not outstanding player of the online game Team Fortress. You decide you are becoming a little too addicted to the game, so you decide to try your hand at a little Open Source coding instead. You write a little intrusion detection program for fun, without expecting many people to be interested in it. Four years later you're head of a well-capitalized, fast-growing company based on your little Open Source project. And you are still an avid gamer.

This is the story of Marty Roesch, who started out using an Open Source programming project as the equivalent of methadone for his heroin-like online gaming addiction, hoping his little hobby programming project, Snort, might generate "a few emails." He thought Snort would help him improve his coding skills, and might be more useful to society than playing another few rounds of Quake or whatever, but did not think of it as a potential business. He already had a decent programming job. He and his wife (an electrical engineer) already had a spacious, brand-new house in Eldersburg, Maryland, with plenty of computers in it, all home-built by Marty. Snort was nothing but recreation.

A classic Open Source beginning

Snort was a true case of a programmer scratching his own itch. Here was Marty with his home network, wanting to see who, if anyone, was trying to penetrate it. He was working on security-oriented software at work, and had a strong background in the industrial-strength computer security field, but this was a small and simple detection system for home use. He had recently read Eric S. Raymond's "The Cathedral and the Bazaar," and had been "enthralled" by the Open Source model it outlined, so as soon as he had a little bit of working code he posted it on the Internet for others to see, use, and poke at.

Snort didn't get a lot of attention at first. Marty says that during the first year after its initial release, in 1998, he got "maybe 10 emails per day." Then, in response to feature requests he'd gotten, he says, "I rewrote about 80% of the code and gave Snort the capability to take plugins." Suddenly interest jumped. Now Marty was getting 50, 60, 100 emails a day, and, he says, "I was starting to get regular contributors, and hearing about banks, universities and military installations that were using Snort."

This last was a little unsettling to Marty. His little home-grown software program used to protect critical financial systems? To defend military computer networks against intruders? But the emails kept coming, and he even got hardware donations from several companies that were using Snort so he could scale his testing beyond what he could do with his home-built computers. He also started to get a little attention from security-specific online media, made the pages of a few IT trade magazines, and started getting invited to speak at computer security conferences.

The limitations of Open Source as a business model

So far Marty was happy with Snort as a "giveaway" thing. He had found that it took more than coding skills to make an Open Source project fly; that to become popular, an Open Source project had to be, as he puts it, "relevant to something people are interested in, and must have strong differentiation from existing projects." Beyond that, he learned "the political aspects of leading a community of users."

So, you might say, by starting and leading an Open Source project, Marty gained the skills needed to run a software company. At the same time, he ran into a mindset -- this was back in 1998 and 1999, don't forget -- that said Open Source was fine, Open Source was fun, that maybe some Open Source code could be used here and there by businesses and government agencies in minor roles, but because there was a "community" instead of a "company" behind most Open Source projects, business types could never take it seriously. That meant Snort's adoption by companies and governments might never be formal, in the sense that Upper Management approved its use and assigned people specifically to work on or with it, no matter how many geeks quietly installed it on surplus computers and ran it back in the server room on their own.

Marty says the idea of building a business around Snort came from "several friends and advisors," plus people he talked to at conferences who said they liked Snort, but couldn't get their bosses to approve its use because their companies simply didn't "do" Open Source; that if Snort were a commercial product they'd have no problem getting it approved for use -- and getting purchase orders to pay for it. The next step was to figure out how to build a business based on Snort without compromising Open Source ideals, to which Marty subscribed wholeheartedly by now. Indeed, one factor that made him want to start his own business was that he felt the company he was working for at the time was misusing some Open Source code here and there, and he didn't want to help them do this.

This dissatisfaction, combined with the sense that Snort could be turned into a business somehow, along with what Marty called "a desire to make some sort of difference in the world," is what finally made him decide to take the plunge into his own company. After all, thousands upon thousands were downloading Snort not only from Marty's own little server but also from SourceForge.net (which hosts the project's CVS tree) and other mirrors.

Now all Marty had to do was solve the classic, "How do I make money from software I give away?" problem.

The solution turned out to be:

  • Give the commercial product its own groovy name, something like Sourcefire.

  • Come up with (proprietary) tools that make the basic (GPL) Snort code easy to understand and use for non-technical managers.

  • Load Snort and the additional tools into a box, and sell the box as a complete solution, instead of just selling software.

  • Sell service, training, support, customization, and so on.

This is, in many ways, the basic "How to Make Money with Open Source" gospel preached by many of the movement's staunchest advocates. It is a path almost any Open Source project could take, assuming it is popular and useful enough, and has enough people willing to buy the resulting commercial product, and the project's leaders are willing to start small, with small dreams, and grow their business carefully while keeping a close eye on expenditures.

Don't get a fancy office until you have money coming in!

Marty started Sourcefire, the company, in his home. He had servers and boxes and packing material all over the place. At one point, he says, they had 17 servers being prepped for shipment in the kitchen. The programmers (including Marty) worked in the basement, and when Marty finally hired a salesman, he worked from a card table in the living room. At one point, Marty says, the house's wiring was so overworked that whenever the salesman, Bill Sento, came to work and fired up his monitor, all the power in the basement would go out and they'd have to reset a breaker or two. (Bill is still with Sourcefire -- and has a "real" office now.) It was a shoestring operation all the way. Some IT businesses seem to operate on a "spare no expense" principle. Marty operated on a "have no expenses" principle. The day Sourcefire collected for its first shipment, it became profitable. And, Marty claims, sales have not been hard to come by. Some of this has been luck and timing; Sourcefire started its sales effort in August 2001, and on September 11, 2001, "security" suddenly became the sales buzzword that topped all other buzzwords.

Note that Marty hired a salesperson early on. He also hired two of the six "core" Snort developers. (Three others work, respectively, for MITRE, Carnegie Mellon University, and CERT, and Marty himself is the sixth.) Even while getting Sourcefire going, Marty stayed active with Snort.org and ran all over the country speaking at various security conferences. In essence, Marty's speaking gigs, backed by the tens of thousands of users Snort had accumulated by this time, made up the company's "marketing effort." The only trick left was to get buyers signed up and product shipped, and to do it at the lowest possible cost.

One thing that helped bring in a bunch of cash quickly was selling Sourcefire as a corporate "appliance" security solution, not as a $49.95 "software only" consumer product. Although product prices are not detailed on Sourcefire's Web site, a company press release from February, 2002 says, "The OpenSnort Management Console costs $20,000, with an additional $9,995 for each OpenSnort Sensor deployed across a network." Marty talks of at least one early $300,000 order. If you get even a few orders this big, keep working from home for a little bit, and don't go crazy hiring a lot of people or buying things you don't really need, you can hardly help making money.

Next phase: investment capital and a "real" office

Contrary to what some people believe, even in the current unsettled economic climate there is investment money available for people or companies who have well-developed products or services -- and can prove that those products or services can be sold for more than they cost to produce. Marty says he raised $2 million on his own without much trouble, and later managed to get another $5.5 million, again without going too crazy in the process.

Now, with $7.5 million behind it, Sourcefire has space in a deluxe, tech-oriented office park, complete with lots of slick, cubicle-type partitions, a climate-controlled server room, and fancy new Macs all over the place. There's a high-end phone system, a "slide your card" access control system on the doors, an impressive reception area, and all the rest of the trappings you'd expect to see at the headquarters of a go-go tech company. But Marty says the lease was obtained at a bargain price. "Look around here," he says. "Half the offices in this [complex] are vacant. We hardly pay anything compared to what this place would have cost a year or two ago." He also points with pride to the low price he paid for the furnishings and fixtures, which were left behind by the now-bankrupt previous tenant. "We paid pennies on the dollar for it all," he says. (A Marty-guided tour of the facility is a lesson in corporate cheapness, one that many new ventures' leaders ought to take before they decide how to spend their investors' money.)

Marty himself has a desk in the middle of the programmers' "giant cubicle" bullpen, where his status as the company's Alpha Geek is obvious to the trained eye (in part because of its central location), but probably not detectable to a visiting MBA. He is wearing a T-shirt, shorts, and because he expects company today (this reporter), what he calls his "better pair of sandals."

The only obvious "recreational" space in the office is the toy- and changing-table-equipped Baby Room, which is there in case Marty wants to bring his toddler to work or other employees want to bring theirs. But aside from the Baby Room, this is a purely functional place of business, one where programmers program, managers manage, salespeople sell, and where everyone in sight seems to be doing real work instead of playing with Nerf guns half the time. Clothing is ultra-casual (company T-shirts are common), but neat and clean. Slashdot is not visible on any monitors, although this is certainly a Slashdot-reading bunch. Everyone in sight looks like he or she has plenty to do.

This contrasts with some -- really too many -- companies in technology businesses that have obviously "bulked up" their payrolls and leased more office space than they really need, where half the people can't really explain what they're doing or why they are necessary to the company's operation.

Coding philosophy and platform choices

Snort is still an Open Source project, with all Snort code produced by Sourcefire fed directly back into it. It has a large and enthusiastic user community, with Marty as its leader. When he came up with the Snort version that first allowed plugins, which is when Snort started to get truly popular, he says it consisted of about 25,000 lines of code, but soon ballooned to 65,000. This, Marty says, "is about the size of the BSD base kernel."

Sadly, a huge price was paid for this expansion in the form of instability. Many of the contributed plugins, Marty says, "were bug-filled, crashy, and slowed things down." He blames a lot of the problems Snort had for a while on XML. He says, cheerfully, "XML is the tool of Satan," and goes on to talk about how XML can take "1,000 lines to do what you could do in 100 lines without it." His current thrust with Snort is to simplify, not to add more features, and "to maintain more security against attacks on the IDS [Intrusion Detection System] itself, along with better self-preservation mechanisms." His motto for the current round of revisions is "No cruft!" and he says he and his Snort co-developers expect to have a lot fewer lines of code in the next Snort iteration than in the one currently available for download.

Snort development started in Linux, on boxes Marty built himself. (He has always been a hardware tinkerer, starting back when he was a teenager and worked part-time for a "mom and pop" computer shop.) Later Marty moved his own development work to a box running FreeBSD, then OpenBSD, and finally back to a system with FreeBSD roots and a nice GUI on top: Mac OS X.

The reason Marty chose to go with an all-Mac office, once he had money to go out and buy computers (and no longer had time to assemble them himself), was that they could run Microsoft Office and other programs that make it easy to share documents with customers outside of the Open Source world, but still offer a BSD-style command line development environment. "It's cheaper to do it this way than to have two computers on each developer's desk," Marty says. "Besides, the new Macs have great sound and look nice." He expresses some disappointment with Apple's commercial support. "Dell offers on-site service, but if you want your Mac fixed you have to take it to them," he says. But overall he thinks the decision to go with Macs was good.

Marty's only Windows computer is a game box he has at home -- and built himself. "It's got a 2.2 Gig processor and..." he goes on, proudly reeling off specs just like any other game junkie who builds his own machines. Make no mistake about it; $7.5 million in capital will not suddenly turn an ardent gamer into a dour businessman who goes around giving lectures about how Quake is ruining an entire generation. No way. Marty is more likely to talk about which video cards are best for playing Quake, and other games, over a beer or three. Indeed, he'd rather do that than be CEO of Sourcefire, and freely admits it.

It's more fun to be CTO than CEO

We've all watched it happen: Someone who is a cool hacker turns into a lousy manager. An excellent writer becomes a crummy editor. A decent manager or project leader ruins a company as CEO. The Peter Principle is always out there, waiting to bite those who fail to heed its timeless warning.

On June 4, Sourcefire put out a press release announcing that Marty was stepping down as CEO and would now be CTO, and that newly recruited Wayne Jackson would become CEO. Marty says he made the decision to recruit a professional CEO long ago, and that he'd been actively looking for the right person for five months before settling on Wayne.

"I didn't want to be walking around with a copy of 'CEO for Dummies' under my arm, trying to figure out what to do next all the time," Marty says. So Wayne, whom Marty says has been hugely successful with several other companies, to the point where he's already reasonably rich, "but still enjoys the challenge," gets the CEO office, gets to wear the suits, and gets to deal with the venture capitalists and other investment-type people. And if the company ever does an IPO (which it might if things keep looking good, although Marty ducks a direct "Are you planning an IPO?" question with a sly smile), Wayne will get to deal with the lawyers, investment bankers, stockbrokers, financial analysts, government regulators, and all the other fun people who suddenly get involved with your company if you decide to sell stock to the public.

This is a slick move for two reasons. First, Sourcefire is suddenly being run by a guy with major "Fortune 500" credentials and a track record in making small, high-growth companies successful, so no one of the MBA persuasion can ask funky questions about how some guy like Marty, with a T-shirt over his potbelly and a taste for late-night coding or gaming sessions (and beer), who would rather wear sandals than wingtips, is qualified to run a mega-million-dollar enterprise. Second, Marty gets to keep his desk in the middle of the geek bullpen and hang with the people he likes, and if he wants to go down to the nearby Last Chance Saloon on a Thursday night, when beer is half price and there are entire tables full of Open Source coders, Linux advocates, gamers, freshmeat editors, and other low-lifes showing each other their latest PDAs, digital tire gauges, and other toys (and drinking plenty of cheap beer), he is free to do so without worrying about how it will affect his company's image with the Wall Street crowd.

Can this show keep on the road?

If Sourcefire is going to expand and keep raking in the bucks, Marty needs more people. "I need the kind of people who know a lot about networking," he says. "Linux zealots, Open Source gurus, self-starters who are self motivating so I can just turn them loose, who don't have a lot of ego," is how he describes those who would fit in with his current team. An advantage of the current rough IT job market, at least from Marty's (management as opposed to personal) perspective, is that there are plenty of unemployed folks out there who fit this mold. But even so, he's slow and cautious about hiring. In a twist that would have been considered insane only a few years ago, Marty, his new CEO, and their venture capital backers have decided to wait until they have ramped up sales enough to cover the company's newly-increased expenses before they ramp up hiring. This "take in more money than you spend" concept is a little hard to grasp at first, but the more you think about it, the more sense it makes, at least in a fuddy-duddy, "old economy" kind of way.

Assuming hiring and other expansion costs can be balanced correctly against sales growth, a big obstacle to Sourcefire's continued success might just be Microsoft's Palladium security initiative, which supposedly will make all computers so secure that other security measures (like Snort or Sourcefire) will no longer be necessary. Marty isn't wasting a lot of time worrying about that one, though. "Palladium will only affect us if it works," he says, and adds, somewhat cynically, "I am not impressed with press releases [from Microsoft] that say 'We'll be secure in five years.'"

There are also companies competing with Sourcefire on both the software and hardware sides of the IDS marketplace. If you ask Marty what kind of competitive threat they represent, he'll give you an earful about how almost all of them offer nothing but proprietary products, and how Snort is raking in awards from security gurus worldwide, then he'll move into a general dissertation on the superiority of the Open Source development model, and why he believes it is better than proprietary development, especially in the security arena. (We won't repeat that speech here; every NewsForge reader has surely heard it dozens of times and knows it by heart.)

Open Source: be proud, say it loud

Marty believes that the idea of Open Source, which was considered a liability to be overcome, at least in the sales sense, when he first started kicking around the idea of doing something to make money from his Snort efforts, is now more accepted in the mainstream corporate and government management world than it was only a few years ago.

"It used to be that when people asked me what I did," Marty recounts, "and I said, 'I'm an Open Source programmer,' it didn't seem to mean anything to them. Now, when people I meet in hotel lobbies or airport lounges -- random strangers -- ask me what I do, and I tell them I'm an Open Source programmer, at least now some of them know what I'm talking about, and it's a job title they respect."