Finite State is Modernizing Software Security for the Connected World

How this Columbus startup is redefining product protection for embedded devices

What do your car’s built-in GPS, a large-scale power plant and cutting-edge medical equipment have in common? They are all connected devices that operate using highly vulnerable embedded software. As more of the devices that power our world — and the ones we use in our day-to-day life — require high-level connectivity, they become increasingly susceptible to security risks. So how do developers and manufacturers ensure that their products are safe and secure? Answering that question is the expertise of Columbus-based software startup Finite State.

“Our mission is to protect the devices that power our modern lives,” said CEO and Founder Matt Wyckhouse. “We’re focused on devices that are not traditional personal computers, but all of the other things that are actually computers. We help developers of those technologies — like medical device manufacturers, industrial automation manufacturers or vehicle manufacturers — build the software that powers those devices both more securely and more proactively to find the vulnerabilities and eliminate them before they go to market.”

To detect these vulnerabilities and security risks, embedded system firmware is uploaded to the Finite State Platform, which assesses product security and provides risk analysis. Specialized aspects of the platform, such as the Software Bill of Materials, offer full visibility into software elements, including coded materials and third party components. Similar to a nutrition label found on food at the grocery store, Wyckhouse said that the Software Bill of Materials creates a software ingredients list. From information included in this list, the platform generates results that provide developers and manufacturers with action steps they can take to protect their products against firmware attacks and other security threats.

“Software developers make mistakes when they’re writing code, especially for embedded devices,” said Wyckhouse. “We try to proactively identify those as well. That all happens behind the scenes. We analyze a customer’s software through our cloud-based system, which uses a massive amount of computation to provide results. Usually, the product security team will take those results and work with their engineering teams and others to fix the problems that are identified and make sure the software is secure for their customers.”

Wyckhouse began his journey into the realm of cybersecurity at Battelle after studying computer science at The Ohio State University. There, he built cybersecurity programs before helping launch a high-level cybersecurity division at the company. In his new role, Wyckhouse saw firsthand how embedded devices were becoming less and less secure, despite their increasingly critical role in everyday life. The heightened risk and Wyckhouse’s desire for devices that were more secure and reliable sparked the creation of Finite State. He left Battelle for the startup world and began working with investors to build his new company.

“I wound up leaving Battelle and I spent a year at another startup company to get an understanding of what it was like to be in a startup and get outside of the government sphere that I’d been in,” said Wyckhouse. “I met Andy Jenks and Mark Kvamme from Drive Capital. Even when I was at Battelle, I knew I wanted to start this company and spent a lot of time talking with them about the concept. That’s what eventually led to me pitching Drive Capital, getting an initial funding round. Then, we were off to the races.”

For Wyckhouse, the best place to grow and develop Finite State was in Ohio. Access to capital and the wide array of talent available in Columbus were driving factors in keeping the company in the Buckeye State.

“We had investors who wanted us to be in the Midwest, so having access to capital was a huge deal,” he said. “Having those Ohio roots has allowed us to do things more effectively than most companies because we came from the perspective of underdogs. But we thought of being in Columbus as an unfair advantage. That talent base was accessible and at a much lower price point than Silicon Valley. Then you have the cultural characteristics of the Midwest — there’s less ego here. People want to make an impact and work hard and have fun at the same time, so it’s been a great place to build a team.”

As embedded devices’ role in daily life grows, Finite State aims to raise the bar in mitigating security risks and reliably detecting product vulnerabilities. In a world where connectivity is key, Wyckhouse hopes to make an impact by emphasizing the importance of software security for the modern world.

“Our guiding purpose and my personal purpose is to raise the bar,” he said.” We should not be able to live in a world where the most critical devices are the most insecure ones. Their security needs to improve dramatically, and we have the ability to make an impact. We find really serious vulnerabilities in products on a routine basis. If we had not found those things, those products go to market and put those critical networks at risk. That’s really rewarding for me and for our team and that’s what really drives us.”