Interview: A Nutrition Label for Software

Abhishek Shah from New York aims to make software security measurable. The Entrepreneurship Explorer Ruhr prepared him for the way to his own startup.

Normally, Abhishek Shah is at home in the IT security, computer architecture and cryptography laboratories at Columbia University in New York. With an innovative startup idea, the doctoral student was able to secure participation in the Entrepreneurship Explorer Ruhr 2023 (EER) training program of WORLDFACTORY International and the Cube 5 Incubator. In an interview, Abhishek Shah talks about his nutrition label for software, how he experienced his time in Bochum and why the Ruhr city doesn’t have to take a backseat to New York.

Every year, the Entrepreneurship Explorer Ruhr invites international and entrepreneurially-minded students and early career researchers to the Ruhr region to get them ready to start a business. This year, the focus was on startup projects in the field of cyber security.

Mr. Shah, please briefly describe your scientific background.
I studied computer security in my undergraduate and graduate programs at Columbia University in New York and have taken several paths to this approach. Initially, my primary role was consulting. I tried to use the existing security tools on the market and applied them to different customers and clients. However, I found the existing tools to be inadequate. So, I then spent time on building new tools, but these tools were based on existing research ideas with their own limitations. I started doing research and that led me to my graduate program, where I’ve been working on building new ideas to address the limitations that I saw in my work experience.

What interests you most about your scientific work?
I think relevance and speed are the most important aspects for me. Cybersecurity has a very real impact on our lives. We see nation states targeting and spying on individuals, war operations being disrupted and critical infrastructure, including power grids, becoming vulnerable. I work in software security, and the beauty of it is that, unlike hardware, software is a fast-moving world. With hardware, it can take months or years to go from idea to production to real-world application; with software, it’s quite a bit faster. I’ve seen a research idea turn into code in a matter of weeks, and now everyone is interacting with it.

Why did you choose Bochum?
In the field of IT security, Ruhr University Bochum is well-known, publishes extensively and participates in academic conferences. This is how I became aware of Bochum. Germany is a very respected nation and the culture is different from the US. So I thought coming here would be a good educational and academic experience.

Can you describe your startup idea?
When we eat food, it usually has a nutrition facts label that indicates both the ingredients and the nutritional properties, for example, how much fat, sugar and carbohydrates a food contains. I wanted to develop something similar for software. The “security nutrition label” is an approach to measuring the security of software that provides an overview of its individual components. The hardest part is to give a metric that indicates how much security a software contains, where the security problems are and what they actually mean.

For whom is the label of interest?
The immediate use case is enterprises, specifically cyber insurance companies. Right now, the assessment of a company’s vulnerability is not based on its software, but on other factors. Therefore, my idea could be a tool to develop better pricing models for cyber insurances.

Where are you in the startup process?
At the moment, I’m still at the very beginning of the startup process. It will take at least another year before I can develop my idea further, because I want to finish my studies first. The next step would be to prototype the tool that can measure software security.

What did the Entrepreneurship Explorer Ruhr 2023 program look like?
It was a series of workshops with different content and mixed with interaction. Instead of traditional lectures, speakers shared their own startup stories and experiences. We were then asked to apply what we had learned to our own startup idea and received feedback on it. It all culminated in the simulation of a real pitch. It was my very first pitch and it was nerve-wracking, but also really good. We had seven minutes to pitch our idea and could hear the countdown ticking.

How has the program helped you?
My cousin once said that the further you advance in your PhD, the less willing you are to take risks. You see all the ways your product can fail; here, it was the other way round. I could see all the ways the product could succeed.

The exposure to the startup culture and the whole aspect of entrepreneurship education were very important for me. How I express myself linguistically, how I describe things in an academic environment is different from a non-academic environment. People care about different things. In the program, we looked at the entire ecosystem of entrepreneurial education: what a startup really means, how to set it up legally, what a business model looks like and how to develop a go-to-market strategy.

How does the startup scene in Bochum differ from the startup scene in New York?
It was really cool to see that the German government supports the entrepreneurial community in many ways, for example with the EXIST program. We have similar venture capitals in the US, but the government support is not as extensive. It tends to be directed at scientific companies and institutions, such as universities, rather than startups.

I think what was really special about the Ruhr region was seeing how many people work in IT-security. There’s the Max Planck Institute, there’s CASA, there’s Ruhr University Bochum, the Horst Görtz Institute, and of course Cube 5. The whole ecosystem that’s been built around here just for cybersecurity is something I’ve never seen before. You can see all the components in different ways in the US, but the coherence here is really special.

What will you take away?
One thing I’ll remember is the openness I felt here. One of my fears was that I would not be able to speak German very well and then wondered what that would be like. People were very friendly and willing to speak English with me.

What does the Cube 5 Incubator do?

The Cube 5 Incubator supports researchers with groundbreaking ideas in the field of cybersecurity on their way to the market. Funded by the German Federal Ministry of Education and Research (BMBF), the Incubator provides startup expertise, intensive training programs and support in developing business models and building the company.

Cube 5 is based at the renowned Horst Görtz Institute for IT Security at Ruhr University Bochum. The university is also home of Germany’s only cluster of excellence in the field of IT security: “CASA: Cyber Security in the Age of Large-Scale Adversaries”.

About the WORLDFACTORY

As a central contact point for startups and transfer, the WORLDFACTORY Start-up Center (WSC) supports all startups interested in transferring their ideas from science to business. In addition to competent consulting, networking events, workshops and competitions, the WSC provides the premises and infrastructure for testing innovative ideas.

True to the principle “Innovation knows no borders”, the “WORLDFACTORY international” program promotes international startups.

Published: Monday, 23 October 2023, 11:07 am

By Jessica Siegel