OpenRefactory

Mushfique Manzoor, Co-Founder and Managing Director, OpenRefactory

Interviewed By Muktadir Mubassir, Team MBR

A seasoned professional with experience in diverse roles at a good number of esteemed organisations such as British American Tobacco, Novartis, Aramex, Robi, ACI Logistics and others, Mr. Mushfique Manzoor has always had an entrepreneurial mindset. He is one of the key figures behind the launch of the largest retail chain in the country, Shwapno. Mr. Manzoor and his friend from Notre Dame College, Dr. Munawar Hafiz, formed the startup OpenRefactory in September 2016. It provides a one-of-a-kind tool, iCR, that can not only detect bugs in code with high precision but also fix them automatically. He completed his bachelor’s and master’s degrees at the Institute of Business Administration, University of Dhaka. Team MBR sat down with Mr. Manzoor and had the opportunity to learn the behind-the-scenes story of OpenRefactory and his vision for the startup.


Muktadir Mubassir: You have years of corporate experience in various important roles at different renowned organisations such as British American Tobacco, Novartis, Aramex, Robi, and so on. Could you please elaborate on how these diverse experiences influenced your mindset to establish a unique startup like OpenRefactory?

Mushfique Manzoor: I have always been intrigued by innovation. All throughout my career, I tried to do something innovative within, and sometimes beyond, the boundaries of the roles that I was in. The diverse experiences that I went through enabled me to look at a broad spectrum of things. If you look at the industries I have worked in, they are diverse, including telecom, tobacco, logistics, FMCG, and so on. I believe it has enabled me to see and connect the farthest and most diverse ends together. For instance, during my FMCG days, I launched a ready-to-drink Ovaltine vending cart in selected locations in Dhaka, which got regional recognition. During my AKTEL days (now known as Robi), I, along with my team, launched the very first mobile-network-based hunting number service for the call centres of Standard Chartered Bank and BRAC Bank, which ultimately led to today’s 5-digit hunting short-code service that all banks and enterprises use. When I left Robi and started the journey to establish the retail chain of Shwapno all across the country, no one could actually think that such a retail chain could be established. At that time, we actually made plans to dethrone the market leader, which was achieved in about a year, with the establishment of 60 outlets nationwide. It was surely a big challenge. It takes a certain amount of ‘craziness’ above everything else to pull off such an initiative, especially in our country. I had the opportunity to be in a general management role, as Country Manager, very early in my career when I was posted in Vietnam and then in Nepal to set up ARAMEX franchisee operations in those countries. I was also part of a team that set up a cargo airline in Dhaka. All these experiences taught me invaluable lessons in business development and management and made me more confident of our talent.
Like everyone else, I was influenced by how startups in the West were raising funds from investors solely based on ideas and flourishing, and I started to look for real innovative ideas for a new business/startup. The co-founder of OpenRefactory, Dr. Munawar Hafiz, and I are good old friends. We got into Notre Dame College in 1993. Later on, he got into BUET to pursue computer science, and I got into IBA to pursue business administration. In our friendship, we know each other’s skills and strengths, and we complement each other very well. During his PhD in the United States, Munawar worked on bug identification and fixing. The tools that were available on the market back then were capable of identifying bugs, with limited accuracy, but they could not fix the bugs. Munawar wanted tools that would not only identify bugs precisely but also fix them, like spelling correction in word processing software. In May 2012, we were having dinner at a restaurant in Chicago, Illinois, and he discussed his project on automated bug fixing. The idea sounded amazing to me. So, we planned to form a startup and bring the product to market. Over the next couple of years, Munawar fine-tuned the algorithms. Once it became more stable, Munawar applied for a grant from the US National Science Foundation. While drafting the plan for the grant, Munawar contributed the technical parts, and I contributed the business parts. With the drafted plans, we won a USD 225,000 grant, and we formed a company named OpenRefactory in the United States in September 2016. In 2019, we shifted our development centre to Bangladesh by setting up our subsidiary, OpenRefactory Bangladesh Ltd. In 2021, OpenRefactory became the champion of the Bangabandhu Innovation Grant (BIG), the flagship event for startups in Bangladesh.

Muktadir Mubassir: OpenRefactory uses its automated analysis and correction tools to fix bugs and vulnerabilities in complex digital systems. Would you kindly share the operating procedure of OpenRefactory and how it is differentiating itself in its area of business?

Mushfique Manzoor: Bug detection tools have been around for more than 20 years, and all of these tools can only detect bugs, though the accuracy is poor. None of these tools can actually fix the bugs automatically. While these tools can suggest corrections, the programmers have to review the suggestions and then rewrite the code manually to fix the errors. Even if the same error recurs in the code multiple times, it needs to be solved individually every time. Secondly, the existing tools generate lots of false positives. In the case of false positives, the tools show that there are errors. However, when the programmers review them, they find no bugs. As of now, the rate of false positives is very high in the industry. There are even billion-dollar players in this space, but their rates of false positives are as high as 90%. That means, out of every ten bugs reported by these tools, nine are not even bugs in the first place. Thirdly, when someone intends to use these bug detection tools, they need to use the cloud and share their code with the bug detection companies. These are the three major unwanted realities in the industry that need to be addressed.

Here comes OpenRefactory with its tool iCR. Firstly, iCR can detect critical security vulnerabilities that other bug detection tools cannot. For instance, OpenRefactory has been capable of detecting Log4Shell, which remained undetected by all the bug detection tools for eight years. This bug alone is estimated to have caused more than USD 100 trillion worth of financial losses all over the world. Till now, iCR is the only tool that can detect Log4Shell and similar critical bugs like Text4Shell.

Secondly, on the SAMATE benchmark (Software Assurance Metrics and Tools Evaluation, developed by the US Dept. of Defense, the Dept. of Homeland Security and NIST of the Dept. of Commerce), our rate of false positives is less than 6%, whereas it is around 94% for the industry leader, Sonar. We made a huge difference in this aspect, with an accuracy level almost 16 times better. Thirdly, as of now, OpenRefactory is the only bug detection tool in the world that can automatically replace bugs with corrections in the source code in about half of the cases. The other half needs to be corrected manually. Lastly, OpenRefactory is not cloud-based software as a service. So, we do not see the clients’ code. Our tool is deployed at the clients’ end, and the clients run it on their own servers under their own control.

Muktadir Mubassir: OpenRefactory’s signature product, Intelligent Code Repair (iCR), helps fix bugs efficiently and significantly reduces the time that bug fixing takes by conventional means. Would you kindly share with us some statistics on the degree of operational efficiency that can be achieved by employing iCR, based on user feedback?

Mushfique Manzoor: As I mentioned earlier, on the SAMATE benchmark, the rate of false positives is less than 6%. It is around 94% for Sonar, which is one of the industry leaders. As a result, with iCR deployed, the efficiency of the programmers can be enhanced by at least 15%, though it may vary from organisation to organisation. In monetary terms, a 500-member team of programmers can save about USD 20 million a year, considering that the global average salary of programmers is USD 40,000 a year. For a 50-member team, the saving is about USD 2 million, which is still a lot of money.

Muktadir Mubassir: Mishandling code may sometimes result in infringement of intellectual property rights. How does OpenRefactory ensure the confidentiality of the code while rendering its bug-fixing services?

Mushfique Manzoor: Whenever iCR gets deployed, it is deployed at the clients’ end. It is not deployed at OpenRefactory’s end. The clients do not have to upload their code to OpenRefactory. iCR is not even in the cloud. iCR is delivered to the client as a Docker container, and it operates inside that Docker container, which is deployed at the clients’ end. Whatever the clients have written gets scanned by iCR at their end, and all confidentiality remains with them. Our deployment model itself ensures that confidentiality remains with the clients and that we don’t get to see the clients’ proprietary code.

Muktadir Mubassir: Automated analysis and correction tools may not identify all the bugs or may detect false bugs. Would you kindly share with us how accurate OpenRefactory’s bug detection is and how it is working on improving the accuracy?

Mushfique Manzoor: OpenRefactory’s bug detection accuracy stands out in the industry. Our statistics are far ahead of those of many of the industry leaders, like Sonar. As I already mentioned, on the SAMATE benchmark’s Juliet Test Suite v1.3, which comprises 1.8 million lines of code (LoC) across 9,575 files, our false positive rate is below 6%. In contrast, Sonar’s false positive rate is approximately 94%. If we consider the true positive rate, it is 98% for iCR and 77% for SonarQube on the same benchmark. So, it is evident that iCR can detect bugs with more accuracy than the industry leaders. We are continuously working to sharpen the accuracy of iCR by fine-tuning the Deep Static Analysis, Machine Learning and Code Refactoring elements of our analysis engine in line with the OWASP Top 10, CVE Top 10, CWE Top 10 and the US National Vulnerability Database, which results in regular feature and maintenance updates of our tool.

Muktadir Mubassir: Software projects may vary in terms of size and complexity. Do the prices for OpenRefactory’s services vary depending on the size and complexity of the projects? May we know how the revenue model works?

Mushfique Manzoor: OpenRefactory’s pricing structure is adaptable to the diverse needs of software projects across different organisations. We recognise the spectrum of software development, ranging from freelancers to industry giants like Google and Facebook. To accommodate this diversity, our pricing varies based on the segment of users and the complexity of projects.

For users integrating iCR into their Continuous Integration and Continuous Deployment (CI/CD) pipelines, or for on-demand usage, we offer a licence subscription: users receive a licence to deploy on their premises and are billed by the number of contributors per month. This is typically seen in larger enterprises with heavy development environments.

Our other subscription model offers different pack sizes of Lines of Code (LoC) scanning capacity for a specific duration (monthly or yearly). Unlike the usual LoC count, where everything including whitespace is counted, iCR does not count whitespace in the code when calculating LoC, which is a benefit to the client; this measure is called OpenRefactory Bundled Lines of Code (OBLoC). A good analogy is mobile/cellular data packs. Every time iCR scans code, it deducts from the OBLoC capacity purchased, and iCR will continue to scan code as long as it has enough OBLoC capacity remaining.

Furthermore, we provide managed security audit services, leveraging our tools and expertise to manually review code and deliver comprehensive reports. While this involves exposure to client code, we maintain strict confidentiality under legal obligations.

In summary, our revenue model encompasses subscription packages tailored to code review needs, contributor-based pricing for enterprise-scale projects, and managed security audit services, ensuring flexibility and confidentiality for our valued clients.

Muktadir Mubassir: OpenRefactory currently provides its services in Java and C. Does it have plans to extend its services to other programming languages?

Mushfique Manzoor: OpenRefactory currently offers services for four programming languages: Java, Python, Go, and C. Each language includes support for its respective frameworks along with the native language, such as Java EE, Spring, Spring Boot and Android for Java; Django and Flask for Python; and http (standard library), Fiber and Gin for Go. iCR for C, being our initial offering, is currently undergoing a significant update.

Looking ahead, we are expanding our language support to meet evolving industry needs. This year, we are introducing Rust, a language positioned to replace C and C++ in the future. Additionally, we plan to incorporate JavaScript into our portfolio by the end of this year, followed by PHP in 2025. However, as with any startup, operational dynamics like revenue, growth, and funding may influence the timeline. Our goal remains to enhance our offerings to best serve our clients’ diverse needs.

Muktadir Mubassir: Geographical barriers are not an issue for OpenRefactory, considering the types of services it provides. How successful has OpenRefactory become in terms of onboarding international clients? Would you kindly share with us how you envision OpenRefactory’s future?

Mushfique Manzoor: OpenRefactory has successfully onboarded international clients across various regions, leveraging its robust service offerings and overcoming geographical barriers. While our Silicon Valley office primarily caters to the United States market, our development centre in Bangladesh manages operations for the Asia Pacific, the Middle East, Africa, and parts of Europe. This strategic setup has enabled us to serve clients globally, including prominent organisations like Red Hat, The Linux Foundation and Highrise Talent in the United States, TCS and RouteMobile in India, and Cataleya in Singapore, as well as clients across Europe, Australia, the United Arab Emirates, and Bangladesh.

Looking to the future, our vision is to democratise access to OpenRefactory’s tools, making them integral and indispensable for programmers of all levels, from beginners to seasoned professionals. We aspire to see widespread adoption of our tool, iCR, becoming a routine practice akin to brushing one’s teeth before bed. Our goal is to instill a culture where developers habitually run code scans with iCR before finalising their work, ensuring code quality and security.

From a business perspective, our aim is to grow and leave a lasting impact, bringing recognition to Bangladesh on the global stage of technological innovation. Historically, almost all fundamental innovations in computer science have originated in Western countries, particularly the United States. However, OpenRefactory, with its Bangladeshi talent, is for the first time pioneering an innovative solution to a fundamental computer science problem. We hope to inspire and pave the way for other Bangladeshi businesses to tackle fundamental challenges, drive real innovation in the sector, and ultimately contribute to the advancement of Bangladesh’s tech ecosystem.