Cybersecurity 'Paul Revere' touts adversarial model

This undated photo provided by VeraCode shows Chris Wysopal, chief technical officer of Veracode. Wysopal was in his early 30s when he and his cohorts from the Boston hacker collective pals L0pht formed the early cybersecurity firm @stake. In 2006, after Symantec bought the company, Wysopal co-founded Veracode. Last year, CA Technologies acquired his 700-employee company. (Veracode via AP)

BURLINGTON, Mass. — Chris Wysopal and his Boston hacker collective pals from the L0pht sounded the alarm on the sad state of software vulnerability in a now-legendary 1998 appearance before Congress. Then-Sen. Joe Lieberman hailed the group as "modern-day Paul Reveres."

Wysopal remains active in cybersecurity today as chief technology officer of Veracode, now part of CA Technologies. He spoke with The Associated Press recently on the state of security. Questions and responses have been edited for clarity and length.

Q: How did Microsoft in 2002 come to embrace the mindset of allowing friendly, "white-hat" hackers to pick apart software to expose flaws?

A: White hats go after the thing that is going to get the biggest bang for the buck, generate the most impact. That's why we targeted Microsoft and that's why Microsoft was under the most pressure.

Q: And the rest of the industry followed suit?

A: Every (big) company that grew up after Microsoft got to start from scratch — the Googles and the Facebooks, the Amazons. The mindset had already changed. You have to build software and systems securely or you're doomed.

Q: Can you explain your support of "ethical" software development — making programs secure from the get-go?

A: Often startups, in order to get off the ground, have to do some harm or they would never be able to build anything. But we also have large companies that aren't doing the right thing. They've built a product and amassed a massive amount of revenue but they still aren't securing that.

Q: The cybersecurity industry has exploded. How can people know which firms to trust?

A: Once you get past the well-categorized security products such as firewalls, IDSes (intrusion detection systems) and anti-virus, it seems like a free-for-all. No one wants to talk about their security failures publicly. So if a product failed on them and they get breached they're probably not going to talk about it. Most customers rely on a handful of analyst firms for guidance. But thousands of new products come out every year. It's a real challenge.

Q: One of the worst-known security breaches, at Equifax, occurred in part because company workers failed to install security patches. What are information-technology departments to do when there's a steady stream of patches that need to be constantly applied to maintain security?

A: They don't necessarily need to do that. I recommend pushing back on the vendors and saying, "You need to show me you have a secure development process that is lessening the amount of patches that I have to deal with."

Q: What should be done to improve the security of U.S. election systems?

A: I would require (companies) selling this equipment to show they have a process where they're deploying adversarial testing against themselves. If they don't have that in-house they should be hiring someone — a third party — to do that for them and show evidence they're doing that.

Must Read

US regulators: Official recall of 1M Samsung Note...

Sep 16, 2016

U.S. regulators are issuing an official recall of Samsung's Galaxy Note 7 phone because of the risk...

US elections still vulnerable to rigging,...

Dec 26, 2016

The presidential election in November has cast light on long-known problems in the voting system

Trump says he doesn't trust computers as he rings...

Jan 1, 2017

President-elect Donald Trump says that "no computer is safe" when it comes to keeping information...

Trump still not sold on Russian link to hacking

Jan 1, 2017

President-elect Donald Trump says "no computer is safe" when it comes to keeping information private

Cruise ship operators bringing high tech to the...

Jan 4, 2017

High technology is taking to the high seas

About Us

The World Insiders brings you exclusive coverage from across the globe in a timely, easy to consume format sourced directly from our regional media partners.

Contact us: sales[at]theworldinsiders.com

Subscribe Now!