Cybersecurity 'Paul Revere' touts adversarial model

This undated photo provided by Veracode shows Chris Wysopal, chief technical officer of Veracode. Wysopal was in his early 30s when he and his pals from the Boston hacker collective L0pht formed the early cybersecurity firm @stake. In 2006, after Symantec bought the company, Wysopal co-founded Veracode. Last year, CA Technologies acquired his 700-employee company. (Veracode via AP)

BURLINGTON, Mass. — Chris Wysopal and his Boston hacker collective pals from the L0pht sounded the alarm on the sad state of software vulnerability in a now-legendary 1998 appearance before Congress. Then-Sen. Joe Lieberman hailed the group as "modern-day Paul Reveres."

Wysopal remains active in cybersecurity today as chief technology officer of Veracode, now part of CA Technologies. He spoke with The Associated Press recently on the state of security. Questions and responses have been edited for clarity and length.

Q: How did Microsoft in 2002 come to embrace the mindset of allowing friendly, "white-hat" hackers to pick apart software to expose flaws?

A: White hats go after the thing that is going to get the biggest bang for the buck, generate the most impact. That's why we targeted Microsoft and that's why Microsoft was under the most pressure.

Q: And the rest of the industry followed suit?

A: Every (big) company that grew up after Microsoft got to start from scratch — the Googles and the Facebooks, the Amazons. The mindset had already changed. You have to build software and systems securely or you're doomed.

Q: Can you explain your support of "ethical" software development — making programs secure from the get-go?

A: Often startups, in order to get off the ground, have to do some harm or they would never be able to build anything. But we also have large companies that aren't doing the right thing. They've built a product and amassed a massive amount of revenue but they still aren't securing that.

Q: The cybersecurity industry has exploded. How can people know which firms to trust?

A: Once you get past the well-categorized security products such as firewalls, IDSes (intrusion detection systems) and anti-virus, it seems like a free-for-all. No one wants to talk about their security failures publicly. So if a product failed on them and they get breached they're probably not going to talk about it. Most customers rely on a handful of analyst firms for guidance. But thousands of new products come out every year. It's a real challenge.

Q: One of the worst known security breaches, at Equifax, occurred in part because company workers failed to install security patches. What are information-technology departments to do when there's a steady stream of patches that need to be constantly applied to maintain security?

A: They don't necessarily need to do that. I recommend pushing back on the vendors and saying, "You need to show me you have a secure development process that is lessening the amount of patches that I have to deal with."

Q: What should be done to improve the security of U.S. election systems?

A: I would require (companies) selling this equipment to show they have a process where they're deploying adversarial testing against themselves. If they don't have that in-house they should be hiring someone — a third party — to do that for them and show evidence they're doing that.
