Cybersecurity leader touts adversarial model
BURLINGTON — Chris Wysopal and his Boston hacker collective pals from the L0pht think tank sounded the alarm on the sad state of software vulnerability in a nowlegendary 1998 appearance before Congress. Then-Sen. Joe Lieberman hailed the group as “modernday Paul Reveres.”
Wysopal remains active in cybersecurity today as chief technology officer of Veracode, now part of CA Technologies. He spoke recently on the state of security. Questions and responses have been edited for clarity and length.
Q: How did Microsoft in 2002 come to embrace the mindset of allowing friendly, “white-hat” hackers to pick apart software to expose flaws?
A: White hats go after the thing that is going to get the biggest bang for the buck, generate the most impact. That’s why we targeted Microsoft and that’s why Microsoft was under the most pressure.
Q: And the rest of the industry followed suit?
A: Every (big) company that grew up after Microsoft got to start from scratch — the Googles and the Facebooks, the Amazons. The mindset had already changed. You have to build software and systems securely or you’re doomed.
Q: The cybersecurity industry has exploded. How can people know which firms to trust?
A: Once you get past the well-categorized security products such as firewalls, (intrusion detection systems) and anti-virus, it seems like a free-for-all. No one wants to talk about their security failures publicly. So if a product failed on them and they get breached they’re probably not going to talk about it. Most customers rely on a handful of analyst firms for guidance. But thousands of new products come out every year. It’s a real challenge.
Q: What should be done to improve the security of U.S. election systems?
A: I would require (companies) selling this equipment to show they have a process where they’re deploying adversarial testing against themselves. If they don’t have that in-house they should be hiring someone — a third party — to do that for them and show evidence they're doing that.