Cybersecurity 'Paul Revere' touts adversarial model

BURLINGTON, Mass. — Chris Wysopal and his Boston hacker collective pals from the L0pht sounded the alarm on the sad state of software vulnerability in a now-legendary 1998 appearance before Congress. Then-Sen. Joe Lieberman hailed the group as "modern-day Paul Reveres."

Wysopal remains active in cybersecurity today as chief technology officer of Veracode, now part of CA Technologies. He spoke with The Associated Press recently on the state of security. Questions and responses have been edited for clarity and length.

Q: How did Microsoft in 2002 come to embrace the mindset of allowing friendly, "white-hat" hackers to pick apart software to expose flaws?

A: White hats go after the thing that is going to get the biggest bang for the buck, generate the most impact. That's why we targeted Microsoft and that's why Microsoft was under the most pressure.

Q: And the rest of the industry followed suit?

A: Every (big) company that grew up after Microsoft got to start from scratch — the Googles and the Facebooks, the Amazons. The mindset had already changed. You have to build software and systems securely or you're doomed.

Q: Can you explain your support of "ethical" software development — making programs secure from the get-go?

A: Often startups, in order to get off the ground, have to do some harm or they would never be able to build anything. But we also have large companies that aren't doing the right thing. They've built a product and amassed a massive amount of revenue but they still aren't securing that.

Q: The cybersecurity industry has exploded. How can people know which firms to trust?

A: Once you get past the well-categorized security products such as firewalls, IDSes (intrusion detection systems) and anti-virus, it seems like a free-for-all. No one wants to talk about their security failures publicly. So if a product failed on them and they get breached they're probably not going to talk about it. Most customers rely on a handful of analyst firms for guidance. But thousands of new products come out every year. It's a real challenge.

Q: One of the worst-known security breaches, at Equifax, occurred in part because company workers failed to install security patches. What are information-technology departments to do when there's a steady stream of patches that need to be constantly applied to maintain security?

A: They don't necessarily need to do that. I recommend pushing back on the vendors and saying, "You need to show me you have a secure development process that is lessening the amount of patches that I have to deal with."

Q: What should be done to improve the security of U.S. election systems?

A: I would require (companies) selling this equipment to show they have a process where they're deploying adversarial testing against themselves. If they don't have that in-house they should be hiring someone — a third party — to do that for them and show evidence they're doing that.

You may also like these

Apple CEO hopeful banned apps will return to...

Dec 6, 2017

Apple's chief executive says he's optimistic some apps that fell afoul of China's tight internet...

China charges former rising political star with...

Feb 13, 2018

Chinese authorities have charged former rising political star Sun Zhengcai with bribery

China first home-built aircraft carrier completes...

May 18, 2018

China says its first entirely home-built aircraft carrier has successfully completed five days of...

Tesla will build its 1st factory outside US in...

Jul 11, 2018

Electric car producer Tesla will build its first factory outside the United States in Shanghai,...

Tesla announces deal for Shanghai factory

Jul 11, 2018

Tesla announces plans for Shanghai factory

About Us

Science Tech Today is all about the present with what’s new in the Science and Technology world. “Keep up with today, and don’t be left behind.”

Contact us: sales[at]

Subscribe Now!