Cybersecurity 'Paul Revere' touts adversarial model

Chris Wysopal and his Boston hacker collective pals from the L0pht sounded the alarm on the sad state of software vulnerability in a now-legendary 1998 appearance before Congress. Then-Sen. Joe Lieberman hailed the group as "modern-day Paul Reveres."

Wysopal remains active in cybersecurity today as chief technology officer of Veracode, now part of CA Technologies. He spoke with The Associated Press recently on the state of security. Questions and responses have been edited for clarity and length.

Q: How did Microsoft in 2002 come to embrace the mindset of allowing friendly, "white-hat" hackers to pick apart software to expose flaws?

A: White hats go after the thing that is going to get the biggest bang for the buck, generate the most impact. That's why we targeted Microsoft and that's why Microsoft was under the most pressure.

Q: And the rest of the industry followed suit?

A: Every (big) company that grew up after Microsoft got to start from scratch — the Googles and the Facebooks, the Amazons. The mindset had already changed. You have to build software and systems securely or you're doomed.

Q: Can you explain your support of "ethical" software development — making programs secure from the get-go?

A: Often startups, in order to get off the ground, have to do some harm or they would never be able to build anything. But we also have large companies that aren't doing the right thing. They've built a product and amassed a massive amount of revenue but they still aren't securing that.

Q: The cybersecurity industry has exploded. How can people know which firms to trust?

A: Once you get past the well-categorized security products such as firewalls, IDSes (intrusion detection systems) and anti-virus, it seems like a free-for-all. No one wants to talk about their security failures publicly. So if a product failed on them and they get breached they're probably not going to talk about it. Most customers rely on a handful of analyst firms for guidance. But thousands of new products come out every year. It's a real challenge.

Q: One of the worst-known security breaches, at Equifax, occurred in part because company workers failed to install security patches. What are information-technology departments to do when there's a steady stream of patches that need to be constantly applied to maintain security?

A: They don't necessarily need to do that. I recommend pushing back on the vendors and saying, "You need to show me you have a secure development process that is lessening the amount of patches that I have to deal with."

Q: What should be done to improve the security of U.S. election systems?

A: I would require (companies) selling this equipment to show they have a process where they're deploying adversarial testing against themselves. If they don't have that in-house they should be hiring someone — a third party — to do that for them and show evidence they're doing that.