Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:55 AM
Connect Directly

Q&A: 'Weld Pond' Talks Secure Software

Chris Wysopal sheds light on how his revolutionary testing technology saw the light of day, and discusses his new book, and his security fears

He pioneered vulnerability research, but he's no hacker. Chris Wysopal -- a.k.a. "Weld Pond" and formerly of the famed hacker group known as the L0pht -- is now co-founder and CTO of startup Veracode, a new security software testing services provider.

Wysopal, who co-authored the industry's de facto word on the responsible disclosure of vulnerabilities, has literally written the book on software security testing, The Art of Software Security Testing. And he and other former executives of @stake (purchased by Symantec in 2004) recently rolled their software security testing technology into a service offering from Veracode, which they launched this week.

Wysopal spoke to Dark Reading senior editor Kelly Jackson Higgins about the new business, bugs, and his book. (See Security Startups Make Debut.)

Figure 1: Chris Wysopal

DR: What's the origin of the binary-testing technology that Veracode now offers in its new services? And why didn't Symantec adopt it?

CW: We developed it at @stake... The first couple of years it was a skunk-works project and we were figuring out if it could be done. Nobody had done binary analysis where it could be as accurate as source-code analysis.

Symantec purchased @stake for its consulting business. We came along as part of the company and it didn't seem like there was a good fit. Symantec had divested itself of developer tools and things of that nature. So [we spun] out the technology and it took about a year to do it... Symantec got a small equity stake in the company [Veracode].

DR: Why binary-code testing for more secure software products?

CW: There's no silver bullet. A flight-control system, for instance, has to be very secure. You need to do design reviews of it, source code reviews, and security testing... The fact of the matter is testing costs a lot of money and takes a lot of time. And there is software out there that doesn't need to be secure, like an internal Web application to look up the [company] cafeteria menu.

We're trying to make it easier and more cost-effective for all software to get a security analysis. Binary is cheaper if you are offering it as a service -- you don't need to install software on lots of different desktops and have developers running the tools... We can fit into the development cycle and different milestones of the development cycle. You don't need extra resources to get a security analysis.

DR: Why The Art of Software Security Testing?

CW: I got the idea about two or three years ago when I was at a large software vendor [client] site, and three or four of us from @stake were doing security testing. We kept interfacing with the QA [quality assurance] people, asking them, "Do you have a testing tool that can do this -- we want to take it and modify it." This got them asking, "what are you actually doing, and can we sit here and watch you do this?" We [realized] we should really write all this stuff down so other QA people can learn, too.

We are trying to bridge some of the artistry of penetration testers, who are traditionally self-taught, to a more formalized software development process. I think [security software testing] has really only been formalized in software development groups in the last two or three years... Before that, it was being done by forward-thinking companies that would hire people from @stake and have them come in and be part of their QA process.

We want to bridge the gap between the security world and the QA practitioner.

DR: How much has changed in the security research world since you first co-wrote the definitive "responsible disclosure" RFC for the industry?

CW: I think it's changed a little bit. Software vendors are more responsive than when we first wrote that document four years ago. There's always been a group of people that doesn't necessarily want to work with this vendor and give them free security research. They think vendors are not going to take security seriously and build their products more securely [without public disclosures]. Some of those ideas may have been true several years ago, but I think most vendors understand that security vulnerability in their software is not good for sales: If you Google on a software name, the first five hits in the list usually come up with vulnerabilities.

The problem I have with the Month of Bugs is they don't give any time for a vendor to respond to the issue. It's a good thing to raise awareness of a particular class of problems and vulnerabilities in a certain area. But cramming it into a month where there's no way for a vendor to respond in that timeframe is not necessarily a good thing.

DR: Do you consider yourself a reformed hacker?

CW: I see myself mostly as a software developer.

My QA, software, and vulnerability research background has helped me understand the big picture, and having a diversified view of security is important. I think that actually sitting down and doing vulnerability research is important to understanding how to secure software.

My first foray into writing security tools was software called L0phtCrack that became a product at @stake, and then at Symantec.

DR: What scares you most about security today?

CW: We're just starting to scratch the surface of some of the vulnerabilities in the whole Web application space -- Cross Site Request Forgery (CSRF) and Ajax-style development. I don't think we understand the ramifications of a very powerful, rich client/service model where the code is sort of running all over the place

We're definitely very interested in coming up with solutions for these dynamic mashup applications. We are coming up with testing techniques to find vulnerabilities [here].

DR: So what else should we expect to see from Veracode?

CW: We didn't just take a binary static analyzer and bolt a Web front-end onto it. We built a software assurance platform where we could plug in multiple types of engines, and take threat feeds and other types of vulnerability information, and build a rich software assurance platform. You can look for us to be announcing other different services on top of our platform.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Veracode
  • Symantec Corp. (Nasdaq: SYMC) Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 7/13/2020
    Omdia Research Launches Page on Dark Reading
    Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
    Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
    Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    Special Report: Computing's New Normal, a Dark Reading Perspective
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    The Threat from the Internetand What Your Organization Can Do About It
    The Threat from the Internetand What Your Organization Can Do About It
    This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-07-13
    The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in th...
    PUBLISHED: 2020-07-13
    The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the co...
    PUBLISHED: 2020-07-13
    An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
    PUBLISHED: 2020-07-13
    The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
    PUBLISHED: 2020-07-13
    A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version allows unauthenticated remote attackers to start a telnetd service on the device.