Seven Questions on Software Security for Veracode’s Chris Wysopal
When you think about all the high-profile hacking attacks that have occurred in the last several years, you might be surprised to learn that making software secure before it’s in use isn’t always a high priority for the companies that make it.
Hackers can go after a lot of things to get what they want. Make a server hard to hack, they’ll go after the network. Harden the network, they’ll then go after something else.
Lately that something else has been software applications. They might be small applications that run on the Web or mobile apps that run on a smartphone.
Companies are moving so fast to launch Web apps and mobile apps that they often don’t bother to think much about security, assuming that the people writing the code know what they’re doing. That’s not always the case.
At the recent RSA Conference in San Francisco, I talked with Chris Wysopal, the CTO of Veracode. Based in Burlington, Mass., Veracode helps software developers bake security into the apps they create so that they’re less likely to have to go back and fix things later after a vulnerability has been found — or worse, after an attack.
If his name sounds familiar, it’s because he’s the same Chris Wysopal who years ago was better known as Weld Pond, a member of the respected hacker think tank L0pht Heavy Industries. Its seven members famously testified before Congress in 1998 that with their accumulated knowledge they could “bring down the entire Internet in 30 minutes.” Another L0pht member was Peter Zatko, better known as Mudge, who recently left DARPA, the research arm of the U.S. Department of Defense, for a job at Google.
The next year several L0pht members went on to start @Stake, a security consulting firm that they sold to Symantec in 2004.
Wysopal founded Veracode with another L0pht member — Christien Rioux, a.k.a. DilDog — in 2006. Since then the company has raised about $74 million in five rounds of venture capital funding from investors including Meritech Capital Partners, Atlas Ventures, .406 Ventures, StarVest Partners, Rovi and Symantec. It has been growing by about 50 percent a year since then.
Here’s a little of what we talked about.
Re/code: Chris, I think the fact that Veracode exists is kind of surprising. With all the hacking attacks we’ve experienced over the years, the notion of building software to be secure the first time seems obvious, and yet — here’s Veracode, and it’s a relatively new company. What is it about securing applications that’s so hard?
Wysopal: It’s funny, I was just on a panel about whether or not companies who buy software should require security testing of the vendors they buy software from. There were people from Microsoft and EMC — two of the biggest software companies in the world — arguing that they don’t want testing, and one person representing the views of the utility industry, which buys a lot of software. Basically the vendors don’t want to be tested, because they know they’ll find problems and they’ll have to fix them, but it doesn’t mean that the software is good or bad. I came up with the analogy of going to the skin doctor to check for cancerous lesions. If you have them it doesn’t mean that your overall health is good or bad, it just means you have a lesion and you have to do something about it. … But I can understand why the vendors don’t want it, because it slows down the sales process.
So where are you seeing this kind of testing put into place?
Financial companies. The FS-ISAC, the security group for the financial industry, which I think is one of the best of the security user groups, came out in December with two new recommendations: One was to ask vendors about their security process and the level of training of their developers. And the other was to conduct static binary analysis testing on the software, which is to say test it for security glitches before you use it. The two go hand in hand, and that’s the process we’re pushing for. The financial industry led the way with application security, and I think health care will be next, given the push for electronic medical records and to automate processes and all the little companies popping up to do that.
So what’s the big security trend you’re seeing right now?
People are trying to move faster and faster to deploy technology. They see it as a way to grow and reduce friction in their business. Marc Andreessen says that software is eating the world. So not only do we have startups disrupting the traditional players, like WhatsApp disrupting the telco industry, but we’re seeing similar disruptions coming in financial services and health care from software, either from new companies or established ones building it themselves or buying it. And what they’re doing is different from before: Mobile apps and cloud apps and consumer-facing Web apps. All of this stuff increases the risk because it’s completely distributed over the Web, and the apps talk to each other and they touch sensitive data. My job is to keep them from being reckless. A startup company can be reckless. They start out with no security policy and end up with 100 million users, and then realize too late they have big security holes. A bank can’t do that.
So what’s the answer?
You have to bake security into the way you’re building the software. You can’t build it and then test for security and then go back and redo the software. Writing it secure the first time is faster. So our customers are measuring the code they get from their outsourced developers, and they’re seeing that the code that comes in clean gets deployed faster, and so they send more work to the companies who do that. If there’s the right kind of testing done along the way, there’s an incentive to build better software. What we’re trying to do at Veracode is make it easy.
Are you on the lookout for any new kinds of threats and vulnerabilities?
The threats don’t really change that much, at least not the traditional ones. Basically attackers figure out new ways to exploit how businesses run their infrastructure. What we’ve realized is that the way that organizations are deploying technology is really out of control right now. And there’s a lot of websites out there collecting customer information that the CIO or CISO doesn’t even know about. A bank may have a promotional site with its name on it, but which the bank didn’t build and which nevertheless collects sensitive data. I talked to one CISO from a major company who said that all the breaches that hurt his company’s brand and put them at legal risk came through a third-party site with the company’s name on it that they didn’t know about. A CISO for a major company told me exactly that.
Can you get ahead of the attackers?
You can, before the attacks begin. We did do this with one company around the time of the LulzSec attacks. There had been some chatter picked up by law enforcement agencies that this company was going to be the next target, the next Sony. It was a very large global manufacturing company. They came to us and said they didn’t even know how many websites they had. They had done so many M&A transactions and had so many products, they had no idea. … They gave us a list of domain names and IP addresses they controlled, and we scanned all their apps and sites for problems. We scanned 8,000 applications in two weeks. We found hundreds of vulnerabilities which they fixed. But they were able to avoid being the next Sony.
What about software-as-a-service applications? What does that shift mean for your clients?
We’re a SaaS company ourselves. Our customers, especially the financial services ones, hold us accountable the same way they would their own infrastructure. Since we’re a small growing company, we use cloud applications for human resources — for payroll and things like that. We ask our vendors if they’ve been audited for different things, and they have to show us. Have they had a manual penetration test? What’s their security program like? It’s easy. You hold your service providers to the same level to which you would hold yourself.