Chris Wysopal on L0pht, new threats, and what cyber needs

Chris Wysopal (Founder and CTO at Veracode) is a legendary figure in cybersecurity. As part of the Boston hacker collective L0pht, he hacked into Microsoft in the 90s – and then in 1998, he testified in front of the US Congress that the internet was hopelessly insecure, and could be taken down in 30 minutes or less.

Wysopal is coming to Riyadh to speak at Black Hat MEA 2023. So we caught up with him ahead of the event, to give you a quick glimpse at his perspective on security and hacking.

What were the very first steps you took into cybersecurity? What led you to being part of L0pht?

“The very first steps were logging onto dial-up bulletin board systems (BBSs) and looking for technical information on how different devices and systems connected to computers. I didn't just want to run software on my computer, a lowly IBM PC with 2 floppy drives. I wanted to connect to other systems to explore and see what they could do.

“This led me to learn about hacker BBSs where people would talk about what systems they found and how they worked. This quickly led to hacker meetups like 2600 Magazine meetups and closed BBSs where you needed to know the sysop, typically by meeting in person.  

“I met Brian Oblivion who ran Black Crawling Systems. We became friends and he invited me to visit the L0pht in the South End of Boston. He had founded it a few months earlier with Count Zero and was looking for like-minded hackers to share the space. When I say like-minded it meant people who wanted to explore systems and technology like PCs, mini-computers, cell phones and really anything digital or network connected. Sharing knowledge and resources with a team meant we could do much more than solo. I was hooked!”

You testified in front of the US Congress in 1998. If right now, in 2023, you could put together an ideal audience (including all the people and/or organisations, from anywhere in the world, that you think could be most influential in shaping the future of cybersecurity) who would be in that audience?

“Cybersecurity is a wide tent. It needs people who are breakers, like me, but it also needs builders and investigators. It needs these disparate groups of people with different mindsets and skill sets to come together to solve the problem of building a secure digital world.

“So I would like to bring together a diverse community of thinkers, even an interdisciplinary community. I love it when I talk to software engineers or lawyers, who have a deep understanding of their craft, yet want to help solve our collective cybersecurity problem. So I would want to bring people from multiple walks of life and experiences together and work on the challenges we all face in the cybersecurity realm.”

What were your biggest goals when you founded Veracode – and have you achieved them? And how have the company's goals changed over the last 17 years?

“When I founded Veracode I wanted every developer building software to have access to application security testing so they could make their applications and products secure themselves without needing specialised application security consultants.

“I was one of those consultants for four-and-a-half years at @stake. I realised the problem of vulnerable software needed automated testing solutions to scale to all the software being built in the world, which has likely increased tenfold in the last 17 years. So the need is at least ten times what it was when I started Veracode.  

“I now think most developers have access to this technology, but not all. There is still some work to be done there. The company's goals have changed somewhat from simple testing of one application for one team, to needing to support complex software development at a large scale, hundreds of pieces of software working together spanning, mobile, cloud native, container based, serverless, microservices, APIs, etc. It's not your mother or fathers 3-tier Java app anymore.

“That is where the challenge lies: supporting many languages, environments, and cloud technologies. So this has made the goals much more ambitious but necessary for the future of cybersecurity.”

What types of threat (or vulnerability) are you most concerned about right now?

“I worry about the very widespread vulnerabilities that come from common open source packages that are built into thousands of software applications. This is what happened with the log4j vulnerability from the end of 2021. It required thousands of development teams to spring into action to update, rebuild and redeploy their software before attackers could scale up their attacks.

“Many of these open source vulnerabilities cannot be easily stopped with network or host level security protection. They can only be solved through developer effort. This update process needs to be automated as much as possible as attackers get faster launching new attacks.”

What's one thing you wish everyone knew about cybersecurity?

“I wish everyone knew how easy it is to attack a vulnerable system with easily downloadable tools. There is a mystique out there that attackers are geniuses. Really, everyone with a few hours of training can learn how to do this – and they should.”

What's the value of events like Black Hat MEA to you?

“Black Hat MEA is a venue that can bring lots of people together from all over the world to share their knowledge and learn together. I am looking forward to learning new perspectives and solutions from new colleagues that I have yet to meet. If you bring an open mind and a friendly attitude you can learn so much from a cybersecurity conference such as Black Hat MEA.”

Thanks to Chris Wysopal at Veracode. Learn more from Chris at Black Hat MEA 2023.