Chris Wysopal (Founder and CTO at Veracode) is a legendary figure in cybersecurity. As part of the Boston hacker collective L0pht, he hacked into Microsoft in the 90s – and then in 1998, he testified in front of the US Congress that the internet was hopelessly insecure, and could be taken down in 30 minutes or less.
Wysopal is coming to Riyadh to speak at Black Hat MEA 2023. So we caught up with him ahead of the event, to give you a quick glimpse at his perspective on security and hacking.
“The very first steps were logging onto dial-up bulletin board systems (BBSs) and looking for technical information on how different devices and systems connected to computers. I didn't just want to run software on my computer, a lowly IBM PC with 2 floppy drives. I wanted to connect to other systems to explore and see what they could do.
“This led me to learn about hacker BBSs where people would talk about what systems they found and how they worked. This quickly led to hacker meetups like 2600 Magazine meetups and closed BBSs where you needed to know the sysop, typically by meeting in person.
“I met Brian Oblivion who ran Black Crawling Systems. We became friends and he invited me to visit the L0pht in the South End of Boston. He had founded it a few months earlier with Count Zero and was looking for like-minded hackers to share the space. When I say like-minded it meant people who wanted to explore systems and technology like PCs, mini-computers, cell phones and really anything digital or network connected. Sharing knowledge and resources with a team meant we could do much more than solo. I was hooked!”
“Cybersecurity is a wide tent. It needs people who are breakers, like me, but it also needs builders and investigators. It needs these disparate groups of people with different mindsets and skill sets to come together to solve the problem of building a secure digital world.
“So I would like to bring together a diverse community of thinkers, even an interdisciplinary community. I love it when I talk to software engineers or lawyers, who have a deep understanding of their craft, yet want to help solve our collective cybersecurity problem. So I would want to bring people from multiple walks of life and experiences together and work on the challenges we all face in the cybersecurity realm.”
“When I founded Veracode I wanted every developer building software to have access to application security testing so they could make their applications and products secure themselves without needing specialised application security consultants.
“I was one of those consultants for four-and-a-half years at @stake. I realised the problem of vulnerable software needed automated testing solutions to scale to all the software being built in the world, which has likely increased tenfold in the last 17 years. So the need is at least ten times what it was when I started Veracode.
“I now think most developers have access to this technology, but not all. There is still some work to be done there. The company's goals have changed somewhat from simple testing of one application for one team, to needing to support complex software development at a large scale, hundreds of pieces of software working together spanning mobile, cloud native, container based, serverless, microservices, APIs, etc. It's not your mother's or father's 3-tier Java app anymore.
“That is where the challenge lies: supporting many languages, environments, and cloud technologies. So this has made the goals much more ambitious but necessary for the future of cybersecurity.”
“I worry about the very widespread vulnerabilities that come from common open source packages that are built into thousands of software applications. This is what happened with the log4j vulnerability from the end of 2021. It required thousands of development teams to spring into action to update, rebuild and redeploy their software before attackers could scale up their attacks.
“Many of these open source vulnerabilities cannot be easily stopped with network or host level security protection. They can only be solved through developer effort. This update process needs to be automated as much as possible as attackers get faster launching new attacks.”
“I wish everyone knew how easy it is to attack a vulnerable system with easily downloadable tools. There is a mystique out there that attackers are geniuses. Really, everyone with a few hours of training can learn how to do this – and they should.”
“Black Hat MEA is a venue that can bring lots of people together from all over the world to share their knowledge and learn together. I am looking forward to learning new perspectives and solutions from new colleagues that I have yet to meet. If you bring an open mind and a friendly attitude you can learn so much from a cybersecurity conference such as Black Hat MEA.”
Thanks to Chris Wysopal at Veracode. Learn more from Chris at Black Hat MEA 2023.