In this first installment of Take5, I interview Chris Wysopal, the CTO of Veracode about his new company, secure coding, vulnerability research and the recent forays into application security by IBM and HP.
This entire interview was actually piped over a point-to-point TCP/IP connection using command-line redirection through netcat. No packets were harmed during the making of this interview...
First, a little background on the victim, Chris Wysopal:
Chris Wysopal is co-founder and CTO of Veracode. He has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. Chris co-authored the password auditing tool L0phtCrack, wrote the Windows version of netcat, and was a researcher at the security think tank L0pht Heavy Industries, which was acquired by @stake. He was VP of R&D at @stake and later director of development at Symantec, where he led a team developing binary static analysis technology.
He was influential in the creation of responsible vulnerability disclosure guidelines and a founder of the Organization for Internet Safety. Chris wrote "The Art of Software Security Testing: Identifying Security Flaws", published by Addison Wesley and Symantec Press in December 2006. He earned his Bachelor of Science degree in Computer and Systems Engineering from Rensselaer Polytechnic Institute.
of automated, on-demand application security solutions. What sort of application security services does Veracode provide? Binary analysis, Web Apps?
2) Is this a SaaS model? How do you charge for your services? Do you see manufacturers using your services or enterprises?
3) I was a Qualys customer — a VA/VM SaaS company. Qualys had to spend quite a bit of time convincing customers that allowing for the storage of their VA data was secure. How does Veracode address a customer’s security concerns when uploading their
We are absolutely fanatical about the security of our customers' data. I look back at the days when I was a security consultant, where we had vulnerability data on laptops and corporate file shares, and I say, "what were we thinking?" All customer data at Veracode is encrypted in storage and at rest with a unique key per application and customer. Everyone at Veracode uses 2-factor authentication to log in, and 2-factor is the default for customers. Our data center is a SAS 70 Type II facility. All data access is logged, so we know exactly who looked at what and when. As security people we are professionally paranoid, and I think it shows through in the system we built. We also believe in 3rd-party verification, so we have had a top security boutique do a security review of our portal application.
4) With IBM’s acquisition of Watchfire and today’s announcement that HP will buy SPI Dynamics, how does Veracode stand to play in this market of giants who will be competing to drive service revenues?
5) Do you see the latest developments in vulnerability research, with the drive for pay-for-zeroday initiatives, pressuring developers to produce secure code out of the box for fear of exploit, or is it driving the activity to companies like yours?