
June 19, 2007

Take5- Five Questions for Chris Wysopal, CTO Veracode

In this first installment of Take5, I interview Chris Wysopal, the CTO of Veracode, about his new company, secure coding, vulnerability research, and the recent forays into application security by IBM and HP.

This entire interview was actually piped over a point-to-point TCP/IP connection using command-line redirection through netcat.  No packets were harmed during the making of this interview...

First, a little background on the victim, Chris Wysopal:

Chris Wysopal is co-founder and CTO of Veracode. He has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. Chris co-authored the password auditing tool L0phtCrack, wrote the Windows version of netcat, and was a researcher at the security think tank L0pht Heavy Industries, which was acquired by @stake. He was VP of R&D at @stake and later director of development at Symantec, where he led a team developing binary static analysis technology.

He was influential in the creation of responsible vulnerability disclosure guidelines and is a founder of the Organization for Internet Safety. Chris wrote "The Art of Software Security Testing: Identifying Software Security Flaws", published by Addison Wesley and Symantec Press in December 2006. He earned his Bachelor of Science degree in Computer and Systems Engineering from Rensselaer Polytechnic Institute.

1) You're a founder of Veracode, which is described as the industry's first provider of automated, on-demand application security solutions. What sort of application security services does Veracode provide? Binary analysis, web apps?
 
Veracode currently offers binary static analysis of C/C++ applications for Windows and Solaris and for Java applications.  This allows us to find the classes of vulnerabilities that source code analysis tools can find but on the entire codebase including the libraries which you probably don't have source code for. Our product roadmap includes support for C/C++ on Linux and C# on .Net.  We will also be adding additional analysis techniques to our flagship binary static analysis.
 
2) Is this a SaaS model? How do you charge for your services? Do you see manufacturers using your services or enterprises?

Yes. Customers upload their binaries to us and we deliver an analysis of their security flaws via our web portal.  We charge by the megabyte of code.  We have both software vendors and enterprises who write or outsource their own custom software using our services.  We also have enterprises who are purchasing software ask the software vendors to submit their binaries to us for a 3rd party analysis.  They use this analysis as a factor in their purchasing decision. It can lead to a "go/no go" decision, a promise by the vendor to remediate the issues found, or a reduction in price to compensate for the cost of additional controls or the cost of incident response that insecure software necessitates.
 
3) I was a Qualys customer; Qualys is a VA/VM SaaS company. Qualys had to spend quite a bit of time convincing customers that allowing for the storage of their VA data was secure. How does Veracode address a customer's security concerns when uploading their applications?

We are absolutely fanatical about the security of our customers' data. I look back at the days when I was a security consultant, where we had vulnerability data on laptops and corporate file shares, and I say, "What were we thinking?" All customer data at Veracode is encrypted in storage and at rest with a unique key per application and customer. Everyone at Veracode uses two-factor authentication to log in, and two-factor is the default for customers. Our data center is a SAS 70 Type II facility. All data access is logged, so we know exactly who looked at what and when. As security people we are professionally paranoid, and I think it shows through in the system we built. We also believe in third-party verification, so we have had a top security boutique do a security review of our portal application.
 
4) With IBM's acquisition of Watchfire and today's announcement that HP will buy SPI Dynamics, how does Veracode stand to play in this market of giants who will be competing to drive service revenues?

We have designed our solution from the ground up to have the Web 2.0 ease of use and experience, and we have the quality of analysis that I feel is the best in the market today. An advantage is that Veracode is an independent assessment company that customers can trust not to play favorites to other software companies because of partnerships or alliances. Would Moody's or Consumer Reports be trusted as a third party if they were part of a big financial or technology conglomerate? We feel a third-party assessment is important in the security world.
 
5) Do you see the latest developments in vulnerability research, with the drive for pay-for-zero-day initiatives, pressuring developers to produce secure code out of the box for fear of exploit, or is it driving the activity to companies like yours?

I think the real driver for developers to produce secure code, and for developers and customers to seek code assessments, is the reality that the cost of insecure code goes up every day and it's adding to the operational risk of companies that use software. People exploiting vulnerabilities are not going away, and there is no way to police the internet of vulnerability information. The only solution is for customers to demand more secure code, and proof of it, and for developers to deliver more secure code in response.

Disclaimer

  • The views and opinions expressed here are those of Christofer Hoff only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.