In this first installment of Take5, I interview Chris Wysopal, the CTO of Veracode about his new company, secure coding, vulnerability research and the recent forays into application security by IBM and HP.
This entire interview was actually piped over a point-to-point TCP/IP connection using command-line redirection through netcat. No packets were harmed during the making of this interview...
First, a little background on the victim, Chris Wysopal:
Chris Wysopal is co-founder and CTO of Veracode. He has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. Chris co-authored the password auditing tool L0phtCrack, wrote the Windows version of netcat, and was a researcher at the security think tank L0pht Heavy Industries, which was acquired by @stake. He was VP of R&D at @stake and later director of development at Symantec, where he led a team developing binary static analysis technology.
He was influential in the creation of responsible vulnerability disclosure guidelines and a founder of the Organization for Internet Safety. Chris wrote "The Art of Software Security Testing: Identifying Security Flaws", published by Addison Wesley and Symantec Press in December 2006. He earned his Bachelor of Science degree in Computer and Systems Engineering from Rensselaer Polytechnic Institute.
of automated, on-demand application security solutions. What sort of application security services does Veracode provide? Binary analysis, web apps?
2) Is this a SaaS model? How do you charge for your services? Do you see manufacturers using your services or enterprises?
3) I was a Qualys customer, a VA/VM SaaS company. Qualys had to spend quite a bit of time convincing customers that allowing for the storage of their VA data was secure. How does Veracode address a customer's security concerns when uploading their applications?
We are absolutely fanatical about the security of our customers' data. I look back at the days when I was a security consultant, where we had vulnerability data on laptops and corporate file shares, and I say, "what were we thinking?" All customer data at Veracode is encrypted in storage and at rest with a unique key per application and customer. Everyone at Veracode uses 2-factor authentication to log in, and 2-factor is the default for customers. Our data center is a SAS 70 Type II facility. All data access is logged, so we know exactly who looked at what and when. As security people we are professionally paranoid, and I think it shows through in the system we built. We also believe in 3rd-party verification, so we have had a top security boutique do a security review of our portal application.
4) With IBM's acquisition of Watchfire and today's announcement that HP will buy SPI Dynamics, how does Veracode stand to play in this market of giants who will be competing to drive service revenues?
5) Do you see the latest developments in vulnerability research, with the drive for pay-for-zero-day initiatives, pressuring developers to produce secure code out of the box for fear of exploit, or is it driving the activity to companies like yours?