Chris Wysopal is the founder and CTO of Veracode. Unlike many CTOs in the cybersecurity business, Wysopal has a long history of actually doing security and was one of the founders of L0pht Heavy Industries, one of the original hacker collectives. It gives him a unique insight into application security and is one of the reasons why he founded Veracode.
Enterprise Times caught up with Wysopal at the RSA Conference 2020 in San Francisco. One of the challenges for security teams today is that they are very time-poor. Wysopal made the point that both manual code reviews and pentesting take too long. The result is that no-one wants to do them, and that is a problem for any security team.
The volume of software is exploding, and software now appears in areas where we never thought it would be. To get an idea of the scale of the problem, Veracode has just issued its State of Software Security report. The results are not encouraging. In fact, Wysopal said what Veracode learned was: “that all software is insecure”. He continued: “Over 70% has vulnerabilities.”
Wysopal goes on to talk about how we need to set an acceptable level of risk for software. He also talks about the need to get the cadence of testing right in order to reduce security debt. Agile teams, who are driving the explosion of software, often talk about technical debt but rarely about security debt.
Wysopal also talked about the problem of liability. The software industry sells everything with no warranty. As software becomes pervasive in everything, there is a need for regulators and consumer law to look at the risk and liability issues.
To hear what else Wysopal has to say, listen to the podcast.
Where can I get it?
get it for Android devices from play.google.com/music/podcasts
use the Enterprise Times page on Stitcher
use the Enterprise Times page on Podchaser
listen to the Enterprise Times channel on Soundcloud
listen to the podcast (below) or download the podcast to your local device and then listen there