“All software has vulnerabilities until proven otherwise”
On May 19, 1998, seven young men in suits and under made-up names sat before the United States Congress to talk about computer security. They belonged to the hacker collective – in this case more cyber experts than hackers – known as the L0pht, and they earned their place in the history of the field for the bluntness of their warnings. Any one of them, they told the senators, had the skills to bring down the internet in less than half an hour.
One of them was Weld Pond, known in his life before and after as Chris Wysopal (Connecticut, 55 years old). In his remarks that day, he pointed to the lack of accountability on the part of software development companies and gave as an example the password-extraction tool he had built with his colleagues: “Before its launch, security experts claimed that it would take thousands of years to crack a Windows NT password – an operating system aimed at companies. Our program can do it in days and even hours.”
Twenty-three years after that appearance, the computer security expert and co-founder of the code review platform Veracode makes a bittersweet assessment of it: “We were trying to create awareness that the people who were building computer programs could do a better job and offer secure systems. From that point of view, we were successful. Things have improved, but not enough,” says the expert, who spoke last week at the Collision technology conference, in a video call interview.
Wysopal saw the birth and growth of the information security industry. In his early days he looked for vulnerabilities – flaws that can be exploited by cybercriminals – by reading program code line by line; now he leads the technology division of Veracode, whose tool detects these flaws automatically, across many programming languages, in the products of more than 2,500 customers. According to the latest installment of the state of the sector report that the company has produced for more than a decade, 24% of applications have very serious security flaws.
Question. Do we need another wake-up call?
Answer. Our wake-up call was theoretical. That’s one of the downsides of security research. You say that you have found some bugs that can be exploited and you assume that they will be fixed before someone does something wrong with them. Back then, the feeling was that no one else could do something like that. We knew a lot of capable people. We knew we were not special. But to someone without our abilities, this seemed like black magic. Back then, everything was theoretical. People don’t act on theories. But now we have concrete examples happening all the time. We put these ideas on the table 23 years ago, but there has been no action until truly devastating attacks have started to occur. Unfortunately that’s the way the world works.
Q. You have continued to insist on the need for companies to take responsibility for their IT products. Do you see a way for citizens to stop being the ones who pay the cost?
A. It is very difficult to change that. There is a lot of open software out there and many startups – experienced tech companies – working on groundbreaking projects that wouldn’t see the light of day if a bunch of legal restrictions were put on them.
In addition, it is very difficult for the average consumer to make a difference because they have no economic influence. But for example, the United States government or large companies have a tremendous economic advantage. If they get manufacturers to create better programs, consumers will see the impact. The best individual users can do is assume their applications are vulnerable and make sure to update them.
Q. Do we continue to demand less from digital goods and services than from physical ones?
A. Yes. We treat them differently, but they have value and can harm us. I think now that software is crossing over to the physical world, we are beginning to understand it. We talk about critical infrastructures like dams and power plants, and that makes it more real. The bad side of the virtual is becoming more relevant to normal people, because we are using technology in a different way.
Q. Can a tool like Veracode detect any kind of vulnerability?
A. The old-fashioned type of cybercriminal who kneels down and delves into a small piece of a computer program can still find things that are unique and that we don’t detect at scale. That fear is still there. But what we are trying to do is get rid of the other hundred things that we know how to solve. If you don’t address that, you are easy prey for anyone who wants to exploit your software.
Q. Are those line-by-line reviews still necessary?
A. If you are a big tech company or you work with critical systems, you have to do both: automated and manual. But I don’t think all programs require it. There are thousands and thousands of software providers. Take a look at your phone. It will have a hundred applications from different companies. Who knows who wrote them? That is the problem we are trying to solve, that of the medium-sized company. I think we can lower that 24% of very serious vulnerabilities to 1% by doing everything that many companies are failing to do because they give more priority to the time it takes to reach the market or the future.
Q. Does the evolution of the attackers’ methods and objectives complicate things?
A. Yes. In the nineties, the aim was simply to make a demonstration, or to make a company look bad by leaving its page unusable. Now the same vulnerabilities are used to steal data and monetize it. Therefore, the impact is worse.
Q. You have also pointed to open source as a source of problems …
A. The great advantage of open source is that it allows developers to have a lot of functionality available instantly, without having to build it from scratch, thus saving time and resources. The downside is that you have less control over the security of the code you are using. You have to monitor all the different pieces of open source that are being used and update them if any vulnerabilities are discovered.
In addition, it is a greater source of problems, because we use it more. It is like building a house. If you do it yourself, you don’t have problems with suppliers, but if you have ten different people making different parts of your house, you will have to manage them all and ensure that they are doing a good job.
Q. How does the activity of groups like L0pht fit into this new scenario?
A. That community is super important because there are a lot of things that could not happen in a 100% professional environment. A lot of people who were into this in the late nineties have now crossed over into the commercial world, because to solve these problems you have to build something that people can buy and reinforce it with people who work nine to five. I think that the commercial world has a better chance of solving problems and the hacker community has a better chance of making us aware of them.
Q. If you were seated again in Congress, what would your message be?
A. I would tell them to hold manufacturers accountable. I know they can do better. Now we know how to build technologies that are safer and more resistant to attacks. This was one of the messages we gave 23 years ago, and I think it’s starting to happen now. It’s amazing how slowly things change.
And I would tell users to assume that all software has vulnerabilities until proven otherwise.