Chris Wysopal, CTO and co-founder of Veracode, is a well-known and well-respected entrepreneur and computer security expert. He describes his job as “building services that enable developers to write secure code.” Secure coding, he admits, is still a work in progress.
- You co-founded Veracode a decade ago. What keeps you there?
I don’t feel like we’re done yet. The majority of software is still not written with security in mind – we haven’t revolutionized the software industry yet, and that’s one of my missions and goals. To secure all software! Ten years in, I feel like it’s actually a 20-year mission.
- If Veracode could win any customer, who would you like it to be?
A US government agency – the IRS, for example. They have everyone’s data, and a breach there would be really, really bad. I’d love them to use Veracode.
- What is the best part of your job?
I love it when we get to be on the incident response team battling incidents, because it’s fun and exciting. Often, what we do makes an impact but it’s kind of boring because the impact is so far removed from the action. We’re not a smoke alarm or a fire department; we’re a sprinkler system installer. Happily, the incident response part is starting to happen more for us. I’m most proud whenever a customer adopts security testing in their development lifecycle as best practice, because we’ve changed the way they operate forever, and they’ll always be secure. That’s the best part.
- What’s the most misunderstood thing about information security?
That it is a good thing to have so many things shared in secret in an intelligence community model to make a secure world. For some reason, many security people flock to a spy versus spy mentality because there is an intelligent adversary. This is not an appropriate model for dealing with criminals. We should be exposing all the indicators of compromise, sources of attack, attacker fingerprints, far and wide so that criminals have nowhere to hide.
- What’s the worst part of your job?
Being breached. Either Veracode itself, or one of our customers. Anyone and everyone in security worries about that. Red-eye flights and all the travel are also a downside. We’re expanding more into Europe so that means more travel and longer travel.
- If you could change one thing about the information security sector, what would it be?
It would be to build better bridges to the people building technology so that security gets built into all of the software and services we depend on, and is not an afterthought. Security and development and system building need to be on the same team and not opposed to each other in a ‘cop vs civilian’ model. We need to be on the same team to build a secure technology world.
- Who do you really admire in the industry?
I admire Dan Geer both because of his longevity of relevance in an ever-changing industry and because he follows his principles steadfastly.