Episode 127: Chris Wysopal on Reducing Attack Surface in the Age of AI
Mar 24, 2025
Chris Wysopal, co-founder of Veracode and a pioneer in application security, shares his rich history in cybersecurity from the hacking collective 'The L0pht' to leading vulnerability research. He discusses the shift towards comprehensive application risk management and highlights the dual-edged sword of generative AI in development – amplifying speed while introducing new security challenges. Wysopal underscores the importance of automated remediation and deep security integration in the software lifecycle, all while cautioning against the rising threats from social engineering attacks.
Chris Wysopal emphasizes the transition from traditional vulnerability testing to comprehensive application risk management in the face of escalating software complexity.
He highlights the dual-use of AI in cybersecurity, stressing its role in accelerating development while raising significant security challenges and vulnerabilities.
Deep dives
The Origins of Vulnerability Research
Chris Wysopal shares how his early interest in computers grew into a fascination with vulnerability research in the late 1980s. He describes his experience with bulletin board systems, and the thrill of discovering unconventional information that was not taught in traditional educational settings. This curiosity eventually led him to join The L0pht, a pioneering group focused on finding software and hardware vulnerabilities and publishing its findings rather than simply reporting them to vendors. The L0pht's early work contributed significantly to the formalization of vulnerability research as a discipline within cybersecurity.
The Gray Hat Phenomenon
In the discussion of ethical boundaries in cybersecurity, the concept of 'gray hats' emerges from Wysopal's experiences at The L0pht. He explains how the ethical ambiguity surrounding vulnerability research led to the coining of the term, defining gray hats as individuals who operate in the space between white hats and black hats. The L0pht's work often stirred controversy, since its disclosures were seen as both beneficial and disruptive, challenging the conventional understanding of ethical hacking. This positioning highlighted the need to explore vulnerabilities while navigating the complex ethical landscape of cybersecurity.
Transitioning to Application Security
Wysopal outlines the evolution of Veracode, the application security company he co-founded. Initially concentrating on static and dynamic application security testing, the company has since pivoted toward managing the risks of third-party code in applications. He emphasizes that as software depends more on external libraries, the difficulty of ensuring its security increases, particularly given rising concerns about malicious code in dependencies. This shift has positioned Veracode as a leader in application risk management, reflecting broader trends in the cybersecurity domain.
The Role of AI in Cybersecurity
The conversation addresses the dual-use nature of AI in cybersecurity, highlighting its benefits for both defenders and attackers. Wysopal voices concern that generative AI produces more applications, and with them more vulnerabilities, complicating the security landscape. Conversely, he discusses how Veracode uses AI to automate security testing and remediation, aiming to simplify developers' interactions with security tools. Balancing the use of AI to secure software against its exploitation by malicious actors is becoming increasingly important.
In this OODAcast, Chris Wysopal shares his insights from decades in cybersecurity, detailing his journey from the early hacking collective "The L0pht" to co-founding Veracode. Wysopal reflects on the evolution of cybersecurity, highlighting his early contributions to vulnerability research and advocating the importance of adversarial thinking in security practices. He emphasizes the transition from traditional vulnerability testing to comprehensive application risk management, recognizing the increased reliance on third-party software and the escalating complexity of securing modern applications.
Wysopal also discusses how generative AI technologies are significantly accelerating application development but simultaneously creating substantial security challenges. He stresses that while AI-generated applications multiply rapidly, their vulnerability density remains comparable to human-written code. To manage this growing risk, Wysopal underlines the necessity of integrating automated, AI-driven vulnerability remediation into the software development lifecycle.
Looking forward, Wysopal advocates embedding security deeply within the application creation process, anticipating that AI will eventually help produce inherently more secure software. He also underscores the enduring threat of social engineering attacks, urging enterprises to prioritize comprehensive security awareness programs to strengthen their overall security posture and resilience. The conversation also examines some interesting parallels between the mindset of great hackers and the success of great entrepreneurs: both require grit, focus, creativity and, perhaps most importantly, persistence.
Learn more about Chris Wysopal's approaches and the company he founded at Veracode. For insights into reducing your organization's attack surface see: State of Software Security 2025