2008 InfoWorld CTO 25: Chris Wysopal, Veracode

An obsession with software security forms the basis for a new model for assessing apps' safety

Chris Wysopal's obsession with software security has brought him fame as a member of the L0pht hacker "think tank," led to stints as lead security researcher at @stake and director of development at Symantec, and helped produce the Organization for Internet Safety, which was founded on guidelines for the responsible disclosure of software security vulnerabilities developed by Wysopal and MITRE's Steve Christey.

But Wysopal's fixation has arguably paid its greatest dividend in the form of Veracode, an application security assessment company that Wysopal launched in early 2007 and that unveiled a security rating system for applications in April 2008. Leveraging industry standards such as CWE and CVSS, the Veracode rating system is the fulfillment of Wysopal's vision of creating a trusted third party -- think Underwriters Laboratories or Moody's Investors Service -- to provide formal security ratings of software applications to the consumers of those applications.


Wysopal started Veracode with fellow L0pht and @stake alum Christien Rioux, who serves as Veracode's chief scientist. The company's application security analyzer is based on work begun by Wysopal and Rioux at @stake on automating security testing, as well as efforts on binary code analysis that Wysopal spearheaded at Symantec. Veracode has produced an offering that differs from other static security analyzers in two important respects. First, it analyzes the application binary, not the source code, allowing security testing to be done as part of the development process or even when the source code is not provided or available. Second, it's provided as an outsourced service: customers send Veracode the binary, and Veracode sends back a report.

So far, Veracode serves primarily software vendors and financial services companies that both build and buy software. Because Veracode is gaining visibility into code being written by hundreds of development groups across the globe, it's in a position to measure the quality of an application against others of the same type. A financial services company outsourcing a Web app to India, for example, could learn from Veracode how the quality of the product it's getting compares to similar Web apps outsourced to India or elsewhere. Wysopal hopes to gather enough of this data to eventually issue quarterly or annual reports on the state of the software industry.

In the meantime, Wysopal is counting on the magic formula of binary analysis, automated security ratings, and SaaS (software as a service) to make Veracode the Moody's of the software industry. "The thing that makes Veracode truly special is the fact that we can do the security analysis of an application as a trusted third party," Wysopal notes. "It's not so much that Veracode has incrementally more accurate analysis results than a source code analysis-type tool; it's that we have created a model where software security testing is workable for the whole software vendor-purchaser ecosystem."