Ep. 16 - The Birth of the CVE System, created by Adam Shostack

Who created the CVE system? That's Adam! In this insightful episode of "Hackers to Founders," host Chris REal0day Magistrado welcomes Adam Shostack, a renowned cybersecurity expert and co-creator of the Common Vulnerabilities and Exposures (CVE) system. Adam recounts his journey from a curious and geeky childhood, engaging in activities like D&D and building with Legos, to his influential career in cybersecurity. He delves into his early experiences at Brigham and Women's Hospital, where he first encountered the importance of security and privacy in medical systems. Adam shares his entrepreneurial ventures, including his pivotal roles in startups like Net Tech and Zero Knowledge Systems, highlighting the challenges and rewards of building security-focused businesses during the nascent stages of the cybersecurity industry. His passion for threat modeling is evident as he discusses his work at Microsoft, where he developed user-friendly threat modeling tools and authored influential books to make security practices more accessible.

Beyond his technical achievements, Adam emphasizes the significance of education, training, and mentorship in advancing cybersecurity. He explains his transition from product development to focusing on training and creating scalable educational programs, ensuring that essential security skills are widely disseminated. Adam also explores his collaboration with Cyber Green to establish cyber public health, aiming to apply public health methodologies to measure and mitigate cyber impacts effectively. Throughout the conversation, Adam underscores the importance of diversity in fostering innovative solutions and the need for adaptable strategies in an ever-evolving threat landscape. His dedication to making cybersecurity more inclusive and his visionary approach to integrating interdisciplinary techniques position him as a key thought leader committed to enhancing global security practices.

People
  • Adam Shostack: Renowned cybersecurity expert, co-creator of the Common Vulnerabilities and Exposures (CVE) system, author of several influential books on threat modeling and security design.
  • Frank Abagnale: Subject of the book "Catch Me If You Can," which influenced Adam's childhood interest in security and deception techniques.
  • Leonardo DiCaprio: Actor who portrayed Frank Abagnale in the movie adaptation of "Catch Me If You Can."
  • Mike Howard: Worked alongside Adam on the Secure Development Lifecycle team.
  • Steve Lipner: Collaborated with Adam on threat modeling initiatives.
  • Rob Knake: Worked with Adam on the cyber public health project, contributing to the development of new cybersecurity disciplines.
  • Tarah Wheeler: Partnered with Adam in establishing cyber public health methodologies.
  • Heidi Trost: Recommended by Adam as a notable figure at the intersection of usability and security.
  • Gene Spafford: Part of Adam's professional network, contributing to cybersecurity discourse.
  • Steve Bellovin: Known to Adam, part of his network of cybersecurity professionals.
  • Bruce Schneier: Part of Adam's extensive network within the cybersecurity community.
  • Marcus Ranum: Known to Adam, contributing to his professional relationships.
  • Mudge: Met by Adam during his time at BBN, part of his influential network.
  • Weld Pond: Met by Adam at BBN, contributing to his professional connections.
  • Praerit Garg: Contributor to threat modeling methodologies.
  • Lance Cottrell: Influenced Adam's work on anonymized networks at Zero Knowledge Systems.
  • Paul Syverson: Co-inventor of onion routing. His work influenced the development of anonymized network systems like Tor and Zero Knowledge Systems.
  • Steve Christey: Involved in the development of the CVE system.
  • Dave Mann: Collaborated with Adam on creating the CVE system.
  • Andre Frech: Worked with Adam on developing the CVE system.
  • Tony Sager: Helped secure funding for the CVE system through collaboration with MITRE.
  • Stefan Savage: Involved in ransomware detection research, mentioned in relation to cyber public health.
Organizations
  • CVE (Common Vulnerabilities and Exposures): A standardized system for identifying and categorizing cybersecurity vulnerabilities. Co-created by Adam Shostack to provide a common reference for vulnerabilities across different platforms and organizations.
  • Net Tech: Startup focused on developing vulnerability scanners. Adam played a pivotal role in this successful startup, contributing to the creation of security tools.
  • Zero Knowledge Systems: Startup aimed at creating anonymized network solutions similar to Tor. Adam joined this company to work on privacy-focused technologies.
  • MITRE: Not-for-profit organization that manages various federally funded research and development centers. Collaborated with Adam to develop and support the CVE system.
  • SecurID: Company that produced authentication tokens. Adam conducted security and privacy reviews of their products early in his career.
  • BBN (Bolt Beranek and Newman Inc.): Technology company known for its work on ARPANET and early internet infrastructure. Adam worked here and met key figures like Mudge and Weld Pond.
  • DEF CON: One of the world's largest and most notable hacker conventions. Adam attended DEF CON, sharing experiences and networking with other security professionals.
  • 2600: Hacker community magazine and associated meetings. Part of the hacker culture Adam was involved with during his early career.
  • ShmooCon: Annual East Coast hacker convention. Adam attended and interacted with the hacker community here.
  • CISA (Cybersecurity and Infrastructure Security Agency): U.S. federal agency responsible for cybersecurity and infrastructure protection. Mentioned in the context of cybersecurity research and vulnerability management.
Products and Tools
  • CVE System (Common Vulnerabilities and Exposures): A standardized system for identifying and cataloging cybersecurity vulnerabilities. Co-created by Adam Shostack to provide a common reference across the cybersecurity industry.
  • Hacker Shield: Vulnerability scanner developed by Adam's company. Used by organizations to identify and remediate security vulnerabilities.
  • STRIDE: A mnemonic framework for threat modeling (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). Developed by Praerit Garg and others to help structure threat analysis.
  • Tor: An anonymity network that directs internet traffic through a free, worldwide, volunteer overlay network. Influenced the development of Zero Knowledge Systems' anonymized network products.
  • Mixmaster: Asynchronous email router designed for anonymizing email traffic. Developed by Lance Cottrell, influencing Adam's work on privacy-focused networking.
  • Log4j: Java-based logging utility with significant vulnerabilities exploited in cybersecurity attacks. Discussed by Adam in the context of vulnerability management and public health approaches to cybersecurity.
  • Health Belief Model: A psychological model that explains and predicts health behaviors by focusing on the attitudes and beliefs of individuals. Applied by Adam and his team to develop cyber public health methodologies.
  • Gopher Server: Early internet protocol for distributed document search and retrieval. Part of the pre-Mosaic internet environment Adam worked in.
  • Archie Servers: Early internet tool for indexing FTP archives, enabling easier access to files. Mentioned as part of the early internet infrastructure Adam interacted with.
  • Usenet: Early distributed discussion system (newsgroups) for sharing information. Part of the communication platforms Adam utilized during his early career.

Books
  • "Smashing the Stack for Fun and Profit" by Aleph One: Influential paper on buffer overflow vulnerabilities, published in 1996.
  • "Threat Modeling" by Adam Shostack: Comprehensive guide on threat modeling practices for designing secure systems. Authored by Adam to make threat modeling accessible to a wider audience.
  • "Designing for Security" by Adam Shostack: Book focused on integrating security principles into system design. Authored by Adam to educate engineers on incorporating security from the outset.
  • "Threats: What Every Engineer Should Learn from Star Wars" by Adam Shostack: Creative exploration of threat modeling concepts using analogies from Star Wars. Authored by Adam to make threat modeling engaging and relatable.
  • "Catch Me If You Can" by Frank Abagnale: Autobiographical book detailing Frank Abagnale's life as a con artist. Influenced Adam's childhood interest in security and deception techniques.
  • "Leading Change" by John P. Kotter: Book on the processes involved in implementing successful organizational change. Recommended by Adam for insights into effective leadership and change management.
  • "Good Strategy, Bad Strategy" by Richard Rumelt: Book distinguishing effective strategies from ineffective ones in business contexts. Recommended by Adam for developing robust business strategies.
  • "Human-Centered Security" by Heidi Trost: Book focusing on the intersection of usability and security in system design. Foreword written by Adam, who recommends it as a valuable resource.

Creators and Guests

Chris Magistrado
Host
Host of @HackerToFounder. Owner of @TopClearedRec. Security Researcher. Defcon is fun. CCCamp is a trip.