The U.S. government’s cybersecurity agency CISA on Monday confirmed the addition of Peiter ‘Mudge’ Zatko to its roster of prominent voices preaching the gospel of security-by-design and secure-by-default development principles.
Zatko, most recently the CISO at Twitter who blew the whistle on the social media giant’s security shortcomings, is joining the agency in a part-time capacity to work on the “security and resilience by design” pillar of the Biden administration’s National Cybersecurity Strategy.
A statement from CISA boss Jen Easterly confirmed Mudge’s addition as Senior Technical Advisor to work on shaping a culture of security-by-design everywhere.
“Mudge joins us in a part-time capacity to help us collaboratively shape a culture of security by design that is foundational to every security team, every C-suite, and every board room in the country,” Easterly said. Zatko’s hiring was first reported by the Washington Post.
Zatko is a famous hacker from the L0pht/cDc collectives who is credited for some of the earliest research work around buffer overflow vulnerabilities. He previously served as a DARPA program manager and created the Cyber Fast Track program that provided resources to hackers and hacker spaces.
Zatko served as Twitter’s security boss for two years before filing a whistleblower complaint to Congress describing “extreme, egregious deficiencies” in Twitter’s handling of user information and multiple violations of SEC and FTC regulations.
In addition to Zatko, CISA recently hired former Yahoo CISO Bob Lord and researcher Jack Cable to evangelize the security-by-design pillar of the National Cybersecurity Strategy and CISA’s own Strategic Plan.
The CISA security-by-design plan calls for technology manufacturers to make Secure-by-Design and Secure-by-Default the focal points of product design and development processes.
“Secure-by-design means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure,” according to the CISA document. “Software manufacturers should perform a risk assessment to identify and enumerate prevalent cyber threats to critical systems, and then include protections in product blueprints that account for the evolving cyber threat landscape.”
In addition, CISA is pushing a “Secure-by-Default” principle that ensures that products are resilient against prevalent exploitation techniques out of the box without additional charge.
“These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. Secure-by-Default products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls,” the agency said.
Related: CISA Pushes Secure-by-design, Secure-by-default Principles
Related: Whistleblower: China, India Had Agents Working for Twitter
Related: Peiter ‘Mudge’ Zatko: The Wild Card in Musk’s Clash With Twitter
Related: ‘Mudge’ Named Head of Security at Twitter

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Chinese Gov Hackers Caught Hiding in Cisco Router Firmware
- CISA Unveils New HBOM Framework to Track Hardware Components
- Gem Security Lands $23 Million Series A Funding
- New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
- CrowdStrike to Acquire Application Intelligence Startup Bionic
- HiddenLayer Raises Hefty $50M Round for AI Security Tech
- Microsoft AI Researchers Expose 38TB of Data, Including Keys, Passwords and Internal Messages
- Extradited Russian Hacker Behind ‘NLBrute’ Malware Pleads Guilty
Latest News
- Chinese Gov Hackers Caught Hiding in Cisco Router Firmware
- CISA Unveils New HBOM Framework to Track Hardware Components
- Gem Security Lands $23 Million Series A Funding
- Misconfigured TeslaMate Instances Put Tesla Car Owners at Risk
- Firefox 118 Patches High-Severity Vulnerabilities
- Stolen GitHub Credentials Used to Push Fake Dependabot Commits
- Google Open Sources Binary File Comparison Tool BinDiff
- macOS 14 Sonoma Patches 60 Vulnerabilities
