Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

CISO Strategy

CISA Hires ‘Mudge’ to Work on Security-by-Design Principles

Peiter ‘Mudge’ Zatko joins the US government’s cybersecurity agency to preach the gospel of security-by-design and secure-by-default development principles.

CISA

The U.S. government’s cybersecurity agency CISA on Monday confirmed the addition of Peiter ‘Mudge’ Zatko to its roster of prominent voices preaching the gospel of security-by-design and secure-by-default development principles.

Zatko, most recently the CISO at Twitter who blew the whistle on the social media giant’s security shortcomings, is joining the agency in a part-time capacity to work on the “security and resilience by design” pillar of the Biden administration’s National Cybersecurity Strategy.

A statement from CISA boss Jen Easterly confirmed Mudge’s addition as Senior Technical Advisor to work on shaping a culture of security-by-design everywhere.

“Mudge joins us in a part-time capacity to help us collaboratively shape a culture of security by design that is foundational to every security team, every C-suite, and every board room in the country,” Easterly said. Zatko’s hiring was first reported by the Washington Post.

Zatko is a famous hacker from the L0pht/cDc collectives who is credited for some of the earliest research work around buffer overflow vulnerabilities.  He previously served as a DARPA program manager and created the Cyber Fast Track program that provided resources to hackers and hacker spaces.

Zatko served as Twitter’s security boss for two years before filing a whistleblower complaint to Congress describing “extreme, egregious deficiencies” in Twitter’s handling of user information and multiple violations of SEC and FTC regulations.

In addition to Zatko, CISA recently hired former Yahoo CISO Bob Lord and researcher Jack Cable to evangelize the security-by-design pillar of the National Cybersecurity Strategy and CISA’s own Strategic Plan.

The CISA security-by-design plan calls for technology manufacturers to make Secure-by-Design and Secure-by-Default the focal points of product design and development processes. 

Advertisement. Scroll to continue reading.

“Secure-by-design means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure,” according to the CISA document. “Software manufacturers should perform a risk assessment to identify and enumerate prevalent cyber threats to critical systems, and then include protections in product blueprints that account for the evolving cyber threat landscape.”

In addition, CISA is pushing a “Secure-by-Default” principle that ensures that products are resilient against prevalent exploitation techniques out of the box without additional charge. 

“These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. Secure-by-Default products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls,” the agency said.

Related: CISA Pushes Secure-by-design, Secure-by-default Principles

Related: Whistleblower: China, India Had Agents Working for Twitter

Related: Peiter ‘Mudge’ Zatko: The Wild Card in Musk’s Clash With Twitter

Related: ‘Mudge’ Named Head of Security at Twitter

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Shane Barney has been appointed CISO of password management and PAM solutions provider Keeper Security.

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.