Connect with us

Hi, what are you looking for?


CISO Strategy

CISA Hires ‘Mudge’ to Work on Security-by-Design Principles

Peiter ‘Mudge’ Zatko joins the US government’s cybersecurity agency to preach the gospel of security-by-design and secure-by-default development principles.

Election security needs more protections

The U.S. government’s cybersecurity agency CISA on Monday confirmed the addition of Peiter ‘Mudge’ Zatko to its roster of prominent voices preaching the gospel of security-by-design and secure-by-default development principles.

Zatko, most recently the CISO at Twitter who blew the whistle on the social media giant’s security shortcomings, is joining the agency in a part-time capacity to work on the “security and resilience by design” pillar of the Biden administration’s National Cybersecurity Strategy.

A statement from CISA boss Jen Easterly confirmed Mudge’s addition as Senior Technical Advisor to work on shaping a culture of security-by-design everywhere.

“Mudge joins us in a part-time capacity to help us collaboratively shape a culture of security by design that is foundational to every security team, every C-suite, and every board room in the country,” Easterly said. Zatko’s hiring was first reported by the Washington Post.

Zatko is a famous hacker from the L0pht/cDc collectives who is credited for some of the earliest research work around buffer overflow vulnerabilities.  He previously served as a DARPA program manager and created the Cyber Fast Track program that provided resources to hackers and hacker spaces.

Zatko served as Twitter’s security boss for two years before filing a whistleblower complaint to Congress describing “extreme, egregious deficiencies” in Twitter’s handling of user information and multiple violations of SEC and FTC regulations.

In addition to Zatko, CISA recently hired former Yahoo CISO Bob Lord and researcher Jack Cable to evangelize the security-by-design pillar of the National Cybersecurity Strategy and CISA’s own Strategic Plan.

Advertisement. Scroll to continue reading.

The CISA security-by-design plan calls for technology manufacturers to make Secure-by-Design and Secure-by-Default the focal points of product design and development processes. 

“Secure-by-design means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure,” according to the CISA document. “Software manufacturers should perform a risk assessment to identify and enumerate prevalent cyber threats to critical systems, and then include protections in product blueprints that account for the evolving cyber threat landscape.”

In addition, CISA is pushing a “Secure-by-Default” principle that ensures that products are resilient against prevalent exploitation techniques out of the box without additional charge. 

“These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. Secure-by-Default products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls,” the agency said.

Related: CISA Pushes Secure-by-design, Secure-by-default Principles

Related: Whistleblower: China, India Had Agents Working for Twitter

Related: Peiter ‘Mudge’ Zatko: The Wild Card in Musk’s Clash With Twitter

Related: ‘Mudge’ Named Head of Security at Twitter

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

U.S. Marine Corps and SAIC CISOs Discuss the Differences Between Government and Private Industry

CISO Conversations

While the BISO might appear to be a new role, it is not – and understanding its past provides insights into its present.

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

SecurityWeek examines the role of the virtual CISO in a conversation with Chris Bedel and Greg Schaffer.

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

CISO Conversations

SecurityWeek talks to Chief Information Security Officers from, FreedomPay, and Tassat about their role and experience as CISOs.