Sign up to save your podcasts
Or
Share Ep. 16 - The Birth of the CVE System, created by Adam Shostack
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Ep. 16 - The Birth of the CVE System, created by Adam Shostack
Who created the CVE system? That's Adam! In this insightful episode of "Hackers to Founders," host Chris REal0day Magistrado welcomes Adam Shostack, a renowned cybersecurity expert and co-creator of the Common Vulnerabilities and Exposures (CVE) system. Adam recounts his journey from a curious and geeky childhood, engaging in activities like D&D and building with Legos, to his influential career in cybersecurity. He delves into his early experiences at Brigham and Women's Hospital, where he first encountered the importance of security and privacy in medical systems. Adam shares his entrepreneurial ventures, including his pivotal roles in startups like Net Tech and Zero Knowledge Systems, highlighting the challenges and rewards of building security-focused businesses during the nascent stages of the cybersecurity industry. His passion for threat modeling is evident as he discusses his work at Microsoft, where he developed user-friendly threat modeling tools and authored influential books to make security practices more accessible.
Beyond his technical achievements, Adam emphasizes the significance of education, training, and mentorship in advancing cybersecurity. He explains his transition from product development to focusing on training and creating scalable educational programs, ensuring that essential security skills are widely disseminated. Adam also explores his collaboration with Cyber Green to establish cyber public health, aiming to apply public health methodologies to measure and mitigate cyber impacts effectively. Throughout the conversation, Adam underscores the importance of diversity in fostering innovative solutions and the need for adaptable strategies in an ever-evolving threat landscape. His dedication to making cybersecurity more inclusive and his visionary approach to integrating interdisciplinary techniques position him as a key thought leader committed to enhancing global security practices.
People
- Adam Shostack: Renowned cybersecurity expert, co-creator of the Common Vulnerabilities and Exposures (CVE) system, author of several influential books on threat modeling and security design.
- Frank Abagnale: Subject of the book "Catch Me If You Can," which influenced Adam's childhood interest in security and deception techniques.
- Leonardo DiCaprio: Actor who portrayed Frank Abagnale in the movie adaptation of "Catch Me If You Can."
- Mike Howard: Worked alongside Adam on the Secure Development Lifecycle team.
- Steve Lipner: Collaborated with Adam on threat modeling initiatives.
- Rob Kinnaki: Worked with Adam on the cyber public health project, contributing to the development of new cybersecurity disciplines.
- Tara Wheeler: Partnered with Adam in establishing cyber public health methodologies.
- Heidi Trust: Recommended by Adam as a notable figure intersecting usability and security.
- Gene Spafford: Part of Adam's professional network, contributing to cybersecurity discourse.
- Steve Belvin: Known to Adam, part of his network of cybersecurity professionals.
- Bruce Schneier: Part of Adam's extensive network within the cybersecurity community.
- Marcus Ranham: Known to Adam, contributing to his professional relationships.
- Mudge: Met by Adam during his time at BBN, part of his influential network.
- Weld Pond: Met by Adam at BBN, contributing to his professional connections.
- Prerit Garg: Contributor to threat modeling methodologies.
- Lance Cottrell: Influenced Adam's work on anonymized networks at Zero Knowledge Systems.
- Paul Syverson: Co-inventor of onion routing. His work influenced the development of anonymized network systems like Tor and Zero Knowledge Systems.
- Steve Christie: Involved in the development of the CVE system.
- Dave Mann: Collaborated with Adam on creating the CVE system.
- Andre Fresh: Worked with Adam on developing the CVE system.
- Tony Sager: Helped secure funding for the CVE system through collaboration with MITRE.
- Stephen Savage: Involved in ransomware detection research, mentioned in relation to cyber public health.
Organizations
- CVE (Common Vulnerabilities and Exposures): A standardized system for identifying and categorizing cybersecurity vulnerabilities. Co-created by Adam Shostack to provide a common reference for vulnerabilities across different platforms and organizations.
- Net Tech
- Startup focused on developing vulnerability scanners. Adam played a pivotal role in this successful startup, contributing to the creation of security tools.
- Zero Knowledge Systems: Startup aimed at creating anonymized network solutions similar to Tor. Adam joined this company to work on privacy-focused technologies.
- MITRE: Not-for-profit organization that manages various federally funded research and development centers. Collaborated with Adam to develop and support the CVE system.
- Secure ID: Company that produced authentication tokens. Adam conducted security and privacy reviews of their products early in his career.
- BBN (Bolt Beranek and Newman Inc.) Technology company known for its work on ARPANET and early internet infrastructure. Adam worked here and met key figures like Mudge and Weld Pond.
- DEF CON: One of the world's largest and most notable hacker conventions. Adam attended DEF CON, sharing experiences and networking with other security professionals.
- 2600: Hacker community magazine and associated meetings. Part of the hacker culture Adam was involved with during his early career.
- ShmooCon: Annual East Coast hacker convention. Adam attended and interacted with the hacker community here.
- CISA (Cybersecurity and Infrastructure Security Agency): U.S. federal agency responsible for cybersecurity and infrastructure protection. Mentioned in the context of cybersecurity research and vulnerability management.
Products and Tools
- CVE System (Common Vulnerabilities and Exposures): A standardized system for identifying and cataloging cybersecurity vulnerabilities. Co-created by Adam Shostack to provide a common reference across the cybersecurity industry.
- Hacker Shield: Vulnerability scanner developed by Adam's company. Used by organizations to identify and remediate security vulnerabilities.
- Stride: A mnemonic framework for threat modeling (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). Developed by Prerit Garg and others to help structure threat analysis.
- Tor: An anonymity network that directs internet traffic through a free, worldwide, volunteer overlay network. Influenced the development of Zero Knowledge Systems' anonymized network products.
- Mixmaster: Asynchronous email router designed for anonymizing email traffic. Developed by Lance Cottrell, influencing Adam's work on privacy-focused networking.
- Log4j: Java-based logging utility with significant vulnerabilities exploited in cybersecurity attacks. Discussed by Adam in the context of vulnerability management and public health approaches to cybersecurity.
View all episodes
By Chris MagistradoWho created the CVE system? That's Adam! In this insightful episode of "Hackers to Founders," host Chris REal0day Magistrado welcomes Adam Shostack, a renowned cybersecurity expert and co-creator of the Common Vulnerabilities and Exposures (CVE) system. Adam recounts his journey from a curious and geeky childhood, engaging in activities like D&D and building with Legos, to his influential career in cybersecurity. He delves into his early experiences at Brigham and Women's Hospital, where he first encountered the importance of security and privacy in medical systems. Adam shares his entrepreneurial ventures, including his pivotal roles in startups like Net Tech and Zero Knowledge Systems, highlighting the challenges and rewards of building security-focused businesses during the nascent stages of the cybersecurity industry. His passion for threat modeling is evident as he discusses his work at Microsoft, where he developed user-friendly threat modeling tools and authored influential books to make security practices more accessible.
Beyond his technical achievements, Adam emphasizes the significance of education, training, and mentorship in advancing cybersecurity. He explains his transition from product development to focusing on training and creating scalable educational programs, ensuring that essential security skills are widely disseminated. Adam also explores his collaboration with Cyber Green to establish cyber public health, aiming to apply public health methodologies to measure and mitigate cyber impacts effectively. Throughout the conversation, Adam underscores the importance of diversity in fostering innovative solutions and the need for adaptable strategies in an ever-evolving threat landscape. His dedication to making cybersecurity more inclusive and his visionary approach to integrating interdisciplinary techniques position him as a key thought leader committed to enhancing global security practices.
People
- Adam Shostack: Renowned cybersecurity expert, co-creator of the Common Vulnerabilities and Exposures (CVE) system, author of several influential books on threat modeling and security design.
- Frank Abagnale: Subject of the book "Catch Me If You Can," which influenced Adam's childhood interest in security and deception techniques.
- Leonardo DiCaprio: Actor who portrayed Frank Abagnale in the movie adaptation of "Catch Me If You Can."
- Mike Howard: Worked alongside Adam on the Secure Development Lifecycle team.
- Steve Lipner: Collaborated with Adam on threat modeling initiatives.
- Rob Kinnaki: Worked with Adam on the cyber public health project, contributing to the development of new cybersecurity disciplines.
- Tara Wheeler: Partnered with Adam in establishing cyber public health methodologies.
- Heidi Trust: Recommended by Adam as a notable figure intersecting usability and security.
- Gene Spafford: Part of Adam's professional network, contributing to cybersecurity discourse.
- Steve Belvin: Known to Adam, part of his network of cybersecurity professionals.
- Bruce Schneier: Part of Adam's extensive network within the cybersecurity community.
- Marcus Ranham: Known to Adam, contributing to his professional relationships.
- Mudge: Met by Adam during his time at BBN, part of his influential network.
- Weld Pond: Met by Adam at BBN, contributing to his professional connections.
- Prerit Garg: Contributor to threat modeling methodologies.
- Lance Cottrell: Influenced Adam's work on anonymized networks at Zero Knowledge Systems.
- Paul Syverson: Co-inventor of onion routing. His work influenced the development of anonymized network systems like Tor and Zero Knowledge Systems.
- Steve Christie: Involved in the development of the CVE system.
- Dave Mann: Collaborated with Adam on creating the CVE system.
- Andre Fresh: Worked with Adam on developing the CVE system.
- Tony Sager: Helped secure funding for the CVE system through collaboration with MITRE.
- Stephen Savage: Involved in ransomware detection research, mentioned in relation to cyber public health.
Organizations
- CVE (Common Vulnerabilities and Exposures): A standardized system for identifying and categorizing cybersecurity vulnerabilities. Co-created by Adam Shostack to provide a common reference for vulnerabilities across different platforms and organizations.
- Net Tech
- Startup focused on developing vulnerability scanners. Adam played a pivotal role in this successful startup, contributing to the creation of security tools.
- Zero Knowledge Systems: Startup aimed at creating anonymized network solutions similar to Tor. Adam joined this company to work on privacy-focused technologies.
- MITRE: Not-for-profit organization that manages various federally funded research and development centers. Collaborated with Adam to develop and support the CVE system.
- Secure ID: Company that produced authentication tokens. Adam conducted security and privacy reviews of their products early in his career.
- BBN (Bolt Beranek and Newman Inc.) Technology company known for its work on ARPANET and early internet infrastructure. Adam worked here and met key figures like Mudge and Weld Pond.
- DEF CON: One of the world's largest and most notable hacker conventions. Adam attended DEF CON, sharing experiences and networking with other security professionals.
- 2600: Hacker community magazine and associated meetings. Part of the hacker culture Adam was involved with during his early career.
- ShmooCon: Annual East Coast hacker convention. Adam attended and interacted with the hacker community here.
- CISA (Cybersecurity and Infrastructure Security Agency): U.S. federal agency responsible for cybersecurity and infrastructure protection. Mentioned in the context of cybersecurity research and vulnerability management.
Products and Tools
- CVE System (Common Vulnerabilities and Exposures): A standardized system for identifying and cataloging cybersecurity vulnerabilities. Co-created by Adam Shostack to provide a common reference across the cybersecurity industry.
- Hacker Shield: Vulnerability scanner developed by Adam's company. Used by organizations to identify and remediate security vulnerabilities.
- Stride: A mnemonic framework for threat modeling (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). Developed by Prerit Garg and others to help structure threat analysis.
- Tor: An anonymity network that directs internet traffic through a free, worldwide, volunteer overlay network. Influenced the development of Zero Knowledge Systems' anonymized network products.
- Mixmaster: Asynchronous email router designed for anonymizing email traffic. Developed by Lance Cottrell, influencing Adam's work on privacy-focused networking.
- Log4j: Java-based logging utility with significant vulnerabilities exploited in cybersecurity attacks. Discussed by Adam in the context of vulnerability management and public health approaches to cybersecurity.