You may not have heard of cybersecurity expert and programmer Chris Sullo or Nikto, the open-source vulnerability scanner he created.
But you’ve almost certainly been protected by them. Sullo created Nikto as a free tool to make web servers more secure, and over the past two decades, the software has been used millions of times by people and organizations all over the globe.
And Sullo’s incredible story illustrates how one person with strong principles and a simple dream can truly change the world.
Chris Sullo at a Glance
- Chris Sullo went to school for English but made a career out of penetration testing and cybersecurity analysis in the late ’90s.
- In 2000, he created CIRT.net and the Default Password Database, and the following year, he released a free, open-source vulnerability scanner called Nikto.
- Nikto made it easier than ever for anybody to secure their web servers, and within two years it became one of the most popular — and powerful — cybersecurity tools, free or paid.
- In 2004, Sullo helped create the Open Source Vulnerability Database (OSVDB), a free, community-focused reference tool for all manner of vulnerabilities.
- To this day, Sullo has been developing Nikto while working for a variety of companies and pursuing other ventures, including founding the RVAsec cybersecurity conference in 2011.
The Life of Chris Sullo
When Chris Sullo started college at Southern Connecticut State University in 1991, he wasn’t planning on pursuing a career in cybersecurity.
Studious and bright, he majored in English Language and Literature, graduating from the school’s Honors College in 1995. But by this time, he’d developed an interest in programming and cybersecurity, and he took a job as a security engineer at Capital One after graduating.
At Capital One, Sullo was responsible for penetration testing the bank’s Unix and web systems. While hunting down vulnerabilities and devising tougher security measures, he realized a sobering fact: millions of small businesses and ordinary internet users were vulnerable to the same exploits he was fixing, but those people had no access to the tools and knowledge he possessed.
In 2000, Sullo decided to do something about this inequity. He created CIRT.net, naming it after the acronym for “cyber incident response team,” the industry term for cybersecurity professionals.
CIRT.net’s original purpose was to house Sullo’s Default Password Database, an exhaustive list of computer hardware and software manufacturers along with the default usernames and passwords used on their devices.
But that was far from the only part of Sullo’s plan to bring cybersecurity to the masses.
The Creation of Nikto
In 2001, Sullo began working on a new project: a vulnerability scanner for web servers that could automatically detect dangerous files, outdated programs, server configuration problems, and other security holes.
He wasn’t the first person to devise such a program, but after researching other options, he noticed a glaring blind spot in the current offerings. Existing vulnerability scanners had fancy features and flashy GUIs, but were designed with large enterprise customers in mind.
This specialized target audience made vulnerability scanners prohibitively expensive for small organizations and private individuals, who also largely lacked the expertise to perform manual vulnerability checks. And this in turn left them wide open to cyberattacks.
Sullo wanted to fill this gap. As a lone developer, he didn’t have the time or resources to make something that looked pretty, but he knew he could create a powerful vulnerability scanner with a command-line interface and solid documentation to help people learn to use it.
And he knew from his involvement in the open-source software community that by releasing it for free, he’d be able to attract a massive userbase, get feedback and coding assistance, and truly make a difference in others’ lives.
Sullo spent 2001 crafting and refining his vulnerability scanner. He decided to name his creation Nikto, after an iconic line from the 1951 film The Day the Earth Stood Still: “Klaatu Barada Nikto,” a command used by the film’s human protagonist to stop an alien robot from destroying the world.
Nikto 1.00 Beta was released on December 27, 2001, under an open-source license: anyone could download and use the software for free, and other programmers were welcome to contribute to its codebase or use it to jumpstart their own projects.
The program was an instant hit, garnering the attention of both the open-source community and the broader cybersecurity industry. It proved so popular that feature requests and bug reports began flowing in almost immediately.
Sullo spent the final days of 2001 preparing bug fixes for version 1.01, which was released on New Year’s Eve. And though he didn’t fully realize it at the time, his rise to prominence was only just beginning.
Throughout 2002, Sullo’s schedule was packed to the brim.
During the day, he continued working his job at Capital One. And at night, he worked on Nikto: testing new features, adding compatibility for different servers, fixing bugs, providing technical assistance to users, and deploying regular updates.
In addition, he was in the process of bringing a new brainchild to life.
At the Blackhat and DEF CON cybersecurity conferences, Sullo networked with other open-source-minded security experts. The cohort began discussing the need for a free, accessible, comprehensive, unbiased database of vulnerabilities in the spirit of Sullo’s Default Password Database.
But with hundreds of thousands of vulnerabilities out there — and the brainstormers’ other commitments — this ambitious project took time to come to fruition.
Over the next two years, many of the original team members departed, but Sullo remained committed. And despite not yet being launched, the project had many supporters in the community, some of whom stepped in to volunteer their time and skills.
On March 31, 2004, the Open Source Vulnerability Database (OSVDB) made its public debut. The following year, Sullo cofounded a nonprofit organization dedicated to managing the database: the Open Security Foundation (OSF).
The World Embraces Nikto
By 2003, Nikto was one of the most popular open-source cybersecurity tools ever released — and among the most powerful vulnerability scanners regardless of license. That year, it was ranked #16 on Nmap creator Fyodor’s Top Security Tools Survey.
The following year, it was honored by the SANS Institute, an infosec education and certification organization, which described Nikto as “one of the more comprehensive CGI (Common Gateway Interface) scanning tools” available and included it in 2004’s prestigious “Top 20” list.
And in 2006, Nikto rose to #12 on the Top Security Tools Survey.
2006 was a big year for the OSVDB as well. Google, recognizing the project’s importance, asked Sullo to become a mentor for the company’s Summer of Code program, in which promising young coders would be given the opportunity to work on OSVDB and learn from Sullo’s expertise.
Sullo returned to the Summer of Code program in 2007 and released the long-awaited Nikto 2.0 that November. The new version contained features that had been in development for several years, including options for fine-tuning tests, new report types, and a knowledge base to help users maintain scan records.
But even more big changes were on the horizon for Sullo.
Sullo Branches Out
In January 2008, Sullo stepped down from his role at OSF, left his job at Capital One, and handed Nikto’s reins over to another programmer, David Lodge. He’d been offered — and accepted — a position as a researcher at HP, where he would be devoted full-time to working on a web app scanner, SPI Dynamics’ WebInspect.
Nikto’s development continued under Lodge until October 2009, when Sullo left HP to lead the attack and penetration testing team at Focal Point Data Risk — and return to the Nikto project.
During Sullo’s absence, Nikto had attracted tens of thousands of new users and been named one of Security-Database.com’s Best IT Security Tools for 2009.
In 2011, Sullo embarked on yet another new venture: the RVAsec cybersecurity conference, which he co-founded with his former Capital One and OSF colleague Jake Kouns. Held annually in Richmond, Virginia, RVAsec was the Mid-Atlantic region’s first high-profile infosec conference, emphasizing both international expert speakers and local talent.
And in 2019, Sullo left Focal Point to return to an old haunt.
He became Capital One’s lead penetration tester, a position he remained in until August 2021, when he switched gears once again — and, in a way, came full circle. His new role: Head of Innovation at ProjectDiscovery, an open-source software company specializing in simple, accessible, community-focused vulnerability scanners.
Today, Sullo is perhaps the world’s leading expert on vulnerability scanners. Whether he’s working on the professional tools developed by ProjectDiscovery or the free-for-all passion project Nikto, he remains dedicated to helping the world become safer, stronger, and more informed.
Chris Sullo: Vanguard of Vulnerability Scanners
Back in 2000, Chris Sullo recognized that true cybersecurity can only exist when everyone is empowered to protect themselves.
By creating Nikto and the OSVDB, he did just that — and proved that free, open-source tools can be just as robust, functional, and effective as their paid, proprietary equivalents.
And while the internet will never be invulnerable to attack, it’s safe to say that without Sullo’s skills and commitment, the web would be nowhere near as secure as it is today.
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional