Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.
Posts by Chris Eng

Responsible-ish Disclosure

May 8, 2008 3

Yesterday, Dave Lewis over at LiquidMatrix Security Digest cried foul at Core Security for releasing too much detail about a recent DoS vulnerability they had discovered. His specific gripe was that they provided an IDA Pro excerpt that showed where the vulnerability was triggered. The excerpt is short, so I'll even copy/paste it here: .text:00405C1B mov esi, [ebp+dwLen] ; Our value from packet... READ MORE

Dilbert Does Canonicalization

May 5, 2008

I was checking out the "new and improved" Dilbert website a few minutes ago, checking out some of the new features and lamenting the overzealous use of Flash. One new feature is called "Mashups." Naturally, you'd assume that this was some fancy Web 2.0 API that one might use to create a "killer app" combining Google Maps, Twitter, traffic delays, police reports, and Dilbert comics, all neatly... READ MORE

WordPress 2.5 Cookie Forging Explained

April 25, 2008  | 6

WordPress 2.5.1 came out recently. It includes a critical security fix for a cookie integrity bug that would allow an attacker to impersonate other users, including WordPress admins, by manipulating the contents of an HTTP cookie. Whenever I read about a vulnerability predicated on the user identity being embedded into a client-side token (as opposed to a pseudorandom session identifier), I like... READ MORE

Obama XSS Silliness

April 22, 2008

Apparently the security blunder of the weekend goes to the Barack Obama campaign for having XSS vulnerabilities throughout their website. There's no need for me to rehash the story, you can read other articles that describe what happened. My thoughts on the matter are as follows: I wish the media wouldn't refer to this as "hacking Obama's website" because it's not... READ MORE

Not a CISSP

April 18, 2008  | 44

One of my favorite pieces of swag from RSA was this "Not a CISSP" button that was pinned onto me by none other than Sinan Eren as I was chatting with Justine Aitel at the Immunity booth. Actually, there should have been a prize awarded just for finding the Immunity booth -- they were subletting another vendor's space for a few hours at a time, so one minute they'd be there and the next they were... READ MORE

WAF Better Than Code Review? Not Really.

April 15, 2008

I was just reading an article discussing the timeframe for upcoming revisions to the PCI-DSS. Nothing quite so exciting as reading about a compliance roadmap, right? This article reminded us about PCI Section 6.6 becoming mandatory in June 2008, with additional guidance and clarification coming in May (hey, a whole month to prepare!). As a refresher, 6.6 says that web applications must be... READ MORE

New Attack Class: XSNADOR

April 1, 2008

Recently making the rounds is this hack against the Facebook Moods application, currently installed by over 84,000 users. By manipulating the fb_sig_user parameter, it’s possible to alter the mood of any user who has the application enabled. Though this is just another manifestation of an authorization bypass issue, the security community should coin a new buzzword to describe these types of... READ MORE

Squirreling Backdoors Into Distribution Points

December 19, 2007

So it seems that SquirrelMail 1.4.11 and 1.4.12 were recently backdoored. Similar to some high-profile backdoors in the past, this was done by modifying the distribution tarball on rather than infiltrating the source code repository [1]. In this case, the backdoor was detected when a user noticed that the MD5 published on SquirrelMail's website didn't match the calculated MD5 from the SourceForge... READ MORE

Thought Exercise: Automated Vulnerability Creation

November 15, 2007 3

A few of us were hanging out in the Veracode kitchen the other day and got to discussing the idea of programmatically injecting vulnerabilities into software. This is essentially the opposite of the problem that most security vendors, including ourselves, are trying to solve -- that is, detecting vulnerabilities. Clearly there's not much business value in making software less safe, though you... READ MORE

PCI Extends Its Reach to Application Security

September 20, 2007

Earlier this week, I attended the first PCI Community Meeting in Toronto, a gathering organized by the PCI Security Standards Council to bring QSAs, ASVs, and other PCI stakeholders together in one room with the PCI Council. Let's be honest here -- in the security industry, discussing regulatory compliance is about as dull as it gets. On the other hand, compliance is also a major catalyst,... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu