Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.
Posts by Chris Eng

BlackHat 2007 Materials

August 28, 2007

Finally getting around to posting our materials from the talk that Chris Wysopal and I gave at BlackHat this year entitled "Static Detection of Application Backdoors." Here are the slide deck and the accompanying whitepaper: Static Detection of Application Backdoors (slides) Static Detection of Application Backdoors (whitepaper) Also, as a proof-of-concept, we had demonstrated using IDA Pro's... READ MORE

Cenzic Taking SPI to Court

August 21, 2007  | 6

RSnake blogged on this first but I can't help but comment on it. Essentially, Cenzic managed to get a patent issued on the technique of fault injection, and now they're getting litigious. The abstract from the patent reads as follows: A method of testing a target in a network by fault injection, includes: defining a transaction baseline; modifying at least one of an order and a structure... READ MORE

Skype and Critical Mass

August 20, 2007

There's been a lot of blogging over the weekend about the 36-hour Skype outage that occurred starting last Thursday. From Skype's official explanation, it wasn't a security-related event -- in other words, Skype wasn't hacked. We have no reason to believe otherwise. However, security and availability are often discussed in the same breath, and lots of people will be speculating about the chain of... READ MORE

File Format Vulnerabilities On the Rise

May 31, 2007

Software flaws have become serious vulnerabilties for companies today, as the security measures have become much better along the perimeter. And it's not just the flaws in enterprise and ISV code -- even code written by major antivirus companies can be at risk. F-Secure just posted a couple security bulletins around vulnerabilities in their antivirus products. Of particular interest is a buffer... READ MORE

IOS FTP Vulnerabilities: Backdoor or Honest Mistake?

May 13, 2007 3

Network World recently published an article entitled Cisco says FTP feature in IOS is a hacker backdoor. The opening paragraph reads as follows: Cisco says a flaw in the FTP server utility in its IOS router/switch software could be used as a backdoor by attackers. Do you see the discrepancy? The opening statement is inconsistent with the title of the article. Are they saying that the flaw could... READ MORE

It Couldn't Happen To Us!

May 9, 2007

[Allow me to introduce Mike VanEmmerik. Mike is one of our engineers, who works closely with Christien Rioux and others on Veracode's analysis engine. Those of you who follow the decompilation community probably recognize his name. We'll have a full bio posted for him soon, and he will be a regular contributor to this blog.] It Couldn't Happen To Us! by Mike VanEmmerik Surely this was what was... READ MORE

Just In, From the "Finish What You Started" Department

May 4, 2007

I never actually posted the rest of my notes from CanSecWest. At this point, I'd be leaning towards leaving it at that, but since I've had a couple requests to finish up, I'll oblige, providing I can still remember the salient points. So without further ado, CanSecWest Day 3: Andrea Barisani and Daniele Bianco from Inverse Path gave an informative and entertaining presentation on Unusual Car... READ MORE

Raise Your Hand If You Use iTunes

April 26, 2007  | 4

Because if you do, you've probably installed QuickTime without realizing it. Why is this relevant? Well, if you've been in a cave for the last week, you may not have heard about the Quicktime/Java vulnerability discovered during the CanSecWest conference, which happens to affect just about anyone with those two applications installed. If you try to uninstall QuickTime, it'll happily oblige, but... READ MORE

CanSecWest Day Two Highlights

April 23, 2007

Slowly but surely, I'm catching up on my blogging backlog. As I posted before, Day 2 of CanSecWest was a long day, with presentations running from 9am to 9pm. Here are some of the highlights: Barnaby Jack's talk, Exploiting Embedded Systems - The Sequel!, was mostly the same as last year's talk with a couple notable exceptions. Last year, he exploited a UPnP stack overflow in the DI-524, while... READ MORE

OSX Security Apologists, Read Carefully

April 22, 2007

I'll post my thoughts from Days 2 and 3 of CanSecWest pretty soon. Thursday was a marathon 12 hours of talks followed by a Microsoft party, and Friday I went straight from the con to the airport to catch the red-eye back to Boston, so I just haven't gotten around to it. Before I do that, though, let's talk about the "Pwn To Own" contest, which turned out to be interesting.... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu