Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.
Posts by Chris Eng

CanSecWest Day One Highlights

April 19, 2007  | 4

Thought I would post a few thoughts on today's talks: For some reason I expected more out of Jose Nazario's talk on Reverse Engineering Malicious Javascript. Basically, it could be summarized as follows: Use command-line Javascript interpreters such as njs to figure out what obfuscated Javascript does without having to execute the malicious code in the context of a web browser. Near the end, he... READ MORE

Landed in Vancouver

April 17, 2007

As you may have guessed, I'm out in Vancouver the rest of the week attending CanSecWest. Looking forward to catching up with old friends and former colleagues and meeting more of you lurkers! I am always overly paranoid about getting owned by 0day at these conferences. My work laptop won't run Linux cleanly without rebuilding the kernel, and since I don't have time for that stuff anymore, I'm... READ MORE

Take WASC Data With a Grain of Salt

April 10, 2007 3

The Web Application Security Consortium (WASC) just published statistics on the prevalence of various web application vulnerabilities. The list was compiled from 31,373 automated assessments performed during 2006 by four contributing companies, with the methodology around data collection described as follows: The scans include a combination of raw scan results and results that have been manually... READ MORE

Public Perception of Application Risk

March 23, 2007

There has been a lot of buzz recently about the possibility of Xbox Live being hacked. People are taking over accounts, locking out the original owners, and racking up charges. Message boards were in a panic, speculating about what the gaping security hole was and how it was exploited. As it turns out, the whole thing boils down to a social engineering attack (or pre-texting, for those who like... READ MORE

Vulnerability Disclosure Evolves

March 13, 2007

Jeremiah recently posted about the Microsoft Security Response Center inviting security researchers to disclose vulnerabilities discovered in a Microsoft "online web property," which is to say, anything in the microsoft.com domain (or msn.com, live.com, etc.). Immediately, people started trying to profit from the idea, suggesting that Microsoft agree in advance to a "reward system" whereby they... READ MORE

Better Criteria for Selecting Pen Test Consultants

February 27, 2007  | Research 3

An article was forwarded to me today, entitled Avoid Wasting Money on Penetration Testing. While the core message is on target (i.e. be sure you know what you are getting before you sign on the dotted line), the suggestions for how to achieve this are misleading. Let's examine the "5 steps to choosing a supplier" outlined in the article: Ask if their consultants have passed an... READ MORE

Implications of the Google Desktop Hack

February 23, 2007

Watchfire just released a whitepaper on Overtaking Google Desktop which is a thought-provoking read. It essentially exploits the mechanism by which Google Desktop hooks the browser in order to inject links to the local Google Desktop instance when the user performs a typical online Google search. There are a couple of gating factors to making this attack viable -- the initial attack vector... READ MORE

Stupid Solaris Tricks, and a Brief Retrospective

February 12, 2007 3

An annoyingly stupid vulnerability in the stock Solaris 10/11 telnet daemon, courtesy of Full Disclosure (more details in this PDF, but it's NSFW): Pass "-f[user]" as the "-l" option to telnet, and presto, you bypass the entire authentication process and are logged in as the user of your choice! Works for the root user too, as long as the server is configured to allow remote root logins. [email protected] READ MORE

Heading to RSA

February 4, 2007

Like many of the people who will eventually read this, I'm packing my bags and heading to San Francisco tonight for the RSA Conference. For those of you also attending, please stop by our booth (#2612) and say hello. We'll be giving demos of our service platform and discussing how our software-as-a-service delivery model will help solve application security problems that tool-based approaches... READ MORE

How to Pick Up Malware at the Airport

February 3, 2007  | 4

A few weeks ago I was waiting for a flight in the JetBlue terminal of JFK. JetBlue offers free Wi-Fi to its customers, which is a nice touch. I powered up my laptop and this is what I saw: If I'm your typical non-security-minded traveler, which of these networks am I most likely to connect to? I would guess that the majority of people will select one of the two with Jet Blue in the SSID, or... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu