Chris Wysopal

Chris Wysopal, co-founder and CTO of CA Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At CA Veracode, Mr. Wysopal is responsible for the security analysis capabilities of CA Veracode technology.
Posts by Chris Wysopal

Coming to a computer near you, SQL: The Sequel

August 8, 2014 | Research

It might sound like a bad movie, but it’s playing out in real life – despite what seems like endless hacks using SQL injections, SQLi related breaches keep turning up like a bad penny. Most recently, Hold Security reported that they discovered a breach by a Russian hacker ring. While details of this series of breaches are still surfacing, it is time for...

Cloud or Not - Third-Party Software Adds Unnecessary Risk

June 13, 2014 | Research

Don't be misled regarding the security implications of cloud-based software. There’s been some discussion regarding the Cloud Could Triple Odds of $20M Data Breach research findings by Ponemon – so I thought I would weigh in on this issue. Risky software, regardless of deployment method, is what is adding unnecessary...

Improving Software Security Through Vendor Transparency

June 12, 2014 | Research

[Image: Chris Wysopal moderates a panel discussion at the FS-ISAC & Bits Annual Summit 2014]

According to Gartner, enterprises are getting better at defending traditional network perimeters, so attackers are now targeting the software supply chain. This has made third-party software – including commercial and outsourced...

Benefits of Binary Static Analysis

May 19, 2014 | Research

1. Coverage, both within applications you build and within your entire application portfolio

One of the primary benefits of binary static analysis is that it allows you to inspect all the code in your application. Mobile apps especially have binary components, but web apps, legacy back office and desktop apps do too. You don’t want to only analyze the...

Cybercriminals Aimed at Supply Chain to Reach Their True “Target”

February 5, 2014 | Research

So far the Target breach has caused 15.3 million credit cards to be reissued, costing millions of dollars to credit card companies. The full scope of the breach is not yet fully understood or known, but new details are coming out almost daily. For example, an article in the Wall Street Journal recently disclosed that the cyber-criminals were able to access Target’s systems through a third-...

Third-party application vulnerabilities more concerning than NSA "backdoors"

September 20, 2013

Last week the New York Times broke a story regarding the ability of the NSA to foil basic privacy safeguards. What seemed to catch the most attention from other media outlets, as well as political and technology pundits, was the fact that the NSA had asked some software vendors to insert backdoors into their code so that the NSA can easily “hack” into systems running these applications. The coercion of...

Why was the Syrian Electronic Army able to hack the Washington Post?

August 16, 2013

Putting political motivations aside, why were the Washington Post, CNN.com, Time and others recently hacked? Simply put, they extended their trust perimeter to include a third party component without vetting its security properly. Extending trust is necessary in the business world, but in the immortal words of Ronald Reagan, to maintain security we must "trust but verify". Attackers look to...

What Happens When Companies Don’t Give Web App Security the Attention it Deserves

July 26, 2013 | Research

I recently blogged about “Web-based threats finally getting the respect they deserve?”, but a recent New York Times article reminds us what happens when companies don’t pay enough attention to this crucial area of security. The article, titled “Wall Street’s Exposure to Hacking Laid Bare”, describes not only the damage done by the five men involved in a seven year hacking...

Government Has Power to Improve Security With Incentives

July 23, 2013

Back when I testified with the L0pht to the Senate in 1998, we suggested the government use incentives as a way to get businesses to improve their security. The Senate was Republican controlled at the time, and even we political newbies knew that regulation was going to be a non-starter. We also proposed that the government use its purchasing power to require the vendors it buys from to...

Do We Want Military Secrets or Civilian Information Sharing?

June 25, 2013 | Research

Last month I gave a keynote at RVAsec in Richmond, VA on the topic of “The Future of Government Info Sharing”. The slides for my talk are available online. UPDATE: Video of the keynote is now available. The inspiration for my talk was the confluence of the DHS announcing their Enhanced Cybersecurity Services and the lack of information available about the root causes of major data breaches....
