Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
Posts by Chris Wysopal

Improving Software Security Through Vendor Transparency

June 12, 2014  | Research

Chris Wysopal moderates a panel discussion at the FS-ISAC & Bits Annual Summit 2014. According to Gartner, enterprises are getting better at defending traditional network perimeters, so attackers are now targeting the software supply chain. This has made third-party software – including commercial and outsourced...

Benefits of Binary Static Analysis

May 19, 2014  | Research

1. Coverage, both within applications you build and within your entire application portfolio. One of the primary benefits of binary static analysis is that it allows you to inspect all the code in your application. Mobile apps especially have binary components, but web apps, legacy back office and desktop apps do too. You don’t want to only analyze the...

Cybercriminals Aimed at Supply Chain to Reach Their True “Target”

February 5, 2014  | Research

So far the Target breach has caused 15.3 million credit cards to be reissued, costing millions of dollars to credit card companies. The full scope of the breach is not yet fully understood or known, but new details are coming out almost daily. For example, an article in the Wall Street Journal recently disclosed that the cyber-criminals were able to access Target’s systems through a third-...

Third-party application vulnerabilities more concerning than NSA "backdoors"

September 20, 2013

Last week the New York Times broke a story regarding the ability of the NSA to foil basic privacy safeguards. What seemed to catch the most attention from other media outlets, as well as political and technology pundits, was the fact that the NSA had asked some software vendors to insert backdoors into their code so that the NSA can easily “hack” into systems running these applications. The coercion of...

Why was the Syrian Electronic Army able to hack the Washington Post?

August 16, 2013

Putting political motivations aside, why were the Washington Post, Time and others recently hacked? Simply put, they extended their trust perimeter to include a third-party component without vetting its security properly. Extending trust is necessary in the business world, but in the immortal words of Ronald Reagan, to maintain security we must "trust but verify". Attackers look to...

What Happens When Companies Don’t Give Web App Security the Attention it Deserves

July 26, 2013 | Research

I recently blogged about “Web-based threats finally getting the respect they deserve?”, but a recent New York Times article reminds us what happens when companies don’t pay enough attention to this crucial area of security. The article, titled “Wall Street’s Exposure to Hacking Laid Bare”, describes not only the damage done by the five men involved in a seven-year hacking...

Government Has Power to Improve Security With Incentives

July 23, 2013

Back when I testified with the L0pht to the Senate in 1998, we suggested the government use incentives as a way to get businesses to improve their security. The Senate was Republican-controlled at the time, and even we political newbies knew that regulation was going to be a non-starter. We also proposed that the government use its purchasing power to require the vendors it buys from to...

Do We Want Military Secrets or Civilian Information Sharing?

June 25, 2013 | Research

Last month I gave a keynote at RVAsec in Richmond, VA on the topic of “The Future of Government Info Sharing”. The slides for my talk are available online. UPDATE: Video of the keynote is now available. The inspiration for my talk was the confluence of the DHS announcing their Enhanced Cybersecurity Services and the lack of information available about the root causes of major data breaches....

Microsoft Rolls Out A Bug Bounty Program With A New Twist

June 19, 2013

2010 was a big year for vendor bug bounty programs. Google announced its program in January with a bounty of $1,337 for high severity security bugs in its Chrome browser. Then in July Mozilla sextupled its bounty to $3000 and the Google program went from “Leet” to “Elite” with an increase of its bounty to $3,133.70. Sensing a trend and a feeling that vendor bug bounties “had arrived”, the Veracode...

Developers need more training programs like SAFECode

May 14, 2013

A developer’s main goal usually doesn’t include creating flawless, intrusion-proof applications. In fact, the goal is usually to create a working program as quickly as possible. Programmers aren’t security experts, and perhaps they shouldn’t be. But when 70% of applications fail to comply with enterprise security standards (data from Veracode SoSS vol. 5), it is clear more attention needs to be...
