Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
Posts by Chris Wysopal

State of Software Security Report Launched Today!

December 7, 2011

Since our last report, the risks associated with vulnerable software deployed in enterprise environments have been highlighted in the news on nearly a weekly basis. The majority of reported breaches that exposed customer data or intellectual property were caused by attackers exploiting weaknesses in web applications or desktop software. We have also witnessed the rise of new attacker categories: ...

Putting Trust in Software Code

November 15, 2011

Seven years ago, when we were first embarking on the mission of making static analysis usable, scalable, and able to operate without access to source code, automated static binary analysis was a new concept. There were human-operated disassemblers, but the ability to do large-scale, highly repeatable static binary analysis was an unknown. At Veracode we have demonstrated that this is now possible ...

Common Hazards That Cause Home Fires

September 12, 2011

Today I have a guest commentary in Threatpost on the changes in the security landscape since 2001. As I look back over the last 10 years, I don’t see much of a change in the vulnerability-scape, if you will, but I do in the threat landscape. New classes of attackers have gone mainstream and global. They are sophisticated and effective. But our defenses have barely gotten better. There has been an ...

Musings on Custer's Last Stand

August 31, 2011

Let’s not mince words: this rambling diatribe from Oracle’s CSO is aimed directly at Veracode. No need for a cutesy acronym; we're the only company with true static binary analysis technology, delivered as a service. Now that we’ve got that out of the way, let’s try to cut through the rhetoric (in just over a thousand words, to boot). The recurring theme in her ...

THE Security Problem is Scale

July 8, 2011

Rich Mogull talks about real-world IT security challenges today in his Dark Reading column, "Simple Isn't Simple". I agree 100%. One of Rich's points is that security has to scale or it doesn't solve the real-world problem. In most cases we know how to solve a security problem for a single instance of that problem; one SQL injection flaw in one app, for instance. The ...

Buffer Overflows in SCADA ActiveX Controls Put Critical Infrastructure at Risk

May 12, 2011

Following the industrial control system attack on Iran’s nuclear facilities dubbed Stuxnet, vulnerability researchers have intensified their scrutiny of the software that runs these industrial systems, known as SCADA systems. The results are unsettling. Given the danger of vulnerabilities in the software that controls power and water systems and industrial plants, you would expect vulnerabilities ...

A Financial Model for Application Security Debt

March 4, 2011

Last week I described the concept of application security debt and application interest rates. I promised that I would follow up with a financial model that could translate these concepts into real money. Recap: Here’s a quick recap of the initial concept. Security debt is similar to technical debt. Both debts are design and implementation constructions that have negative aspects that aggregate ...

2011 Becomes the Year of Mobile Malware

March 2, 2011

Google pulled over 20 malicious apps from the Android Marketplace today. The inevitable has happened: 2011 has become the year of mobile malware. All the pieces of the malware ecosystem puzzle that researchers have been warning about are falling into place: little to no vetting of apps for malicious behavior before they are made available from app stores; Android kernel code with known privilege ...

Application Security Debt and Application Interest Rates

February 25, 2011  | Research

Technical Debt: Architects and developers are well aware of the term technical debt, but many in the security community have never heard of this concept. Ward Cunningham, a programmer who developed the first wiki program, describes it like this: "Shipping first-time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite... The danger occurs ...

Veracode Recognized as a Leader in the Magic Quadrant for Static Application Security Testing

December 15, 2010  | Research

The 2010 Gartner Magic Quadrant for Static Application Security Testing (SAST) has been published and Veracode is recognized as a leader. We are pleased to be able to share the leaders' position with IBM and HP, two of the biggest and oldest companies in information technology. I am very proud of the work the Veracode team has been able to accomplish as a 4.5-year-old company. To get our service ...
