Chris Kirsch

Chris Kirsch works on the products team at Veracode and has 20 years of experience in security, particularly in the areas of application security testing, security assessments, incident response, and cryptography. Previously, he managed Metasploit and incident response solutions at Rapid7 and held similar positions at Thales e-Security and PGP Corporation. He is the winner of the Social Engineering CTF Black Badge competition at DEF CON 25.

Posts by Chris Kirsch
  • Evaluating and Selecting AppSec Vendors to Fit Your Business Needs

    Application security (AppSec) has seen quite an uptick over the last 10 years, with no signs of slowing down. When your organization is ready to tackle the challenge of building a strong AppSec program, you may find yourself wondering where to plug in various tools and solutions – and even where to start with comparing AppSec vendors. How can you properly evaluate the marketplace and select the…

  • Live from AWS re:Inforce: Learnings from Security Enablement for DevOps at AT&T

    This week, AWS ran its inaugural security conference AWS re:Inforce in Boston. There were several interesting talks at the conference, and I found John Maski’s presentation, “Integrating AppSec in your DevSecOps on AWS,” contained great practical advice. Maski worked for AT&T for 32 years, with his most current role being Director, Production Resiliency & DevSecOps Enablement. He recently…

  • Live From Gartner Security & Risk Mgmt Summit: Starting an AppSec Program, Part 2

    This is part two of a two-part blog series on a presentation by Hooper Kincannon, Cyber Security Engineer at Unum Group, on “Secure from the Start: A Case Study on Software Security” at the Gartner Security & Risk Management Summit in National Harbor, MD. In this presentation, Hooper provided a great blueprint for starting a DevSecOps program. In part one, I summarized how Hooper got buy-in…

  • Live From Gartner Security & Risk Mgmt Summit: Starting a Web Application Security Program

    Bootstrapping an application security program is hard. Technology is only one part of the equation. You need to inventory your applications, get stakeholders on board, and then execute on the holy trinity of people, process, and technology. That’s why I was excited to see Hooper Kincannon, Cyber Security Engineer at Unum Group, present on “Secure from the Start: A Case Study on Software Security…

  • Live From Gartner Security & Risk Mgmt Summit: How to Approach Container Security

    Container security is a topic most security practitioners still find confusing. It’s a new technology that’s spreading fast because of its numerous benefits, and security implications and solutions are evolving just as fast. That’s why I really appreciated Anna Belak’s session “Container Security – From Image Analysis to Network Segmentation” at the Gartner Security & Risk Management Summit in…

  • Live From Gartner Security & Risk Mgmt Summit: Pair Security Trainings With Technical Controls

    “We often forget that technology cannot solve the world’s problems.” That was one of the opening lines of Joanna Huisman’s session “Magic Quadrant for Security Awareness Computer-Based Training” at the Gartner Security & Risk Management Summit in National Harbor, MD. While her Magic Quadrant doesn’t address DevSecOps trainings, I took away some valuable lessons that also apply to this area…

  • Live From Gartner Security & Risk Mgmt Summit: Running Midsize Enterprise Security

    Over the past few months, I’ve experienced an increased interest in DevSecOps from midsize enterprises, so I was especially interested in attending Neil Wynne and Paul Furtado’s session “Outlook for Midsize Enterprise Security and Risk Management 2019” at the Gartner Security & Risk Management Summit in National Harbor, MD this week. 57 Percent of Midsize Enterprises Don’t Have a CISO Gartner…

  • How a Single Phone Call Can Compromise Your Company

    I’d read about social engineering for a few years before I first stepped into the Social Engineering Village at DEF CON 20. But I didn’t grasp the power of this type of attack until I watched a live call during which employees of major companies simply offered up all the information needed to breach their systems – no technology required. I was hooked. In case you’re not familiar with social…