Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.
Software development is ever-evolving, and with that demand for innovation and scale comes the need to ensure software is secure. Many enterprise organizations have invested in AppSec to help them identify security flaws throughout the development process. However, within higher education, secure coding skills are often not part of computer science or software engineering curriculums. At Tufts… READ MORE ›
Stay up to date on Application Security
When I studied computer science in college, the curriculum wasn’t designed to teach all the different programming languages with the goal of becoming as “multi-lingual” as possible. Instead we focused on conceptual areas -- data structures, machine structures, algorithms, etc. The languages with which you chose to illustrate those concepts were secondary to the concepts themselves. I believe most… READ MORE ›
- "We Don't Sell It? Then It's Not Important"July 6, 2011
[UPDATE: Since there seems to be some confusion, the "We" in the title of this post is NOT "Veracode". The expression is a generic one intended to illustrate the attitude exhibited by many companies who like to downplay the value and/or effectiveness of technologies that they themselves do not sell. I can't believe I am having to explain this.] Fair warning, this is a bit of a rant. Back in my… READ MORE ›
As application inventories have become larger, more diverse, and increasingly complex, organizations have struggled to build application security testing programs that are effective and scalable. New technologies and methodologies promise to help streamline the Secure Development Lifecycle (SDLC), making processes more efficient and easing the burden of information overload. In the realm of… READ MORE ›
- HTML5 Security in a NutshellMay 17, 2010
Lots of people have been asking us for opinions on HTML5 security lately. Chris and I discussed the potential attack vectors with the Veracode research team, most notably Brandon Creighton and Isaac Dawson. Here's some of what we came up with. Keep in mind that the HTML5 spec and implementations are still evolving, particularly with respect to security concerns, so we shouldn’t assume any of this… READ MORE ›
- Is Your BlackBerry App Spying on You?February 7, 2010
[UPDATE, 2/10/2010: We've written a follow-up blog post to address some of the questions and misconceptions we've been seeing.]Tyler Shields gave a presentation earlier today at ShmooCon 2010 on the threats of mobile spyware, particularly as it relates to data privacy. Smart phones and mobile applications have grown tremendously popular over the past couple of years, and it seemed like an… READ MORE ›
- But That's Impossible!May 19, 2009
In lieu of actual technical content, and inspired by Jeremiah's blog post, 8 reasons why website vulnerabilities are not fixed, I started thinking about all the different manifestations of reason #8, "No one at the organization knows about, understands, or respects the issue." I polled the Veracode research group, most of whom have been security consultants at one time or another, and ask them… READ MORE ›
- How To Protect Your Users From Password TheftJanuary 26, 2009
Monster.com recently disclosed yet another major breach that compromised the personal data of over 1.3 million users. This is not unlike the previous breach in August 2007, though the attack vector was likely different. From a notice on their website (emphasis mine): We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs… READ MORE ›
- How Boring Flaws Become InterestingJanuary 20, 2009
One of the great challenges for consumers of static analysis products, particularly desktop tools, is dealing with the large flaw counts. You have to wade through the findings to decide what to fix and when, which can be a daunting task. At Veracode, we continuously update our analysis engine to aggressively reduce false positives, thereby enabling our customers to more efficiently triage their… READ MORE ›
Last week, during the OWASP AppSec 2008 Conference, the people behind the ubiquitous CISSP certification announced their latest creation -- the Certified Software Security Lifecycle Professional (CSSLP). In front of a captive audience waiting for a 42" plasma TV to be raffled, the Executive Director of (ISC)2 outlined this new certification designed to appeal to application security… READ MORE ›
Application Security Tool Kit
Love to learn about Application Security?
Get all the latest news, tips and articles delivered right to your inbox.
No thanks, back to the article please.