Chris Eng

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Posts by Chris Eng
  • Delivering Unhappiness
    January 16, 2012

    You've probably read by now that online retailer Zappos suffered a security breach affecting over 24 million customers. As a Zappos customer, I received the email last night alerting me about the breach. I got a nearly identical email from their sister company,, as well. This is a clear sign that I buy too many shoes. What's interesting to me about this breach is that Zappos is renowned…

  • Vulnerability Response Done Right

    Here's a feel good story to start the new year. Just before the holidays, we detected a cross-site scripting (XSS) vulnerability while running a web application scan for one of our customers. Nothing special about that; we detect thousands of these things every week. But as we discussed this particular finding, we noticed that the layout of the website looked... familiar. As it turned out, the…

  • State of Software Security, Volume 4

    Today we're releasing Volume 4 of our semi-annual State of Software Security report. This edition incorporates data from 9,910 application builds (twice as many as last time) analyzed via our cloud-based platform over the past 18 months. In this edition, we also discuss how the threat landscape has evolved during 2011 and how we've adapted our analysis and evaluation criteria to account for those…

  • Stay Cool, Nobody is Calling Your Baby Ugly

    Let me start by saying I have a great deal of respect for Dinis Cruz. He's tremendously passionate about application security and has made numerous contributions to the community through his involvement with OWASP. We even sat on a panel together recently. But I was taken aback by a presentation he gave at OWASP AppSec Brazil entitled Making Security Invisible by Becoming the Developer's Best…

  • "We Don't Sell It? Then It's Not Important"

    [UPDATE: Since there seems to be some confusion, the "We" in the title of this post is NOT "Veracode". The expression is a generic one intended to illustrate the attitude exhibited by many companies who like to downplay the value and/or effectiveness of technologies that they themselves do not sell. I can't believe I am having to explain this.] Fair warning, this is a bit of a rant. Back in my…

  • State of Software Security, Volume 3

    It's here! Data junkies rejoice! Today we're proud to release the third volume of our semi-annual State of Software Security report. This edition incorporates data from 4,835 applications analyzed via our cloud-based platform over the past 18 months. After lots of number crunching and a fair amount of head scratching, we've unearthed some intriguing findings that reflect the progress (or lack…

  • Please Jump Off the APT Bandwagon

    One of the comments I heard repeatedly at the RSA Conference was that many vendors on the expo floor were jumping on the Advanced Persistent Threat (APT) bandwagon, handwaving wildly and claiming disingenuously that their product -- or "solution" to be even more self-aggrandizing -- would protect against APTs. That, combined with the RSA SecurID breach last week and a recent article by Bill…

  • 2011 Security Blogger Awards
    February 22, 2011

    The 3rd Annual Social Security Blogger Awards were announced last week during the RSA Conference in San Francisco. Veracode received two awards, one for Best Corporate Blog and the other for Best Security Blog Post of the Year. Here is a list of all the nominees and the award winners. It's always an honor to be recognized by peers, so on behalf of all the Veracode bloggers, thank you for reading…

  • Free XSS Scanning for the Masses

    We're very excited here at Veracode to announce the availability of our new FREE service to detect cross-site scripting (XSS) in your web application. This is a significant milestone for our company and for the security industry, and we encourage everyone from small ISVs to major enterprises to give us a try. Hopefully this will be one of the first steps in the long road to eliminating XSS; after…

  • Whitepaper: A Dose of Reality on Automated Static-Dynamic Hybrid Analysis

    As application inventories have become larger, more diverse, and increasingly complex, organizations have struggled to build application security testing programs that are effective and scalable. New technologies and methodologies promise to help streamline the Secure Development Lifecycle (SDLC), making processes more efficient and easing the burden of information overload. In the realm of…
