Chris Eng

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.
Posts by Chris Eng

Vulnerability Response Done Right

January 5, 2012 | 3

Here's a feel-good story to start the new year. Just before the holidays, we detected a cross-site scripting (XSS) vulnerability while running a web application scan for one of our customers. Nothing special about that; we detect thousands of these things every week. But as we discussed this particular finding, we noticed that the layout of the website looked... familiar. As it turned out, the...

State of Software Security, Volume 4

December 7, 2011

Today we're releasing Volume 4 of our semi-annual State of Software Security report. This edition incorporates data from 9,910 application builds (twice as many as last time) analyzed via our cloud-based platform over the past 18 months. In this edition, we also discuss how the threat landscape has evolved during 2011 and how we've adapted our analysis and evaluation criteria to account for those...

Stay Cool, Nobody is Calling Your Baby Ugly

October 21, 2011

Let me start by saying I have a great deal of respect for Dinis Cruz. He's tremendously passionate about application security and has made numerous contributions to the community through his involvement with OWASP. We even sat on a panel together recently. But I was taken aback by a presentation he gave at OWASP AppSec Brazil entitled Making Security Invisible by Becoming the Developer's Best...

"We Don't Sell It? Then It's Not Important"

July 6, 2011 | 5

[UPDATE: Since there seems to be some confusion, the "We" in the title of this post is NOT "Veracode". The expression is a generic one intended to illustrate the attitude exhibited by many companies who like to downplay the value and/or effectiveness of technologies that they themselves do not sell. I can't believe I am having to explain this.] Fair warning, this is a bit...

State of Software Security, Volume 3

April 19, 2011 | 3

It's here! Data junkies rejoice! Today we're proud to release the third volume of our semi-annual State of Software Security report. This edition incorporates data from 4,835 applications analyzed via our cloud-based platform over the past 18 months. After lots of number crunching and a fair amount of head scratching, we've unearthed some intriguing findings that reflect the progress (or lack...

Please Jump Off the APT Bandwagon

March 25, 2011 | 4

One of the comments I heard repeatedly at the RSA Conference was that many vendors on the expo floor were jumping on the Advanced Persistent Threat (APT) bandwagon, handwaving wildly and claiming disingenuously that their product -- or "solution" to be even more self-aggrandizing -- would protect against APTs. That, combined with the RSA SecurID breach last week and a recent article by...

2011 Security Blogger Awards

February 22, 2011

The 3rd Annual Social Security Blogger Awards were announced last week during the RSA Conference in San Francisco. Veracode received two awards, one for Best Corporate Blog and the other for Best Security Blog Post of the Year. Here is a list of all the nominees and the award winners. It's always an honor to be recognized by peers, so on behalf of all the Veracode bloggers, thank you for reading...

Free XSS Scanning for the Masses

January 31, 2011

We're very excited here at Veracode to announce the availability of our new FREE service to detect cross-site scripting (XSS) in your web application. This is a significant milestone for our company and for the security industry, and we encourage everyone from small ISVs to major enterprises to give us a try. Hopefully this will be one of the first steps in the long road to eliminating XSS; after...

Whitepaper: A Dose of Reality on Automated Static-Dynamic Hybrid Analysis

December 7, 2010

As application inventories have become larger, more diverse, and increasingly complex, organizations have struggled to build application security testing programs that are effective and scalable. New technologies and methodologies promise to help streamline the Secure Development Lifecycle (SDLC), making processes more efficient and easing the burden of information overload. In the realm of...

How to Become an Information Security Thought Leader

December 3, 2010 | 6

I created this video for an internal Veracode video contest. It's intended to poke fun at the abundance of "thought leaders" we have in our industry. I shared it on Twitter yesterday but thought I would post here on the blog as well. A handful of people have asked if it's meant to satirize any particular person -- sorry to disappoint, it's just a composite. Enjoy!
