Chris Eng

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.
Posts by Chris Eng

Squashing Ants: The Dynamics of XSS Remediation

September 27, 2010  | 11

Is anyone else getting tired of hearing excuses from customers -- and worse yet, the security community itself -- about how hard it is to fix cross-site scripting (XSS) vulnerabilities? Oh, come on. Fixing XSS is like squashing ants, but some would have you believe it's more like slaying dragons. I haven't felt inspired to write a blog post in a while, but every once in a while, 140 characters...

HTML5 Security in a Nutshell

May 17, 2010  | 10

Lots of people have been asking us for opinions on HTML5 security lately. Chris and I discussed the potential attack vectors with the Veracode research team, most notably Brandon Creighton and Isaac Dawson. Here's some of what we came up with. Keep in mind that the HTML5 spec and implementations are still evolving, particularly with respect to security concerns, so we shouldn't assume any of this...

Veracode at RSA 2010

February 26, 2010

Here's a quick post to let you know all the places to get your Veracode fix at RSA Conference 2010. On the Expo floor, we'll be in booth 729. I'll be at the booth for a few hours on Tuesday and Wednesday. Stop by if you'd like to talk about our service offerings, get a quick demo, or just say hello. On Monday morning at 9:25am, Ashish Larivee will be giving a presentation, Metrics for Insights...

In Which We Dispel Misconceptions

February 10, 2010  | 3

Some of the media coverage to date has described Tyler Shields' proof-of-concept spyware as a "BlackBerry hack", much to our chagrin. In this blog post, we'd like to clarify some of the misconceptions that have surfaced both in the media and in the BlackBerry user community. Feel free to post additional questions in the comments section and we'll do our best to respond. Q: This isn't a real hack...

Is Your BlackBerry App Spying on You?

February 7, 2010  | 6

[UPDATE, 2/10/2010: We've written a follow-up blog post to address some of the questions and misconceptions we've been seeing.] Tyler Shields gave a presentation earlier today at ShmooCon 2010 on the threats of mobile spyware, particularly as it relates to data privacy. Smart phones and mobile applications have grown tremendously popular over the past couple of years, and it seemed like an...

An Ounce of Prevention is Worth a Pound of Cure

November 20, 2009  | 8

A conversation on Twitter this morning started out like this: @dinozaizovi: Finding vulnerabilities without exploiting them is like putting on a dress when you have nowhere to go. This clever analogy spurred a discussion about the importance of proving exploitability as a prerequisite to fixing bugs. While I agree that nothing is more convincing than a working exploit, there will...

BlackHat Picks 2009

July 23, 2009

It's time for the yearly BlackHat picks. Without further ado, here's where you'll have a good chance of finding me next week. Of course, you know what they say about the best laid schemes -- there is no way I will actually make it to all of these, but as of now, this is what's caught my interest: Day 1: John McDonald & Chris Valasek: Practical Windows XP/2003 Heap Exploitation; Andrea Barisani...

BlackBerry Spyware Dissected

July 15, 2009  | 12

Yesterday it was reported by various media outlets that a recent BlackBerry software update from Etisalat (a UAE-based carrier) contained spyware that would intercept emails and text messages and send copies to a central Etisalat server. We decided to take a look to find out more. We're not sure why the software was delivered in both .jar and .cod form. The .cod file is a RIM proprietary...

Even Government Censors Demand Secure Software

June 15, 2009

As of July 1, all personal computers sold in China must be pre-installed with content filtering software called Green Dam. The officially stated goal is to protect children from online pornography, but naturally, the technology will also serve to "protect" viewers from offensive text and images such as politically sensitive content. Subsequent to this announcement, researchers at the University...

But That's Impossible!

May 19, 2009  | 25

In lieu of actual technical content, and inspired by Jeremiah's blog post, 8 reasons why website vulnerabilities are not fixed, I started thinking about all the different manifestations of reason #8, "No one at the organization knows about, understands, or respects the issue." I polled the Veracode research group, most of whom have been security consultants at one time or another, and asked them...
