Skip to main content

Chris Eng

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Posts by Chris Eng
  • How to Become an Information Security Thought Leader

    I created this video for an internal Veracode video contest. It's intended to poke fun at the abundance of "thought leaders" we have in our industry. I shared it on Twitter yesterday but thought I would post here on the blog as well. A handful of people have asked if it's meant to satirize any particular person -- sorry to disappoint, it's just a composite. Enjoy! READ MORE

Stay up to date on Application Security

  • Squashing Ants: The Dynamics of XSS Remediation

    Is anyone else getting tired of hearing excuses from customers -- and worse yet, the security community itself -- about how hard it is to fix cross-site scripting (XSS) vulnerabilities? Oh, come on. Fixing XSS is like squashing ants, but some would have you believe it's more like slaying dragons. I haven't felt inspired to write a blog post in a while, but every once in a while, 140 characters… READ MORE

  • HTML5 Security in a Nutshell

    Lots of people have been asking us for opinions on HTML5 security lately. Chris and I discussed the potential attack vectors with the Veracode research team, most notably Brandon Creighton and Isaac Dawson. Here's some of what we came up with. Keep in mind that the HTML5 spec and implementations are still evolving, particularly with respect to security concerns, so we shouldn’t assume any of this… READ MORE

  • Veracode at RSA 2010
    February 26, 2010
    Veracode at RSA 2010

    Here's a quick post to let you know all the places to get your Veracode fix at RSA Conference 2010. On the Expo floor, we'll be in booth 729. I'll be at the booth for a few hours on Tuesday and Wednesday. Stop by if you'd like to talk about our service offerings, get a quick demo, or just say hello. On Monday morning at 9:25am, Ashish Larivee will be giving a presentation, Metrics for Insights on… READ MORE

  • In Which We Dispel Misconceptions

    Some of the media coverage to date has described Tyler Shields' proof-of-concept spyware as a "BlackBerry hack", much to our chagrin. In this blog post, we'd like to clarify some of the misconceptions that have surfaced both in the media and in the BlackBerry user community. Feel free to post additional questions in the comments section and we'll do our best to respond. Q: This isn't a real hack… READ MORE

  • Is Your BlackBerry App Spying on You?

    [UPDATE, 2/10/2010: We've written a follow-up blog post to address some of the questions and misconceptions we've been seeing.] Tyler Shields gave a presentation earlier today at ShmooCon 2010 on the threats of mobile spyware, particularly as it relates to data privacy. Smart phones and mobile applications have grown tremendously popular over the past couple of years, and it seemed like an… READ MORE

  •  An Ounce of Prevention is Worth a Pound of Cure

    A conversation on Twitter this morning started out like this: @dinozaizovi: Finding vulnerabilities without exploiting them is like putting on a dress when you have nowhere to go. This clever analogy spurred a discussion about the importance of proving exploitability as a prerequisite to fixing bugs. While I agree that nothing is more convincing than a working exploit, there will… READ MORE

  • BlackHat Picks 2009
    July 23, 2009
    BlackHat Picks 2009

    It's time for the yearly BlackHat picks. Without further ado, here's where you'll have a good chance of finding me next week. Of course, you know what they say about the best laid schemes -- there is no way I will actually make it to all of these, but as of now, this is what's caught my interest: Day 1 John McDonald & Chris Valasek: Practical Windows XP/2003 Heap Exploitation Andrea Barisani… READ MORE

  • BlackBerry Spyware Dissected

    Yesterday it was reported by various media outlets that a recent BlackBerry software update from Etisalat (a UAE-based carrier) contained spyware that would intercept emails and text messages and send copies to a central Etisalat server. We decided to take a look to find out more. We're not sure why the software was delivered in both .jar and .cod form. The .cod file is a RIM proprietary format… READ MORE

  • Even Government Censors Demand Secure Software

    As of July 1, all personal computers sold in China must be pre-installed with content filtering software called Green Dam. The officially stated goal is to protect children from online pornography, but naturally, the technology will also serve to "protect" viewers from offensive text and images such as politically sensitive content. Subsequent to this announcement, researchers at the University… READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.