Chris Eng

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.
Posts by Chris Eng

Best Practice: Consider External Data Feeds Untrusted

May 4, 2009 | 3

If you visit this article on the New York Times website, you'll get immediately redirected to the website containing the original content of the article. [UPDATE: they fixed it, so it won't redirect you anymore] Why does this happen, you ask? Apparently the New York Times ingests various third-party news feeds, wraps the article in the New York Times template, and serves it up. Here's... READ MORE
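The failure mode in this teaser is a site wrapping syndicated HTML in its own template and serving it verbatim. As an added example, not code from the original post or from the New York Times, the allowlist sanitizer below rebuilds a feed-supplied article body from a small set of permitted tags and attributes and drops anything that could redirect or run script in the wrapping site's origin. The sample feed body is constructed for this example; the assumption that the redirect came from a `<meta http-equiv="refresh">` or `<script>` in the ingested markup is labelled as such and is not stated by the post.

```python
# Added example: allowlist sanitizer for HTML ingested from a third-party feed.
# Assumption (not from the post): the syndicated article body is an HTML
# fragment that may carry <meta http-equiv="refresh">, <script>, javascript:
# links or event-handler attributes, any of which would act in the wrapping
# site's origin if served as-is.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "br", "blockquote", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href"}}          # everything else (onclick, style, ...) is dropped
SAFE_URL_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br"}


class FeedSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes. Unknown tags are stripped but
    their text is kept; dangerous containers lose their content as well."""

    DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0   # >0 while inside a dropped container

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in self.DROP_WITH_CONTENT:
                self._skip_depth += 1
            return
        if tag in self.DROP_WITH_CONTENT:
            self._skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                      # <meta>, <form>, <div>, ...: tag removed, text kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                value = (value or "").strip()
                # Rejects javascript:, data:, vbscript:, protocol-relative URLs, etc.
                if not value.lower().startswith(SAFE_URL_SCHEMES):
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in self.DROP_WITH_CONTENT:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_feed_html(fragment: str) -> str:
    """Return a cleaned HTML fragment safe to embed in the site's own template."""
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample feed body (not a real payload): a redirecting meta tag,
# a redirecting script, an inline event handler, a javascript: link, an iframe.
SAMPLE_FEED_BODY = (
    '<meta http-equiv="refresh" content="0;url=http://example.org/original">'
    '<script>location.href="http://example.org/original"</script>'
    '<p onclick="alert(1)">Wire story <a href="javascript:alert(1)">link</a>'
    ' and <a href="http://example.org/story">source</a>.</p>'
    '<iframe src="http://example.org/"></iframe>'
)

if __name__ == "__main__":
    print(sanitize_feed_html(SAMPLE_FEED_BODY))
```

The sanitizer is deliberately an allowlist: a blocklist of "bad" tags misses the next attribute or scheme an attacker tries, whereas an allowlist only ever grows when you decide a construct is needed. Python's `HTMLParser` is tolerant of malformed markup but does not mirror every browser parsing quirk, so for production ingestion pipelines use a maintained HTML sanitizer library and treat the feed body as untrusted input at the point of storage, not only at render time.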

Decoding the Verizon DBIR 2009 Cover

April 27, 2009 | 9

As you probably know by now, the pattern of 1s and 0s on the cover of the 2009 Verizon Data Breach Investigations Report contains a hidden message. I decided to give it a whirl and eventually figured it out. No doubt plenty of people managed to beat me to it, as evidenced by the fact that I didn't get my solution in early enough to win the cash prize -- but so far, I haven't seen anybody write up... READ MORE

Panel: Source Code vs. Binary Code Analysis

April 20, 2009

If you're at RSA this week, be sure to check out this panel discussion, featuring Veracode's Chris Wysopal along with Jerry Archer, Mary Ann Davidson, and Brian Chess. Abstract as follows: The growth of Web 2.0 has highlighted two significant trends in application security. First, as the network has hardened, attacks against applications have dramatically increased. Second, an explosion in use of... READ MORE

Failing to Check Error Conditions Could Get You Sued

March 30, 2009

The Ontario Lottery and Gaming Corp. is in a bit of hot water after refusing to pay a $42.9 million jackpot: According to the statement, Kusznirewicz was playing an OLG slot machine called Buccaneer at Georgian Downs in Innisfil, Ont., on Dec. 8 when it showed he had won $42.9 million. When the machine's winning lights and sounds were activated, an OLG floor attendant initially told Kusznirewicz... READ MORE

How To Protect Your Users From Password Theft

January 26, 2009 | 11

Monster.com recently disclosed yet another major breach that compromised the personal data of over 1.3 million users. This is not unlike the previous breach in August 2007, though the attack vector was likely different. From a notice on their website (emphasis mine): We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs... READ MORE

How Boring Flaws Become Interesting

January 20, 2009 | 7

One of the great challenges for consumers of static analysis products, particularly desktop tools, is dealing with the large flaw counts. You have to wade through the findings to decide what to fix and when, which can be a daunting task. At Veracode, we continuously update our analysis engine to aggressively reduce false positives, thereby enabling our customers to more efficiently triage their... READ MORE

Tallying Twitter's Application Security Best Practice Violations

January 7, 2009 | 3

If you were paying attention the last few days, you've probably read about the wave of attacks launched against the popular Twitter service. It started over the weekend, with a series of phishing attacks sent to unsuspecting Twittizens via Direct Message. Then, on Monday morning, Fox News announced Bill O'Riley (sic) was gay, CNN anchor Rick Sanchez tweeted that he was high on crack, and the... READ MORE

Credit Cards Failing Open

October 30, 2008 | 11

Most consumers are aware that when you close a credit card account, it's not really closed. For "convenience" reasons, recurring subscription charges such as your cable bill will continue to be approved. You can kind of see where the credit card companies are coming from, but it's a pretty weak argument. The cable company just needs to notify me that the credit card on file is no longer valid,... READ MORE

(ISC)2's Newest Cash Cow: The CSSLP Certification

September 29, 2008 | Research | 23

Last week, during the OWASP AppSec 2008 Conference, the people behind the ubiquitous CISSP certification announced their latest creation -- the Certified Software Security Lifecycle Professional (CSSLP). In front of a captive audience waiting for a 42" plasma TV to be raffled, the Executive Director of (ISC)2 outlined this new certification designed to appeal to... READ MORE

Speculation on Palin E-mail Hack

September 17, 2008 | 8

Assuming the mailbox hack is not an elaborate ruse, how did they do it? Almost as bad as the Sprint PCS password reset fiasco that made the news in April, here is the Yahoo Mail password reset screen: As you can see, you need to know the user's birthday, country of residence, and postal code. Not difficult information to dig up in Palin's case. After you enter this information correctly, you are... READ MORE
