Skip to main content

Chris Eng

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Posts by Chris Eng
  • Best Practice: Consider External Data Feeds Untrusted

    If you visit this article on the New York Times website, you'll get immediately redirected to the website containing the original content of the article. [UPDATE: they fixed it, so it won't redirect you anymore] Why does this happen, you ask? Apparently the New York Times ingests various third-party news feeds, wraps the article in the New York Times template, and serves it up. Here's… READ MORE

Stay up to date on Application Security

  • Decoding the Verizon DBIR 2009 Cover

    As you probably know by now, the pattern of 1s and 0s on the cover of the 2009 Verizon Data Breach Investigations Report contains a hidden message. I decided to give it a whirl and eventually figured it out. No doubt plenty of people managed to beat me to it, as evidenced by the fact that I didn't get my solution in early enough to win the cash prize -- but so far, I haven't seen anybody write up… READ MORE

  • Panel: Source Code vs. Binary Code Analysis

    If you're at RSA this week, be sure to check out this panel discussion, featuring Veracode's Chris Wysopal along with Jerry Archer, Mary Ann Davidson, and Brian Chess. Abstract as follows: The growth of Web 2.0 has highlighted two significant trends in application security. First, as the network has hardened, attacks against applications have dramatically increased. Second, an explosion in use of… READ MORE

  • Failing to Check Error Conditions Could Get You Sued

    The Ontario Lottery and Gaming Corp. is in a bit of hot water after refusing to pay a $42.9 million jackpot: According to the statement, Kusznirewicz was playing an OLG slot machine called Buccaneer at Georgian Downs in Innisfil, Ont., on Dec. 8 when it showed he had won $42.9 million. When the machine's winning lights and sounds were activated, an OLG floor attendant initially told Kusznirewicz… READ MORE

  • How To Protect Your Users From Password Theft recently disclosed yet another major breach that compromised the personal data of over 1.3 million users. This is not unlike the previous breach in August 2007, though the attack vector was likely different. From a notice on their website (emphasis mine): We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs… READ MORE

  • How Boring Flaws Become Interesting

    One of the great challenges for consumers of static analysis products, particularly desktop tools, is dealing with the large flaw counts. You have to wade through the findings to decide what to fix and when, which can be a daunting task. At Veracode, we continuously update our analysis engine to aggressively reduce false positives, thereby enabling our customers to more efficiently triage their… READ MORE

  • Tallying Twitter's Application Security Best Practice Violations

    If you were paying attention the last few days, you've probably read about the wave of attacks launched against the popular Twitter service. It started over the weekend, with a series of phishing attacks sent to unsuspecting Twittizens via Direct Message. Then, on Monday morning, Fox News announced Bill O'Riley (sic) was gay, CNN anchor Rick Sanchez tweeted that he was high on crack, and the… READ MORE

  • Credit Cards Failing Open
    October 30, 2008
    Credit Cards Failing Open

    Most consumers are aware that when you close a credit card account, it's not really closed. For "convenience" reasons, recurring subscription charges such as your cable bill will continue to be approved. You can kind of see where the credit card companies are coming from, but it's a pretty weak argument. The cable company just needs to notify me that the credit card on file is no longer valid,… READ MORE

  • (ISC)2's Newest Cash Cow: The CSSLP Certification

    Last week, during the OWASP AppSec 2008 Conference, the people behind the ubiquitous CISSP certification announced their latest creation -- the Certified Software Security Lifecycle Professional (CSSLP). In front of a captive audience waiting for a 42" plasma TV to be raffled, the  Executive Director of (ISC)2  outlined this new certification designed to appeal to… READ MORE

  • Speculation on Palin E-mail Hack

    Assuming the mailbox hack is not an elaborate ruse, how did they do it? Almost as bad as the Sprint PCS password reset fiasco that made the news in April, here is the Yahoo Mail password reset screen: As you can see, you need to know the user's birthday, country of residence, and postal code. Not difficult information to dig up in Palin's case. After you enter this information correctly, you are… READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.