Skip to main content

Chris Eng

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Posts by Chris Eng
  • Why bother setting up dedicated websites to host malicious content when you can just infect trusted sites like BusinessWeek? This is becoming something of a trend, as evidenced by the mass SQL Injection attacks from a few months ago. The idea is simple -- find SQL Injection vulnerabilities in high-traffic, trusted websites where the site's content is dynamically fetched from a database (i.e. just… READ MORE

Stay up to date on Application Security

  • Earlier today, the US District Court dealt a victory to the MBTA hackers and the EFF, lifting the injunction issued on August 9th to prevent the three MIT students from presenting their findings at DEFCON 16. In summary: The lawsuit claimed that the students' planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares. A… READ MORE

  • BlackHat Recap
    August 12, 2008

    Another BlackHat has come and gone. As usual, it was a very busy week juggling customer meetings, recruiting, conference planning, vendor parties, and, oh yes, the actual BlackHat presentation My favorite talk, as expected, was the Sotirov/Dowd talk on "How To Impress Girls With Browser Memory Protection Bypasses". The attack is a conceptually simple, yet completely reliable technique for… READ MORE

  • BlackHat Picks, Day 2
    August 4, 2008

    Here's the rest of my list: 10:00-11:00 FX, Developments in Cisco IOS Forensics. 11:15-12:30 Oliver Friedrichs, Threats to the 2008 Presidential Election (and more). 13:45-15:00 Option 1: Scott Stender, Concurrency Attacks in Web Applications. Option 2: Travis Goodspeed, Side-channel Timing Attacks on MSP430 Microcontroller Firmware. 15:15-16:30 Option 1: Alexander Sotirov and Mark Dowd, How To… READ MORE

  • BlackHat Picks, Day 1
    July 28, 2008

    Well, it's almost BlackHat time. Here are my picks so far for Day 1. As you can see, I still haven't narrowed it down completely. 11:15-12:30 Option 1: Dan Kaminsky, "DNS Goodness". On one hand, the DNS vulnerability is already public; on the other hand, the talk will probably still be interesting even if the 0day hype is missing. Option 2: Nate Lawson, "Highway to Hell: Hacking Toll Systems". My… READ MORE

  • By now, you probably know that details of the DNS vulnerability have leaked. Halvar Flake speculated on DailyDave and the momentum built from there, despite the fact that his guess was short on a few key details. I don't need to rehash the full technical details here; by now, they are easy enough to find with a couple Google searches. When Slashdot picks up the story, it's hardly a secret any… READ MORE

  • Despite what various commenters around the blogosphere think (I've read a few but can't find the links now), Dan Kaminsky's online "Check My Dns" utility doesn't: Poison anybody's DNS cache Expose how the actual exploit works   What it does is check whether your ISP's DNS server is patched. Plain and simple. It looks for one thing -- source port randomization. This does not give away the… READ MORE

  • The security community is cynical. So much so, that most of the chatter that's taken place over the past 24-36 hours has suggested that Kaminsky's DNS vulnerability was little more than a publicity stunt and that his BlackHat presentation would be an over-hyped rehash of prior art. Granted, one has to suspend disbelief to even consider that something monumental would be discovered in DNS -- that'… READ MORE

  • Rich Mogull's executive overview of Dan Kaminsky's latest DNS vulnerability fluffed a few feathers yesterday: The good news is that due to the nature of this problem, it is extremely difficult to determine the vulnerability merely by analyzing the patches; a common technique malicious individuals use to figure out security weaknesses. The typical response I heard was "what do you mean, it can't… READ MORE

  • I'm finally getting around to finishing my post on minimizing attack surfaces. Here's Part 1, in case you missed it. First, a quick clarification. I noticed that some of the readers who commented on that first post wanted to talk about improving security through the use of various development methodologies or coding frameworks. Those are interesting tangents (and ones that I may write about in… READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.