Skip to main content

Chris Eng

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Posts by Chris Eng
  • The Government's Top Hackers?

    Popular Mechanics recently published an article about the NSA Red Team, which caught my interest, having been a part of that organization for a short stint back in early 2000. The article does a decent job of describing the Red Team's charter, which is essentially to attack DOD targets in an attempt to simulate real adversaries, not unlike a consultant running a pen test against a corporation… READ MORE

Stay up to date on Application Security

  • DWR 2.0.5 Fixes XSS Vulnerability

    DWR 2.0.5 addresses an XSS vulnerability that is likely to be exploitable in most 2.0.4 installations. If your web application uses DWR's Ajax implementation, download and install this update now! As an aside, I've been a fan of DWR for a while now, not only because of its ease of integration but also because it was the first Ajax framework to offer built-in CSRF protection. You could tell that… READ MORE

  • Why Do I Attend BlackHat?

    This post is a response to Alan Shimel's Topic of Interest #2 for the Security Bloggers Network. So what motivates me to attend BlackHat? The #1 reason for me is networking -- meeting new people and catching up with old friends and colleagues. Despite our best intentions, we are all busy and our networks are constantly expanding, making it increasingly difficult to stay in touch with old friends… READ MORE

  • Scrawlr: Are We Being Too Greedy?

    HP released a new tool called Scrawlr yesterday that can be used to identify certain types of SQL Injection vulnerabilities in a website. It was a joint effort with Microsoft and a direct response to the mass SQL Injection attacks of late. Scrawlr quickly came under fire on the Web Security mailing list for having some pretty major limitations. Billy Hoffman et al have been quick to point out… READ MORE

  • Minimizing the Attack Surface, Part 1

    What was the first thing you learned about network security? There's a good chance it had something to do with port scanning. After scanning a few boxes, you realized that modern operating systems have a lot of open ports by default, meaning a lot of services. Some had an obvious purpose, like telnet on tcp/23 or ftp fon tcp/21. Others left you wondering, what the heck is listening on tcp/515… READ MORE

  • Art vs. Science
    June 20, 2008
    Art vs. Science

    I was just reading Dre's post, R.I.P. CISSP, over at the tssci security blog, in which he predicts the upcoming OWASP People Certification Project will be the next big thing. This paragraph is quoted from James McGovern's blog (James is the project leader): As an Enterprise Architect, I understand the importance of the ability for a security professional to articulate risk to IT and business… READ MORE

  • Someone Should Have Told Them How Switches Work

    From the Burlington Free Press, a story about a local hacking competition set up as a spectator event. Their competition, tantalizingly called a "digital combat exercise," was supposed to give onlookers a rare opportunity to watch a computer hacking job in progress, complete with play-by-play. It didn't work out that way, though, thanks to -- what else? -- some sort of technical glitch that… READ MORE

  • Trip Report: PH-Neutral

    I spent the weekend in Berlin attending a conference called PH-Neutral, run primarily by the Phenoelit crew. This was the first European security conference I've attended and I found it quite different from any North American security gathering I've been to, such as BlackHat, CanSecWest, SOURCE Boston, BlueHat, or RSA. Everything was far more casual and laid back, which is something I had heard… READ MORE

  • Responsible-ish Disclosure

    Yesterday, Dave Lewis over at LiquidMatrix Security Digest cried foul at Core Security for releasing too much detail about a recent DoS vulnerability they had discovered. His specific gripe was that they provided an IDA Pro excerpt that showed where the vulnerability was triggered. The excerpt is short, so I'll even copy/paste it here: .text:00405C1B mov esi, [ebp+dwLen] ; Our value from packet… READ MORE

  • Dilbert Does Canonicalization

    I was checking out the "new and improved" Dilbert website a few minutes ago, checking out some of the new features and lamenting the overzealous use of Flash. One new feature is called "Mashups." Naturally, you'd assume that this was some fancy Web 2.0 API that one might use to create a "killer app" combining Google Maps, Twitter, traffic delays, police reports, and Dilbert comics, all neatly… READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.