Chris Eng

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.
Posts by Chris Eng

Minimizing the Attack Surface, Part 2

July 7, 2008

I'm finally getting around to finishing my post on minimizing attack surfaces. Here's Part 1, in case you missed it. First, a quick clarification. I noticed that some of the readers who commented on that first post wanted to talk about improving security through the use of various development methodologies or coding frameworks. Those are interesting tangents (and ones that I may write about in... READ MORE

The Government's Top Hackers?

July 1, 2008 3

Popular Mechanics recently published an article about the NSA Red Team, which caught my interest, having been a part of that organization for a short stint back in early 2000. The article does a decent job of describing the Red Team's charter, which is essentially to attack DOD targets in an attempt to simulate real adversaries, not unlike a consultant running a pen test against a corporation... READ MORE

DWR 2.0.5 Fixes XSS Vulnerability

June 29, 2008

DWR 2.0.5 addresses an XSS vulnerability that is likely to be exploitable in most 2.0.4 installations. If your web application uses DWR's Ajax implementation, download and install this update now! As an aside, I've been a fan of DWR for a while now, not only because of its ease of integration but also because it was the first Ajax framework to offer built-in CSRF protection. You could tell that... READ MORE

Why Do I Attend BlackHat?

June 26, 2008

This post is a response to Alan Shimel's Topic of Interest #2 for the Security Bloggers Network. So what motivates me to attend BlackHat? The #1 reason for me is networking -- meeting new people and catching up with old friends and colleagues. Despite our best intentions, we are all busy and our networks are constantly expanding, making it increasingly difficult to stay in touch with old friends... READ MORE

Scrawlr: Are We Being Too Greedy?

June 25, 2008  | 8

HP released a new tool called Scrawlr yesterday that can be used to identify certain types of SQL Injection vulnerabilities in a website. It was a joint effort with Microsoft and a direct response to the mass SQL Injection attacks of late. Scrawlr quickly came under fire on the Web Security mailing list for having some pretty major limitations. Billy Hoffman et al have been quick to point out... READ MORE

Minimizing the Attack Surface, Part 1

June 24, 2008  | 4

What was the first thing you learned about network security? There's a good chance it had something to do with port scanning. After scanning a few boxes, you realized that modern operating systems have a lot of open ports by default, meaning a lot of services. Some had an obvious purpose, like telnet on tcp/23 or ftp fon tcp/21. Others left you wondering, what the heck is listening on tcp/515... READ MORE

Art vs. Science

June 20, 2008  | 6

I was just reading Dre's post, R.I.P. CISSP, over at the tssci security blog, in which he predicts the upcoming OWASP People Certification Project will be the next big thing. This paragraph is quoted from James McGovern's blog (James is the project leader): As an Enterprise Architect, I understand the importance of the ability for a security professional to articulate risk to IT and business... READ MORE

Someone Should Have Told Them How Switches Work

June 17, 2008

From the Burlington Free Press, a story about a local hacking competition set up as a spectator event. Their competition, tantalizingly called a "digital combat exercise," was supposed to give onlookers a rare opportunity to watch a computer hacking job in progress, complete with play-by-play. It didn't work out that way, though, thanks to -- what else? -- some sort of technical glitch that... READ MORE

Trip Report: PH-Neutral

May 28, 2008

I spent the weekend in Berlin attending a conference called PH-Neutral, run primarily by the Phenoelit crew. This was the first European security conference I've attended and I found it quite different from any North American security gathering I've been to, such as BlackHat, CanSecWest, SOURCE Boston, BlueHat, or RSA. Everything was far more casual and laid back, which is something I had heard... READ MORE

Responsible-ish Disclosure

May 8, 2008 3

Yesterday, Dave Lewis over at LiquidMatrix Security Digest cried foul at Core Security for releasing too much detail about a recent DoS vulnerability they had discovered. His specific gripe was that they provided an IDA Pro excerpt that showed where the vulnerability was triggered. The excerpt is short, so I'll even copy/paste it here: .text:00405C1B mov esi, [ebp+dwLen] ; Our value from packet... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.




contact menu