Chris Eng

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Posts by Chris Eng
  • Skype and Critical Mass
    August 20, 2007

    There's been a lot of blogging over the weekend about the 36-hour Skype outage that occurred starting last Thursday. From Skype's official explanation, it wasn't a security-related event -- in other words, Skype wasn't hacked. We have no reason to believe otherwise. However, security and availability are often discussed in the same breath, and lots of people will be speculating about the chain of… READ MORE

  • Software flaws have become serious vulnerabilities for companies today, as the security measures have become much better along the perimeter. And it's not just the flaws in enterprise and ISV code -- even code written by major antivirus companies can be at risk. F-Secure just posted a couple security bulletins around vulnerabilities in their antivirus products. Of particular interest is a buffer… READ MORE

  • Network World recently published an article entitled Cisco says FTP feature in IOS is a hacker backdoor. The opening paragraph reads as follows: Cisco says a flaw in the FTP server utility in its IOS router/switch software could be used as a backdoor by attackers. Do you see the discrepancy? The opening statement is inconsistent with the title of the article. Are they saying that the flaw could… READ MORE

  • [Allow me to introduce Mike VanEmmerik. Mike is one of our engineers, who works closely with Christien Rioux and others on Veracode's analysis engine. Those of you who follow the decompilation community probably recognize his name. We'll have a full bio posted for him soon, and he will be a regular contributor to this blog.] It Couldn't Happen To Us! by Mike VanEmmerik Surely this was what was… READ MORE

  • I never actually posted the rest of my notes from CanSecWest. At this point, I'd be leaning towards leaving it at that, but since I've had a couple requests to finish up, I'll oblige, providing I can still remember the salient points. So without further ado, CanSecWest Day 3: Andrea Barisani and Daniele Bianco from Inverse Path gave an informative and entertaining presentation on Unusual Car… READ MORE

  • Because if you do, you've probably installed QuickTime without realizing it. Why is this relevant? Well, if you've been in a cave for the last week, you may not have heard about the QuickTime/Java vulnerability discovered during the CanSecWest conference, which happens to affect just about anyone with those two applications installed. If you try to uninstall QuickTime, it'll happily oblige, but… READ MORE

  • Slowly but surely, I'm catching up on my blogging backlog. As I posted before, Day 2 of CanSecWest was a long day, with presentations running from 9am to 9pm. Here are some of the highlights: Barnaby Jack's talk, Exploiting Embedded Systems - The Sequel!, was mostly the same as last year's talk with a couple notable exceptions. Last year, he exploited a UPnP stack overflow in the DI-524, while… READ MORE

  • I'll post my thoughts from Days 2 and 3 of CanSecWest pretty soon. Thursday was a marathon 12 hours of talks followed by a Microsoft party, and Friday I went straight from the con to the airport to catch the red-eye back to Boston, so I just haven't gotten around to it. Before I do that, though, let's talk about the "Pwn To Own" contest, which turned out to be interesting.… READ MORE

  • Thought I would post a few thoughts on today's talks: For some reason I expected more out of Jose Nazario's talk on Reverse Engineering Malicious Javascript. Basically, it could be summarized as follows: Use command-line Javascript interpreters such as njs to figure out what obfuscated Javascript does without having to execute the malicious code in the context of a web browser. Near the end, he… READ MORE

  • Landed in Vancouver
    April 17, 2007

    As you may have guessed, I'm out in Vancouver the rest of the week attending CanSecWest. Looking forward to catching up with old friends and former colleagues and meeting more of you lurkers! I am always overly paranoid about getting owned by 0day at these conferences. My work laptop won't run Linux cleanly without rebuilding the kernel, and since I don't have time for that stuff anymore, I'm… READ MORE
