Chris Wysopal

Chris Wysopal, co-founder and CTO of CA Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At CA Veracode, Mr. Wysopal is responsible for the security analysis capabilities of CA Veracode technology.
Posts by Chris Wysopal

Microsoft Rolls Out A Bug Bounty Program With A New Twist

June 19, 2013

2010 was a big year for vendor bug bounty programs. Google announced its program in January with a bounty of $1,337 for high severity security bugs in its Chrome browser. Then in July Mozilla sextupled its bounty to $3000 and the Google program went from “Leet” to “Elite” with an increase of its bounty to $3,133.70. Sensing a trend and a feeling that vendor bug bounties “had arrived” the CA... READ MORE

Developers need more training programs like SAFECode

May 14, 2013

A developer’s main goal usually doesn’t include creating flawless, intrusion-proof applications. In fact the goal is usually to create a working program as quickly as possible. Programmers aren’t security experts, and perhaps they shouldn’t be. But when 70% of applications fail to comply with enterprise security standards (data from CA Veracode SoSS vol 5), it is clear more attention needs to... READ MORE

Web-based threats finally getting the respect they deserve?

April 23, 2013  | Research

The recently released Microsoft Security Intelligence Report shows that web-based propagation vectors have surpassed traditional malware propagation vectors as the largest threats to distributed network environments. While I agree with Microsoft’s assessment of the threat landscape, I don’t think this is anything new; it is just the current state of a long-running trend. Back in 2008... READ MORE

Stolen Data Headers from the Federal Reserve Hack

February 6, 2013  | Research

Just another day at the office. Anonymous hacked into a Federal Reserve computer. Wait, what? Don’t worry, the attackers did not make off with any money, as far as we can tell, or disrupt any critical functions. What did they get? Just the details of 4000 bank executives. The data has been posted to pastebin and hosted on several compromised sites including other government sites. Someone... READ MORE

Security Debt and Vulnerability Supply Chains

November 16, 2012

When we were kicking around ideas for a new SoSS supplement, I thought the vendor testing angle could be interesting. We had just launched our VAST program, so the topic made our marketing folks happy, but I also think the supply chain analogy can be an interesting lens through which to view the security industry. We can think about the software supply chain as the vulnerability supply chain. In a sense... READ MORE

Never Attribute to Malice, but Always Verify

October 15, 2012

When I read the New York Times BITS article “The Dangers of Allowing an Adversary Access to a Network” by John Markoff, I thought the fear of trojaned vendor products is misplaced. The much bigger problem is vulnerable products. To cyber security experts, a serious vulnerability is indistinguishable from a backdoor as both allow an adversary to take control of a system or device. Yet the U.S.... READ MORE

Moving From Poisoning the Ocean to Poisoning the Watering Hole

September 26, 2012

RSA has published "THE VOHO CAMPAIGN: AN IN DEPTH ANALYSIS", which describes an APT-style campaign against several targets. The campaign used malicious content on several websites dubbed "watering holes" in order to compromise the campaign target's client machines. Injecting malicious content into vulnerable websites that will then become a drive-by client attack on a website visitor is old news... READ MORE

Announcing New eBook - Mobile Security For The Rest Of Us

June 11, 2012


Verizon Data Breach Investigative Report 2012 -- Application Security Specific Highlights

March 22, 2012

Verizon just released its 2012 Data Breach Investigative Report which contains findings contributed by global agencies such as the U.S. Secret Service, the Dutch High Tech Crime Unit, the Irish Reporting and Information Service, the Australian Federal Police and the London Metropolitan Police. I thought it would be good to put together a quick summary covering application security specific... READ MORE

Demystifying Binary Static Analysis

March 12, 2012

Last Wednesday I was honored to be able to present a talk on Binary Static Analysis to an Intro to Security class at Tufts University. The instructor, Ming Chow, approached me to speak to his class as he likes to bring in security practitioners who are delivering security to their customers. There does seem to be some mystery still to static binary analysis even though CA Veracode has been... READ MORE
