Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
Posts by Chris Wysopal

Demystifying Binary Static Analysis

March 12, 2012

Last Wednesday I was honored to be able to present a talk on Binary Static Analysis to an Intro to Security class at Tufts University. The instructor, Ming Chow, approached me to speak to his class as he likes to bring in security practitioners who are delivering security to their customers. There does seem to be some mystery still to static binary analysis even though Veracode has been delivering... READ MORE

FBI Gets Bitten by Operational Security

February 7, 2012

At corporations and government offices around the world a security failure happens every day. Employees forward confidential calendar events and messages to personal calendars and personal email accounts. This may make their jobs easier but it can put their companies at risk. A recent security incident involving the FBI can teach us something about corporate security. Excerpts in italics from... READ MORE

ICS-CERT Warns of Backdoors in Standard Network Module

December 14, 2011

ICS-CERT warns of backdoors in a standard network module for control systems. The type of equipment is the Schneider Electric Quantum Ethernet Module. Both static passwords and a remotely accessible debug service were found. Backdoors in industrial control systems: these backdoor revelations in industrial control equipment are becoming frequent. Earlier this year Dillon Beresford found similar... READ MORE

State of Software Security Report Launched Today!

December 7, 2011

Since our last report, the risks associated with vulnerable software deployed in enterprise environments have been highlighted in the news on nearly a weekly basis. The majority of reported breaches that exposed customer data or intellectual property were caused by attackers exploiting weaknesses in web applications or desktop software. We have also witnessed the rise of new attacker categories:... READ MORE

Putting Trust in Software Code

November 15, 2011

Seven years ago when we were first embarking on the mission of making static analysis usable, scalable, and able to operate without access to source code, automated static binary analysis was a new concept. There were human-operated disassemblers, but the ability to do large-scale, highly repeatable static binary analysis was an unknown. At Veracode we have demonstrated that this is now possible... READ MORE

Common Hazards That Cause Home Fires

September 12, 2011

Today I have a guest commentary on the changes in security landscape since 2001 in Threatpost. So as I look back over the last 10 years I don’t see much of a change in the vulnerability-scape, if you will, but in the threat landscape. New classes of attackers have gone mainstream and global. They are sophisticated and effective. But our defenses have barely gotten better. There has been an... READ MORE

Musings on Custer's Last Stand

August 31, 2011  | 8

Let’s not mince words: this rambling diatribe from Oracle’s CSO is aimed directly at Veracode. No need for a cutesy acronym; we're the only company with true static binary analysis technology, delivered as a service. Now that we’ve got that out of the way, let’s try to cut through the rhetoric (in just over a thousand words, to boot). The recurring theme in her manifesto is the notion that... READ MORE

THE Security Problem is Scale

July 8, 2011  | 5

Rich Mogull talks about real world IT security challenges today in his column, "Simple Isn't Simple" in Dark Reading. I agree 100%. One of Rich's points is that security has to scale or it doesn't solve the real world problem. In most cases we know how to solve a security problem for a single instance of that problem; one SQL injection flaw in one app, for instance. The... READ MORE

Buffer Overflows in SCADA ActiveX Controls Put Critical Infrastructure at Risk

May 12, 2011

Following the industrial control system attack of Iran’s nuclear facilities dubbed Stuxnet, vulnerability researchers have intensified their scrutiny of the software that runs these industrial systems, known as SCADA systems. The results are unsettling. Given the danger of vulnerabilities in the software that controls power and water systems and industrial plants you would expect vulnerabilities... READ MORE

A Financial Model for Application Security Debt

March 4, 2011  | 4

Last week I described the concept of application security debt and application interest rates. I promised that I would follow up with a financial model that could translate these concepts into real money. Recap: here's a quick recap of the initial concept. Security debt is similar to technical debt. Both debts are design and implementation constructions that have negative aspects that aggregate... READ MORE
