Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
Posts by Chris Wysopal

Mobile App Top 10 List

December 13, 2010  | Research

The Top 10 Mobile Application Risks, or “Mobile App Top 10” for short, is designed to educate developers and security professionals about the mobile application behavior that puts users at risk. This behavior can be maliciously designed or inadvertent. Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general purpose... READ MORE

Veracode Research Team Gives 5 Predictions for 2011

December 8, 2010  | Research

As we close out a security eventful 2010, the Veracode research team though it would be a good idea to think about what we are likely to see happen in 2011. Here are 5 predictions we believe will have a very good chance of coming true. 1. Sandboxing goes mainstream with adoption by Firefox and Internet Explorer Sandboxing can prevent the exploitation of coding errors by preventing code running... READ MORE

More Vulnerabilities Discovered in Siemens Software

September 27, 2010  | Research

When the Stuxnet worm that attacks Siemens SIMATIC systems was first discovered and made public, one of the first vulnerabilities in the software that was found was a hard coded password. This allowed Stuxnet to steal project information from databases used by Siemens SIMATIC systems. Symantec researchers have found another vulnerability which allows Stuxnet to spread via project files used by... READ MORE

The Sparsely Attended Sept 12, 2001 Hearing: "How Secure Is Our Critical Infrastructure?"

September 22, 2010  | Research

A little over a week ago it was the 9th anniversary of the 9-11 attack against the US. The following day, September 12th, 2001, I was scheduled to testify before the US Senate Committee on Governmental Affairs for a hearing titled, "How Secure is Our Critical Infrastructure?" The hearing went on but no one outside of DC was able to get there in time. The following is the written... READ MORE

Deadly Combo: Zero Day Application Vulnerability + OS Vulnerability = Attacker Win

July 22, 2010  | Research 7

The recent Siemens WinCC SCADA targeted malware packages an zero day application vulnerability with a zero day OS vulnerability. The OS vulnerability in Windows creates a worm capability to get to the target and once on the target the application vulnerability allows compromise of the application's data. The vulnerabilities are used in stages: Stage 1: Use a Windows OS vulnerability for... READ MORE

Website Vulnerability Research and Disclosure

June 14, 2010  | Research 5

Vulnerability disclosure is in the spotlight again. First it was Tavis Ormandy disclosing a vulnerability in Microsoft Windows before Microsoft had a fix available. Now a group called Goatse Security has disclosed a vulnerability in an AT&T website that affects Apple iPad 3G owners. The Wall Street Journal reports on the repercussions against vulnerability researchers in “Computer... READ MORE

Which Tastes Better for Security, Java or .NET?

June 1, 2010  | Research

In his blog, Gartner analyst Neil MacDonald asks the question, "Is .NET More Secure Than Java?". Veracode provided data to help answer this question from our "State of Software Security Report" which contains the static analysis results from 1591 Java, .NET and C/C++ applications. .NET comes out slightly ahead. ...the vulnerability density (average flaws per MB of code scanned... READ MORE

MC Frontalot Releases "Zero Day"

April 6, 2010  | Research

"Zero Day" the album that is. Wired has a review. You can read the full lyrics on Frontalot's site. Here is a snippet: Press play, prepare as history is made: "largest hack in one day," all the headlines will say. All out of time, hear the chime from the buzzer. Found this bug on my own, no need for a fuzzer. "It's already too late," spreading as we planned... READ MORE

Mobile App Security

February 3, 2010

Neil MacDonald at Gartner asks the question, "Why Don’t Mobile Application Stores Require Security Testing?" I couldn't agree more that we may be missing an opportunity to bring whitelisting to these new important mobile platforms. We need to leave the "detect and revoke" mentality of the PC world behind as we move to new platforms. Attackers are able to game the PC antivirus model by... READ MORE

Google Admitting Compromise Good News

January 13, 2010

I applaud Google for coming forward and letting the world know about how they were attacked and what the attackers were after. Secrecy only helps the offense. Most of the time we only hear about attacks when there is public evidence such as a defaced web page, screen shots sourced from the attacker, or there is a prosecution. Since the vast majority of attackers are quiet and not prosecuted the... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.




contact menu