Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
Posts by Chris Wysopal

Buffer Overflows in SCADA ActiveX Controls Put Critical Infrastructure at Risk

May 12, 2011

Following the industrial control system attack of Iran’s nuclear facilities dubbed Stuxnet, vulnerability researchers have intensified their scrutiny of the software that runs these industrial systems, known as SCADA systems. The results are unsettling. Given the danger of vulnerabilities in the software that controls power and water systems and industrial plants you would expect vulnerabilities... READ MORE

A Financial Model for Application Security Debt

March 4, 2011  | 4

Last week I described the concept of application security debt and application interest rates. I promised that I would follow up with a financial model that could translate these concepts into real money. Recap: Here’s a quick recap of the initial concept. Security debt is similar to technical debt. Both debts are design and implementation constructions that have negative aspects that aggregate... READ MORE

2011 Becomes the Year of Mobile Malware

March 2, 2011

Google pulled over 20 malicious apps from the Android Marketplace today. The inevitable has happened. 2011 has become the year of mobile malware. All the pieces of the malware ecosystem puzzle that researchers have been warning about are falling into place: little to no vetting of apps for malicious behavior before being made available from app stores; Android kernel code with known privilege... READ MORE

Application Security Debt and Application Interest Rates

February 25, 2011  | Research 3

Technical Debt: Architects and developers are well aware of the term technical debt, but many in the security community have never heard of this concept. Ward Cunningham, a programmer who developed the first wiki program, describes it like this: Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite... The danger occurs... READ MORE

Veracode Recognized as a Leader in the Magic Quadrant for Static Application Security Testing

December 15, 2010  | Research

The 2010 Gartner Magic Quadrant for Static Application Security Testing (SAST) has been published and Veracode is recognized as a leader. We are pleased to be able to share the leader's position with IBM and HP, two of the biggest and oldest companies in information technology. I am very proud of the work the Veracode team has been able to accomplish as a 4.5 year old company. To get our service... READ MORE

Mobile App Top 10 List

December 13, 2010  | Research

The Top 10 Mobile Application Risks, or “Mobile App Top 10” for short, is designed to educate developers and security professionals about the mobile application behavior that puts users at risk. This behavior can be maliciously designed or inadvertent. Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general purpose... READ MORE

Veracode Research Team Gives 5 Predictions for 2011

December 8, 2010  | Research

As we close out an eventful 2010 for security, the Veracode research team thought it would be a good idea to think about what we are likely to see happen in 2011. Here are 5 predictions we believe will have a very good chance of coming true. 1. Sandboxing goes mainstream with adoption by Firefox and Internet Explorer: Sandboxing can prevent the exploitation of coding errors by preventing code running... READ MORE

More Vulnerabilities Discovered in Siemens Software

September 27, 2010  | Research

When the Stuxnet worm that attacks Siemens SIMATIC systems was first discovered and made public, one of the first vulnerabilities in the software that was found was a hard coded password. This allowed Stuxnet to steal project information from databases used by Siemens SIMATIC systems. Symantec researchers have found another vulnerability which allows Stuxnet to spread via project files used by... READ MORE

The Sparsely Attended Sept 12, 2001 Hearing: "How Secure Is Our Critical Infrastructure?"

September 22, 2010  | Research

A little over a week ago it was the 9th anniversary of the 9-11 attack against the US. The following day, September 12th, 2001, I was scheduled to testify before the US Senate Committee on Governmental Affairs for a hearing titled, "How Secure is Our Critical Infrastructure?" The hearing went on but no one outside of DC was able to get there in time. The following is the written... READ MORE

Deadly Combo: Zero Day Application Vulnerability + OS Vulnerability = Attacker Win

July 22, 2010  | Research 7

The recent Siemens WinCC SCADA targeted malware packages a zero day application vulnerability with a zero day OS vulnerability. The OS vulnerability in Windows creates a worm capability to get to the target, and once on the target the application vulnerability allows compromise of the application's data. The vulnerabilities are used in stages: Stage 1: Use a Windows OS vulnerability for... READ MORE
