Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
Posts by Chris Wysopal

We Need To Learn More About the RBS Worldpay ATM Attack

November 11, 2009

The size and scope of the RBS Worldpay ATM heist are unprecedented. The perpetrators stole $9M in a matter of hours from 2100 ATMs worldwide. An indictment was handed down on Nov 10, 2009. I am always on the lookout for indictments and trials related to computer crime because this is often the only time the details of the attacker's techniques and victim's vulnerabilities are released publicly...

White Box Better Than Black Box

October 21, 2009

The WASS Project which Veracode contributed data to shows some nice benefits to White box (static) over Black box (dynamic) for many serious vulnerability categories. White box overall detects a higher prevalence of many categories which we can extrapolate to having lower FN rates. Now the sample set of apps is not the same so this can only be used as a trend. Static is better than dynamic in 5...

From the 10 Years Ago Today Department

October 2, 2009

From the L0pht Archives: Weld Pond and Cult of the Dead Cow to be Featured on Dateline NBC 9.30.1999 The lack of client side security for internet transactions poses a huge security risk that online banks and others just seem to ignore. Tools such as BO2K and even simpler keystroke loggers can cut through the authentication used for "secure" web transactions to allow an attacker to...

Stealing PII is So 2007 -- They Want Your Endpoint

October 1, 2009

Attackers are not going to be satisfied with a simple PII breach any more. The market is becoming saturated with PII. Look at the stats. In 2007, credit card records sold for an average of $10 per cardholder record; in 2009 the same records sell for an average of 50 cents per record. Attackers want higher value than this. They want to control the endpoint. They want access to your online...

Connection Between Identity Theft and Cyberwarfare

August 17, 2009

There is an article in the WSJ, Hackers Stole IDs for Attacks, which discusses the role ID theft played in the Georgian government web site attacks last year. “Mr. Bumgarner traced the attacks back to 10 Web sites registered in Russia and Turkey. Nine of the sites were registered using identification and credit-card information stolen from Americans; one site was registered with information...

Bytecode Analysis Is Not The Same As Binary Analysis

July 27, 2009

Gartner analyst Neil MacDonald has written that Byte Code Analysis is not the Same as Binary Analysis. He describes the difference between statically analyzing binary code, which runs on an x86, ARM, or SPARC CPU, and statically analyzing bytecode, which runs on a virtual machine such as the Java VM or the .NET CLR. As more companies with software security testing technology wade into the "no...

Nation State Cyberwarfare Reality Check

July 8, 2009

Let's take a step back for a moment from who the actors are in the recent DDoS attacks and look at the root cause of the problem, because that isn't going away. We have a horribly insecure software ecosystem that lets the bad guys take advantage of all the insecure software that vendors have shipped in the last 5 years to build distributed denial of service (DDoS) armies. The attackers then...

Mystery of Donkey Kong Kill Level Solved

June 17, 2009

It was an integer overflow. I guess it is never too late to fix a bug. Don Hodges used the old video game firmware and a MAME machine to debug and fix a problem which has kept expert Donkey Kong players from ever getting past level 22. If you have seen King of Kong you would know that one of the challenges of getting a high score is getting as many possible points before a software glitch causes...

Vulnerability in Virtualization App Wipes Out 100,000 Sites

June 9, 2009

Vaserve, a UK webhosting company says that 100,000 of its customer sites were wiped out in what looks like a zero day attack on HyperVM, a virtualization application they used. The HyperVM was a product of lxlabs. I checked out the lxlabs product documentation and website and could not find any reference to using a secure development lifecycle. I did find this rather disturbing post to their...

Obama to Pick New Cyber Czar

May 28, 2009

It has been announced that President Obama will pick his new cyber czar tomorrow. This will likely be a position reporting to the National Security Advisor, similar to Richard Clarke's position under President Clinton. This position will be critical for organizing the government's fragmented information security efforts, both for the government sector and the country's infrastructure, which is...
