Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
Posts by Chris Wysopal

Website Vulnerability Research and Disclosure

June 14, 2010  | Research 5

Vulnerability disclosure is in the spotlight again. First it was Tavis Ormandy disclosing a vulnerability in Microsoft Windows before Microsoft had a fix available. Now a group called Goatse Security has disclosed a vulnerability in an AT&T website that affects Apple iPad 3G owners. The Wall Street Journal reports on the repercussions against vulnerability researchers in “Computer... READ MORE

Which Tastes Better for Security, Java or .NET?

June 1, 2010  | Research

In his blog, Gartner analyst Neil MacDonald asks the question, "Is .NET More Secure Than Java?". Veracode provided data to help answer this question from our "State of Software Security Report" which contains the static analysis results from 1591 Java, .NET and C/C++ applications. .NET comes out slightly ahead. ...the vulnerability density (average flaws per MB of code scanned... READ MORE

MC Frontalot Releases "Zero Day"

April 6, 2010  | Research

"Zero Day" the album that is. Wired has a review. You can read the full lyrics on Frontalot's site. Here is a snippet: Press play, prepare as history is made: "largest hack in one day," all the headlines will say. All out of time, hear the chime from the buzzer. Found this bug on my own, no need for a fuzzer. "It's already too late," spreading as we planned... READ MORE

Mobile App Security

February 3, 2010

Neil MacDonald at Gartner asks the question, "Why Don’t Mobile Application Stores Require Security Testing?" I couldn't agree more that we may be missing an opportunity to bring whitelisting to these new important mobile platforms. We need to leave the "detect and revoke" mentality of the PC world behind as we move to new platforms. Attackers are able to game the PC antivirus model by... READ MORE

Google Admitting Compromise Good News

January 13, 2010

I applaud Google for coming forward and letting the world know about how they were attacked and what the attackers were after. Secrecy only helps the offense. Most of the time we only hear about attacks when there is public evidence such as a defaced web page, screen shots sourced from the attacker, or there is a prosecution. Since the vast majority of attackers are quiet and not prosecuted the... READ MORE

We Need To Learn More About the RBS Worldpay ATM Attack

November 11, 2009

The size and scope of the RBS Worldpay ATM heist are unprecedented. The perpetrators stole $9M in a matter of hours from 2100 ATMs worldwide. An indictment was handed down on Nov 10, 2009. I am always on the lookout for indictments and trials related to computer crime because this is often the only time the details of the attacker's techniques and victim's vulnerabilities are released publically... READ MORE

White Box Better Than Black Box

October 21, 2009

The WASS Project which Veracode contributed data to shows some nice benefits to White box (static) over Black box (dynamic) for many serious vulnerability categories. White box testing overall detects a higher prevalence of many categories which we can extrapolate to having lower FN rates. Now the sample set of apps is not the same so this can only be used as a trend. Static is better than... READ MORE

From the 10 Years Ago Today Department

October 2, 2009

From the L0pht Archives: Weld Pond and Cult of the Dead Cow to be Featured on Dateline NBC 9.30.1999 The lack of client side security for internet transactions poses a huge security risk that online banks and others just seem to ignore. Tools such as BO2K and even simpler keystroke loggers can cut through the authentication used for "secure" web transactions to allow an attacker to... READ MORE

Stealing PII is So 2007 -- They Want Your Endpoint

October 1, 2009

Attackers are not going to be satisfied with a simple PII breach any more. The market is becoming saturated with PII. Look at the stats. In 2007, credit card records sold for an average of $10 per cardholder record; in 2009 the same records sell for an average of 50 cents per record. Attackers want higher value than this. They want to control the endpoint. They want access to your online... READ MORE

Connection Between Identity Theft and Cyberwarfare

August 17, 2009

There is an article in the WSJ, Hackers Stole IDs for Attacks, which discusses the role ID theft played in the Georgian government web site attacks last year. “Mr. Bumgarner traced the attacks back to 10 Web sites registered in Russia and Turkey. Nine of the sites were registered using identification and credit-card information stolen from Americans; one site was registered with information... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu