Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
Posts by Chris Wysopal

SOURCE Boston Conference Was a Blast

March 16, 2009

I had a great time at the SOURCE Boston conference last week. Veracode was a sponsor and a few Veracoders participated as advisory members or volunteers. I had the pleasure, along with Chris Eng, of presiding over the application security track. I think all the talks were of high quality but still a few stood out for me: Dino Dai Zovi on Mac OS Xploitation. Dino showed how to exploit a QuickTime... READ MORE

10th Anniversary of the Cyberspace Underwriters Laboratories

January 13, 2009

It was 10 years ago this week that Tan from the L0pht wrote Cyberspace Underwriters Laboratories to describe a vision of third-party testing and certification of computer hardware and software. Tan's vision got one step closer this week when CWE and SANS issued the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. Finally there is consensus about what the worst software security flaws are.... READ MORE

CWE/SANS Top 25 Most Dangerous Programming Errors

January 12, 2009

Today is a very exciting day for software security. The CWE/SANS Top 25 Most Dangerous Programming Errors is being released. I was one of the 41 contributors to the Top 25 Errors. The list of possible programming errors that can end up causing a vulnerability in an application is immense. The MITRE Common Weakness Enumeration (CWE) has grown to 700 entries. They are all valid programming errors... READ MORE

Major Break in MD5 Signed X.509 Certificates

December 30, 2008

Jacob Appelbaum and Alexander Sotirov just gave a presentation at the Chaos Communication Congress in Germany. They have implemented a practical MD5 collision attack on X.509 certificates. All major browsers accept MD5 signatures on certs even though it has been shown to have the collision problem for almost 2 years now. If you can generate your own X.509 certificates you can perform perfect... READ MORE

News Report on Non Vulnerability in Windows Vista

November 20, 2008

Are editors so excited to use the headline "Vulnerability in Windows Vista" in their SEO URLs that they will have their reporters write a story on a non-issue? IDG News has published a news report titled, "Researchers find vulnerability in Windows Vista". The report says: An Austrian security vendor has found a vulnerability in Windows Vista that it says could possibly allow an attacker to run... READ MORE

Credit for Researchers

November 13, 2008

Computer security researchers are much like scientific researchers in several ways. We build on the research of those who come before us, we sometimes rediscover the same things independently, and other times we forget where we learned things and sometimes claim them as our own. We also occasionally take an engineer's approach and implement research discovered by others and not credit them as it'... READ MORE

US Government Detects Attacks on Obama and McCain Computers

November 7, 2008

Now that the presidential race is over Newsweek is reporting that the US Government, through the FBI and Secret Service, notified the Obama and McCain campaigns that their computers had been compromised and sensitive documents copied. ...the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team... READ MORE

We’ve Reached the Application Security Tipping Point

November 4, 2008

It’s been a long road since the early 90s when people first started public sharing of vulnerability information. Back then there were flat LANs, no network filters, and world writeable NFS mounts hanging out on the Internet. But with the spread of vulnerability information it all started to change. The first major shift in exploit targets was the move from network vulnerabilities to system... READ MORE

A Security Lesson From the Joe the Plumber Snooper

October 25, 2008

First we had the Gov. Palin Yahoo email break-in to teach us the vulnerabilities of weak password reset schemes. Now we have a Joe the Plumber government records snooper teaching us about proper computer account management. The Columbia Dispatch is reporting that a state employee with access to a "test account" has been accessing Joe the Plumber's government records: "We're... READ MORE

Learning From Sarah Palin's Yahoo Mail Compromise

September 18, 2008

The password reset functionality of any online service is a major source of risk. Password resets are especially problematic when they use only a "secret question" concerning personal information and don't tie back to another email account or a text message. Another account or cell phone number is something "out of band" from a direct transaction with the online service. It becomes 2-factor... READ MORE
