Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
Posts by Chris Wysopal

Nation State Cyberwarfare Reality Check

July 8, 2009

Let's take a step back for a moment from who the actors are in the recent DDoS attacks and look at the root cause of the problem, because that isn't going away. We have a horribly insecure software ecosystem that lets the bad guys take advantage of all the insecure software that vendors have shipped in the last 5 years to build distributed denial of service (DDoS) armies. The attackers then... READ MORE

Mystery of Donkey Kong Kill Level Solved

June 17, 2009

It was an integer overflow. I guess it is never too late to fix a bug. Don Hodges used the old video game firmware and a MAME machine to debug and fix a problem which has kept expert Donkey Kong players from ever getting past level 22. If you have seen King of Kong you would know that one of the challenges of getting a high score is getting as many possible points before a software glitch causes... READ MORE
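To make the bug class concrete, here is an added example (not Don Hodges' code and not from the original post) of how a per-level bonus value computed in an 8-bit register wraps around at a particular level. The arithmetic used (level * 10 + 40, capped at 80, scaled by 100 for the on-screen bonus) is the commonly cited reconstruction of the Donkey Kong timer calculation and is treated here as an assumption, since this page does not reproduce the game's code.

```python
# Added example: 8-bit wraparound in a per-level bonus calculation.
# The constants below (level*10+40, cap 80, x100 for display) are an
# ASSUMPTION following the commonly cited reconstruction of the game's
# timer code; they are not reproduced from the page or from the firmware.

REGISTER_MASK = 0xFF   # an 8-bit accumulator keeps only the low byte
BONUS_CAP = 80         # intended ceiling on the per-level time value


def time_value_8bit(level: int) -> int:
    """Buggy form: level*10+40 is computed in an 8-bit register, then capped.

    The cap runs after the value has already wrapped past 255, so the check
    never sees the out-of-range result and lets a tiny value through.
    """
    raw = (level * 10 + 40) & REGISTER_MASK   # silent wraparound past 255
    return min(raw, BONUS_CAP)


def time_value_fixed(level: int) -> int:
    """Fixed form: clamp on the level before anything can exceed 8 bits.

    Every level at or past the point where the uncapped value reaches the
    cap simply receives the cap, so nothing that does not fit is ever stored.
    """
    if level >= (BONUS_CAP - 40) // 10:   # level 4 and up: 4*10+40 == 80
        return BONUS_CAP
    return level * 10 + 40


def bonus_timer(level: int, fixed: bool = False) -> int:
    """Starting bonus shown on screen: the time value times 100."""
    value = time_value_fixed(level) if fixed else time_value_8bit(level)
    return value * 100


def first_wrapped_level() -> int:
    """Smallest level at which the buggy routine yields less time than the cap."""
    level = 4                      # levels 1-3 are legitimately below the cap
    while time_value_8bit(level) == BONUS_CAP:
        level += 1
    return level


if __name__ == "__main__":
    for lvl in (1, 4, 21, 22, 23):
        print(f"level {lvl:2d}: buggy bonus {bonus_timer(lvl):5d}, "
              f"fixed bonus {bonus_timer(lvl, fixed=True):5d}")
    print("first level where the timer wraps:", first_wrapped_level())
```

The point worth taking away is the ordering: a range check applied after a narrowing store is no check at all. The fix clamps on the input, before the arithmetic can produce a value wider than the register that will hold it.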

Vulnerability in Virtualization App Wipes Out 100,000 Sites

June 9, 2009

Vaserve, a UK web hosting company, says that 100,000 of its customer sites were wiped out in what looks like a zero-day attack on HyperVM, a virtualization application it used. HyperVM was a product of lxlabs. I checked out the lxlabs product documentation and website and could not find any reference to using a secure development lifecycle. I did find this rather disturbing post to their... READ MORE

Obama to Pick New Cyber Czar

May 28, 2009

It has been announced that President Obama will pick his new cyber czar tomorrow. This will likely be a position reporting to the National Security Advisor, similar to Richard Clarke's position under President Clinton. This position will be critical for organizing the government's fragmented information security efforts, both for the government sector and the country's infrastructure, which is... READ MORE

SOURCE Boston Conference Was a Blast

March 16, 2009

I had a great time at the SOURCE Boston conference last week. Veracode was a sponsor and a few Veracoders participated as advisory members or volunteers. I had the pleasure, along with Chris Eng, of presiding over the application security track. I think all the talks were of high quality, but still a few stood out for me: Dino Dai Zovi on Mac OS Xploitation. Dino showed how to exploit a QuickTime... READ MORE

10th Anniversary of the Cyberspace Underwriters Laboratories

January 13, 2009

It was 10 years ago this week that Tan from the L0pht wrote Cyberspace Underwriters Laboratories to describe a vision of third-party testing and certification of computer hardware and software. Tan's vision got one step closer this week when MITRE's CWE project and SANS issued the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. Finally there is consensus about what the worst software security flaws are.... READ MORE

CWE/SANS Top 25 Most Dangerous Programming Errors

January 12, 2009

Today is a very exciting day for software security. The CWE/SANS Top 25 Most Dangerous Programming Errors is being released. I was one of the 41 contributors to the Top 25 Errors. The list of possible programming errors that can end up causing a vulnerability in an application is immense. The MITRE Common Weakness Enumeration (CWE) has grown to 700 entries. They are all valid programming errors... READ MORE

Major Break in MD5 Signed X.509 Certificates

December 30, 2008

Jacob Appelbaum and Alexander Sotirov just gave a presentation at the Chaos Communication Congress in Germany. They have implemented a practical MD5 collision attack on X.509 certificates. All major browsers accept MD5 signatures on certs even though chosen-prefix collisions for MD5 have been public for almost two years now. If you can generate your own X.509 certificates you can perform perfect... READ MORE
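The practical check a defender wants after this news is whether any certificate in a chain still carries an MD5 signature, since that is exactly what the browser-side fix must reject. Below is an added example (not code from the 25C3 talk and not from the original post) that walks the outer structure of a DER-encoded certificate, pulls out the signatureAlgorithm OID and flags md5WithRSAEncryption (and sha1WithRSAEncryption, for the same reason). It uses only the standard library. The toy certificate builder is a constructed stand-in for test input, with the real outer layout but a placeholder tbsCertificate, and is not a valid X.509 certificate.

```python
# Added example: flag MD5-signed certificates by reading the outer
# signatureAlgorithm OID from DER. Standard library only.
# build_toy_certificate() is CONSTRUCTED test input, not a real certificate.

MD5_WITH_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

WEAK_SIGNATURE_OIDS = {
    MD5_WITH_RSA: "md5WithRSAEncryption",
    SHA1_WITH_RSA: "sha1WithRSAEncryption",
}


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value."""
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])       # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])             # base-128, high bit = "more"
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, pos + length


def signature_algorithm(cert_der: bytes) -> str:
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    We skip the first element and read the OID inside the second.
    """
    tag, pos, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, _, tbs_end = read_tlv(cert_der, pos)              # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_pos, _ = read_tlv(cert_der, tbs_end)          # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(cert_der, alg_pos)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(cert_der[oid_start:oid_end])


def audit_chain(chain):
    """Return (index, algorithm name) for every certificate signed with a weak hash."""
    findings = []
    for i, cert in enumerate(chain):
        oid = signature_algorithm(cert)
        if oid in WEAK_SIGNATURE_OIDS:
            findings.append((i, WEAK_SIGNATURE_OIDS[oid]))
    return findings


def build_toy_certificate(sig_oid: str) -> bytes:
    """CONSTRUCTED test input: real outer layout, placeholder TBS, dummy signature."""
    tbs = der(0x30, der(0x02, b"\x02") + der(0x02, b"\x01\x23"))   # fake version, serial
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))          # OID + NULL params
    sig = der(0x03, b"\x00" + bytes(16))                           # dummy BIT STRING
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    chain = [build_toy_certificate(SHA256_WITH_RSA), build_toy_certificate(MD5_WITH_RSA)]
    for index, name in audit_chain(chain):
        print(f"certificate {index}: signed with {name}; treat the signature as forgeable")
```

On real input, feed it the DER bytes of every certificate in the chain, intermediates included, because the collision attack targets whichever CA is still issuing MD5-signed certificates, not the leaf you happen to hold. Two caveats: a certificate carries the algorithm twice (inside tbsCertificate and in the outer field) and a full validator must check that they agree, which this reader does not; and flagging MD5 tells you what a browser fix would reject, not whether a forged sibling certificate actually exists.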

News Report on Non Vulnerability in Windows Vista

November 20, 2008

Are editors so excited to use the headline "Vulnerability in Windows Vista" in their SEO URLs that they will have their reporters write a story on a non-issue? IDG News has published a news report titled, "Researchers find vulnerability in Windows Vista". The report says: An Austrian security vendor has found a vulnerability in Windows Vista that it says could possibly allow an attacker to run... READ MORE

Credit for Researchers

November 13, 2008

Computer security researchers are much like scientific researchers in several ways. We build on the research of those who come before us, we sometimes rediscover the same things independently, and other times we forget where we learned things and sometimes claim them as our own. We also occasionally take an engineer's approach and implement research discovered by others and not credit them as it'... READ MORE
