Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
Posts by Chris Wysopal

Verizon Business Has a New Report on Data Breaches

June 12, 2008

The Verizon Business data breach report is by far the most comprehensive and detailed report on data breaches I have seen. It is great to see the breakdown of the root causes of these expensive and significant computer security failures. While it is interesting to see counts of malware-infected computers from Symantec and vulnerability counts from CVE, this report gets to the actual... READ MORE

Are Your Digital Devices Certified Pre-0wned?

March 17, 2008  | 7

I took part in the L0pht Reunion Panel at the Source Boston conference in Cambridge, MA last Friday. It was a lot of fun to get back together with the "band" and pontificate with no holds barred about the latest security threats, just like we did in the old days. One of the questions asked of the panel by moderator Michael Fitzgerald (who did a kick-ass job) was, "What scares you the most these... READ MORE

Backdoor in G-Archiver

March 11, 2008

Here is another data point that simple backdoors are being placed into free applications. A programmer, Dustin Brooks, was inspecting a free Gmail backup utility, called G-Archiver, with Reflector and noticed that not only did it have the author's Gmail credentials baked in, but it was sending the Gmail credentials of every user of the program to the author. This is an example of an unintended... READ MORE

Airport Security?

February 18, 2008

Who Are the Information Security Experts?

February 13, 2008

Recently an executive at HP claimed that his company now employs 9 out of the top 11 security people due to HP's acquisition of SPI Dynamics: "Nine out of the world's top 11 security hackers came to HP through the SPI Dynamics acquisition, he boasts, although it's not immediately clear who ranked those top 11." - Mark Potts, CTO of Software, Hewlett-Packard Now eWeek has... READ MORE

What If All Vulnerabilities Had This Disclosure Timeline?

February 6, 2008  | 6

There is a heap overflow vulnerability in RealPlayer 11 build It allows for code execution when RealPlayer opens a malicious song file. Timeline: Dec 16, 2007: Gleg customers notified of vulnerability and given exploit code. Jan 1, 2008: Public disclosure (no details) with online demonstration. Feb 6, 2008: Vulnerability still not patched. It's not your typical disclosure timeline.... READ MORE

New Unit of Reviewed Code Quality

February 5, 2008  | 4

Now I can finally tell my non-technical friends and family what Veracode does. We offer a globally accessible, on-demand automated version of WTF reporting. However since our technology is automated we report quality in kiloWTF/sec. READ MORE

Binary Analysis Seminar At UC Berkeley

February 1, 2008

On February 14th, Dawn Song of UC Berkeley held a seminar on binary analysis: TRUST Seminar: BitBlaze: a Binary-centric Approach to Computer Security. This seminar was open to the public. Binary analysis is imperative for protecting COTS (common off-the-shelf) programs and analyzing and defending against the myriad of malicious code, where source code is unavailable, and the binary may even be... READ MORE

Unencrypted/Unauthenticated Wireless Control Systems Are a Very Bad Idea

January 11, 2008

A Polish teenager derailed a tram after building his own remote control to hack the control system. Best quote: "Transport command and control systems are commonly designed by engineers with little exposure or knowledge about security using commodity electronics and a little native wit." READ MORE

Overcoming Bias: The Affect Heuristic

January 3, 2008

This article on the affect heuristic was posted to the Security Metrics mailing list (highly recommended). I think it is important for people who are reporting on the potential risks of a system to understand this psychological phenomenon. It shouldn't be dismissed as simply "people are irrational and don't understand statistics." People believe that benefit and risk are intertwined. They think a... READ MORE
