Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
Posts by Chris Wysopal

Binary Analysis Seminar At UC Berkeley

February 1, 2008

On February 14th, Dawn Song of UC Berkeley held a seminar on binary analysis: TRUST Seminar: BitBlaze: a Binary-centric Approach to Computer Security. This seminar was open to the public. Binary analysis is imperative for protecting COTS (common off-the-shelf) programs and analyzing and defending against the myriad of malicious code, where source code is unavailable, and the binary may even be... READ MORE

Unencrypted/Unauthenticated Wireless Control Systems Are a Very Bad Idea

January 11, 2008

A Polish teenager derailed a tram after building his own remote control to hack the control system. Best quote: "Transport command and control systems are commonly designed by engineers with little exposure or knowledge about security using commodity electronics and a little native wit." READ MORE

Overcoming Bias: The Affect Heuristic

January 3, 2008

This article on the affect heuristic was posted to the Security Metrics mailing list (highly recommended). I think it is important for people who are reporting on the potential risks of a system to understand this psychological phenomenon. It shouldn't be dismissed as simply people are irrational and don't understand statistics. People believe that benefit and risk are intertwined. They think a... READ MORE

Boston/Cambridge InfoSecurity Events

December 18, 2007

Software Security Weaknesses - Avoiding and Testing Bob Martin is giving a talk tonight at the Boston Software Process Improvement Network (SPIN) meeting on "Software Security Weaknesses - Avoiding and Testing". The meeting is at MITRE in Bedford in the basement conference center of M-Building (the one next to the parking garage). Pizza and discussions at 6pm, talk at 7:10pm. Its open to anyone.... READ MORE

Risk vs Vulnerability

December 18, 2007

George Ou has an interesting analysis of Microsoft OS vs Apple OS vulnerability counts. Anything comparing the security of these two companies becomes controversial. I think that any analysis of vulnerability counts should include a paragraph on risk vs. vulnerabilities to diffuse the Mac fanboys. I might be able to leave my backdoor safely unlocked (a vulnerability) in the suburbs of Boston in... READ MORE

Veracode Makes 10 IT Security Companies to Watch

October 16, 2007

Network World has named Veracode to their 10 IT Security Companies to Watch. Sim Simeonov has some commentary on this is his blog. READ MORE

External Code in the Software Development Process

October 16, 2007

Recently I got a message from Kelley Jackson Higgins of Dark Reading. She was looking for some comments on Fortify Software's new paper on "Cross Build Injection" or "XBI". I had read the paper and, while I think the issues are real, the way they are framed they miss the big picture. So I figured I would partake in a little "XPI", that's "Cross Publicity Injection", and take this opportunity to... READ MORE

Exploits of a Mom

October 10, 2007

XKCD has a funny web security theme today: READ MORE

Friday Hacker Brainstorming

October 5, 2007

Sometimes when you are deep in the forest looking at one branch of one tree, trying to reduce false negative rates for detecting a specific class of software vulnerability, it is useful to step back and look at the forest of what is going on in criminal hacking. Today we were throwing some ideas around the office about hacking techniques we had seen reported. This got the discussion flowing... READ MORE

Security Policy Without Enforcement Doesn't Work

September 13, 2007

One of my first "real" jobs in security back in the 90's was working as an IT security engineer for a government contractor and internet backbone provider. One of our tasks was finding people who bridged the internal network with the internet. We found one guy who had been running his own ecommerce business on our external network. He showed up on our scans because he had 2 network interfaces on... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.




contact menu