Dan Murphy

Dan Murphy has more than 20 years of experience working in computer security, and is currently the software architect for Veracode’s dynamic analysis business line. Dan has had a life-long interest in secure (and insecure!) software, sparked by explorations of bulletin boards as a pre-teen, and an early job as a teenager securing networks and servers at an Internet Service Provider. Prior to joining Veracode, Dan was part of the leadership team that spun out mobile security startup Blue Cedar from Mocana, a San Francisco-based cybersecurity firm. For many years before that he worked at Cisco Systems and Nortel Networks in the deep-inspection firewall and Virtual Private Network (VPN) spaces…

Posts by Dan Murphy
  • Will Websites Be the Next Target of Ransomware Attacks?

    Recent research by Wordfence indicates that WordPress might be the next big ransomware target. Wordfence found that certain WordPress plugins exhibit malicious behaviour in the form of ransomware against the host website. Typically, these plugins will encrypt the data on the website, thereby rendering it non-functional, and then attempt to extort payment from the owner in order to decrypt the… READ MORE

  • Security: Make a Commitment to Working With Development

    The days of security and development working side by side in separate silos are over. With the DevOps-induced security “shift left,” security testing now falls in the realm of the developer, and leaves security in more of an enabling, rather than enforcing, role. And this new role requires a new understanding of developer priorities and processes. The security function cannot be effective in a… READ MORE

  • Best Practices for the Adoption of Open Source Software

    In a previous blog post, I discussed the differing perspectives security and development teams have about the use of open source components. Taking these perspectives into account, what is the best way to enable the use of open source components in your organization? Forbidding their use entirely is not a viable option and, in fact, would be detrimental to both developers and the organization as… READ MORE

  • Development and Security Have Different Perspectives on Open Source Components

    Open source components are a blessing and a curse. From a developer’s perspective, they’re a no-cost way to speed the development process. But they can be a curse security-wise. Many open source components contain vulnerabilities that put the organization at risk of getting breached and failing compliance audits. In fact, recent Veracode research looked at all the Java applications we scanned in… READ MORE

  • Lessons Learned Building an Application Security Team

    In 2012, I joined a large investment bank in London to start and grow its application security programme from the ground up. My initial focus was on the selection of the best tool for the job; namely, a static code analysis scanner that could be deployed easily, and scale widely. Within a few months, I had access to the Veracode Application Security Platform, and I was ready to start scanning my… READ MORE

  • A Few of My Lessons Learned Building an AppSec Program

    I recently joined Veracode after spending five years building an application security program from the ground up at a global investment bank. This experience gives me a unique perspective on the struggles and hurdles our customers are facing, and puts me in a position to share my lessons learned and provide helpful information and advice for those starting or managing a growing application… READ MORE

  • Managing Flaw Review with a Large Multi-Vendor Application

    The previous blog post in this series discussed strategies for the large-scale deployment of the Veracode static code analysis tool across a large enterprise, focusing on strategies and techniques for ensuring rapid adoption within individual development teams typically responsible for self-contained homogenous applications. However, in a large enterprise, there are applications that are… READ MORE

  • How to Run a Successful Proof of Value for an Application Security Programme

    So you’ve got upper management buy-in for your application security proof of value and are ready to start scanning applications: how do you make sure your proof of value (PoV) is a success and that you demonstrate the need to progress to a full-scale program? This article describes some of the lessons learned at the start of our large-scale deployment of Veracode within our organisation.… READ MORE

  • Strategies for Rapid Adoption of a Security Programme Within a Large Enterprise

    A large-scale deployment of the Veracode static code analysis platform across a large enterprise presents a number of unique challenges, such as understanding your application estate, prioritising your applications for scanning, and communicating with your application owners. This blog post provides some guidance based on my experience at delivering several hundred scanned applications in a 14-… READ MORE

  • Our Latest Research: Some AppSec Programs Are Dramatically Reducing Risk – How Are They Doing It?

    We recently passed the 2 trillion mark for lines of code scanned. 2 trillion! That’s a lot of code, and a lot of scanning, and a lot of intelligence about what vulnerabilities are lurking where and the best ways to manage them. Our State of Software Security (SoSS) reports leverage this goldmine of data to highlight lessons learned, best practices, trends and insights for anyone starting or… READ MORE
