
Mark Curphey

Mark Curphey, Vice President, Strategy

Mark Curphey is the Vice President of Strategy at Veracode. Mark is the founder and CEO of SourceClear, a software composition analysis solution designed for DevSecOps, which was acquired by CA Technologies in 2018. In 2001, he founded the Open Web Application Security Project (OWASP), a non-profit organization known for its Top 10 list of Most Critical Web Application Security Risks. Mark moved to the U.S. in 2000 to join Internet Security Systems (acquired by IBM), and later held roles including director of information security at Charles Schwab, vice president of professional services at Foundstone (acquired by McAfee), and principal group program…

Posts by Mark Curphey
  • The Open Source Conundrum
    November 15, 2018

    If you’ve read or watched the news at all in the last five years, you know that securing software is challenging. And in today’s world, developers are shouldering a big part of this challenge. Here lies the conundrum. Developers are in the best position to secure code, but security is often not one of their priorities. With the shift to DevOps in recent years, development is all about speed of…


  • Developer Tooling: A New Hope

    With all the doom and gloom surrounding the endless stream of data breaches, it’s sometimes easy to feel pessimistic about the future state of the AppSec industry. I should know: being British, my default psyche is that the glass is always half empty, not half full. But for me, AppSec is different. I have been in the AppSec business for almost 20 years and have never felt as optimistic that we…

  • Three Easy Steps to DevSecOps

    There's a lot being discussed these days about secure DevOps. What does it mean to do continuous integration and deployment in a secure way? Is it about securing the pipeline itself? Or, is there more to it than that? We have your back. There are just three basic steps to DevSecOps. 1) Build security in. This is perhaps the biggest leap in getting to secure DevOps pipelines but by far the most…

  • Crypto Mining Ransomware is Here

    It has been an exciting week. On Monday Jet Anderson and Asankhaya Sharma posted a proof-of-concept piece for a crypto-mining ransomware embedded in a web application. Not a day later we saw it reported that a similar attack was used on a Wi-Fi access point at a coffee shop in Australia. The Wi-Fi attack simply made the users wait while it silently mined bitcoin. Bitcoin mining malware is no longer…

  • Are We Eating From the Dirty Fork?

    Earlier this week, SourceClear researchers wrote a technical analysis showing how they used our Security Graph Language (SGL) to uncover 23 vulnerabilities in GlassFish Open Source Edition. And while I’m certainly proud of our ability to find vulnerabilities that no one else sees, there is a much bigger issue here affecting how we think about and manage open source. Are We Eating From the Dirty…

  • The Seven Deadly Sins of Open-Source Libraries

    There are at least seven types of open-source library vulnerabilities that we should all be extremely concerned about. Before describing them it is worth reiterating that simply linking to a vulnerable library in your project doesn’t mean your application will have a vulnerability. That's FUD. You will only have a vulnerability if you are using the vulnerable methods of the vulnerable library in…

  • The Equifax Hack: What all companies need to know and do to prevent it from happening to them

    The Facts - On September 7th Equifax announced that hackers breached their systems. According to their information site the breach occurred in mid-May and became known to Equifax on July 29th. In the days following the announcement, Equifax's stock fell over 13%, a congressional hearing was ordered and a class-action lawsuit formed for the people affected. Fortune describes the hack as "...the…

  • After The Equifax Hack We Examined the Latest Apache Struts Code

    In light of the recent news that the Equifax hack was a result of an old version of Apache Struts being exploited, we analyzed the latest code from Apache Struts with SourceClear. The code we analyzed can be found at At the time of analysis the code was last updated on Sept 6th at 11:28 am in this commit, updating the pom.xml file to upgrade the Log4J library. We…

  • SGL: Mapping the open-source genome for fun and profit

    For a long time we have known that the current state of the art of vulnerability research in open-source code does not scale. That current state of the art involves individual security researchers looking at specific bits of code and then reporting potential issues found to a central vulnerability database in the form of textual descriptions. If accepted (after some basic validation) the report is re…

  • Why Continuous Security is the Next Application Security Movement

    Today we launched a new company web site and have changed the way we talk about what we do. This is important because we believe that application security is in the midst of a transformational change. The old model of security was slow, contentious and typically applied as a series of quick fixes at the end of a development cycle or even after shipping. Even in the past this approach was more of…
