Mark Curphey

Mark Curphey

Mark Curphey, Vice President, Strategy Mark Curphey is the Vice President of Strategy at Veracode. Mark is the founder and CEO of SourceClear, a software composition analysis solution designed for DevSecOps, which was acquired by CA Technologies in 2018. In 2001, he founded the Open Web Application Security Project (OWASP), a non-profit organization known for its Top 10 list of Most Critical Web Application Security Risks. Mark moved to the U.S. in 2000 to join Internet Security Systems (acquired by IBM), and later held roles including director of information security at Charles Schwab, vice president of professional services at Foundstone (acquired by McAfee), and principal group program…

Stay up to date on Application Security

Posts by Mark Curphey
  • Developer Tooling: A New Hope
    November 1, 2018 | By Mark Curphey

    With all the doom and gloom surrounding the endless stream of data breaches, it’s sometimes easy to feel pessimistic about the future state of the AppSec industry. I should know, being British, my default psyche is that the glass is always half empty, not half full. But for me, AppSec is different…

    Read Article
     
  • Three Easy Steps to DevSecOps
    January 8, 2018 | By Mark Curphey

    There's a lot being discussed these days about secure DevOps. What does it mean to do continuous integration and deployment in a secure way? Is it about securing the pipeline itself? Or, is there more to it than that? We have your back. There are just three basic steps to DevSecOps. 1) Build…

    Read Article
     
  • Are We Eating From the Dirty Fork?
    October 19, 2017 | By Mark Curphey

    Earlier this week, SourceClear researchers wrote a technical analysis showing how they used our Security Graph Language (SGL) to uncover 23 vulnerabilities in GlassFish Open Source Edition. And while I’m certainly proud of our ability to find vulnerabilities that no one else sees, there is a much…

    Read Article
     
  • After The Equifax Hack We Examined the…
    September 11, 2017 | By Mark Curphey

    In light of the recent news that the Equifax hack was a result of an old version of Apache Struts being exploited, we analyzed the latest code from Apache Struts with SourceClear. The code we analyzed can be found at https://github.com/apache/struts. At the time of analysis the code was last…

    Read Article
     
  • SGL: Mapping the open-source genome for…
    August 30, 2017 | By Mark Curphey

    For a long-time we have known that the current state-of-the-art of vulnerability research in open-source code does not scale. That current state-of-art involves individual security researchers looking at specific bits of code and then reporting potential issues found to a central vulnerability…

    Read Article
     
  • The Six Types of Open-Source Library…
    March 22, 2016 | By Mark Curphey

    There are at least six types of open-source library vulnerabilities that we should all be concerned about. Before describing them it is worth reiterating that simply linking to a vulnerable library in your project doesn’t mean your application will have a vulnerability. You will only have a…

    Read Article
     

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

Subscribe Now!