What happens to an app's security after six months? What about a year or two years? A Secure SDLC needs to maintain security throughout an app's lifetime, but too often the rate of new flaws can outpace the rate of new code within an app. Appsec teams need strategies and processes to keep software secure for as long as possible. Segment Resources: https://www.veracode.com/state-of-software-security-report

Learn how hackers are exploiting the trust that mobile app owners place in their customers. Hackers are increasingly modifying app code, posing as trusted customers, and infiltrating IT infrastructure. This segment is sponsored by Verimatrix. Visit https://securityweekly.com/verimatrixrsac to learn more about them!

Unlike vulnerabilities, which can and do often exist for months or years in application code without being exploited, a malicious package represents an immediate threat to an organization, intentionally designed to do harm. In the war for cybersecurity, attackers are innovating faster than companies can keep up with the threats coming their way. A new approach is needed to stay ahead of the impacts of malicious packages within applications. Findings from our latest report "Malicious Packages Special Report: Attacks Move Beyond Vulnerabilities" illustrate the growing threat of malicious packages. From 2021 to 2022, the number of malicious packages published to npm and rubygems alone grew 315 percent. Mend.io technology detected thousands of malicious packages in existing code bases. The top four malicious package risk vectors were exfiltration, developer sabotage, protestware, and spam. Nearly 85 percent of malicious packages discovered in existing applications were capable of exfiltration, that is, an unauthorized transmission of information. Threat actors leveraging this type of package can easily collect protected information before the package is discovered and removed. We'll share why, as long as open source means open, the door will be left open to bad actors, so it's especially critical to know when things are being brought into your code. Malicious packages represent an immediate threat, unlike vulnerabilities, and cannot be taken lightly. This segment is sponsored by Mend.io. Visit https://securityweekly.com/mendrsac to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw241
What happens to an app's security after six months? What about a year or two years? A Secure SDLC needs to maintain security throughout an app's lifetime, but too often the rate of new flaws can outpace the rate of new code within an app. Appsec teams need strategies and processes to keep software secure for as long as possible. Segment Resources: https://www.veracode.com/state-of-software-security-report Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw241
Threat group with novel malware operates in Southeast Asia. Data theft extortion on the rise. Key findings of Cisco's Cybersecurity Readiness Index. iPhones are no longer welcome in the Kremlin. Russian cyber auxiliaries and privateers devote increased attention to the healthcare sector. Chris Eng from Veracode shares findings of their Annual Report on the State of Application Security. Johannes Ullrich from SANS Institute discusses scams after the failure of Silicon Valley Bank. And BreachForums seems to be under new management. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/54
Selected reading.
NAPLISTENER: more bad dreams from developers of SIESTAGRAPH (Elastic Blog)
Unit 42 Ransomware and Extortion Report Highlights: Multi-Extortion Tactics Continue to Rise (Palo Alto Networks)
Ransomware and extortion trends. (CyberWire)
Cisco Cybersecurity Readiness Index (Cisco)
A look at resilience: companies' ability to fight off cyberattacks. (CyberWire)
Putin to staffers: throw out your iPhones over security (Register)
Black Basta, Killnet, LockBit groups targeting healthcare in force (SC Media)
After BreachForums arrest, new site administrator says the platform will live on (Record)
Chris Eng, chief research officer at Veracode, joins Dennis Fisher to discuss the company's new State of Software Security report, whether we're getting better at fixing bugs, and the fragility of open source projects and the software supply chain.
Chris Eng of Veracode joins Dennis Fisher to talk about the company's new State of Software Security report and what's driving the increase in enterprises scanning their apps for vulnerabilities.
The majority of applications contain at least one security flaw and fixing those flaws typically takes months. Automating scanning and scanning via API can help development teams fix faster by a pretty wide margin. Veracode’s Chris Eng and Cyentia’s Jay Jacobs explore what’s driving the volume of code flaws, what factors influence fix rates, how organizations with higher fix rates are tackling the problem successfully, and automation as a best practice for DevSecOps and an action developers can take to "nurture" their apps to better security. Presenters: Chris Eng, Chief Research Officer, Veracode Jay Jacobs, Co-Founder and Chief Data Scientist, Cyentia Institute Kacy Zurkus, Content Strategist, RSA Conference
Chris Eng, chief research officer at Veracode, explains to Tonya Hall what the roots of the infosec problem are.
Another security company discloses a brush with the threat actor behind Solorigate. Advice on hardening Microsoft 365 against that same threat actor. Chimera turns out to be interested in airlines as well as semiconductor manufacturing intellectual property. Former President Trump’s last Executive Order addresses foreign exploitation of Infrastructure-as-a-Service products. Joe Carrigan looks at a hardware key vulnerability. Our guest is Chris Eng from Veracode with insights from their State of Software Security report. And investigation of that laptop stolen from the Capitol continues. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/12
Chris Eng joins David, Ben and Jay to talk about Volume 11 of Veracode's State of Software Security. But rather than focusing on the various statistics, they focused on time-to-fix and how the various attributes of the development teams, applications and development environments affect the remediation timelines. https://www.veracode.com/state-of-software-security-report
Kristen and Catherine sat down for a chat with former Imagineer Chris Eng, who we lovingly nicknamed the Ben Wyatt of Disneyland! We talked in depth about the building of Batuu, the development and financial side of the parks and company, gushed over his beautiful name tag plaque, and generally felt feelings about how much we love Disney. This one’s good for the head and the heart.
TechSpective Podcast Episode 050 “Every company is a software company.” That is the quote that kicks off the Executive Summary page of the latest State of Software Security Report from Veracode. This is Volume 11 of the report, with a focus on looking ahead to identify how developers can continue to make applications better and [...] The post Chris Eng Talks about the State of Software Security Report appeared first on TechSpective.
Chris Eng, chief research officer with Veracode, warns that the pandemic-driven loss of in-person shoppers has pushed restaurants, boutique shops and other retailers onto new online ecommerce platforms, but they aren't prepared to implement the correct security measures for these platforms.
This week, live from RSAC 2020, we interview Chris Eng, Chief Research Officer at Veracode! Chris provides an update on Veracode including 2019 growth, new product announcements, Veracode Security Labs, and booth activities at RSA Conference 2020! In the RSAC Application Security News, 6 of the 10 vendors at Innovation Sandbox are application security companies, F5 Empowers Customers with End-to-End App Security, Checkmarx Simplifies Automation of Application Security Testing for Modern Development and DevOps Environments, and more RSA Conference News! Show Notes: https://wiki.securityweekly.com/ASWEpisode97 Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
Chris Eng, Chief Research Officer at Veracode, provides an update on Veracode including 2019 growth, new product announcements, Veracode Security Labs, and booth activities at RSA Conference 2020. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode97
The average number of days to fix software flaws was 59 in the first Veracode State of Software Security report ten years ago. In the latest 2019 report it has jumped to 171 days. While the typical (median) fix time hasn't gotten worse in 10 years and has remained about the same, security debt is getting much deeper. In this episode of A Hard Look at Software Security, Chris Eng, Vice President of Research with Veracode, discusses the relevance of the findings on median time to remediate flaws, and where organizations may stand when it comes to their own security debt. Listeners will learn about:
• Why security debt is getting much deeper
• Whether fixes are prioritized by flaw severity or exploitability
• Why the source of an application affects the speed of remediation
Produced by IDG Communications, Inc., in association with Veracode.
Application security is top of mind now more than ever. For more than a decade, Veracode has examined increasing amounts of code as it passes through their vulnerability scanning service. During this period, automation has become increasingly prevalent, making it easier to run scans more frequently and regularly. But has automation helped? Is the software we create more secure? We gain key insights about this in Veracode's The State of Software Security Report X (10th edition). Chris Eng, Chief Research Officer at Veracode, joins us on DevOps Chats. We talk about many insights uncovered in the latest report, such as that 50% of applications accrue security debt over time, that the regularity of scanning correlates with vulnerability fix times, and that scanning frequency directly impacts security debt. There is a wealth of information in the report, and you can get a jump on the key findings on this podcast episode with Chris. Download the full report at https://www.veracode.com/state-of-software-security-report.
In this episode we discuss the latest findings on flaw fix rates in enterprises. Chris Eng, Vice President of Research, Veracode, offers perspective on what figures in the State of Software Security report reveal about the troubling amount of time it takes to address the majority of vulnerabilities. Listeners will learn about: • Average enterprise fix rates at one week and one month • Why enterprises still struggle with vulnerable open source components in software • What businesses can do to mitigate risks associated with open source flaws
In the first episode of the series, we are joined by Chris Eng, Vice President of Research at Veracode. We'll detail highlights of the Veracode State of Software Security Volume 9 report and discuss what the findings reveal in terms of the progress companies are making with fixing flaws. How are factors like flaw severity, business criticality of applications, and exploitability of the flaws impacting how companies view vulnerabilities? We'll also examine information about industry performance, differences by region, third-party component risks, and vulnerability trends to give security and development teams a holistic view of the state of software security.
Chris Eng joins Wade and Jay to talk about the Veracode State of Software Security Volume 9 (http://veracode.com/soss). The trio cover DevSecOps and how Survival Analysis helps us to understand secure software development.
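The survival-analysis framing mentioned above is what turns "time to fix" into a number that accounts for flaws that are still open when the data is pulled. The following is an added illustration, not code or data from Veracode, Cyentia or the episode: a Kaplan-Meier estimator over a constructed set of flaw records, where a still-open flaw is treated as right-censored (its fix time is known only to be at least as long as observed). The sample records and the day counts are invented for the example.

```python
from typing import List, Optional, Tuple

# One record per flaw: (days from discovery to last observation, fixed?).
# fixed=False means the flaw was still open when the data was pulled, so its
# true time-to-fix is only known to be *at least* that many days (censored).
# Constructed sample data for illustration, not figures from any report.
Observation = Tuple[int, bool]
SAMPLE_FLAWS: List[Observation] = [
    (5, True), (12, True), (20, True), (30, False), (45, True), (60, False),
    (90, True), (120, False), (150, True), (180, False), (200, True), (365, False),
]


def kaplan_meier(obs: List[Observation]) -> List[Tuple[int, float]]:
    """Return the survival curve [(t, S(t))], where S(t) is the estimated
    probability that a flaw is still open t days after discovery.
    Fixes are events; still-open flaws leave the risk set without an event."""
    ordered = sorted(obs)
    at_risk = len(ordered)
    survival = 1.0
    curve: List[Tuple[int, float]] = []
    i = 0
    while i < len(ordered):
        t = ordered[i][0]
        fixed = censored = 0
        while i < len(ordered) and ordered[i][0] == t:   # group ties at time t
            if ordered[i][1]:
                fixed += 1
            else:
                censored += 1
            i += 1
        if fixed:
            survival *= 1.0 - fixed / at_risk             # product-limit step
            curve.append((t, survival))
        at_risk -= fixed + censored                        # censored leave after events at t
    return curve


def survival_at(obs: List[Observation], t: int) -> float:
    """Estimated share of flaws still open at day t (step function, right-continuous)."""
    s = 1.0
    for day, value in kaplan_meier(obs):
        if day > t:
            break
        s = value
    return s


def median_time_to_fix(obs: List[Observation]) -> Optional[int]:
    """Smallest t with S(t) <= 0.5, or None if fewer than half are ever seen fixed."""
    for day, s in kaplan_meier(obs):
        if s <= 0.5:
            return day
    return None


def naive_median_of_closed(obs: List[Observation]) -> float:
    """The tempting but biased number: median over fixed flaws only,
    which silently drops every flaw that is still open."""
    closed = sorted(days for days, fixed in obs if fixed)
    mid = len(closed) // 2
    return closed[mid] if len(closed) % 2 else (closed[mid - 1] + closed[mid]) / 2


if __name__ == "__main__":
    for day, s in kaplan_meier(SAMPLE_FLAWS):
        print(f"day {day:4d}: {s:.3f} of flaws still open")
    print("Kaplan-Meier median time-to-fix:", median_time_to_fix(SAMPLE_FLAWS))
    print("median of closed flaws only:   ", naive_median_of_closed(SAMPLE_FLAWS))
```

On this constructed sample the median over closed flaws alone is 45 days, while the censoring-aware estimate is 150 days: ignoring open flaws makes a backlog look healthier than it is, which is the distortion survival analysis is meant to remove.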
Chris Eng has been shepherding the State of Software Security for a long time now. This new volume 9 of the survey is one of the best. I had a chance to sit down with Chris and discuss some of the highlights and interesting findings in this year's report. Don't miss this chat and be sure to download the report from the Veracode site.
Chris Eng tells us why profit maximisation doesn't have to be at odds with ethical beliefs.
The O’Reilly Security Podcast: Vulnerabilities in assembled software and the need for immediate developer feedback.

In this episode, I talk with Chris Eng, vice president of research at Veracode, a software security-as-a-service business. We discuss Veracode’s research on application security across a broad spectrum of industries, the challenges of securing modern “assembled” software, and making it easier for developers to bake in security from the get-go. Here are some highlights:

Software security: Some assembly required
No one is writing software from scratch these days. Now, building software is more like assembling software from ingredients. You pull together a library for this, a library for that, and then, by the way, your shiny new piece of software inherits all the security holes in those libraries. As the product matures over time, people start to lose track of what went into it, nobody keeps an inventory of those libraries, and people don't upgrade libraries if they don't have a good reason to functionally. So, if you sit there and watch your product over time, it will get more and more vulnerable as additional vulnerabilities are discovered in the libraries that you used.

Developer-friendly security
In an ideal world, you want to be able to give immediate feedback to a developer as soon as you spot an issue. Because then you can fix it in the moment. You don't have to go back and figure out, “What was that thing I was working on three days ago? Let me try to get back into that headspace and, you know, figure it out.” Now you want to get as close as you can to when the code was written. That's what we're working toward. That's what, I think, the industry will start working toward: finding ways to give immediate feedback, in addition to the deeper analysis that you would do on a nightly basis, or weekly, or whatever makes sense for the organization.

Not all doom and gloom
Last year, 2015, across [Veracode’s] customer base, we detected about 10 million flaws, and we measured that seven million of those were fixed over the course of the year. So people are getting better. We have a tendency, as an industry and as a profession, to focus on all the things going wrong. That's our job; we have to be good at that. But things are getting better overall. And that's a good message.
Host Noah Nelson is joined by Chris Eng, founder of Mojo Maps Expedition Co., an LA-based theatrical walking tour group that mashes up history and improv in Venice, the Arts District, and Echo Park. The two dig into Chris' background as a business guy at Walt Disney Imagineering, creating experiences in urban landscapes, and just what the market is for this kind of work. All that plus the usual News and Notes, brought to you by our friends at Drafty-app.com: the theatrical design tool built by and for theatrical designers.
It's become a regular thing at AppSec: test the experts on their knowledge of current software security news events. This session was recorded at AppSec Europe 2014 with panelists Chris Eng, Matt Tesauro and Josh Corman. If you'd like to play along, you can view the gameshow slide deck. Looking forward to seeing you at our next AppSec session of "Wait Wait! Don't pwn me!"
On today's segment, we're going to take a different approach from our normal format. I was at the AppSec USA Conference in New York City last week and was asked to chair a panel for the game show "Wait, wait... don't pwn me!". This is the full recording of the session. As you listen, keep in mind, every situation described within the game is true. Let's start first with the introductions of Chris Eng, Josh Corman and Space Rogue.
On this episode of SecuraBit, we talk to Chris Eng and Chris Wysopal from Veracode about SOURCE Boston, as well as Jennifer Leggio about Twitter and more:
SOURCE Boston
identi.ca and OpenID
Facebug Bug leaks birthday data
Activeworx
A little more on the DNS fiasco (see past show links on DNS issues).
Failbus
I'm going to be installing wiki software and recruiting some folks to help us do proper full show notes for each episode. We're also looking for people to help out with the forums, IRC, and research for technical segments. If you can contribute in any way we'll make sure you get recognized. Direct link to show here. Remember to hit up the T-Shirt and Sticker page. Soon I will remove the T-Shirt donate link as I will be shipping the box of T-Shirts to Jay to take with him to Defcon. Hit us up on the forums, or at irc.freenode.net #securabit. Thanks for listening!
Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference
How often have you encountered random-looking cookies or other data in a web application that didn't easily decode to human readable text? What did you do next: ignore it and move on, assuming that it was encrypted data and that brute forcing the key would be infeasible? At the end of the test, when the application developer informed you that they were using 3DES with keys rotating hourly, did you tell them they were doing a good job, secretly relieved that you didn't waste your time trying to break it? This presentation will discuss penetration testing techniques for analyzing unknown data in web applications and demonstrate how encrypted data can be compromised through pattern recognition and only a high-level understanding of cryptography concepts. Techniques will be illustrated through a series of detailed, step-by-step case studies drawn from the presenter's penetration testing experience. This is not a talk on brute forcing encryption keys, nor is it a discussion of weaknesses in cryptographic algorithms. Rather, the case studies will demonstrate how encryption mechanisms in web applications were compromised without ever identifying the keys or even the underlying ciphers.
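A concrete instance of the pattern-recognition approach the abstract describes, added here as an example and not drawn from the talk's own case studies: a tester who can only submit input and observe the opaque cookie that comes back first measures the block size from ciphertext length jumps, then detects ECB mode from repeated ciphertext blocks, then forges a privileged cookie by splicing blocks, all without learning the key or even which cipher is in use. The application, its `email=...&uid=10&role=user` profile format, and the toy keyed-substitution block cipher that stands in for 3DES are assumptions of this example; the analysis side only ever touches ciphertext.

```python
import os
import random
from typing import Callable, Dict

BLOCK = 16
Oracle = Callable[[bytes], bytes]


# --- Toy deterministic block cipher in ECB mode (stand-in for 3DES/AES-ECB) ---
# Per block: keyed byte substitution, then XOR with the key. Cryptographically
# worthless, but it has the one property the attack relies on: equal plaintext
# blocks always give equal ciphertext blocks, and blocks are independent.

def _sbox(key: bytes) -> bytes:
    table = list(range(256))
    random.Random(int.from_bytes(key, "big")).shuffle(table)
    return bytes(table)

def _inverse(table: bytes) -> bytes:
    inv = bytearray(256)
    for i, v in enumerate(table):
        inv[v] = i
    return bytes(inv)

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def toy_ecb_encrypt(key: bytes, padded: bytes) -> bytes:
    sbox = _sbox(key)
    out = bytearray()
    for i in range(0, len(padded), BLOCK):
        blk = padded[i:i + BLOCK].translate(sbox)
        out += bytes(b ^ k for b, k in zip(blk, key))
    return bytes(out)

def toy_ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    inv = _inverse(_sbox(key))
    out = bytearray()
    for i in range(0, len(ct), BLOCK):
        blk = bytes(b ^ k for b, k in zip(ct[i:i + BLOCK], key))
        out += blk.translate(inv)
    return bytes(out)


# --- Hypothetical application: session cookie = ECB(profile string) ---
SECRET_KEY = os.urandom(BLOCK)   # the tester never learns this

def encrypt_profile(email: bytes) -> bytes:
    """Server side: build 'email=<e>&uid=10&role=user' and encrypt it as the cookie."""
    if b"&" in email or b"=" in email:
        raise ValueError("metacharacters rejected")   # blocks the trivial injection
    return toy_ecb_encrypt(SECRET_KEY, pkcs7_pad(b"email=" + email + b"&uid=10&role=user"))

def decrypt_profile(cookie: bytes) -> Dict[str, str]:
    """Server side: decrypt the cookie and parse it back into a profile dict."""
    plain = pkcs7_unpad(toy_ecb_decrypt(SECRET_KEY, cookie))
    return dict(kv.decode("latin-1").split("=", 1) for kv in plain.split(b"&"))


# --- Tester side: only the oracle (encrypt_profile) is reachable ---
def find_block_size(oracle: Oracle) -> int:
    """Grow the input one byte at a time; the first ciphertext length jump is the block size."""
    base = len(oracle(b""))
    for n in range(1, 65):
        grown = len(oracle(b"A" * n))
        if grown > base:
            return grown - base
    raise RuntimeError("no length jump observed")

def looks_like_ecb(oracle: Oracle, block: int) -> bool:
    """Three blocks of identical input guarantee two aligned, equal ciphertext blocks under ECB."""
    ct = oracle(b"A" * (3 * block))
    chunks = [ct[i:i + block] for i in range(0, len(ct), block)]
    return len(chunks) != len(set(chunks))

def forge_admin_cookie(oracle: Oracle, block: int) -> bytes:
    """ECB cut-and-paste: align 'role=' to a block boundary, then append a block
    that decrypts to 'admin' followed by valid PKCS#7 padding."""
    prefix, suffix = len(b"email="), len(b"&uid=10&role=")
    email_len = (-(prefix + suffix)) % block          # prefix+email+suffix becomes a block multiple
    head = oracle(b"A" * email_len)[: prefix + email_len + suffix]   # ends exactly after 'role='
    filler = b"A" * ((-prefix) % block)               # pushes the next block onto a boundary
    admin_ct = oracle(filler + pkcs7_pad(b"admin"))   # that block is 'admin' + padding
    start = prefix + len(filler)
    return head + admin_ct[start:start + block]


if __name__ == "__main__":
    bs = find_block_size(encrypt_profile)
    print("block size:", bs, "| ECB?", looks_like_ecb(encrypt_profile, bs))
    print("forged profile:", decrypt_profile(forge_admin_cookie(encrypt_profile, bs)))
```

Nothing in the tester-side functions depends on the cipher: swap the toy for real 3DES-ECB or AES-ECB and the same three steps work, which is the point of the abstract's "without ever identifying the keys or even the underlying ciphers". The hourly key rotation the abstract mentions does not help either, since each forgery is assembled from cookies issued under the current key.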
Black Hat Briefings, Las Vegas 2006 [Audio] Presentations from the security conference
Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.
Backdoors have been part of software since the first security feature was implemented. So unless there is a process to detect backdoors they will inevitably be inserted into software. Requiring source code is a hurdle to detecting backdoors since it isn't typically available for off the shelf software or for many of the libraries developers link to. And what about your developer tool chain? Ken Thompson in "Reflections on Trusting Trust" showed your compiler can't be trusted. What about your linker, obfuscator or packer? To find backdoors in these scenarios you need to inspect the software executable binary. We will present techniques for inspecting binaries for backdoors. We will discuss the different backdoor approaches that have been discovered in the wild and hypothesize other approaches that are likely to be used. We will give examples of how the backdoors present themselves in the binary and how to find them.
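A first-pass version of the binary inspection the abstract argues for, added here as an example rather than the presenters' own tooling: extract printable strings from an executable and flag the shapes that the talk's backdoor categories tend to leave behind, namely a hard-coded network destination, a shell spawn inside a daemon, and a password-looking literal sitting right after a login or password prompt (a "special credential"). The ELF-like byte blob, the daemon name, the credential and the TEST-NET-2 address are all constructed for the example; real triage would follow up in a disassembler on where each string is referenced.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a compiled binary: plausible strings embedded in junk
# opcode bytes. Not a real program; every name and address here is invented.
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x90\x90\xcc\xcc"
    + b"Usage: agentd [-c config]\x00"
    + b"\x8b\x45\xfc\x83\xc4\x10"
    + b"login:\x00password:\x00"
    + b"_sys_dbg_m4st3r\x00"                  # undocumented second credential
    + b"\xc3\xcc\xcc\xcc"
    + b"/bin/sh -c\x00"                       # shell spawn from a network daemon
    + b"http://198.51.100.23:8443/ping\x00"   # hard-coded beacon (TEST-NET-2 range)
    + b"Connection closed\x00"
    + b"\xe8\x00\x00\x00\x00"
)

NETWORK = re.compile(r"https?://|\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHELL = re.compile(r"/bin/(?:ba)?sh|cmd\.exe|powershell", re.I)
PROMPT = re.compile(r"pass(?:word|wd|phrase)?|login|auth", re.I)
# Letters and digits mixed, no whitespace, 8-32 chars: the shape of an embedded password.
CREDENTIAL_LIKE = re.compile(r"(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9_!@#$%^*.\-]{8,32}")


def extract_strings(blob: bytes, min_len: int = 5) -> List[Tuple[int, str]]:
    """(offset, text) for every run of printable ASCII at least min_len long,
    the same thing strings(1) prints with -t d."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, blob)]


def classify(found: List[Tuple[int, str]], window: int = 64) -> Dict[str, List[str]]:
    """Bucket strings by backdoor indicator. A credential-looking literal within
    `window` bytes after a login/password prompt is promoted to special_credential,
    since legitimate prompts are normally followed by format strings, not secrets."""
    hits: Dict[str, List[str]] = {
        "network": [], "shell": [], "credential_like": [], "special_credential": []
    }
    last_prompt = None
    for offset, s in found:
        if NETWORK.search(s):
            hits["network"].append(s)
        elif SHELL.search(s):
            hits["shell"].append(s)
        elif CREDENTIAL_LIKE.fullmatch(s):
            hits["credential_like"].append(s)
            if last_prompt is not None and offset - last_prompt <= window:
                hits["special_credential"].append(s)
        if PROMPT.search(s):
            last_prompt = offset
    return hits


def scan_binary(blob: bytes) -> Dict[str, List[str]]:
    return classify(extract_strings(blob))


if __name__ == "__main__":
    for category, strings in scan_binary(FAKE_BINARY).items():
        for s in strings:
            print(f"{category:18s} {s}")
```

This catches only backdoors that leave a literal in the image; a credential that is compared byte-by-byte against computed values, or a beacon address assembled at runtime, will not show up, which is why the abstract's deeper binary analysis (and the trusting-trust concern about the toolchain itself) is still needed after a strings pass.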
Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.