Podcast appearances and mentions of Chris Wysopal

  • 38 PODCASTS
  • 52 EPISODES
  • 39m AVG DURATION
  • 1 MONTHLY NEW EPISODE
  • Mar 28, 2025 LATEST

Latest podcast episodes about Chris Wysopal

The CyberWire
New sandbox escape looks awfully familiar.

Mar 28, 2025 35:01


Mozilla patches Firefox flaw similar to actively exploited Chrome vulnerability. Russia-based RedCurl gang deploys ransomware for the first time. Ukraine's railway operator recovers from cyberattack. India cracks down on Google's billing monopoly. Morphing Meerkat's phishing kit abuses DNS mail exchange records. 300,000 attacks in three weeks. Our guest is Chris Wysopal, Founder and Chief Security Evangelist of Veracode, who sits down with Dave to discuss the increase in the average fix time for security flaws. And Liz Stokes joins with another Fun Fact Friday.

CyberWire Guest: Chris Wysopal, Founder and Chief Security Evangelist of Veracode, discussing increase in the average fix time for security flaws and percent of organizations that carry critical security debt for longer than a year.

Selected Reading:
  • After Chrome patches zero-day used to target Russians, Firefox splats similar bug (The Register)
  • Microsoft fixes Remote Desktop issues caused by Windows updates (Bleeping Computer)
  • Firefox fixes flaw similar to Chrome zero-day used against Russian organizations (The Record)
  • RedCurl's Ransomware Debut: A Technical Deep Dive (Bitdefender)
  • Ukraine's state railway restores online ticket sales after major cyberattack (The Record)
  • Google App Store Billing Policy Anti-Competitive, India Court Rules (Bloomberg)
  • Morphing Meerkat PhaaS Platform Spoofs 100+ Brands - Infosecurity Magazine (Infosecurity Magazine)
  • Fresh Grandoreiro Banking Trojan Campaigns Target Latin America, Europe (SecurityWeek)
  • Malware distributed via fake DeepSeek ads on Google (SC Media)
  • GorillaBot Attacks Windows Devices With 300,000+ Attack Commands Across 100+ Countries (Cyber Security News)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

OODAcast
Episode 127: Chris Wysopal on Reducing Attack Surface in the Age of AI

Mar 24, 2025 51:27


In this OODAcast, Chris Wysopal shares his insights from decades in cybersecurity, detailing his journey from the early hacking collective "The L0pht" to co-founding Veracode. Wysopal reflects on the evolution of cybersecurity, highlighting his early contributions to vulnerability research and advocating the importance of adversarial thinking in security practices. He emphasizes the transition from traditional vulnerability testing to comprehensive application risk management, recognizing the increased reliance on third-party software and the escalating complexity of securing modern applications. Wysopal also discusses how generative AI technologies are significantly accelerating application development but simultaneously creating substantial security challenges. He stresses that while AI-generated applications multiply rapidly, their vulnerability density remains comparable to human-written code. To manage this growing risk, Wysopal underlines the necessity of integrating automated, AI-driven vulnerability remediation into the software development lifecycle. Looking forward, Wysopal advocates for embedding security deeply within the application creation process, anticipating that AI will eventually assist in producing inherently secure software. However, he also underscores the enduring threat of social engineering attacks, urging enterprises to prioritize comprehensive security awareness programs to bolster their overall cybersecurity posture and resilience. The conversation examines some very interesting correlations between the mindset of the great hackers and the success of great entrepreneurs. Both take a good bit of grit, an ability to focus and be creative and perhaps most importantly: Persistence. Learn more about Chris Wysopal's approaches and the company he founded at Veracode. For insights into reducing your organization's attack surface see: State of Software Security 2025

The BlueHat Podcast
BlueHat 2024 Day 1 Keynote: Chris Wysopal AKA Weld Pond

Nov 13, 2024 47:50


In episode 41 of The BlueHat Podcast we bring you the BlueHat 2024 day 1 keynote address given by Chris Wysopal, also known as Weld Pond, founder and Chief Security Evangelist at Veracode, and founding member of the L0pht.

Chris' talk - A Clash of Cultures Comes Together to Change Software Security - recounts the early days of “hacking” and how the industry evolved to embrace vulnerability discovery and coordinated, responsible disclosure.

Chris' presentation provides a fascinating reflection on a tumultuous period for Microsoft around 2001, marked by significant vulnerability discoveries, which ultimately led to the establishment of the Organization for Internet Safety and the consultancy AtStake, transforming the security landscape and professionalizing the role of hackers. Watch Chris' BlueHat 2024 Day 1 Keynote here: https://youtu.be/w6SAqT4ZQik

Resources:
  • View Chris Wysopal on LinkedIn
  • View Wendy Zenone on LinkedIn
  • View Nic Fillingham on LinkedIn

Related Microsoft Podcasts:
  • Microsoft Threat Intelligence Podcast
  • Afternoon Cyber Tea with Ann Johnson
  • Uncovering Hidden Risks

Discover and follow other Microsoft podcasts at microsoft.com/podcasts

Secure Ventures with Kyle McNulty
Veracode: Chris Wysopal on the Evolution of AppSec

May 7, 2024 41:31


Chris is co-founder and CTO of Veracode, an application security powerhouse which was last valued at 2.5 billion in March 2022. The company was founded in 2005 as a code review automation platform, and it has since evolved to be one of the gold standard application security tools. Before founding Veracode, Chris worked as a security researcher and engineer for a decade where he grew frustrated with the manual source code review process. In the episode, we discuss how long it took Chris to believe he had really created something special, the important technical decisions the team made both early on and later in the company's life, and how the DevSecOps movement and new entrants impacted Veracode's market positioning.

Veracode: https://www.veracode.com/
Sponsor: https://vulncheck.com/

The Decibel Podcast: Founders Helping Founders
Chris Wysopal, Founder and CTO of Veracode: How Hackers Became the Celebrities of Cybersecurity

Apr 16, 2024 35:21


Chris Wysopal is the Founder and CTO of Veracode, a $2.5 billion software supply chain security company that pioneered the field of application security and was one of the first companies to embrace software as a service. On today's episode, Jon Sakoda speaks with Chris on his early fame as a cybersecurity researcher and the highs and lows of building Veracode across three decades:

  • How a Hacking Group Became Celebrities [11:50 - 15:35] - Chris was a member of the famous “L0pht” hacker group who became famous for discovering vulnerabilities in Lotus and Microsoft software. Shining a light on the issue ultimately gave the group widespread media attention and internet fame, drawing much needed attention to security issues in commercial software.
  • Launching a Cloud Product in the Desktop Era [27:55 - 32:50] - In 2006, Veracode was one of the first companies in the security industry to pioneer “software as a service” which is widely used today. Chris relives the journey of convincing customers of the benefit of leveraging the cloud during the era of client / server code repositories.
  • Surviving and Thriving Through Cycles [38:51 - 40:10] - Veracode has been a wildly successful company, but has had to survive many moments of crisis that might have killed weaker startups. The company had a broken financing in the first financial crisis and has been through numerous cycles through the years.

Microsoft Threat Intelligence Podcast
Live from New York it's Microsoft Secure

Mar 27, 2024 47:48


On this week's episode of The Microsoft Threat Intelligence Podcast, Sherrod DeGrippo is Live from Times Square at Microsoft Secure and is joined by Chris Wysopal, Chip Calhoun, and Torrell Funderburk. Chris (aka Weld Pond) reflects on his experiences with L0pht, the evolution of bug bounty programs and their dominance in the cybersecurity space, highlighting both the benefits and drawbacks. Chip explains how Copilot for Security assists with threat hunting and script analysis, enhancing analysts' capabilities in identifying threats and malicious activities. He also touches on the prevalent threat actor profiles, highlighting the prevalence of e-crime and the potential impact of nation-state actors. Torrell expresses excitement about the advancements in their security program and the ability to detect and respond at scale. He also discusses his transition from software engineering to cybersecurity and encourages others to consider the move due to the foundational similarities between the fields.

In this episode you'll learn:
  • Complications from vulnerabilities discovered in open-source software
  • Practical applications of Copilot in incident response and threat intelligence
  • The importance of curiosity and problem-solving skills when building a security team

Some questions we ask:
  • How do you view the role of AI and machine learning in security, and bug bounties?
  • What do you think is unique about securing critical infrastructure targets?
  • Will AI influence security practices in organizations and industries going forward?

Resources:
  • View Chris Wysopal on LinkedIn
  • View Chip Calhoun on LinkedIn
  • View Torrell Funderburk on LinkedIn
  • View Sherrod DeGrippo on LinkedIn

Related Microsoft Podcasts:
  • Afternoon Cyber Tea with Ann Johnson
  • The BlueHat Podcast
  • Uncovering Hidden Risks

Discover and follow other Microsoft podcasts at microsoft.com/podcasts

The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.

Tech Hive: The Tech Leaders Podcast
#89, Chris Wysopal, Founder and CTO @ Veracode: Ethical Hacking and Cyber Safety

Feb 6, 2024 48:14


Once claiming to the US Senate that he could 'take down the internet in 30 minutes', this week's guest gives us insight into the underbelly of the cyberworld. Chris Wysopal, founder and CTO of Veracode, tells us all about his experience as an ethical hacker and how he and his team at L0pht pioneered the way for cybersecurity. From taking an interest in the potential of cyber hacking at the start of the online era, to being a trailblazer in the discovery of IT vulnerability as a whole, Chris and his team were at the forefront of raising cyber risk awareness. Determined to battle the 'bad guy image' in cybersecurity, the L0pht team were on a mission to showcase the fallibility of big vendors, such as Microsoft, and evidence the need for effective security measures. Now, Chris' colourful past shapes the security-led solutions of Veracode, a platform that detects flaws and vulnerabilities at every stage of the modern software development lifecycle. This interview is a deep dive into the depths of cyber security and is not to be missed!

Timestamps:
  • What does Good Leadership mean to Chris? (02:20)
  • Pioneering the start of cybersecurity (04:20)
  • Starting a hacker collective (07:18)
  • L0pht's biggest cybersecurity breakthroughs (12:47)
  • Challenging the US Senate with cyber risks (18:00)
  • Are governments doing enough to prevent cyber-attacks? (22:12)
  • GenAI's role in cybersecurity (32:00)
  • An introduction to Veracode (34:24)
  • Chris' advice to his 21-year-old self (43:24)

Decipher Security Podcast
Chris Wysopal and Cris Thomas

Apr 26, 2023 34:47


Chris Wysopal and Cris Thomas of the L0pht join Dennis Fisher to talk about the 25-year-anniversary of the group's landmark Senate testimony, what's changed since then, and Cris's new book, How the Hackers Known as L0pht Changed the World. 

Decipher Security Podcast
Chris Wysopal

Mar 13, 2023 48:49


Chris Wysopal, CTO and founder of Veracode, joins Dennis Fisher to dive into the new White House National Cybersecurity Strategy and discuss what's missing, how practical the pillars are, and when these ideas may be implemented. 

eXecutive Security
How Cybersecurity's Origins Inform Its Future with Chris Wysopal of Veracode

Jun 29, 2022 34:03


Chris Wysopal is Co-Founder and Chief Technology Officer at Veracode, which pioneered the concept of using automated static binary analysis to discover vulnerabilities in software. In the 1990s, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. Chris started his career as a software engineer who first built commercial software and then migrated to the specialty of testing software for vulnerabilities. He has led highly productive and innovative software development teams and has performed product strategy and product management roles. Chris is a much sought-after expert on cybersecurity. He has been interviewed for most major technology and business publications, including New York Times, The Washington Post, WSJ, Forbes, Fortune, AP, Reuters, Newsweek, Dark Reading, MIT Tech Review, Wired, and many networks, including BBC, CNN, ABC, CBS, CNBC, PBS, Bloomberg, Fox News, and NPR. He has keynoted cybersecurity and technical conferences on 4 continents.

Link: Chris Wysopal LinkedIn
Link: Cult of the Dead Cow by Joseph Menn

The CyberWire
Update on Russian cyber ops and disinformation around Ukraine. Ransomware disrupts European ports. Chinese intelligence services exploit a Zimbra zero-day.

Feb 4, 2022 27:58


Primitive Bear is snuffling around Ukraine, and Russia may be preparing deepfake video to lend legitimacy to its claims with respect to its neighbor. European ports and other logistical installations are under attack by ransomware, apparently uncoordinated criminal activity. Daniel Prince from Lancaster University on safeguarding IoT in Healthcare. Our guest is Chris Wysopal of Veracode with research on increases in automation and componentization in software development. And a Chinese APT is said to be exploiting a Zimbra webmail cross-site-scripting zero-day, so users beware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/24

The Hackers
Hail Satan

Dec 14, 2021 14:52


Hackers have long been portrayed as the bad guys, but Biella uncovers how the ethical Grey and White Hat hackers created the modern security industry, despite the risk to their careers, and fierce opposition from major tech and software companies who wanted to keep any vulnerabilities in their products hidden from the public eye. She talks with Chris Wysopal, member of the high-profile hacker think tank the L0pht, about the struggle for security, and how that fight may have inadvertently damaged a key part of hacker culture in the long term.

ZDNet Security Update
How to solve the cybersecurity skills shortage

Dec 1, 2021 22:17


ZDNet Security Update: Danny Palmer talks to Veracode's Chris Wysopal about the high demand for cybersecurity staff and what needs to be done to fill the vacancies.

Application Security Weekly (Audio)
Cyber Monday - ASW #176

Nov 30, 2021 75:58


In today's session Chris Wysopal will address a number of topics with Mike, including systemic risk in software development and how developers and security teams can work together to meet common goals and solve the speed vs. security dilemma. Specifically, they'll discuss processes for fixing more vulnerabilities faster and tools for ensuring developer success. And they'll talk about improving the overall maturity of DevOps teams through good development practices, good testing, remediation, and training. In the AppSec News: Bug bounty payout practices, Edge goes super duper secure mode, WebKit CSP flaw has consequences for OAuth, GoDaddy breach, vuln in MediaTek audio DSP, & more!

Show Notes: https://securityweekly.com/asw176
Segment Resources: Veracode State of Software Security v11 https://www.veracode.com/state-of-software-security-report

Visit https://www.securityweekly.com/asw for all the latest episodes!

Paul's Security Weekly
Cyber Monday - ASW #176

Nov 30, 2021 75:58


In today's session Chris Wysopal will address a number of topics with Mike, including systemic risk in software development and how developers and security teams can work together to meet common goals and solve the speed vs. security dilemma. Specifically, they'll discuss processes for fixing more vulnerabilities faster and tools for ensuring developer success. And they'll talk about improving the overall maturity of DevOps teams through good development practices, good testing, remediation, and training. In the AppSec News: Bug bounty payout practices, Edge goes super duper secure mode, WebKit CSP flaw has consequences for OAuth, GoDaddy breach, vuln in MediaTek audio DSP, & more!

Show Notes: https://securityweekly.com/asw176
Segment Resources: Veracode State of Software Security v11 https://www.veracode.com/state-of-software-security-report

Visit https://www.securityweekly.com/asw for all the latest episodes!

Paul's Security Weekly TV
Solving Systemic Risk in Software Development - Chris Wysopal - ASW #176

Nov 29, 2021 37:27


In today's session Chris Wysopal will address a number of topics with Mike, including systemic risk in software development and how developers and security teams can work together to meet common goals and solve the speed vs. security dilemma. Specifically, they'll discuss processes for fixing more vulnerabilities faster and tools for ensuring developer success. And they'll talk about improving the overall maturity of DevOps teams through good development practices, good testing, remediation, and training.

Segment Resources: Veracode State of Software Security v11 https://www.veracode.com/state-of-software-security-report

Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw176

Application Security Weekly (Video)
Solving Systemic Risk in Software Development - Chris Wysopal - ASW #176

Nov 29, 2021 37:27


In today's session Chris Wysopal will address a number of topics with Mike, including systemic risk in software development and how developers and security teams can work together to meet common goals and solve the speed vs. security dilemma. Specifically, they'll discuss processes for fixing more vulnerabilities faster and tools for ensuring developer success. And they'll talk about improving the overall maturity of DevOps teams through good development practices, good testing, remediation, and training.

Segment Resources: Veracode State of Software Security v11 https://www.veracode.com/state-of-software-security-report

Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw176

Open Source Security Podcast
Episode 294 - Chris Wysopal on the state of security education

Oct 25, 2021 32:19


Josh and Kurt talk to Chris Wysopal, AKA Weld Pond, about security education. We talk about the current state of how we are learning about security as students and developers. What's the best way to get developers interested in learning more about security? We end the show with fantastic advice from Chris for anyone new to the field of technology or security.

Show Notes:
  • Chris Wysopal
  • Veracode
  • l0phtcrack

Malicious Life
Shutting Down The Internet in 30 Minutes: Chris Wysopal (WeldPond) [ML B-Side]

Apr 12, 2021 40:16



Malicious Life
Shutting Down The Internet in 30 Minutes: Chris Wysopal [ML B-Side]

Apr 12, 2021 40:17


Chris Wysopal, a cyber security pioneer and one of L0pht's founding members, talks about the group's 1998 testimony in the Senate, how they used shaming to force corporations to fix their software, and the (not so fortunate) consequences of the sale to @stake.

כל תכני עושים היסטוריה
[Malicious Life] Shutting Down The Internet in 30 Minutes: Chris Wysopal - ML B-Side

Apr 12, 2021 40:17


Chris Wysopal (aka WeldPond), a cyber security pioneer and one of L0pht's founding members, talks about the group's 1998 testimony in the Senate, how they used shaming to force corporations to fix their software, and the (not so fortunate) consequences of the sale to @stake.

The VentureFizz Podcast
Episode 209: Chris Wysopal - Founder & CTO, Veracode

Mar 8, 2021 59:45


Many successful entrepreneurs disrupt industries with innovative ideas, but how many can say their disruption actually helped create and jumpstart a whole industry that is massive? Chris has been involved in the cybersecurity industry since the beginning as a member of the elite hacker think tank in the 90's called the L0pht, which went on to testify before the U.S. Senate about cybersecurity and vulnerabilities of the internet. 20 years later, the cybersecurity industry is only growing by the day with new threats popping up and new technologies being developed to help companies and consumers play defense. Veracode is one of the anchor companies and Chris is one of its co-founders. Veracode is the largest global provider of application security testing (AST) solutions serving more than 2,500 customers worldwide across a wide range of industries.

In this episode of our podcast, we cover:
  • The story of the L0pht, which has the makings for a great Netflix show as it reminds me of the series Halt and Catch Fire.
  • @ Stake's acquisition of the L0pht and the early days of the cybersecurity industry.
  • The full story of Veracode in terms of starting the company, scaling to an acquisition, and spinning back out as an independent company.
  • Advice for technical founders on starting a company.
  • Lessons learned on scaling.
  • And so much more.

Paul's Security Weekly TV
SWVHSC: Micro-Interview - ReversingLabs & Veracode - Chris Wysopal, Mario Vuksan - ESW #194

Aug 14, 2020 32:35


Mario Vuksan, CEO and Co-Founder of ReversingLabs, discusses how modern digital objects, made up of layers of structured code and data, are central to the exchange or storage of information and are becoming increasingly complex. This interview is sponsored by ReversingLabs. To learn more about them, visit: https://www.reversinglabs.com/

Chris Wysopal, Co-Founder, CTO & CISO of Veracode, discusses how DevSecOps has moved security front and center in modern development. Yet security and development teams are driven by different metrics, making it challenging to align on objectives. The move to microservices-driven architecture and the use of containers and serverless has shifted the dynamics of how developers build, test, and deploy code. This interview is sponsored by Veracode. To learn more about them, visit: https://www.veracode.com/

Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw194

Paul's Security Weekly
The Only Player - ESW #194

Aug 13, 2020 97:10


This week, first we talk Enterprise News, discussing how Attivo Networks Announces New Integration with IBM Security Resilient, GreatHorn improves email security with better visibility and intelligent protection, Elite Intelligence Ascends to the Cloud With Recorded Future and Microsoft Azure, Thycotic Releases Privileged Access Management Capabilities for the New Reality of Cloud and Remote Work, Datadog has acquired Undefined Labs, a testing and observability company for developer workflows, and more! In our second segment, we air two pre-recorded interviews from Security Weekly Virtual Hacker Summer Camp with Chris Wysopal from Veracode and Mario Vuksan from ReversingLabs! In our final segment, we air two more pre-recorded interviews from Virtual Hacker Summer Camp with Danny Jenkins from ThreatLocker and Stephen Boyer from BitSight!

Show Notes: https://securityweekly.com/esw194

To learn more about BitSight, visit: https://securityweekly.com/bitsight
To learn more about ThreatLocker, visit: https://www.securityweekly.com/threatlocker
To learn more about ReversingLabs, visit: https://www.reversinglabs.com/
To learn more about Veracode, visit: https://www.veracode.com/

Visit https://www.securityweekly.com/esw for all the latest episodes!

Enterprise Security Weekly (Audio)
The Only Player - ESW #194

Aug 13, 2020 97:10


This week, first we talk Enterprise News, discussing how Attivo Networks Announces New Integration with IBM Security Resilient, GreatHorn improves email security with better visibility and intelligent protection, Elite Intelligence Ascends to the Cloud With Recorded Future and Microsoft Azure, Thycotic Releases Privileged Access Management Capabilities for the New Reality of Cloud and Remote Work, Datadog has acquired Undefined Labs, a testing and observability company for developer workflows, and more! In our second segment, we air two pre-recorded interviews from Security Weekly Virtual Hacker Summer Camp with Chris Wysopal from Veracode and Mario Vuksan from ReversingLabs! In our final segment, we air two more pre-recorded interviews from Virtual Hacker Summer Camp with Danny Jenkins from ThreatLocker and Stephen Boyer from BitSight!

Show Notes: https://securityweekly.com/esw194

To learn more about BitSight, visit: https://securityweekly.com/bitsight
To learn more about ThreatLocker, visit: https://www.securityweekly.com/threatlocker
To learn more about ReversingLabs, visit: https://www.reversinglabs.com/
To learn more about Veracode, visit: https://www.veracode.com/

Visit https://www.securityweekly.com/esw for all the latest episodes!

Enterprise Security Weekly (Video)
SWVHSC: Micro-Interview - ReversingLabs & Veracode - Chris Wysopal, Mario Vuksan - ESW #194

Aug 13, 2020 32:35


Mario Vuksan, CEO and Co-Founder of ReversingLabs, discusses how modern digital objects, made up of layers of structured code and data, are central to the exchange or storage of information and are becoming increasingly complex. This interview is sponsored by ReversingLabs. To learn more about them, visit: https://www.reversinglabs.com/

Chris Wysopal, Co-Founder, CTO & CISO of Veracode, discusses how DevSecOps has moved security front and center in modern development. Yet security and development teams are driven by different metrics, making it challenging to align on objectives. The move to microservices-driven architecture and the use of containers and serverless has shifted the dynamics of how developers build, test, and deploy code. This interview is sponsored by Veracode. To learn more about them, visit: https://www.veracode.com/

Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw194

WIRED Security: News, Advice, and More
IoT Security Is a Mess. Privacy 'Nutrition' Labels Could Help

Jun 11, 2020 6:37


Another key aspect of the security and privacy label project is that the information is also encoded to be machine readable. This way, even if different countries or industries develop their own assessment tools, there's still a way to compare and process all the data. The researchers point out that data from the labels could make it easier to search for products by their privacy and security features, creating the potential for these to be mainstream product considerations rather than niche points that are difficult for consumers to research. Ecommerce websites could even offer filters for privacy and security features like they already do for things like price, weight, or screen size. In this way, consumers could make intentional choices about the products they buy, with digital safety as one of the factors.

The researchers say that they've had a lot of private-sector and congressional interest in their label. But so far they've only been able to make example labels based on imaginary products or mock up labels for real products based on public data. The researchers are looking for a manufacturer to pilot the labels in a more serious way, with honest information about the products.

There is real momentum toward doing these types of tests. Finland, Singapore, and the United Kingdom are all working on national IoT label programs focused on security. And while some IoT security bills have floated around the US Congress, the National Telecommunications and Information Administration within the Department of Commerce is actively working on a similar type of project for software. The idea is to develop a software "bill of materials" that would help the industry keep track of all the different open source and third-party components that go into one single software program or platform.

"Standardization I think will help, just like the ingredients label on food educates people about how much sugar or sodium they're consuming," says Chris Wysopal, chief technology officer of the software auditing firm Veracode. "Standardizing a software bill of materials would make it more clear to a consumer what they're getting."

The researchers are realistic that for their work to have a long-term impact there would either need to be widespread voluntary adoption of the label by manufacturers or a government mandate to do so. But they say that's why they've designed the label with room for manufacturers to explain their choices to consumers.

"There may be a really good reason that your thermostat has a microphone, but if the company doesn't tell you, then you're shocked," says Lorrie Cranor, director of Carnegie Mellon's usable privacy and security lab. "If they tell you about the microphone up front and explain why that is, then you might say 'Oh, OK, that makes sense.'"

Conventional wisdom says that consumers won't typically pay a premium for privacy and security features. The researchers had preliminary findings, though, that an easy-to-read label might help people better understand potential risks and make them more willing to pay more for strong guarantees. It will take more investigation to expand on that finding, and the easiest way to do extensive testing would be for companies to start adopting security and privacy labels on their IoT products. You likely won't be seeing IoT privacy labels on store shelves anytime soon. But the stakes are high enough that something certainly needs to change.

A Hard Look at Software Security
Ep. 4, S2: AppSec grows up

A Hard Look at Software Security

Play Episode Listen Later Jan 23, 2020 14:34


AppSec awareness has grown in a decade. In Veracode's State of Software Security report, Volume one, most of the conversation was around trying to explain and advocate for application security. Today, far less of that is necessary and more emphasis is put on talking about how to build an effective, mature application security program. In this episode of A Hard Look at Software Security, Chris Wysopal, Chief Technology Officer with Veracode, will discuss positive AppSec signs – and what they mean for security best practices. Listeners will learn more about:
• Factors influencing the change in application security programs
• What the State of Software Security report uncovers when it comes to current AppSec efforts
• Why awareness about AppSec risk has grown, but actual risk reduction still has room for improvement
Produced by IDG Communications, Inc., in association with Veracode.

A Hard Look at Software Security
Ep. 6, S2: Frequency matters: the case for scanning early and often, part 2

A Hard Look at Software Security

Play Episode Listen Later Jan 23, 2020 14:56


Security debt – which is defined as aging and accumulating flaws in software – is a lot like credit card debt. You can throw money at the balance, but if you don't stop spending, you're never going to actually get out of debt. In this episode of A Hard Look at Software Security, Chris Wysopal, Chief Technology Officer with Veracode, will join us to continue our conversation on software scanning with focus on the accumulating security debt in applications caused by persistent flaws in long-term time frames. Listeners will learn more about:
• Why there is less security debt in organizations that scan their code more than 300 times per year
• How to know if security debt is meaningful
• Best practices for incorporating scanning into the process
Produced by IDG Communications, Inc., in association with Veracode.

The CyberWire
Pensacola under cyberattack. Notes on ransomware. The US Justice Department IG report on Crossfire Hurricane. Who let the bots out?

The CyberWire

Play Episode Listen Later Dec 10, 2019 19:48


The city of Pensacola is hit hard by an unspecified cyberattack. Ryuk ransomware decryptors may cause data loss. A new variant of Snatch ransomware evades anti-virus protection. The US Justice Department’s Inspector General has reported on the FBI’s Crossfire Hurricane investigation. Another unsecured database exposes PII. Keep an eye out for Patch Tuesday updates. And it’s prediction season, so CyberScoop lets the bots out. Ben Yelin from UMD CHHS on legislating the right to sue online platforms. Guest is Chris Wysopal from Veracode with findings on security debt from their State of Software Security report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_10.html

Decipher Security Podcast
Chris Wysopal

Decipher Security Podcast

Play Episode Listen Later Nov 12, 2019 41:21


Chris Wysopal, co-founder and CTO of Veracode, joins Dennis Fisher to dive into the deep end of the application security pool and discuss the company's new State of Software Security report. Read the Decipher coverage of the SOSS report here. Download the full report here.

14 Minutes of SaaS - founder stories on business, tech and life
E39: Chris Wysopal – Co-founder & CTO of Veracode – 1 of 2 – a Push from Symantec

14 Minutes of SaaS - founder stories on business, tech and life

Play Episode Listen Later Jun 27, 2019 15:02


Chris Wysopal is Co-founder & CTO of Veracode, a data security SaaS company which sold for $950 million USD. He talks about his hacker mindset and the push Symantec gave him to leave and cofound his company.

14 Minutes of SaaS - founder stories on business, tech and life
E40: Chris Wysopal – Co-founder & CTO of Veracode – 2 of 2 – Startups take a long time

14 Minutes of SaaS - founder stories on business, tech and life

Play Episode Listen Later Jun 27, 2019 14:35


Chris Wysopal, Co-founder & CTO of Veracode, talks about how startups take time and how some founders may look like an overnight success, but usually they've been at it for years. And how to be a successful founder, you need to love what you do.

Business Lab
The Evolution of Cybersecurity: Veracode's Chris Wysopal

Business Lab

Play Episode Listen Later Jun 27, 2019 29:30


In this episode: How the development of cybersecurity arose and how that history created a world rife with invasions. Chris Wysopal, CTO and cofounder of Veracode, sat in the first row for the advent of cyber defense. In fact, as the Vulnerability Researcher at the seminal hacker think tank the L0pht, he has worked for decades to demand more secure technology from influential tech companies. In this episode Wysopal shares his work in the early years of cybersecurity, including when he testified in front of the 1998 Senate on computer security. At that time, he urged the adoption of regulations on large companies like Microsoft in order to enforce accountability and the development of thoughtful, safer code that protects consumer privacy. These initial concerns have only grown, as there is still little enforcement against code and firmware that allows for breaches. Business Lab is hosted by Elizabeth Bramson-Boudreau, the CEO and publisher of MIT Technology Review. The show is produced by Collective Next. Music by Merlean, from Epidemic Sound.

14 Minutes of SaaS - founder stories on business, tech and life
E40: Chris Wysopal – Co-founder & CTO of Veracode – 2 of 2 – Startups take a long time

14 Minutes of SaaS - founder stories on business, tech and life

Play Episode Listen Later Jun 26, 2019 14:35


Chris Wysopal, Co-founder & CTO of Veracode, talks about how startups take time and how some founders may look like an overnight success, but usually they've been at it for years. And how to be a successful founder, you need to love what you do.

14 Minutes of SaaS - founder stories on business, tech and life
E39: Chris Wysopal – Co-founder & CTO of Veracode – 1 of 2 – a Push from Symantec

14 Minutes of SaaS - founder stories on business, tech and life

Play Episode Listen Later Jun 26, 2019 15:02


Chris Wysopal is Co-founder & CTO of Veracode, a data security SaaS company which sold for $950 million USD. He talks about his hacker mindset and the push Symantec gave him to leave and cofound his company.

A Hard Look at Software Security
Building a Security-first Culture Starts with Coding

A Hard Look at Software Security

Play Episode Listen Later Feb 26, 2019 11:27


In this episode, we learn about changes in application security and the partnership between development and security. Chris Wysopal, Chief Technology Officer and Co-Founder of Veracode, joins us to discuss the synergy between these teams – and what best practices help create a solid devsecops program. Listeners will learn more about: • The factors behind the evolving relationship between development and security • What this change means for secure coding in the future • Action items for creating a security-first culture in the enterprise

O'Reilly Security Podcast - O'Reilly Media Podcast
Chris Wysopal on a shared responsibility model for developers and defenders

O'Reilly Security Podcast - O'Reilly Media Podcast

Play Episode Listen Later Sep 13, 2017 36:11


The O’Reilly Security Podcast: Shifting secure code responsibility to developers, building secure software quickly, and the importance of changing processes.

In this episode of the Security Podcast, I talk with Chris Wysopal, co-founder and CTO of Veracode. We discuss the increasing role of developers in building secure software, maintaining development speed while injecting security testing, and helping developers identify when they need to contact the security team for help.

Here are some highlights:

The challenges of securing enduring vs. new software

One of the big challenges in securing software is that it’s most often built, maintained, and upgraded over many years. Think of online banking software for a financial services company. They probably started building that 15 years ago, and it's probably gone through two or three major changes, but the tooling and the language and the libraries, and all the things that they're using are all built from the original code. Fitting security into that style of software development presents challenges because they're not used to the newer tool sets and the newer ways of doing things. It's actually sometimes easier to integrate security into a newer software. Even though they're moving faster, it's easier to integrate into some of the newer development toolchains.

Changing processes to enable small batch testing and fixing

There are parallels between where we are with security now and where performance was at the beginning of the Agile movement. With Agile, the thought was, ‘We're going to go fast, but one of the ways we're going to maintain quality is we're going to require unit tests written by every developer for every piece of functionality they do, and that these automated unit tests will run on every build and every code change.’ By changing the way you do things, from a manual backend weighted full system test to smaller batch incremental tests of pieces of functionality, you're able to speed up the development process, without sacrificing quality. That's a change in process. To have a high performing application, you didn't necessarily need to spend more time building it. You needed better intelligence—so, APM technology put into production to understand performance issues better and more quickly allowed teams to still go fast and not have performance bottlenecks. With security, we're going to see the same thing. There can be some additional technology put into play, but the other key factor is changing your process. We call this ‘shifting left,’ which means: find the security defect as quickly as possible or as early as possible in the development lifecycle so that it's cheaper and quicker to fix. For example, if a developer writes a cross-site scripting error as they're coding in JavaScript, and they're able to detect that within minutes of creating that flaw, it will likely only require minutes or seconds to fix. Whereas if that flaw is discovered two weeks later by a manual tester, that's going to be then entered into a defect tracking system. It's going to be triaged. It's going to be put into someone's bug queue. With the delay in identification, it will have to be researched in its original context and will slow down development. Now, you're potentially talking hours of time to fix the same flaw. Maybe a scale of 10 or 100 times more time is taken. Shifting left is a way of thinking about, ‘How do I do small batch testing and fixing?’ That's a process change that enables you to keep going fast and be secure.

Helping developers identify when they need to call for security help

We need to teach developers about application security to enable them to identify when there’s a problem and when they don't know enough to solve it themselves. One of the problems with application security is that developers often don't know enough to recognize when they need to call in an expert. For example, when an architect is building a structure and knows there’s a problem with the engineering of a component, the architect knows to call in a structural engineer to augment their expertise. We need to have the same dynamic with software developers. They're experts in their field, and they need to know a lot about security. They also need to know when they require help with threat modeling or to perform a manual code review on a really critical piece of code, like account recovery mechanism. We need to shift more security expertise into the development organization, but part of that is also helping developers know when to call out to the security team. That's also a way we can help the challenge of hiring security experts, because they're hard to find.

Learn to Code With Me
S3E20: Careers in Security with Veracode Co-founder Chris Wysopal

Learn to Code With Me

Play Episode Listen Later Aug 8, 2017 36:39


Chris Wysopal is the co-founder and chief technology officer at Veracode, where he oversees technology strategy and information security. In our conversation, he talks about challenges and career options in the field of security.

Welcome to Cybersecurity Insights and Perspectives
Interview with Chris Wysopal (aka WeldPond) of Veracode

Welcome to Cybersecurity Insights and Perspectives

Play Episode Listen Later Apr 21, 2017 13:31


Host Kevin Greene and guest Chris Wysopal, Co-Founder and CTO at Veracode, discuss the impact of the legendary group L0pht in many cyber security start-ups. Wysopal also discusses how Veracode is working to help organizations deploy software more securely and faster by getting better tools to the developers early in the software development process.

FedScoop Radio
Veracode's Chris Wysopal on the impact of 1990s hacker group L0pht

FedScoop Radio

Play Episode Listen Later Aug 31, 2016 13:31


Veracode's Chris Wysopal on the impact of 1990s hacker group L0pht by FedScoop

Down the Security Rabbithole Podcast
DtSR Episode 206 - Vulnerabilities, Disclosure, Ethics, Research and Security

Down the Security Rabbithole Podcast

Play Episode Listen Later Aug 9, 2016 61:22


In this episode we chat with Steve Christey Coley currently the Principal Information Security Engineer over at MITRE Corp. In this episode we talk through our industry's obsession with vulnerabilities, dive headlong into the thorny issue of security research, talk through the various issues with disclosure and even delve into some ethics issues. This episode is content-packed with some content that you will likely want to talk to us about. So here's how to find us: Steve on Twitter: @SushiDude Hashtag for the show: #DtSR   Steve's Bio (from LinkedIn - https://www.linkedin.com/in/steve-christey-coley-66aa1826): Editor / Technical Lead for the Common Vulnerabilities and Exposures (CVE) project; Technical Lead for the Common Weakness Enumeration (CWE); co-author of the "Responsible Vulnerability Disclosure Process" IETF draft with Chris Wysopal in 2002; participant in Common Vulnerability Scoring System (CVSS) and NIST's Static Analysis Tool Exposition (SATE). My primary interests include secure software development and testing, understanding the strengths and limitations of automated code analysis tools, the theoretical underpinnings of vulnerabilities, making software security accessible to the general public, vulnerability information management including post-disclosure analysis, and vulnerability research. Specialties: Vulnerability research, vulnerability management, software security.

The Cybersecurity Podcast
Hack the Toaster, Cyber National Guard & Why L0pht Didn't Shutter the Internet

The Cybersecurity Podcast

Play Episode Listen Later Jan 14, 2016 46:15


Chris Wysopal a.k.a Weld Pond, chief technology officer of application security firm Veracode, joins The Cybersecurity Podcast to discuss the suspected cyberattack on the Ukrainian power grid, ways to increase transparency about cybersecurity expertise at publicly-traded companies, and why the L0pht hacking collective he once belonged to didn't want to shut down the Internet back in the 1990s just to prove to senators it could. Also joining New America's Peter Singer and Passcode's Sara Sorcher is Chris Young, general manager of Intel Security. They talk about the unconventional cyberthreats emerging from the booming Internet of Things, the challenges posed by ransomware, and his ideas for a future Cyber National Guard.

DevSecOps Podcast Series
OWASP Benchmark Project w/ Dave Wichers

DevSecOps Podcast Series

Play Episode Listen Later Sep 30, 2015 14:49


There's been a lot of discussion around the OWASP Benchmark Project since its latest release. Jeff Williams wrote an article and then received a response from Chris Wysopal at Veracode. I was able to catch up with Dave Wichers, OWASP Project Lead, during AppSecUSA 2015 in San Francisco. I had Dave talk me through the project and what its intentions are. Resources: OWASP Benchmark Project https://www.owasp.org/index.php/Benchmark Why it's Insane to Trust Static Analysis http://www.darkreading.com/vulnerabilities---threats/why-its-insane-to-trust-static-analysis/a/d-id/1322274? No One Technology is a Silver Bullet https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet

Exotic Liability
20: Chris Wysopal

Exotic Liability

Play Episode Listen Later Aug 5, 2015 41:57


In this episode: L0phtcrack is back! Chris's lab, Compliance is not security, Patch management, OpenVAS, FBI sniffles, Don't tase me bro...

SecuraBit
SecuraBit EP30 l0phtcrack 6

SecuraBit

Play Episode Listen Later May 2, 2009 62:54


This week we interview Christien Rioux and Chris Wysopal about the upcoming release of l0phtcrack 6. Hosts: Anthony Gartner - http://www.anthonygartner.com - @anthonygartner Chris Gerling - http://www.chrisgerling.com - @hak5chris Christopher Mills - http://www.packetsense.net - @thechrisam Jason Mueller - @securabit_jay Guests: Christien Rioux - @dildog Chris Wysopal - @cwysopal Links: l0phtcrack - http://www.l0phtcrack.com/ Adobe Product Security Incident Response Team (PSIRT) - http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html Finjan finds botnet of 1.9m infected computers  - http://news.zdnet.co.uk/security/0,1000000189,39643173,00.htm

SecuraBit
SecuraBit Episode 7

SecuraBit

Play Episode Listen Later Jul 27, 2008 55:39


On this episode of SecuraBit, we talk to Chris Eng and Chris Wysopal from Veracode about SOURCE Boston, as well as Jennifer Leggio about Twitter and more: SOURCE Boston identi.ca and OpenID Facebug Bug leaks birthday data Activeworx A little more on the DNS fiasco (see past show links on DNS issues). Failbus I'm going to be installing wiki software and recruiting some folks to help us do proper full show notes for each episode. We're also looking for people to help out with the forums, IRC, and research for technical segments. If you can contribute in any way we'll make sure you get recognized. Direct link to show here. Remember to hit up the T-Shirt and Sticker page. Soon I will remove the T-Shirt donate link as I will be shipping the box of T-Shirts to Jay to take with him to Defcon. Hit us up on the forums, or at irc.freenode.net #securabit. Thanks for listening!

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.
Chris Wysopal & Chris Eng: Static Detection of Application Backdoors

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.

Play Episode Listen Later Jan 9, 2006 71:09


Backdoors have been part of software since the first security feature was implemented. So unless there is a process to detect backdoors they will inevitably be inserted into software. Requiring source code is a hurdle to detecting backdoors since it isn't typically available for off the shelf software or for many of the libraries developers link to. And what about your developer tool chain? Ken Thompson in "Reflections on Trusting Trust" showed your compiler can't be trusted. What about your linker, obfuscator or packer? To find backdoors in these scenarios you need to inspect the software executable binary. We will present techniques for inspecting binaries for backdoors. We will discuss the different backdoor approaches that have been discovered in the wild and hypothesize other approaches that are likely to be used. We will give examples of how the backdoors present themselves in the binary and how to find them.

Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.
Chris Wysopal & Chris Eng: Static Detection of Application Backdoors

Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.

Play Episode Listen Later Jan 9, 2006 71:09


Backdoors have been part of software since the first security feature was implemented. So unless there is a process to detect backdoors they will inevitably be inserted into software. Requiring source code is a hurdle to detecting backdoors since it isn't typically available for off the shelf software or for many of the libraries developers link to. And what about your developer tool chain? Ken Thompson in "Reflections on Trusting Trust" showed your compiler can't be trusted. What about your linker, obfuscator or packer? To find backdoors in these scenarios you need to inspect the software executable binary. We will present techniques for inspecting binaries for backdoors. We will discuss the different backdoor approaches that have been discovered in the wild and hypothesize other approaches that are likely to be used. We will give examples of how the backdoors present themselves in the binary and how to find them.

Malicious Life
Shutting Down The Internet in 30 Minutes: Chris Wysopal (WeldPond) [ML B-Side]

Malicious Life

Play Episode Listen Later Jan 1, 1970 40:16


Shutting Down The Internet in 30 Minutes: Chris Wysopal (WeldPond) [ML B-Side]