Chris Wysopal



Dennis Fisher talks with Chris Wysopal of Veracode about his journey from a teenage BBS user to member of the L0pht to respected security researcher. Known as Weld Pond since his days at the L0pht, Chris also discussed his time at @stake and how the L0pht’s road trip to DC to testify before Congress almost went very wrong.

You only have to glance at the headlines to know that the state of computer application security is bad. But a new report from Veracode makes clear how bad: just 16 percent of almost 10,000 applications tested in the last six months received a passing security grade on their first attempt.

An internal document listing the backdoor accounts for switches manufactured by networking equipment vendor Allied Telesis was circulating online Friday, a day after an internal support page providing instructions on accessing hard coded back door accounts in the company’s products was found to be publicly accessible.

If there’s one thing that scientists and statisticians both hate, its weird data. And that’s what the folks at Verizon were dealing with when they tallied the results of their 2011 Data Breach Report which found a stunning 97% drop in the number of lost records, even as the number of reported breaches rose precipitously.

By Chris WysopalVulnerability disclosure is in the spotlight again. First it was Tavis Ormandy disclosing a vulnerability in Microsoft Windows before Microsoft had a fix available. Now a group called Goatse Security has disclosed a vulnerability in an AT&T website that affects Apple iPad 3G owners. The Wall Street Journal reports on the repercussions against vulnerability researchers in “Computer Experts Face Backlash”.

WASHINGTON–There has been a big push in recent years in the security community toward metrics, and measurements of all types have become a hot topic in certain corners of the industry. But measurement for measurement’s sake is useless-and perhaps even counterproductive–if the security team in an organization doesn’t define its goals and parameters ahead of time, experts say.

By Chris Wysopal, Veracode
Let’s take a step back for a moment from who the actors are in the recent DDoS attacks and look at the root cause of the problem, because that isn’t going away. We have a horribly insecure software ecosystem that lets the bad guys take advantage of all the insecure software that vendors have shipped in the last 5 years to build distributed denial of service (DDoS) armies. The attackers then target these DDos armies at whoever they choose and are able to shut down their networks.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.