OwlTail

Chris Eng

11 Podcast Episodes

Latest 6 Nov 2021 | Updated Daily

Weekly hand curated podcast episodes for learning

Imagineering with Absent-Minded Professor Chris Eng

Driving to Disneyland

Kristen and Catherine sat down for a chat with former Imagineer Chris Eng, who we lovingly nicknamed the Ben Wyatt of Disneyland! We talked in depth about the building of Batuu, the development and financial side of the parks and company, gushed over his beautiful name tag plaque, and generally felt feelings about how much we love Disney. This one’s good for the head and the heart.

1hr 23mins

15 Nov 2020

Chris Eng Talks about the State of Software Security Report

Podcasts – TechSpective

TechSpective Podcast Episode 050 “Every company is a software company.” That is the quote that kicks off the Executive Summary page of the latest State of Software Security Report from Veracode. This is Volume 11 of the report, with a focus on looking ahead to identify how developers can continue to make applications better and [...]

54mins

30 Oct 2020

Veracode: Chief Research Officer, Chris Eng (Unedited).

Welcome to the “The CyberHero Adventures: Defenders of the Digital Universe” Show!

This is an interview conducted at RSA 2020. To learn more, visit: Veracode.com

11mins

8 Apr 2020

Chris Eng Interview - What's New with Veracode - Chris Eng - ASW #97

Paul's Security Weekly TV

Chris Eng, Chief Research Officer at Veracode, provides an update on Veracode including 2019 growth, new product announcements, Veracode Security Labs, and booth activities at RSA Conference 2020. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode97

30mins

25 Feb 2020

Most Popular

Chris Eng Interview - What's New with Veracode - Chris Eng - ASW #97

Application Security Weekly (Video)

Chris Eng, Chief Research Officer at Veracode, provides an update on Veracode including 2019 growth, new product announcements, Veracode Security Labs, and booth activities at RSA Conference 2020. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode97

30mins

25 Feb 2020

State of Software Security 9 w/ Chris Eng

DevOps Chat

Chris Eng has been shepherding the State of Software Security for a long time now. This new volume 9 of the survey is one of the best. I had a chance to sit down with Chris and discuss some of the highlights and interesting findings in this year's report. Don't miss this chat and be sure to download the report from the Veracode site.

20mins

24 Oct 2018

Chris Eng on the challenges of improved application security

O'Reilly Security Podcast - O'Reilly Media Podcast

The O’Reilly Security Podcast: Vulnerabilities in assembled software and the need for immediate developer feedback.

In this episode, I talk with Chris Eng, vice president of research at Veracode, a software security-as-a-service business. We discuss Veracode’s research on application security across a broad spectrum of industries, the challenges of securing modern “assembled” software, and making it easier for developers to bake in security from the get-go.

Here are some highlights:

Software security: Some assembly required

No one is writing software from scratch these days. Now, building software is more like assembling software from ingredients. You pull together a library for this, a library for that, and then, by the way, your shiny new piece of software inherits all the security holes in those libraries. As the product matures over time, people start to lose track of what went into it, nobody keeps an inventory of those libraries, and people don't upgrade libraries if they don't have a good reason to functionally. So, if you sit there and watch your product over time, it will get more and more vulnerable as additional vulnerabilities are discovered in the libraries that you used.

Developer-friendly security

In an ideal world, you want to be able to give immediate feedback to a developer as soon as you spot an issue. Because then you can fix it in the moment. You don't have to go back and figure out, “What was that thing I was working on three days ago? Let me try to get back into that headspace and, you know, figure it out.” Now you want to get as close as you can to when the code was written. That's what we're working toward. That's what, I think, the industry will start working toward: finding ways to give immediate feedback, in addition to the deeper analysis that you would do on a nightly basis, or weekly, or whatever makes sense for the organization.

Not all doom and gloom

Last year, 2015, across [Veracode’s] customer base, we detected about 10 million flaws, and we measured that seven million of those were fixed over the course of the year. So people are getting better. We have a tendency, as an industry and as a profession, to focus on all the things going wrong. That's our job; we have to be good at that. But things are getting better overall. And that's a good message.

29mins

3 Aug 2016

Chris Eng: Breaking Crypto Without Keys: Analyzing Data in Web Applications

Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference

"How often have you encountered random-looking cookies or other data in a web application that didn't easily decode to human readable text? What did you do next-ignore it and move on, assuming that it was encrypted data and that brute forcing the key would be infeasible? At the end of the test, when the application developer informed you that they were using 3DES with keys rotating hourly, did you tell them they were doing a good job, secretly relieved that you didn't waste your time trying to break it? This presentation will discuss penetration testing techniques for analyzing unknown data in web applications and demonstrate how encrypted data can be compromised through pattern recognition and only a high-level understanding of cryptography concepts. Techniques will be illustrated through a series of detailed, step-by-step case studies drawn from the presenter's penetration testing experience. This is not a talk on brute forcing encryption keys, nor is it a discussion of weaknesses in cryptographic algorithms. Rather, the case studies will demonstrate how encryption mechanisms in web applications were compromised without ever identifying the keys or even the underlying ciphers."

1hr

4 Jun 2006

Chris Eng: Breaking Crypto Without Keys: Analyzing Data in Web Applications

Black Hat Briefings, Las Vegas 2006 [Audio] Presentations from the security conference

"How often have you encountered random-looking cookies or other data in a web application that didn't easily decode to human readable text? What did you do next-ignore it and move on, assuming that it was encrypted data and that brute forcing the key would be infeasible? At the end of the test, when the application developer informed you that they were using 3DES with keys rotating hourly, did you tell them they were doing a good job, secretly relieved that you didn't waste your time trying to break it? This presentation will discuss penetration testing techniques for analyzing unknown data in web applications and demonstrate how encrypted data can be compromised through pattern recognition and only a high-level understanding of cryptography concepts. Techniques will be illustrated through a series of detailed, step-by-step case studies drawn from the presenter's penetration testing experience. This is not a talk on brute forcing encryption keys, nor is it a discussion of weaknesses in cryptographic algorithms. Rather, the case studies will demonstrate how encryption mechanisms in web applications were compromised without ever identifying the keys or even the underlying ciphers."

1hr

4 Jun 2006

Chris Wysopal & Chris Eng: Static Detection of Application Backdoors

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.

Backdoors have been part of software since the first security feature was implemented. So unless there is a process to detect backdoors they will inevitably be inserted into software. Requiring source code is a hurdle to detecting backdoors since it isn't typically available for off the shelf software or for many of the libraries developers link to. And what about your developer tool chain? Ken Thompson in "Reflections on Trusting Trust" showed your compiler can't be trusted. What about your linker, obfuscator or packer? To find backdoors in these scenarios you need to inspect the software executable binary. We will present techniques for inspecting binaries for backdoors. We will discuss the different backdoor approaches that have been discovered in the wild and hypothesize other approaches that are likely to be used. We will give examples of how the backdoors present themselves in the binary and how to find them.

1hr 11mins

9 Jan 2006