John Viega

John Viega (born February 22, 1974) is an American computer security author, researcher and professional.

Early life

John Viega earned his BA from the University of Virginia. As an undergraduate, he worked in Randy Pausch's Stage 3 Research Group, as an early contributor to Alice. [1] Viega earned an MS in Computer Science, also from the University of Virginia. [2]

While at the University of Virginia, Viega started a popular mailing list for the Dave Matthews Band. [3] Frustrated by the maintenance costs for a large, active mailing list, he wrote the first version of GNU Mailman, which quickly took off, leading the shift of mailing list management from email commands to the web. [2]

Career

Viega co-authored Building Secure Software [4] (Addison Wesley, 2001), which was the first book to teach developers about writing secure software. He has since co-authored a number of additional books on computer security, including Network Security with OpenSSL [5] (O'Reilly, 2002), the Secure Programming Cookbook [6] (O'Reilly, 2003), Beautiful Security [7] (O'Reilly, 2009), and the 19 Deadly Sins of Software Security [8] (McGraw Hill, 2005).

In 2005, he co-authored the widely used GCM mode of operation for AES, along with David A. McGrew, [9] which was designed to provide both encryption and authentication with one primitive that is both cost-effective in hardware and unencumbered by patents.

Viega was also a pioneer in static analysis for security vulnerabilities. He was responsible for ITS4, [10] the first static analysis tool in this class. He co-founded Secure Software, the first commercial vendor for such tools, which also released an open source tool, Rough Auditing Tool for Security (RATS).

At the end of 2005, Viega left Secure Software and joined McAfee, first as Chief Security Architect, and later as CTO, SaaS. Secure Software was bought by Fortify Software just over a year later. [11]

Post-McAfee, he was an executive at SilverSky, a cloud security provider funded by Goldman Sachs and Bessemer Venture Partners, which was acquired by BAE Systems in 2014, [12] where he was Executive Vice President of Products and Engineering.

In 2016, he left to co-found Capsule8 with Dino Dai-Zovi and Brandon Edwards, which was acquired by Sophos in July 2021. [13]

Viega was also the lead author of OWASP's CLASP, [14] a lightweight process for relating software development to security. He is also a former editor-in-chief for the IEEE Security & Privacy Magazine. He has been an adjunct professor at Virginia Tech, and New York University. [15]

Viega is currently the lead developer for the open source software provenance and observability tool, Chalk, as well as the co-founder and CEO of Crash Override. [16]

References

  1. Conway, Matthew (2000). "Alice: Lessons Learned from Building a 3D System For Novices" (PDF). Archived from the original (PDF) on 2001-06-16.
  2. Viega, John; Warsaw, Barry; Manheimer, Ken (1998-12-09). "Mailman: The GNU Mailing List Manager". 12th Systems Administration Conference (LISA '98). Boston, MA.
  3. Brown, Amy; Wilson, Brown (2012-03-30). The Architecture of Open Source Applications, Volume II. Lulu. p. 149. ISBN 978-1105571817.
  4. Viega, John; McGraw, Gary (2001-09-24). Building Secure Software. Addison Wesley. ISBN 978-0321774958.
  5. Viega, John; Messier, Matt; Chandra, Pravir (2002-06-15). Network Security with OpenSSL. O'Reilly Media. ISBN 978-0596002701.
  6. Viega, John; Messier, Matt (2003-08-19). Secure Programming Cookbook for C and C++. O'Reilly Media. ISBN 978-0596003944.
  7. Oram, Andy; Viega, John (2009-07-02). Beautiful Security: Leading Security Experts Explain How They Think. O'Reilly Media. ISBN 978-0596527488.
  8. Howard, Michael; LeBlanc, David; Viega, John (2005-07-26). 19 Deadly Sins of Software Security. McGraw-Hill Osborne Media. ISBN 978-0072260854.
  9. McGrew, David A.; Viega, John (2005). "The Galois/Counter Mode of Operation (GCM)" (PDF). p. 5.
  10. Viega, J.; Bloch, J. T.; Kohno, Y.; McGraw, G. (29 December 2018). ITS4: A Static Vulnerability Scanner for C and C++ Code. IEEE Computer Society. pp. 257–. ISBN 9780769508597. Retrieved 29 December 2018 via ACM Digital Library.
  11. McMillan, Robert (17 January 2007). "Fortify buys Secure Software". InfoWorld.com. Retrieved 29 December 2018.
  12. Westney, Andrew. "BAE Closes $233M Deal For Cybersecurity Co. SilverSky". Law360.com. Retrieved 29 December 2018.
  13. Sophos Inc. (2021-07-07). "Sophos Acquires Capsule8 to Bring Powerful and Lightweight Linux Server and Cloud Container Security to its Adaptive Cybersecurity Ecosystem" (Press release). globenewswire.com. Retrieved 2023-11-30.
  14. Viega, John (May 2005). "Building Security Requirements with CLASP". Proceedings of the 2005 Workshop on Software Engineering for Secure Systems: Building Trustworthy Applications. ACM. doi:10.1145/1083200.1083207.
  15. Shah, Ankur; Rustagi, Neelima (2021-07-29). "Zero To Exit" (Podcast). Retrieved 2023-11-30.
  16. Romeo, Chris; Hurlbut, Robert (2023-07-29). "The Application Security Podcast" (Podcast). Retrieved 2023-09-05.