John Viega

John Viega (born February 22, 1974) is an American computer security author, researcher and professional.

Early life

John Viega earned his BA from the University of Virginia. As an undergraduate, he worked in Randy Pausch's Stage 3 Research Group, as an early contributor to Alice. [1] Viega earned an MS in Computer Science, also from the University of Virginia. [2]

While at the University of Virginia, Viega started a popular mailing list for the Dave Matthews Band. [3] Frustrated by the maintenance costs for a large, active mailing list, he wrote the first version of GNU Mailman, which quickly took off, leading the shift of mailing list management from email commands to the web. [4]

Career

Viega co-authored Building Secure Software [5] (Addison Wesley, 2001), the first book to teach developers how to write secure software. He has since co-authored a number of additional books on computer security, including Network Security with OpenSSL [6] (O'Reilly, 2002), the Secure Programming Cookbook [7] (O'Reilly, 2003), Beautiful Security [8] (O'Reilly, 2009), and the 19 Deadly Sins of Software Security [9] (McGraw Hill, 2005).

In 2005, he co-authored the widely used GCM mode of operation for AES with David A. McGrew. [10] GCM was designed to provide both encryption and authentication in a single primitive that is cost-effective in hardware and unencumbered by patents.

Viega was also a pioneer in static analysis for security vulnerabilities. He was responsible for ITS4, [11] the first static analysis tool in this class. He co-founded Secure Software, the first commercial vendor of such tools, which also released an open source tool, the Rough Auditing Tool for Security (RATS).

At the end of 2005, Viega left Secure Software and joined McAfee, first as Chief Security Architect, and later as CTO, SaaS. Secure Software was bought by Fortify Software just over a year later. [12]

Post-McAfee, he was an executive at SilverSky, a cloud security provider funded by Goldman Sachs and Bessemer Venture Partners, where he served as Executive Vice President of Products and Engineering. SilverSky was acquired by BAE Systems in 2014. [13]

In 2016, he left to co-found Capsule8 with Dino Dai-Zovi and Brandon Edwards, which was acquired by Sophos in July 2021. [14]

Viega was also the lead author of OWASP's CLASP, [15] a lightweight process for relating software development to security. He is a former editor-in-chief of IEEE Security & Privacy Magazine, and has been an adjunct professor at Virginia Tech and New York University. [16]

Viega is currently the lead developer for the open source software provenance and observability tool, Chalk, as well as the co-founder and CEO of Crash Override. [17]

References

  1. Conway, Matthew (2000). "Alice: Lessons Learned from Building a 3D System For Novices" (PDF). Archived from the original (PDF) on 2001-06-16.
  2. Viega, John; Warsaw, Barry; Manheimer, Ken (1998-12-09). Mailman: The GNU Mailing List Manager. 12th Systems Administration Conference (LISA '98). Boston, MA.
  3. Brown, Amy; Wilson, Brown (2012-03-30). The Architecture of Open Source Applications, Volume II. Lulu. p. 149. ISBN 978-1105571817.
  4. Viega, John; Warsaw, Barry; Manheimer, Ken (1998-12-09). Mailman: The GNU Mailing List Manager. 12th Systems Administration Conference (LISA '98). Boston, MA.
  5. Viega, John; McGraw, Gary (2001-09-24). Building Secure Software. Addison Wesley. ISBN 978-0321774958.
  6. Viega, John; Messier, Matt; Chandra, Pravir (2002-06-15). Network Security with OpenSSL. O'Reilly Media. ISBN 978-0596002701.
  7. Viega, John; Messier, Matt (2003-08-19). Secure Programming Cookbook for C and C++. O'Reilly Media. ISBN 978-0596003944.
  8. Oram, Andy; Viega, John (2009-07-02). Beautiful Security: Leading Security Experts Explain How They Think. O'Reilly Media. ISBN 978-0596527488.
  9. Howard, Michael; LeBlanc, David; Viega, John (2005-07-26). 19 Deadly Sins of Software Security. McGraw-Hill Osborne Media. ISBN 978-0072260854.
  10. McGrew, David A.; Viega, John (2005). "The Galois/Counter Mode of Operation (GCM)" (PDF). p. 5.
  11. Viega, J.; Bloch, J. T.; Kohno, Y.; McGraw, G. (29 December 2018). ITS4: A Static Vulnerability Scanner for C and C++ Code. IEEE Computer Society. pp. 257–. ISBN 9780769508597. Retrieved 29 December 2018 via ACM Digital Library.
  12. McMillan, Robert (17 January 2007). "Fortify buys Secure Software". InfoWorld.com. Retrieved 29 December 2018.
  13. Westney, Andrew. "BAE Closes $233M Deal For Cybersecurity Co. SilverSky". Law360.com. Retrieved 29 December 2018.
  14. Sophos Inc. (2021-07-07). "Sophos Acquires Capsule8 to Bring Powerful and Lightweight Linux Server and Cloud Container Security to its Adaptive Cybersecurity Ecosystem..." globenewswire.com (Press release). Retrieved 2023-11-30.
  15. Viega, John (May 2005). "Building Security Requirements with CLASP". Proceedings of the 2005 Workshop on Software Engineering for Secure Systems: Building Trustworthy Applications. ACM. doi:10.1145/1083200.1083207.
  16. Shah, Ankur; Rustagi, Neelima (2021-07-29). "Zero To Exit" (Podcast). Retrieved 2023-11-30.
  17. Romeo, Chris; Hurlbut, Robert (2023-07-29). "The Application Security Podcast" (Podcast). Retrieved 2023-09-05.