Three Buddy Problem

Chris Eng on lessons learned from the NSA, @Stake, Veracode, and 20 years in cybersecurity

Oct 7, 2025
Chris Eng, an experienced application security leader and former Chief Research Officer at Veracode, shares captivating insights from his extensive cybersecurity career, including his beginnings at the NSA and the founding of Veracode. He discusses the evolution of security culture, the challenges of software supply chains, and why companies must focus on programmatic support instead of just tools. Eng emphasizes the importance of meaningful security metrics for leaders and the impact of AI on development, while offering guidance on vetting AI solutions from startups.
ANECDOTE

From NSA Scholarship To Red Team

  • Chris Eng entered security via an NSA scholarship program that paid for college in exchange for service after graduation.
  • He shifted from hardware to software after seeing a stack overflow exploit demo and joining red-team rotations.
ANECDOTE

Making It Up As The Industry Formed

  • @Stake grew fast in the early 2000s with raw talent and no standard methodologies.
  • The team built custom tooling and even sold a web proxy because such tools didn’t exist yet.
ANECDOTE

Working Inside Microsoft During Trustworthy Computing

  • Eng recalls consulting for Microsoft during the Trustworthy Computing push and working on IIS 6.
  • The engagement focused on design review and threat modeling and led to a long period with few IIS 6 CVEs.