John Viega
| John Viega | |
|---|---|
| Alma mater | University of Virginia |
| Occupation | Computer-security specialist, author, software developer |
| Known for | GNU Mailman; Galois/Counter Mode (GCM) |
John Viega is an American computer-security specialist, author, and software developer. He is the original author of GNU Mailman, a co-designer of the Galois/Counter Mode (GCM) authenticated encryption mode for block ciphers such as AES, and the lead or co-author of several books on software security, including Building Secure Software (2001) and Network Security with OpenSSL (2002).[1][2][3][4]
Viega studied at the University of Virginia, where he worked in Randy Pausch's Stage 3 Research Group on an early version of the Alice 3D programming environment and wrote the first version of GNU Mailman. His later research focused on static program analysis for security defects, on the design of usable cryptographic primitives, and on lightweight processes for software-security assurance such as OWASP's CLASP.
In industry, Viega co-founded the application-security firm Secure Software, which was acquired by Fortify Software. He served as Chief Security Architect and later CTO for Software-as-a-Service at McAfee, as Executive Vice President at SilverSky during its acquisition by BAE Systems, and as a co-founder of Capsule8, which was acquired by Sophos in 2021. He is co-founder and chief executive of Crash Override and a former editor-in-chief of IEEE Security & Privacy.
Early life and education
Viega earned a BA from the University of Virginia. As an undergraduate he worked in Pausch's Stage 3 Research Group as an early contributor to the Alice 3D programming environment.[5] He went on to take an MS in computer science, also from the University of Virginia.[6]
While at the University of Virginia, Viega ran a popular mailing list for the Dave Matthews Band.[1] Frustrated by the maintenance demands of a large active list, he wrote the first version of GNU Mailman, which contributed to the broader shift of mailing-list management from email-only command interfaces to web-based administration.[6]
Career
Software security and static analysis
Viega worked on static program analysis for security vulnerabilities. He led the development of ITS4, an early static-analysis tool for finding security defects in C and C++ code.[7] He co-founded Secure Software, a commercial vendor in the same area, which also released the open-source Rough Auditing Tool for Security (RATS).[8]
In 2005, with David A. McGrew of Cisco, Viega co-designed Galois/Counter Mode (GCM), an authenticated encryption mode of operation for block ciphers such as AES. The mode was designed to provide confidentiality and message authentication using a single primitive that is efficient in hardware and unencumbered by patents.[2] GCM was subsequently standardized by NIST in Special Publication 800-38D (2007), Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC,[9] and adopted in TLS,[10] IPsec, and other protocols. GCM-based cipher suites accounted for more than 80 percent of observed TLS connections as of 2024.[11] NIST initiated a process to revise SP 800-38D in 2023.[12]
Viega was the lead author of OWASP's Comprehensive, Lightweight Application Security Process (CLASP), which describes lightweight security activities for software development.[13] He served as editor-in-chief of IEEE Security & Privacy.[14][15] Popular Science covered Viega's participation in the DEF CON capture-the-flag competition in 2005.[16]
Industry roles
In late 2005, Viega left Secure Software for McAfee, serving first as Chief Security Architect and later as CTO for Software-as-a-Service.[17] Secure Software was acquired by Fortify Software just over a year later.[18]
Following his time at McAfee, Viega was an executive at SilverSky, a cloud-security provider backed by Goldman Sachs and Bessemer Venture Partners; SilverSky was acquired by BAE Systems in 2014, where Viega served as Executive Vice President of Products and Engineering.[19]
In 2016 he co-founded Capsule8 with Dino Dai Zovi and Brandon Edwards.[20] Capsule8, which produced runtime security software for Linux servers and cloud containers, was acquired by Sophos in July 2021.[21]
He is the co-founder and chief executive of Crash Override[22] and lead developer of Chalk, an open-source software-provenance and observability tool.[23]
Books
Viega has co-authored a number of books on software security:
- Viega, John; McGraw, Gary (2001). Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley. ISBN 978-0-321-77495-8.
- Viega, John; Messier, Matt; Chandra, Pravir (2002). Network Security with OpenSSL. O'Reilly Media. ISBN 978-0-596-00270-1.
- Viega, John; Messier, Matt (2003). Secure Programming Cookbook for C and C++. O'Reilly Media. ISBN 978-0-596-00394-4.
- Howard, Michael; LeBlanc, David; Viega, John (2005). 19 Deadly Sins of Software Security. McGraw-Hill Osborne Media. ISBN 978-0-07-226085-4.
- Oram, Andy; Viega, John, eds. (2009). Beautiful Security: Leading Security Experts Explain How They Think. O'Reilly Media. ISBN 978-0-596-52748-8.
Selected papers
- Viega, John; Bloch, J. T.; Kohno, Yoshi; McGraw, Gary (2000). "ITS4: A Static Vulnerability Scanner for C and C++ Code". 16th Annual Computer Security Applications Conference (ACSAC). IEEE Computer Society. pp. 257–267. ISBN 978-0-7695-0859-7. https://dl.acm.org/doi/10.5555/784591.784731.
- Viega, John; Warsaw, Barry; Manheimer, Ken (December 1998). "Mailman: The GNU Mailing List Manager". 12th USENIX Systems Administration Conference (LISA '98). Boston, MA. https://www.usenix.org/legacy/publications/library/proceedings/lisa98/full_papers/viega/viega_html/viega.html.
- Viega, John (May 2005). "Building Security Requirements with CLASP". 2005 ACM Workshop on Software Engineering for Secure Systems—Building Trustworthy Applications. doi:10.1145/1083200.1083207.
- McGrew, David A.; Viega, John (2005). The Galois/Counter Mode of Operation (GCM) (PDF) (Technical report). National Institute of Standards and Technology.
See also
- Comparison of cryptography libraries
- List of cryptographers
References
- [1] Brown, Amy; Wilson, Greg, eds. (2012). "GNU Mailman". The Architecture of Open Source Applications, Volume II: Structure, Scale, and a Few More Fearless Hacks. Lulu. ISBN 978-1-105-57181-7. https://aosabook.org/en/v2/mailman.html.
- [2] McGrew, David A.; Viega, John (2005). The Galois/Counter Mode of Operation (GCM) (PDF) (Technical report). National Institute of Standards and Technology. p. 5. Retrieved May 15, 2026.
- [3] Viega, John; McGraw, Gary (2001). Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley. ISBN 978-0-321-77495-8.
- [4] Viega, John; Messier, Matt; Chandra, Pravir (2002). Network Security with OpenSSL. O'Reilly Media. ISBN 978-0-596-00270-1.
- [5] Conway, Matthew (2000). "Alice: Lessons Learned from Building a 3D System for Novices". CHI 2000. https://www.cs.cmu.edu/~jpierce/publications/chialice.pdf. Retrieved May 15, 2026.
- [6] Viega, John; Warsaw, Barry; Manheimer, Ken (December 9, 1998). "Mailman: The GNU Mailing List Manager". 12th USENIX Systems Administration Conference (LISA '98). Boston, MA. https://www.usenix.org/legacy/publications/library/proceedings/lisa98/full_papers/viega/viega_html/viega.html. Retrieved May 15, 2026.
- [7] Viega, John; Bloch, J. T.; Kohno, Yoshi; McGraw, Gary (2000). "ITS4: A Static Vulnerability Scanner for C and C++ Code". 16th Annual Computer Security Applications Conference (ACSAC). IEEE Computer Society. pp. 257–267. ISBN 978-0-7695-0859-7. https://dl.acm.org/doi/10.5555/784591.784731. Retrieved May 15, 2026.
- [8] "rats(1) — rats — Trusty Manpages". Ubuntu. https://manpages.ubuntu.com/manpages/trusty/man1/rats.1.html.
- [9] Dworkin, Morris (November 2007). Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC (PDF) (Technical report). National Institute of Standards and Technology. Special Publication 800-38D. doi:10.6028/NIST.SP.800-38D. Retrieved May 15, 2026.
- [10] Salowey, J.; Choudhury, A.; McGrew, D. (August 2008). AES Galois Counter Mode (GCM) Cipher Suites for TLS. RFC 5288. doi:10.17487/RFC5288. https://tools.ietf.org/html/rfc5288.
- [11] Sowa, Jakub; Hoang, Bach; Yeluru, Advaith; Qie, Steven; Nikolich, Anita; Iyer, Ravishankar; Cao, Phuong (2024). "Post-Quantum Cryptography Network Instrument". arXiv:2408.00054 [cs.NI].
- [12] "Proposal to Revise SP 800-38D". National Institute of Standards and Technology. July 17, 2023. https://csrc.nist.gov/News/2023/proposal-to-revise-sp-800-38d.
- [13] Viega, John (May 2005). "Building Security Requirements with CLASP". 2005 ACM Workshop on Software Engineering for Secure Systems—Building Trustworthy Applications. doi:10.1145/1083200.1083207.
- [14] Viega, John (January–February 2011). "Reality Check". IEEE Security & Privacy 9 (1): 3–4. doi:10.1109/MSP.2011.17. https://ieeexplore.ieee.org/document/5705589/. Retrieved May 24, 2026.
- [15] Viega, John (November–December 2012). "Giving Back". IEEE Security & Privacy 10 (6): 3–4. doi:10.1109/MSP.2012.146. https://ieeexplore.ieee.org/document/6375714/. Retrieved May 24, 2026.
- [16] "I attended a hacker conference and all I got was all the data on your hard drive". Popular Science. April 2005. https://www.popsci.com/gear-gadgets/article/2005-04/i-attended-hacker-conference-and-all-i-got-was-all-data-your-hard-drive/. Retrieved May 15, 2026.
- [17] "Interview with John Viega, Vice President, McAfee Inc". iTnews. 2006. https://www.itnews.com.au/feature/interview-with-john-viega-vice-president-mcafee-inc-69126.
- [18] McMillan, Robert (January 17, 2007). "Fortify buys Secure Software". InfoWorld. https://www.infoworld.com/article/2660997/techology-business/fortify-buys-secure-software.html.
- [19] Westney, Andrew (October 21, 2014). "BAE Closes $233M Deal For Cybersecurity Co. SilverSky". Law360. https://www.law360.com/articles/588808/bae-closes-233m-deal-for-cybersecurity-co-silversky.
- [20] "Introducing Capsule8: Industry's First Container-Aware, Real-time Threat Protection for Linux". NYU Tandon School of Engineering. https://engineering.nyu.edu/news/introducing-capsule8-industrys-first-container-aware-real-time-threat-protection-linux.
- [21] "Sophos Acquires Capsule8 to Bring Powerful and Lightweight Linux Server and Cloud Container Security to its Adaptive Cybersecurity Ecosystem" (Press release). Sophos. July 7, 2021. Archived from the original on March 9, 2026. Retrieved November 30, 2023.
- [22] Waldman, Arielle (July 23, 2025). "Crash Override Turns to ERM to Combat Visibility Challenges". Dark Reading. https://www.darkreading.com/application-security/crash-override-erm-combat-visibility-challenges.
- [23] "John Viega — FOSDEM 2024". FOSDEM. February 2024. https://fosdem.org/2024/schedule/speaker/john_viega/.
