John Viega

John Viega is CTO of the SaaS Business Unit at McAfee, his second stint at McAfee. Previously, he was their Chief Security Architect, after which he founded and served as CEO of Stonewall Software, which focused on making anti-virus technology faster, better and cheaper. John was also the founder of Secure Software (now part of Fortify).

John is the author of many security books, including Building Secure Software (Addison-Wesley), Network Security with OpenSSL (O'Reilly), and the forthcoming Myths of Security (O'Reilly). He is responsible for numerous software security tools and is the original author of Mailman, the GNU mailing list manager. He has done extensive standards work in the IEEE and IETF and co-invented GCM, a cryptographic algorithm that NIST has standardized. John is also an active advisor to several security companies, including Fortify and Bit9. He holds an MS and a BA from the University of Virginia.

The Myths of Security
by John Viega
June 2009
Print: $29.99
Ebook: $23.99

Beautiful Security
by Andy Oram, John Viega
April 2009
Print: $39.99
Ebook: $31.99

Secure Programming Cookbook for C and C++
by John Viega, Matt Messier
July 2003
Print: $74.99
Ebook: $62.99

Network Security with OpenSSL
by John Viega, Matt Messier, Pravir Chandra
June 2002
Print: $39.95
Ebook: $31.99

Recent Posts | All O'Reilly Posts

SCADA vulnerability disclosures are unconscionable

January 20 2012

Today was a shameful day for the Internet security industry, as researchers disclosed information about numerous vulnerabilities in critical US infrastructure systems produced by five different vendors, demonstrating that they are happy to make the world a riskier place in order to market themselves.

Unhappy Valentine's Day

February 16 2009

On Valentine's Day, I found myself 500 miles away from my two daughters (10 and 7). I'd already decided to get them a gift certificate from Amazon, with an e-greeting. Amazon has so much stuff, both kids could easily get...

Responsible Disclosure is Irresponsible

January 23 2009

I was pretty amused recently when two people I respect went at each other over vulnerability disclosure, quickly devolving into name-calling. It's always fun to watch a flame war (nobody got compared to Hitler, but one person did get compared...

The cult of Schneier

January 12 2009

There's no doubt who the world's leading IT security expert is, Bruce Schneier. Sure, Bruce Schneier may not be a household name on the lips of every man woman and child, but he's certainly far better known than anyone else...

New PKI problem: Resolved

January 01 2009

Every CA that was potentially vulnerable to this week's problem with public key infrastructure has phased out MD5-based signatures, meaning it is now impossible to launch the attack that the researchers described. But, despite plenty of experts assuring people there's...

The sky is not falling (re: today's PKI attack)

December 30 2008

In my last post I talked about how anybody with enough money (a small 6-figure sum) could create a rogue certification authority (CA). This would allow them to generate certificates for any web site that seem to be genuine. That...

An attack on public key infrastructure

December 30 2008

About three years ago I was having breakfast with a friend of mine, who was talking about a particular appliance product that claimed to be able to transparently/silently intercept all SSL/TLS traffic, so that it could be inspected. He was...

Virtualization: host security's silver bullet?

December 26 2008

The biggest problem with host-based security has always been what happens when your protection fails. And yes, all traditional host-based protections will have the potential for failure, especially when you consider that it's generally easy to trick users into installing...

Snake oil: legitimate vendors sell it too

December 18 2008

Traditionally when security experts talk about snake oil products (i.e., security products that don't actually offer any security), they are usually only brave enough to call out products from dubious companies that make claims that are obviously false... almost always...

Why most companies shouldn't run intrusion prevention

December 04 2008

The IT security industry is filled with plenty of technologies that work, but not very well. Technologies that sell, even if they're not particularly cost effective. One of the most pervasive security technologies that doesn't work very well is the...

Is Apple OS X More Secure than Windows?

December 01 2008

OS X Security is a pretty fun topic for me, because I love watching the carnage when people fight. Before I register my opinion, I need to be clear that I've been operating almost exclusively on a Mac since OS...

Our first big infection

November 24 2008

At 7:30 eastern this morning, one of my brothers called to tell me that he is, "being attacked by hackers. My computer has hackers on it, and over 100 viruses, spywares and password stealing Trojans, and I don't even know...

Why Microsoft's free AV won't matter

November 20 2008

Earlier this week, Microsoft announced that they're going to stop selling their consumer security product OneCare, and instead they're going to give away for free an AV product based on the same technology. I've had several people ask me questions...

Why geeks don't like to run AV

November 19 2008

When you look at the average, non-technical user, they probably should be running AV, because it is pretty unobtrusive, it does catch some things (even if it's not many), and they don't have the same sense of what the real risks are as I do. But, many technical people are…

My journey into security

November 17 2008

This is my first blog post on O'Reilly. I thought I would start out with some background on myself, and then give a high level overview of the kinds of things I'm going to be blogging about. When I was...

"Each of the short chapters is an ideal size for the daily commute between the home and office, and there is a good index to help resolve the inevitable “where did I see that?” questions."
--David B. Henderson, Computing Reviews

"This is an essential read for anyone in the field, and it should be a companion read for anyone designing secure software."
--T. D. Richardson, South University, CHOICE

"...if you have a stake in IT risk management, read the book."
--Mayer Nudell, CSC, Security Management

"Overall I found the book a very fascinating and enjoyable read, and since no jargon is used it should be accessible to any audience. If you want to find out what the cyber criminals are up to and what security professionals are doing to counteract, then this is a very good place to start."
--Mehmet Hurer, ITNOW

"Right from the beginning, this book offers a startlingly fresh perspective on the realm of computer security...This work is a must for anyone investigating security on a professional or cursory level."
--T. D. Richardson, South University, CHOICE, February 2010 Vol. 47 No. 06

"This book was a lot of fun to read even if I did not agree with some of his opinions. It is well-written, has light writing style and touches most if not all controversial issues in security; the book also has a lot of fun novel ideas for the future to think about."
--Anton Chuvakin, Anton Chuvakin Blog

"Beautiful Security is an enjoyable book that answers many questions and does so in a simple, yet effective way. It is particularly suitable for all those people who have been around the net for a while and have learned many terms and phrases concerning information security, but they have still only a vague idea of the notion they represent."
--Zeljka Zorz, Help Net Security

"Overall this book was a very fast (you could read it on a short flight), but very good read. It may not challenge your perspective as I had previously thought, but it is a good refresher as to why some of us work in the Information Security industry. "
--Wayne M Gipson, CISSP, CISA, Amazon.com

"...an interesting and thought-provoking book."
--Ben Rothke, Slashdot.org

"...a great read which, whether you agree with his points or not, should make you re-evaluate how you look at security."
--Jim Holmes, FrazzledDad

"As with any good security book, there’s plenty of well-done content which will likely scare you in to re-thinking how you and your company approach security. Beautiful Security can help you identify practices, problems, and mindsets which leave you, your company, or your clients at risk."
--Jim Holmes, FrazzledDad

"Beautiful Security goes well beyond the confines of traditional security books that dive into technical minutia and bore you to tears. Yes there is technical jargon to be seen throughout, but the real hook to this collection of ideas and best practices is the thinking and logic the various contributors gracefully convey through the pages within. "
--Wesley M. Talbert, Amazon.com

"...a required read. For those that have an interest in information security or those that are frustrated by it, Beautiful Security is an eye-opening book that will challenge you, and change the way you think about information security."
--Ben Rothke, Slashdot.org

"The preface states that the purpose of the book is to convince the reader that security is not bureaucratic drudgery but is an exciting career, and I think the book is successful at this."
--Allen Stenger, SPUG Nuggets, July 2009 Issue

"In Beautiful Security, experienced insiders share some rarely spoken truths about the real problems in information security today, and point the way towards how the situation could or should be improved. The challenges we face in security and personal privacy are not always purely technical--in fact they rarely are. Instead, they are social, geo-political, legacy, or simply when interests are not in alignment. Taking into account all the external factors, the authors behind Beautiful Security explore more modern and practical information security approaches, with a healthy skepticism for conventional wisdom."
--Jeremiah Grossman, Chief Technology Officer, WhiteHat Security, Inc.

"There is no doubt that the way we manage information security in the future will need to evolve as significantly and swiftly as the technology itself and adapt to the new ways we choose to embrace it. Information security plays a critical role in enabling a secure and reliable business that earns the trust of our customers. The thoughts and ideas shared by the authors in this book can shape the security "cogs and levers" of tomorrow."
--Tony Scott, Corporate Vice President and Chief Information Officer, Microsoft Corporation

"Whereas a lot of books are either narrowly focused (and convinced that their focus is all that matters), or too wide to be useful, Beautiful Security draws a wide net and collects a representative view of the state of the problem in infosecurity today."
--Michael Collins, Chief Scientist at RedJack, creator of the SiLK Analysis Suite

"Computer security is quite possibly the most intellectually challenging field today, an interdisciplinary and rapidly evolving arena that straddles the realms of people and technology. Hacking, both positive and negative, is simply the activity of smart people stretching the limits and repurposing what a computer can do for their own objectives. Beautiful Security gives us a window into the minds of the passionate people who defend us by out-thinking and staying one step ahead of our black hat adversaries. "
--Chris Wysopal, CTO & co-founder of Veracode, a software security company; pioneering vulnerability researcher at the L0pht

"Any project that undertakes to get students and professionals interested in security issues is laudable. This book is no exception. I found Jim Routh's chapter on 'Forcing Firms to Focus' to be profound. It is not often we get to look under the hood with leaders actually doing the work--rather than listening to vendors and experts talk about what 'might' work."
--Mason Brown, Director, SANS Institute

"This collection of thoughtful essays catapults the reader well beyond deceptively shiny security FUD (the drum major of the bug parade) toward the more subtle beauty of building security in. Security is an essential emergent property for all modern systems--something that most people implicitly expect and few people explicitly enjoy. This book demonstrates the yin and the yang of security, and the fundamental creative tension between the spectacularly destructive and the brilliantly constructive. Read. Learn. Emulate."
--Gary McGraw, CTO, Cigital, author of Software Security and 9 other books