John Viega
American computer security specialist
- Life
- 1974 – present
- Born
- 22 February 1974
John Viega is an American computer-security specialist, author, and software developer. He is the original author of GNU Mailman, a co-designer of the Galois/Counter Mode (GCM) authenticated encryption mode for block ciphers such as AES, and the lead or co-author of several books on software security, including Building Secure Software (2001) and Network Security with OpenSSL (2002).
Early Life and Education
Viega earned a BA and an MS in computer science from the University of Virginia. As an undergraduate he joined Randy Pausch's Stage 3 Research Group, contributing to an early version of the Alice 3D programming environment. During this period he also managed a popular mailing list for the Dave Matthews Band; frustrated by the administrative overhead of running a large, active list, he wrote the first version of GNU Mailman. The software helped shift mailing-list management from email-only command interfaces toward web-based administration and went on to become a widely used open-source project under the GNU umbrella.
Software Security and Static Analysis
Viega's early research centered on static program analysis for security vulnerabilities. He led development of ITS4, one of the first static-analysis tools designed to detect security defects in C and C++ source code, and co-founded Secure Software, a commercial firm in the application-security space. Secure Software also released the open-source Rough Auditing Tool for Security (RATS), extending the same approach to a broader audience.
Viega was the lead author of OWASP's Comprehensive, Lightweight Application Security Process (CLASP), a set of lightweight security activities intended to be integrated into existing software-development processes. He held adjunct teaching appointments at Virginia Tech and New York University, and served as editor-in-chief of IEEE Security & Privacy. In 2005, Popular Science covered his participation in the DEF CON capture-the-flag competition.
Cryptographic Work
In 2005, working with David A. McGrew of Cisco, Viega co-designed Galois/Counter Mode (GCM), an authenticated encryption mode of operation for block ciphers such as AES. GCM was engineered to provide both confidentiality and message authentication through a single, hardware-efficient primitive unencumbered by patents. NIST standardized the mode in Special Publication 800-38D in 2007, and it was subsequently adopted in TLS, IPsec, and numerous other protocols. By 2021, F5 Labs reported that GCM-based cipher suites accounted for the majority of observed TLS connections. NIST initiated a process to revise SP 800-38D in 2023.
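The property the paragraph describes, a single primitive that yields both confidentiality and message authentication, is easiest to see in code. The following is an added example, not code from the page or from McGrew and Viega's own implementation; it uses Go's standard-library AES-GCM (crypto/cipher.NewGCM) and constructs its own sample key, message and associated data. The helper names sealGCM and openGCM are this example's own. The decrypting side learns nothing but "authentication failed" if either the ciphertext or the associated data was altered, which is the point of an AEAD mode.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// sealGCM encrypts plaintext under key with AES-GCM and returns the fresh
// random nonce together with the sealed output (ciphertext || 16-byte tag).
// aad is authenticated but not encrypted, so it is covered by the tag only.
func sealGCM(key, plaintext, aad []byte) (nonce, sealed []byte, err error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	// GCM's security collapses if a (key, nonce) pair is ever reused, so the
	// nonce is drawn from the OS CSPRNG for every call rather than counted.
	nonce = make([]byte, aead.NonceSize()) // 12 bytes for standard GCM
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	sealed = aead.Seal(nil, nonce, plaintext, aad)
	return nonce, sealed, nil
}

// openGCM verifies the tag over ciphertext and aad, then decrypts. Any
// modification of the sealed bytes, the nonce, or the aad makes Open return
// an error and no plaintext, so callers never see unauthenticated data.
func openGCM(key, nonce, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, sealed, aad)
}

func main() {
	// Constructed sample values for the demonstration only.
	key := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	aad := []byte("record-type=1;version=2") // e.g. a protocol header
	msg := []byte("attack at dawn")

	nonce, sealed, err := sealGCM(key, msg, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed length: %d bytes (%d plaintext + 16 tag)\n", len(sealed), len(msg))

	pt, err := openGCM(key, nonce, sealed, aad)
	fmt.Printf("valid open:      %q, err=%v\n", pt, err)

	// Flip one bit of the ciphertext: the tag check fails and nothing is returned.
	tampered := append([]byte(nil), sealed...)
	tampered[0] ^= 0x01
	_, err = openGCM(key, nonce, tampered, aad)
	fmt.Printf("tampered open:   err=%v\n", err)

	// Change only the associated data: also rejected, since aad is under the tag.
	_, err = openGCM(key, nonce, sealed, []byte("record-type=2;version=2"))
	fmt.Printf("wrong-aad open:  err=%v\n", err)
}
```

The sealed output is exactly plaintext length plus a 16-byte tag, which is why GCM could be dropped into TLS record formats without a separate MAC field; the same single pass, with hardware support for both the AES rounds and the GHASH multiplication, is what the "hardware-efficient" remark in the text refers to.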
Industry Roles
In late 2005 Viega left Secure Software to join McAfee, where he served first as Chief Security Architect and later as CTO for Software-as-a-Service. Secure Software was subsequently acquired by Fortify Software. After McAfee, Viega joined SilverSky, a cloud-security provider backed by Goldman Sachs and Bessemer Venture Partners, as Executive Vice President of Products and Engineering; BAE Systems acquired SilverSky in 2014.
In 2016, Viega co-founded Capsule8 alongside Dino Dai Zovi and Brandon Edwards. The company produced runtime security software for Linux servers and cloud containers; Sophos acquired Capsule8 in July 2021. Viega subsequently co-founded Crash Override, where he serves as chief executive, and is the lead developer of Chalk, an open-source software-provenance and observability tool.
Notable Works
Viega has co-authored several books on software security, including Building Secure Software (2001, with Gary McGraw), Network Security with OpenSSL (2002), Secure Programming Cookbook for C and C++ (2003), 19 Deadly Sins of Software Security (2005), and the edited volume Beautiful Security (2009). His academic papers include the original ITS4 vulnerability-scanner paper presented at ACSAC 2000, the 1998 LISA paper introducing GNU Mailman, and the 2005 NIST technical report introducing GCM co-authored with McGrew.