This biography of a living person needs additional citations for verification. Please help by adding reliable sources. Contentious material about living persons that is unsourced or poorly sourced must be removed immediately from the article and its talk page, especially if potentially libelous.Find sources: "John Viega" – news · newspapers · books · scholar · JSTOR (March 2011) (Learn how and when to remove this message)

John Viega (born February 22, 1974) is an American computer security author, researcher and professional.

Early life

John Viega earned his BA from the University of Virginia. As an undergraduate, he worked in Randy Pausch's Stage 3 Research Group, as an early contributor to Alice.[1] Viega earned an MS in Computer Science, also from the University of Virginia.[2]

While at the University of Virginia, Viega started a popular mailing list for the Dave Matthews Band.[3] Frustrated by the maintenance costs for a large, active mailing list, he wrote the first version of GNU Mailman, which quickly took off, leading the shift of mailing list management from email commands to the web.[4]


Viega co-authored Building Secure Software[5] (Addison Wesley, 2001), which was the first book to teach developers about writing secure software. He has since co-authored a number of additional books on computer security, including Network Security with OpenSSL[6] (O'Reilly, 2002), the Secure Programming Cookbook[7] (O'Reilly, 2003), Beautiful Security [8] (O'Reilly, 2009), and the 19 Deadly Sins of Software Security [9] (McGraw Hill, 2005)

In 2005, he co-authored the widely used GCM mode of operation for AES, along with David A. McGrew,[10] which was designed to provide both encryption and authentication with one primitive that is both cost-effective in hardware, and unencumbered by parents.

Viega was also a pioneer in static analysis for security vulnerabilities. He was responsible for ITS4,[11] the first static analsyis tool for in this class. He co-founded Secure Software, the first commercial vendor for such tools, which also released an open source tool, Rough Auditing Tool for Security (RATS).

At the end of 2005, Viega left Secure Software and joined McAfee, first as Chief Security Architect, and later as CTO, SaaS. Secure Software was bought by Fortify Software just over a year later.[12]

Post-McAfee, he was an executive at SilverSky, a cloud security provider funded by Goldman Sachs and Bessemer Venture Partners, which was acquired by BAE Systems in 2014,[13] where he was Executive Vice President of Products and Engineering.

In 2016, he left to co-found Capsule8 with Dino Dai-Zovi and Brandon Edwards, which was acquired by Sophos in July 2021.[14]

Viega was also the lead author of OWASP's CLASP,[15] a lightweight process for relating software development to security. He is also a former editor-in-chief for the IEEE Security & Privacy Magazine. He has been an adjunct professor at Virginia Tech, and New York University.[16]

Viega is currently the lead developer for the open source software provenance and observability tool, Chalk, as well as the co-founder and CEO of Crash Override.[17]


  1. ^ Conway, Matthew (2000). "Alice: Lessons Learned from Building a 3D System For Novices" (PDF). Archived from the original (PDF) on 2001-06-16.
  2. ^ Viega, John; Warsaw, Barry; Manheimer, Ken (1998-12-09). Mailman: The Gnu Mailing List Manager. 12th Systems Administration Conference (LISA '98). Boston, Ma.
  3. ^ Brown, Amy; Wilson, Brown (2012-03-30). The Architecture of Open Source Applications, Volume II. Lulu. p. 149. ISBN 978-1105571817.
  4. ^ Viega, John; Warsaw, Barry; Manheimer, Ken (1998-12-09). Mailman: The Gnu Mailing List Manager. 12th Systems Administration Conference (LISA '98). Boston, Ma.
  5. ^ Viega, John; McGraw, Gary (2001-09-24). Building Secure Software. Addison Wesley. ISBN 978-0321774958.
  6. ^ Viega, John; Messier, Matt; Chandra, Pravir (2002-06-15). Network Security with OpenSSL. O'Reilly Media. ISBN 978-0596002701.
  7. ^ Viega, John; Messier, Matt (2003-08-19). Secure Programming Cookbook for C and C++. O'Reilly Media. ISBN 978-0596003944.
  8. ^ Oram, Andy; Viega, John (2009-07-02). Beautiful Security: Leading Security Experts Explain How They Think. O'Reilly Media. ISBN 978-0596527488.
  9. ^ Howard, Michael; LeBlanc, David; Viega, John (2005-07-26). 19 Deadly Sins of Software Security. McGraw-Hill Osborne Media. ISBN 978-0072260854.
  10. ^ McGrew, David A.; Viega, John (2005). "The Galois/Counter Mode of Operation (GCM)" (PDF). p. 5.
  11. ^ Viega, J.; Bloch, J. T.; Kohno, Y.; McGraw, G. (29 December 2018). ITS4: A Static Vulnerability Scanner for C and C++ Code. IEEE Computer Society. pp. 257–. ISBN 9780769508597. Retrieved 29 December 2018 – via ACM Digital Library.
  12. ^ McMillan, Robert (17 January 2007). "Fortify buys Secure Software". Retrieved 29 December 2018.
  13. ^ Andrew Westney. "BAE Closes $233M Deal For Cybersecurity Co. SilverSky - Law360". Retrieved 29 December 2018.
  14. ^ Sophos Inc. (2021-07-07). "Sophos Acquires Capsule8 to Bring Powerful and Lightweight Linux Server and Cloud Container Security to its Adaptive Cybersecurity Ecosystem..." (Press release). Retrieved 2023-11-30.
  15. ^ Viega, John (May 2005). "Building Security Requirements with CLASP". Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications. ACM 2005 workshop on Software engineering for secure systems—building trustworthy applications. doi:10.1145/1083200.1083207.
  16. ^ Ankur Shah and Neelima Rustagi (2021-07-29). "Zero To Exit" (Podcast). Retrieved 2023-11-30.
  17. ^ Chris Romeo and Robert Hurlbut (2023-07-29). "The Application Security Podcast" (Podcast). Retrieved 2023-09-05.