Friday, March 23, 2007

Reflection on Robert Auger



This week on Reflection we have someone who has contributed to the webappsec community in many different ways. We all know Robert Auger through http://www.cgisecurity.com/. CGI Security is one of the very early websites on the topic and has a wealth of information on web application security. Robert is also a Co-Founder of the Web Application Security Consortium and a founder and moderator of the WASC mailing list. He also co-leads the WASC articles project. Recently he started http://qasec.com/, where he discusses security testing in the PDLC with an emphasis on QA. He is also leading the WASC Threat Classification (TC v2) project, which is currently underway.

Here he shares with us how he got started in webappsec, in his own words:

My interest in security sparked in the mid 90's after getting infected with the Stoned Empire Monkey Virus. I was very curious how it and other viruses worked, executed, and hid on my machine. Around the same time I was given access to my high school's VAX/VMS network and met up with a few people creating/setting up fake login screens/key loggers on the dumb terminals spread throughout the school. This VMS network was where I learned my first language 'DCL' and helped out on the local school student-run BBS. Sometime later I started reading about 'cgi vulnerabilities' such as the infamous 'phf vulnerability' and was amazed that with nothing more than a browser, I could take over a machine. Since then web-based attack research has been my primary hobby (others include finding ways to abuse crawlers and parsers, co-running The Web Application Security Consortium, and whitehat/blackhat SEO research).

Based out of Silicon Valley, California, Robert is only in his late 20s, and currently works for a large multinational organization where he focuses on anything application security related. I have had the pleasure of meeting him on a few occasions, and not only is he a very friendly guy, but he is also very passionate about web application security and can speak to you for hours on the topic. He has enormous knowledge of the webappsec field and is one of the very few people who also possess good knowledge of security in the Software Development Life Cycle.


Below is a list of his contributions to the webappsec community.



Articles:-


The Cross-site Request Forgery FAQ
The Cross-site Scripting FAQ

Identifying Risks in the Development Cycle

Writing Software Security Test Cases: Putting security test cases into your test plan

Feed Injection in Web 2.0: Hacking RSS and Atom Feed Implementations

Preventing Log Evasion in IIS

Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures.
http://www.cgisecurity.com/papers/fingerprint-port80.shtml

Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures: Part Two.

Anatomy of the Web Application Worm

Challenges faced by automated web application security assessment tools


Contributions:-

Founder and Moderator of WASC 'The Web Security Mailing List' http://www.webappsec.org/lists/websecurity/

The Web Application Firewall Evaluation Criteria
http://www.webappsec.org/projects/wafec/

WASC's Threat Classification (TC)
http://www.webappsec.org/projects/threat/

Co-lead the WASC articles project http://www.webappsec.org/projects/articles/guidelines.shtml

The Web Application Security Consortium Web Security Glossary
http://www.webappsec.org/projects/glossary/

Distributed Open Proxy Honeypots Project
http://www.webappsec.org/projects/honeypots/

Contributor to the OWASP Application Security Testing Framework Project
http://web.archive.org/web/20030207091615/www.owasp.org/testing/

Cross-site Tracing (XST) - Research Contributor
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf

A core contributor to Snort's web-attacks.rules rule set


Presentations:-

Zero Day Subscriptions: Using RSS and Atom Feeds As Attack Delivery Systems (PowerPoint) - Blackhat 2006 presentation
http://www.cgisecurity.com/papers/RSS-Security.ppt


Memberships:-

Co-founder of The Web Application Security Consortium http://www.webappsec.org


Email:-

robert_@_@_@_@_@_@_webappsec.org


Blog:-

http://www.cgisecurity.com/


Website(s):-

http://www.cgisecurity.com/
http://www.webappsec.org
http://www.qasec.com/


Companies Worked for:-

SPI Dynamics, Other Consulting companies


Robert is a man of ideas and is already working on some very interesting projects. You should definitely keep an eye on his websites, as we will see many more contributions from him soon.

Last Week – Billy Hoffman
Next Week – Jeff Williams

1 comment:

Michael said...

Thanks for the nice post!