Monday, April 30, 2007

Reflection on Andrew Van Der Stock


This week on reflection we have Andrew Van der Stock. Andrew is very active in the webappsec industry through OWASP and is involved in many activities, including the OWASP Top Ten and the OWASP Guide. He has contributed a lot to the webappsec field, more in terms of research and awareness on securing applications than on exploiting them. He used to be based in Australia and has recently moved to Columbia, MD and joined Aspect Security. Today he shares with us his journey with web application security and his thoughts on black hat and white hat hackers (or should I say security professionals). In his own words:


“I started playing with computers when I was 7 on a Commodore Pet. My first attempt at squeezing more out of my computer than it probably was capable of was with my Amstrad 6128, which ran a Z80 at 4 MHz. I more than doubled the speed of the 3" (yes, 3") disk drive by driving it directly. This is where I had my first taste of assembly language and low level prodding and probing.

Back in the mid-1990, I was a system administrator at an Australian hospital. Doctors would frequently try to dump private electronic patient (UR) records for their private use, possibly to sell to drug companies, but always illegal. This unregulated (at the time) but immoral use of our health data infuriated me and got me into ethics and privacy in a big way. This led me to join SAGE-AU, the System Administrator's Guild of Australia, eventually rising to be SAGE-AU's President.

I used to be the editor of SAGE Advice, the SAGE-AU journal, and I ended up writing about 20-30 articles for that. Most are system administration flavored, so not that useful to your readers.

I used to pen a weekly column for the Australian newspaper (a daily national broadsheet in Australia). I think I wrote about 30 odd articles for them back in the day, but their archives are closed to non-subscribers so I can't tell for sure. I lost a lot of data (we all learn once!) when I went from my early Macs to my SMP workstation running Windows NT 3.51, and I still don't have all my data from that time. Luckily, I'm back on a beautiful Mac again, and as I've learnt the hard lessons of data, I have everything dating back to 1995.

I was the author of most of the technical standards and policy set by auDA, the Australian Domain Name Administrator (similar in function to ICANN). I worked with two or three others for the majority of this project, although as always, we started with many more. My work on this panel regulates how DNS works in Australia.

I never completed my degree. If anyone from RMIT CS is reading, I wouldn't mind getting some credits for my work at OWASP so I can finish it up. Let's talk! If anyone else is interested in offering me a place in masters by research program in web app sec, I'd be interested. I don't think I'm really cut out for undergraduate course work, but I love doing ground breaking research.

I am a dual Microsoft MCSE. My first MCSE was NT 4.0 back in 1997, and then I got my Windows 2000 early adopter MCSE in late 1999 when they were trialing the exams. Early adopters got a nice Gold MCSE card! Many folks find this a bit funny, especially as I've been active in open source for so long... And that I'm really a Mac dude at heart. But I have a soft spot for Microsoft as they do the basic research in our field, and they own up to security flaws and fix them properly. Now, they're reaping the rewards. Good for them. Many vendors could learn a thing or ten from MS. I'm pretty sure my MCSEs are expired now.

In 1998, I entered the field properly as a security consultant. At that stage, finance institutions were starting to review the lockdown of apps. I was drafted into looking at various apps for many larger finance institutions, who were concerned with unmanaged risk and "mobile code" - ActiveX and Java applets running on their PCs. My interest grew from there, even though I didn't really start code reviewing stuff every day until the early part of this century.

In web app sec, I am completely self taught, but I did learn a lot from folks at OWASP – no one lives in a vacuum. I still do a lot of research using forum software to see how things can be fixed in the real world. I love working with some very smart folks who challenge me every day. It's a sad day when you don't learn or discover something new.

To understand this field, you must understand the threats and attacks to defend against them. I am reasonably certain anyone can learn how to attack if they Think Evil for long enough. It's far easier to Think Evil and destroy than it is to create solid software.

The proof of this putrid state of affairs is s'kid marks getting lots of unthinking column centimeters every day, and yet how little praise the folks in Microsoft got for their work on .NET 2.0. .NET 2.0 advances the field in so many ways – say by automatically rejecting any option in a select list which wasn't sent out in the first place. Whoever thought of that should be on the front page of CNET for a year to make up for the waste of space most "hacking" stories get. And there are so many more unsung heroes - master craftsmen (and women!) all. For every La Padula or Bell or Schneier, there's a thousand or more s'kid marks. This is a very asymmetrical situation and it's not good for our industry.

Criminals who attack systems are simply criminals, or in the abstract, attackers. Low level attackers are "s'kid marks" to me – morons who have a script who think they are the most l33t players. Unfortunately, a million s'kid marks equates to a lot of damage as eventually one or two will strike it lucky during school break.

The true hackers are folks like polymaths like Turing, von Neumann, Douglas Engelbart (the primary creator of the desktop metaphor back in the 1960s), Steve Wozniak (a true hardware hacker), the folks who made my HP 48G calculator (a work of art and mathematical tour de force!), and the recently deceased John Backus (the guy who created Fortran and is the "Backus" in BNF, used in every RFC grammar from here to eternity). Those folks are worthy of respect and are the true meaning of the word "hacker". But now, the word is lost forever because of constant misuse over a long period of time.

My thing is software engineering as a repeatable practice. We have to stop treating web app sec as a black art. We have to stop lauding the attackers and praising the folks who deliberately break software for nothing more than getting their name in lights. We have to stop thinking these folks are somewhat special. If you're a s'kid mark today, it's time to step up and move on. If you're any good, come join us on the light side of the force – before you commit a crime. There's so much to do and so much research begging for someone to just come and do it.

We should be celebrating the folks who put the hard yards into security research which protects us all – permanently. I'm trying to do this with CSRF at the moment, and will be taking some time this year to make PHP 6.0 safer. I know how to attack software and have done so, but I prefer to build strong software, so my skills lie in ensuring that the defenses and controls I write about, recommend, or indeed implement are robust against known attacks as well as the stuff over the horizon. Occasionally, I am at the horizon, such as when I went and played with JSON injection before pretty much anyone else. I don't claim to have invented JSON injection as it's so totally obvious anyone with half a clue could have recreated my work without any knowledge of what I was doing.

We need more folks who hang out at OWASP and WASC. We should have totally eliminated all forms of injection and other common weaknesses by now - and moved on to where the value lies – the business rules. It's a shame so many are sucked in by the dark side of our industry. It's such a waste of good talent.

I'm one of the dudes working on questions for SANS "National Secure Programming Skills Assessment", a soon to be forthcoming certification which will sort the wheat from the chaff. I'm doing the Java questions (eventually) and hope to be involved in the PHP questions when they kick that off. With some luck, this will not become a paper certification (where certified but clueless folks are rampant), but a suitable metric to prove skill.

I had a book contract to write an Ajax Security Book based upon my world famous Ajax Security Presentation from February last year. However, life intervened, and that's on permanent hold, especially as Billy Hoffman & co is writing what will be a superb Ajax Security book if his research is anything to go by.

I have the bones of a security architecture book waiting to go. If anyone feels like writing it with me, I should be free enough sometime in about two-five years :) Really should finish Guide 3.0 before starting this one though.

I've been involved in open source a long time. My first open source project, which I never completed (shame!) was GNU stty (gstty). Since then, I've been involved in XFree86 (from about 1996 onwards), Linux kernel when things didn't work on my SMP workstation (SMP was rare in the day), on the extreme periphery of NetBSD (my friend Luke was NetBSD core, so I wanted to show a little loyalty to his projects ;), pnm2ppa – print drivers for HP's worst ever printers for Unix/Linux/BSD.

Since 2001, I've been running Aussieveedubbers, a largish VW nut forum. Through that, I got into writing forums. Initially, I helped write XMB, which after a spat became UltimaBB, then GaiaBB, and possibly that code base will be re-forked back into XMB. UltimaBB is very secure compared to its contemporaries as I've been busy with it. However, like all projects using my infinite spare time... Things take a back seat to my real job and my real life.”

Below are his contributions to the webappsec community.

Articles:-

OWASP Guide 2.0 – as lead author and editor.
http://www.owasp.org/index.php/Guide_Table_of_Contents

OWASP Top 10 2007 (along with Dave Wichers and Jeff Williams).
http://www.owasp.org/index.php/Top_10_2007

Many web app sec blog articles:

http://www.greebo.net/?cat=3 (web app sec, 47 blog entries)
http://www.greebo.net/?cat=16 (OWASP, 24 blog entries)
http://www.greebo.net/?cat=17 (conferences and travel)


Memberships:-

Executive Director - OWASP
Columbia PHP user group
SAGE-AU 1995 - 2002, ex-President Jun 2000 – Mar 2001
AISA


Conferences:-

Andrew has presented at the following conferences:

SAGE-AU - The System Administrators Guild of Australia
OWASP – Open Web Application Security Project
Linux Australia
AusCERT – Australian Computer Emergency Response Team
RuxCon - Australian security conference, Vulnerability assessment and hacking information, for Australia
Black Hat – Black Hat
OSCON – O'Reilly Open Source Convention


His favorite presentation is his Ajax Security presentation: http://www.greebo.net/owasp/ajax_security.pdf

Predictable ISN numbers in Foundry ServerIron. My first bugtraq advisory back in 2000. So proud!
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0178


Tutored "Internet 101" back in the early 1990's at the Business Faculty at RMIT University


Tools written by him:-

WebSphere {xor} Secret Magic Ring Decoder Toy (C#)

XMB / UltimaBB / GaiaBB – forum software. It's a good test harness for new webappsec ideas. XMB 1.9.7 is due soon which fixes a lot of security issues. (PHP)


Companies worked for:-

Web Application Security jobs:

e-Secure – Senior Security Architect
b-sec – Chief Technologist
National Australia Bank – Security Application Architect
Aspect Security – Senior Engineer


Company working for:-

Aspect Security


Email:-

vanderaj__at__owasp__dot__org



Website:-

http://www.owasp.org


He has one of the sharpest brains in the industry. These contributions above do not reflect the amount of work he has done in promoting awareness in web application security.

Last Week – Nish Bhalla
Next Week – Bill Pennington
