Tuesday, May 15, 2007

Reflection on Caleb Sima

This week on Reflection we have Caleb Sima from SPI Dynamics. He is the co-founder and CTO of SPI Dynamics. He has been involved with internet security since its earliest days and is widely respected in the industry. He is often quoted in various magazines and is called upon for his expert opinions. Caleb’s story tells us we can be what we want to be if only we put our minds to it and channel our efforts in the right direction. Caleb is exceptionally talented and has achieved a great deal at a very young age through determination, hard work and dedication.

I guess some other reporter had also done a bit on him before, which Caleb shared with me along with some other details. His is a very interesting read on how he got into web application security and his journey so far. In his own words:

“It started off when I was a kid. I was in trouble a lot in school and with my parents, so restriction was a way of life for me. One day, when I was around 8 or 9 years old, my dad bought a PC and said that I could play on it when I was on restriction, but no games. So I started messing around w/ computers, which started my obsession. Soon afterwards I read something on a friend’s computer about how to make free payphone calls. At this point I became hooked on IT security. I wanted to bypass any security, figure out how to hack into anything electrical from phones to bypassing screensavers. This kicked into my rebellious phase where I got kicked out of multiple schools. It got so bad that my step-dad told me that he would not allow me to touch or read anything about computers. This really sucked as I knew that I wanted to do something with computers when I grew up, so I eventually quit school and ran away from home around the age of 16. I ended up living with one of my best friends and his dad in Jasper, Georgia where the only thing to do was to get in trouble and read books. At the same time though I knew what I wanted to do very early on in life and to me nothing else mattered. So I went and pursued my career in computers and security.

I got to a point where I knew I could get a job with computers somewhere so I started applying. I ended up landing a job on Delk Road in a hole-in-the-wall computer repair shop where I was the technician. I was the little Asian kid that fixed your computer when it had problems :). After being there around six months, I went to visit my Mom at her work one day. She introduced me to the network administrator of their company. We hit it off and he offered me a job being a network administrative assistant. Then one day he got fired and a new guy came in to take his place. I became real good friends with the new guy - slept on his couch multiple times. Then one day HR calls me in and fires me claiming that my new boss said I did not do my job. Welcome to my 1st corporate backstabbing. I was furious. I went and posted my resume on the Internet and went to the mall. While I was there I received a page (this was when pagers were the “in” thing) that was a recruiter telling me they had a job for me doing network security for a bank. The most perfect job and not even hours after I posted! I called the recruiter and landed my first real security job interview at a company called S1. On the morning of my interview I had one suit to my name, which I wore. It was raining when I left to go to the interview and as I was driving my car (a Chevy Nova of all things – definite piece of junk) I hydroplaned and went into a ditch. So I walked back in the rain three miles to the house, obviously now running late. I woke my friend up and he lent me his suit which was three times too big for me and I drove his car into the interview which was 2.5 hours away.

With all this bad luck, I questioned how the rest of the day would go. Lucky me, my nightmare continued. I walk into this interview and the guy who interviewed me was literally the grouchiest looking old man I had ever seen. He came into the room and shot a round of questions at me like a machine gun, all of which I handled with ease. Then, he just got up and left the room without a word. No smiling, nothing. I just sat in this room not knowing what to do. It was terrible. All I could think was did I just completely do the wrong thing? Should I leave? After about 10 minutes he comes back in and miraculously offers me a job. I then became the security analyst for the world’s first online bank. It was a fantastic job. I was able to help implement security for almost all the online banks and my job was to lock down the data center that had most of the major bank transactions going thru it. I ended up learning a great deal about security and it was my first intro into web security. That grouchy old man eventually became a great friend. I still make fun of him today for that interview.

At this stage I was around 17 or 18. I stayed at S1 for a while learning everything about online banking I could. Then one day I was evaluating some new software that claimed it would help protect our network. The software was from a company called Internet Security Systems (ISS). Being the security deviant I was from my years as a kid fascinated with breaking into things, I found huge holes in the software and was able to break the software in various different ways. I notified ISS about these problems and worked with them through various other issues. They liked what I did so much they offered to have me come down and interview with them for a job. This was a time when Internet security was unheard of. I was completely intrigued at the concept of a company solely dedicated to Internet security. I had two full day interviews with the company and they hired me. This was when the company was very small. I joined and became part of their research and development team. ISS became my family of sorts as I basically grew up with them all through the dotcom bubble. I was finally able to experience a company that really appreciated what I contributed and had a lot of fun doing what I did for them because it was something I was really interested in and knew I did well. I also learned a lot about business, which would come to help me in my future endeavors.

Around 2000 when I was about 20, I decided to leave ISS. I noticed that there was huge opportunity in the market for a different kind of security product that no one out there was focused on, but the need was significant. So I left and started doing my own consulting. At the time I was doing a lot of pentests and was breaking in 100% of the time via the web application. All current security products were useless in protecting or finding these flaws. Since most of my work was automated via Perl scripts I started to see a way to turn it into a product. The real key moment though was when I was contracting with a large telecom company and the head of security told me that if I could automate what I do he would buy it no questions asked. Thus WebInspect was born.

During this time I ran into an old friend from S1. I told him about my idea about a new type of security product. We both decided to hook up and form the company together, so we set up shop in his house and my apartment. At the same time, I told another friend at S1 who was a very talented security professional about the idea and he wanted to help. So thus SPI Dynamics was created. During the past five years we have gone from an apartment and house to the top floor of a building in the Perimeter area with decks and 180 views of Atlanta, over 100+ employees and our revenue doubling every quarter. Guess I was right – there was a need for this new type of security.

My spare time is usually quite limited, but when I do have some there are a couple things I like to do. My hobby is motorcycles. I ride a 2005 black Yamaha R6 and I ride often. I will usually go up to Vortex in Little Five in Atlanta on Thursday nights and hang out and talk with other riders, and on Sundays we usually get a group to go up to Suches in the North Georgia mountains and hit the curves. I also play poker quite often and hold scratch games at my place every week.”

Based out of Atlanta, GA, Caleb is only 27 years old. He is a member of ISSA and is one of the founding visionaries of the Application Vulnerability Description Language (AVDL) standard within OASIS, as well as a founding member of the Web Application Security Consortium (WASC). Below are some of his contributions to the community:


Hacking Exposed – Web Applications 2

Sample Chapters:

Attacking Web authorization: Web authorization-Session token security

Input Validation Attacks -- Chapter 6, Hacking Exposed Web Applications, Second Edition


June 27, 2006 - SearchAppSecurity.com - "Web application security testing reaches new level"

March 1, 2006 - SearchAppSecurity.com - "Threat modeling key to pro-active security"

November 20, 2006 and December 11, 2006 - SearchAppSecurity.com Webcast - "Three Application Threats You Can't Afford to Ignore"

November 2006 - SearchAppSecurity.com - "Ask The App Security Expert: Questions & Answers - How to safely deploy Ajax"

January 25, 2007 - SearchAppSecurity.com - "Ask The App Security Expert: Questions & Answers - Authentication - From passwords to passphrases"

Is your site vulnerable to SQL injection attacks?

How do government regulations address application security?

The best way to secure a Web site

Ajax's effect on Web services security

Data breach legislation could affect Web site development

SQL injection: Secure your Web applications

Denial of service and Ajax

Automated SQL injection: What your enterprise needs to know - Part 1

Automated SQL injection: What your enterprise needs to know - Part 2

October 19, 2006 - SearchAppSecurity.com - "One simple rule to make your Web apps more secure"

October 31, 2006 - SearchAppSecurity.com - "Injection attacks -- Knowledge and prevention"

November 30, 2006 - SearchAppSecurity.com Podcast - "Ajax security: A dynamic approach"

December 2004 - Security Post - "Are Your Web Applications Secure?"

March 3, 2005 - VNUNET.com - "Bugwatch: Security through the development cycle"

May 15, 2006 - Government Security News (GSN) - "Web Applications: The Hacker's Ultimate Goldmine"

July 28, 2006 - ITToolbox.com - "The Software Development Life Cycle: When to Secure Your Process"


Microsoft TechEd 2006
Microsoft TechEd 2007

Software Security Summit 2007

Software Security Summit 2006
Software Security Summit East 2006

RSA 2006
RSA 2007
RSA Europe 2006

Secure Software Forum 2005
Secure Software Forum 2006

Secure Software Forum 2007

Blue Hat 2006

Atlanta Code Camp 2006

Black Hat USA 2005
Black Hat USA 2006

HP World 2005
HP Technology Forum 2005
HP Technology Forum 2006

ISSA Georgia 2006
ISSA Austin 2006
ISSA Metro Atlanta Chapter Conference 2006
Charlotte Metro ISSA 2006 Security Summit

Interz0ne 2005

(ISC)2 D.C. 2005
(ISC)2 Las Vegas 2005

CarolinaCon 2005

Techno-Security 2005

2006 Texas Regional Infrastructure Security Conference

University of South Carolina International Event 2007

Regular guest speaker at Georgia Institute of Technology

DHS Software Assurance Forum

InfoSec World

Quoted in:-

September 4, 2004 - The New York Times - "Citing Threats, Entrepreneur Wants to Quit Caller ID Venture"

January 2005 - SC Magazine - "Is your website an easy target?"

January 15, 2005 - SD Times - "Application Security: Mindset Is What Matters"

February 22, 2005 - DevX - "Security Training Falling Through the Education Cracks"

February 28, 2005 - Wired - "Known Hole Aided T-Mobile Breach"

April 11, 2005 - Atlanta Business Chronicle - "Blogging the new word-of-mouth for businesses"

April 18, 2005 - Network World - "Is your cell phone at risk?"

April 2005 - CNN - "Top 25 Technology Breakthroughs"

August 1, 2005 - SD Times - "Are Your Web Services Vulnerable?"

August 8, 2005 - Government Computer News (GCN) - "Agencies making little progress against cybervandalism"

January 17, 2006 - eWeek - "SPI Tool Measures Web App Security Risk"

February 15, 2006 - Network World - "Secure software is up to businesses"

May 10, 2006 - CNET (and ZDNET) - "Hijacking MySpace for fame and fortune"

June 6, 2006 - InformationWeek - "Caution, Developers: SOA And Ajax Open To Attack"

June 12, 2006 - Federal Computer Week (FCW) - "Preventive measures"

June 9-15, 2006 - Atlanta Business Chronicle - "'SQL injection' attacks on the rise in Atlanta"

June 19, 2006 - InformationWeek - "Yahoo Mail Worm May Be First Of Many As Ajax Proliferates"

July 15, 2006 - SD Times - "In War for App Security, New Intelligence on Way"

July 30, 2006 - eWeek - "Vista, Rootkits Headline Hacker Confab"

July 31, 2006 - InternetNews.com - "SQL Injection Threatens to Needle Web Users"

August 3, 2006 - Computerworld - "Black Hat: Blog readers vulnerable to embedded malware"

August 15, 2006 - SD Times - "Slipping In The Side Door With App Security Message"

August 23, 2006 - CRN - "Keeping Up With The Hackers"

October 23, 2006 - CRN - "Is Oracle Downplaying Security Vulnerabilities?"

November 27, 2006 - eWeek - "Acunetix Offers New Security Audit Service"

Security overhaul key to Microsoft's software success

January 12, 2007 - Joe On .NET, Microsoft's Opinionated Misfit Geek - "Upcoming AJAX Security Webcasts"

February 5, 2007 - AccountingWEB.com - "Experts Predict Bad Year Ahead for Cyber-crime, Cyber-terrorism"

February 8, 2007 - VNUNET.com, HackInTheBox.com - "Online apps facing barrage of attacks"

February 8, 2007 - Computerworld - "RSA - Hackers find a wealth of victims on corporate sites"

Personal Awards:-

Info Security Products Guide Shaping Info Security 2006 award

Atlanta American Electronics Association (AeA) - Spirit of Endeavor Award for Technology Entrepreneur

Microsoft MVP Award - Developer Security - 2007


WASC Board Member

Tools written by him:-

Webinspect versions 1-6
SQL Injector
HTTP Editor
Regex Tester
SPI Proxy
SOAP Editor
Web Discovery
Web Brute






WASC Threat Classification

Companies worked for:-

S1, Equant, ISS, SPI Dynamics

Company working for:-

SPI Dynamics

Caleb is a very active contributor to the community and is also on the Expert Panel of SearchSoftwareQuality.com (formerly SearchAppSecurity.com). He is a man with ideas and vision and I am sure we will see a lot of cool things coming out of his brain.

Last Week – Bill Pennington
Next Week – Ryan Barnett


Anonymous said...

Caleb's first security break in that I know of was when he told me that he knew the password to my credit card. He had written a program in DOS that recorded all the key strokes, which I didn't know about until he told me. He almost died that day, if you know what I mean..

Caleb's father

Anurag Agarwal said...

Nice piece of information. Thanks for sharing it with us.