Monday, July 02, 2007

Reflection on Dinis Cruz


In the last episode of reflection, we have someone who has become a pillar of OWASP. Dinis Cruz is the Chief OWASP Evangelist and a member of the OWASP board. At OWASP he organizes events such as the OWASP Autumn of Code, delivers keynotes and advanced technical presentations at OWASP conferences, and leads the OWASP .Net Project, where (amongst other things) he created the tools OWASP Report Generator, OWASP Site Generator, SAM'SHE (Security Analyzer for Microsoft's Shared Hosting Environments) and Asp.Net Reflector. Dinis Cruz is a security consultant based in London, specializing in penetration testing, ASP.NET application security, source-code security reviews, reverse engineering and security curriculum development. In his reflection, Dinis shares with us how he started in web application security. In his own words:

“When I was 10 years old and started programming assembly on my brother’s ZX Spectrum 48k. I remember being very happy by using PEEK and POKE to manipulate pixels on the screen (I also remember translating by hand Assembly Code into Bytes since at the time I had a book on assembly but had no compiler (ahhhh, these kids today have it so easy)).

I then went through an Amiga phase (probably the best computer ever, which was at that time miles ahead of everybody else), trying to write games and cool demos (again there was no Internet available).

After that came the BBS world with 2400 baud modems, followed by a super fast 14440 Modem and big phone bills. Once the Internet arrived I couldn’t get enough of it.

I started with Web Application Security about 6 years ago when I became fascinated by how easy it was to remotely 0wn computers. I then decided to shift my professional focus into security and have not looked back since.

I think my programming background was a big help, since once I understood the issues with security I was able to use those skills to find vulnerabilities (and propose solutions).

On security, my first experiments were with the first edition of Hacking Exposed, which taught me the basics of Network Security, followed by a special focus on ASP Classic and .NET Framework security.

My journey with OWASP started with an email that I sent to Mark Curphey in October 2003 about my research on the security implications of running ASP.NET code in Full Trust. Mark replied with the challenge "Hey! Why don’t you publish this material on OWASP and manage the OWASP .Net project?", which I accepted and have since dedicated a considerable amount of energy to it. OWASP is a very empowering, open organization where motivated and focused individuals can find their place and shine. OWASP was a perfect match for my values and professional objectives. I published most of my .NET Research and eventually became the Chief OWASP Evangelist.”


Based out of London, UK, Dinis is 32 years old. Below is a list of his contributions to the community.


Articles:-

Roadmap to a Partial Trust Managed Code world
http://blogs.owasp.org/diniscruz/2007/03/05/roadmap-to-a-partial-trust-managed-code-world/

‘Security Awareness Modes’ & the ‘day Microsoft changes’
http://blogs.owasp.org/diniscruz/2007/03/05/security-awareness-modes-the-day-microsoft-changes/

On Microsoft’s lack of Partial Trust Managed Code (PTMC) focus and ideas for the future
http://blogs.owasp.org/diniscruz/2007/03/05/on-microsofts-lack-of-partial-trust-managed-code-ptmc-focus-and-ideas-for-the-future/

I give up, no more posts to Full-Disclosure and DailyDave about Full Trust and .Net /Java Sandboxes
http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0147.html

An 'Asp.Net' accident waiting to happen
http://www.owasp.org/index.php/An_

Microsoft must deliver secure environments not tools to write secure code
http://www.owasp.org/index.php/Microsoft_must_deliver_secure_environments_not_tools_to_write_secure_code

Full Trust Asp.Net Security Vulnerabilties, and Microsoft's current position
http://www.owasp.org/index.php/Full_Trust_Asp.Net_Security_Vulnerabilties,_and_Microsoft

What are the 'Real World' security advantages of the .Net Framework and the JVM?
http://www.owasp.org/index.php/What_are_the_

.NET research from OWASP .NET Project

Rooting The CLR (demo files available on request)
http://www.owasp.org/index.php/Rooting_The_CLR

Buffer OverFlow in ILASM and ILDASM
http://www.owasp.org/index.php/Buffer_OverFlow_in_ILASM_and_ILDASM

Full Trust CLR Verification issue: changing the Method Parameters order
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_changing_the_Method_Parameters_order

Full Trust CLR Verification issue: changing the return address order
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_changing_the_return_address_order

Full Trust CLR Verification issue: Changing Private Field using Proxy Struct
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_Changing_Private_Field_using_Proxy_Struct

Full Trust CLR Verification issue: Exploiting Passing Reference Types by Reference
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_Exploiting_Passing_Reference_Types_by_Reference

Manipulating private method behavior by overriding public virtual methods in public classes
http://www.owasp.org/index.php/Manipulating_private_method_behaviour_by_overriding_public_virtual_methods_in_public_classes

CSharp readonly modifier is not enforced by the CLR (when in Full Trust)
http://www.owasp.org/index.php/CSharp_readonly_modifier_is_not_inforced_by_the_CLR_(when_in_Full_Trust)

ANSI/UNICODE bug in System.Net.HttpListenerRequest
http://www.owasp.org/index.php/ANSI/UNICODE_bug_in_System.Net.HttpListenerRequest


Tools written by him:-

DN_BOFinder (DotNet Buffer Overflow Finder)
http://www.owasp.org/index.php/DN_BOFinder

OWASP Site Generator
http://www.owasp.org/index.php/Owasp_SiteGenerator

OWASP Report Generator
http://www.owasp.org/index.php/Owasp_Report_Generator

.NET Assembly Analyzer
http://www.owasp.org/index.php/.Net_Assembly_Analyzer

New version (v2.0) of Foundstone's HacMe Bank (with Web Services) http://secure.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/hacmebank.htm

Video of above is located here
http://secure.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/videos/hacmebank/index.htm

Foundstone's CodeScout (basic Source code analysis tool) http://secure.foundstone.com/resources/proddesc/codescout.htm

Foundstone's .NETMon (Flow Trace Tool for .NET)
http://secure.foundstone.com/resources/proddesc/dotnetmon.htm

HttpModule for Foundstone’s Validator.NET http://secure.foundstone.com/resources/proddesc/validator.htm

OWASP’s SAMSHE (Security Analyzer for Microsoft's Shared Hosting Environments)
http://www.owasp.org/index.php/SAM
is a part of
http://www.owasp.org/index.php/ANBS

OWASP’s ANSA (Asp.Net Security Analyser)
http://www.owasp.org/index.php/ANSA

Online Active Directory User Management System

Multi-lingual website Content Management System (COTS application)

Windows Security Log Analysis solution

Relational Database for London University Researchers

Back end for travel agency website

E-Commerce system for music publisher selling custom CDs online

Online website Content Management System


Contributions:-

Created and organized the OWASP Autumn of Code 2006 http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006

OWASP Spring of Code 2007 http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007

Participation as a speaker in several Security Conferences (including Keynote presentations at OWASP conferences)

Buffer Overflows on the .Net Framework, 2006 Seattle

Panel: "The role of frameworks (e.g., .Net, Java, Enterprise Library, Struts, JaCorb) in 'forcing' developers to create and deploy 'secure' applications", 2006 Seattle

Keynote OWASP 2.0 - Enabling organizations to develop, maintain, and acquire applications they can trust, 2006 Europe (Leuven) and 2006 Seattle

Panel: "The role of Sandboxing in creating secure .Net and Java applications.", 2006 Europe (Leuven)

Rooting the CLR, 2005 Washington DC

The Fog of Software, 2005 London

OWASP DotNet Security tools: DefApp, ANBS, SAM'SHE, ASP.NET Reflector, Beretta, .NETMon, 2005 London

Full Trust Asp.Net Insecurity, 2004 NYC


Videos:

FSTV (Foundstone TV) Interview on '.NET, web security tools, the future of OWASP, and Open Source Software', BlackHat 2006 http://video.google.com/videoplay?docid=941077664562737284

Attacking Web and Windows Apps (UK's DDD3, Jun 2006) http://www.roadtowinfx.com/ddd3/2006-06-03%20Developer%20Developer%20Developer%20session%203.lo%20res.wmv

Attacking Web and Windows Applications (presented in the DDD2 on Oct 2005)
http://www.roadtowinfx.com/ddd/2005-10-22_DeveloperDay_session06.wmv

Rooting the CLR, OWASP conference in DC's NISC, Oct 2005 http://video.google.com/videoplay?docid=-2492965730809426450&q=owaspLog

Training:-

Advanced Asp.Net Exploits and Countermeasures (IOActive):

London (July 17th/18th)
http://www.nxtgenug.net/Course.aspx?CourseID=4

Black Hat in Las Vegas (July 28th/29th and July 30th/31st)
http://www.blackhat.com/html/bh-usa-07/train-bh-us-07-io-net.html

Advanced Asp.Net Security (Security Compass)

Writing Secure ASP.NET Code (IOActive)

Writing Secure Code - ASP.NET (C#) (Foundstone)

Writing Secure Code Boot Camp (Intense School / Vigilar)


Memberships:-

OWASP


Company working for:-

Dinis has a main contract with Ounce Labs but continues to do other projects and training (for example the Black Hat training in Las Vegas for IOActive).


Companies worked for:-

Dinis has been the director of his UK-based company for 10 years now, and has worked (under direct contract) for companies such as Ounce Labs, ABN AMRO, IOActive, Foundstone, Vigilar, Infosys, Security Compass, the UK’s Defence Science and Technology Laboratory, the UK’s Department for Transport, the UK’s Competition Commission and many others.


Email:-

Dinis.Cruz at owasp.net


Blog:-

http://blogs.owasp.org/diniscruz


Website:-

http://www.owasp.org/


Education:-

Dinis has 50% of a degree from the Portuguese University of Algarve in ‘Computing Systems and Analysis’ (where he completed 3 out of 5 years) and 50% of a degree from the UK’s University of Westminster in ‘Commercial Music’ (where he completed 1½ of 3 years).

So basically he has a degree in ‘Computing Commercial Systems and Music Analysis’


Dinis uses both Apple and Windows and prefers to program in C#. When he is not in front of a computer, he likes to spend time with his family and play football, golf, guitar and drums.

With this the reflection project comes to an end. I would like to thank everyone who participated in it and spent time with me in putting all the information together. It has been truly a fantastic experience.

Last Week - Cesar Cerrudo