Monday, April 16, 2007

Reflection on Ory Segal

This week on reflection we have Ory Segal of Watchfire. Ory has been involved in the webappsec from its very early days. He has published several whitepapers, articles and advisories. He has contributed to security standards like WASC Threat Classification and WASC Firewall Evaluation Criteria. He has spoken at various conferences and security events and is very reputed amongst the web application security professionals. Today, he shares with us his journey in web application security field. In his own words

“My involvement in the security world started back in 1995, when I was hired as a technician for a company that dealt with counter-intelligence. The job was very interesting and included all sorts of things you only see in movies – scanning and locating eavesdropping equipment, installing all sorts of intelligence gadgets for government agencies, etc. (during that time I developed paranoia, and to this day I always search new places I visit for hidden security cams).

When I grew tired of counter-intelligence I made the switch over to the Internet which was just emerging here in Israel. I worked for about a year for one of Israel’s biggest ISPs, and I learned all about network security - specifically TCP/IP and Linux. Someone I knew (and who knew what I was doing in my spare time) who worked for a large data security consulting company in Israel asked me to help her build a penetration testing team, which sounded very interesting to me. I then spent almost two years building a team of penetration testers that performed risk assessments for almost every major company in Israel, as well as most of the government offices. As a part of my job, I was managing several large-scale and critical information security projects for clients such as the Tel Aviv Stock Exchange, Israeli banks and the Israeli Department of Defense.

On one of the projects I was managing, I was introduced to a very interesting piece of software, which at the time was quite innovative – a Web Application Firewall. It was called Clearnet, and was developed by a small company called Perfecto Technologies. The product would later become AppShield, and the company would later become Sanctum Inc. AppShield was such an interesting and refreshing idea that it got me very intrigued. As part of my role I got the chance to try and hack my way through AppShield which was very hard. I did find some minor issues, but never got through… that’s when I really got hooked on web application security. Unlike network-level hacking, which almost always summed up to exploiting some buffer overflow, web application hacking posed a lot more challenges. It was all about bypassing application logic and felt like solving a puzzle.

After a few months I received an offer from Gili Raanan (co-founder of Sanctum) who was in the process of putting together a team of security researchers. During my interview I was introduced to the soon-to-be-famous Amit Klein. Lucky for me, Amit decided to hire me. In the end, working with Amit is one of my fondest memories of my years with Sanctum. Amit is a great mentor and I could not have hoped for a better boss, and friend.

My work at Sanctum revolved mostly around AppScan - a new product the company was just building. It was the first automated web application scanner in the world. When I started working on the product, it was just at v1.0, and was built around an HTTP Proxy. It worked by proxying and analyzing HTTP traffic that was created by the user who manually browsed through the application, and by creating some simple parameter tampering attacks. At that time it did not include the sophisticated capabilities that we have all come to expect from AppScan.

As well as performing lots of web application security audits and researching and publishing vulnerabilities, I was also responsible for writing parts of AppScan’s attack engine, creating and maintaining thousands of attacks for the product’s test database. At the time, one of the biggest challenges for web application scanners was how to automate the process of testing and validating web security issues - our group pioneered this field.

When I first started working for Sanctum in 2000, web application security was in its infancy – we had to educate the market. It was challenging but very fulfilling. Sanctum created this market space and I was thrilled to be a part of something I knew would only grow in importance. I remember how people who attended presentations I gave looked at me, and how their jaws dropped when I would demonstrate simple things like Shopping-Cart manipulations or SQL Injection. Big pieces of the WebAppSec puzzle were still missing – XSS, Blind SQL Injection, and many other techniques were either not yet know publicly, or known but not taken very seriously. In fact, as you probably know, XSS was disregarded by many during the first years after it was discovered – people didn’t take it seriously for a long time.

In 2004 Watchfire acquired Sanctum and I took the role of AppShield Product Manager and helped the company successfully transition AppShield to F5.

In 2005 I accepted the role of Director of Security Research for Watchfire and since then I have been a part of the Product Management Group. In this role I am responsible for helping to improve AppScan and to continually find ways to automate more aspects of the web application security assessment process. In addition, I am also researching new technologies and directions for Watchfire’s products as well as overseeing the security research which is now performed by a much larger team of security experts (who recently published the “Overtaking Google Desktop” whitepaper).

I am very excited about the direction that AppScan and automated scanning has taken in recent years, and I am sure we’ll see some major improvements and interesting new technologies in the near future. I am also very happy to see that more and more organizations are taking WebAppSec seriously, the market has come a long way.

In the “old days”, we did publish some *nasty* anonymous security advisories. It was fun, but I can’t disclose any more information. Now I am a strong supporter of proper disclosure policies (go RFPolicy!)

Back in 2002, I co-founded a small local group of security experts called (it was a takeoff on the whole, and 8200 – an Israeli intelligence army unit, which spawned some of the greatest minds in the security industry). We ran several projects, one of which was the first WarDriving experiment in Israel. The results were obvious and we got some publicity in local newspapers. Among others, the group included Liraz Siri (who performed the Internet Auditing Project and scanned 36 million servers across the internet)

I am a musician, I mainly play guitar. I have been a part of the Tel Aviv Indie Rock scene since 1997. In 1997 I put out a solo record (where I played all instruments), under the pseudonym “Wilkesboro Brothers”, since then I have been involved in several bands. My current band is called Pits (, we put out an album in 2005, which got good reviews and we are currently working on our second album. If you happen to be in Tel-Aviv, check out our gig schedule.

I live with my wife Orli, who is also involved in the IT Security market (Orli worked many years for Check Point, and also co-founded another security start-up). It’s not uncommon to hear us talk about security stuff at home. We are both techies and also fanatic music lovers.”

Based out of Tel Aviv, Israel, Ory is only 33 years old. Below is a list of his contributions to the community.


Testing Privilege Escalation in Web Applications:

Web Application Forensics: The uncharted territory:

Methodologies & Tools for Web Application Security Assessment:

Ory has also authored a series of web casts on the subject of the WASC TC project, covering web application security, advanced hacking courses, and gave numerous presentations around the globe on the subject of Web Application Security. Those links can be found on Watchfire website (Requires personal information).


Apache Win32 Batch File Remote Command Execution Vulnerability:

Multiple vendors web server source code disclosure - 8.3 name format vulnerability:

Macromedia ColdFusion MX Missing Template Cross Site Scripting Vulnerability:

Microsoft Exchange Server 5.5 Outlook Web Access Cross-Site Scripting Vulnerability:

Multiple XSS vulnerabilities in Microsoft SharePoint Portal Server:

Cpanel Admin Interface HTML Injection Vulnerability:

Microsoft IIS 5.x/6.0 WebDAV (XML parser) attribute blowup DoS (Written by Amit Klein). Helped to apply the vulnerability to Microsoft IIS servers:

PhpBB HTTP Response Splitting & Cross Site Scripting vulnerabilities: &

Deerfield VisNetic WebSite Cross Site Scripting Vulnerability:


Ory has been actively developing parts of Watchfire AppScan and the PowerTools for a long time now, but other than that most of the tools are only used internally in Watchfire.


MITRE CWE project


WASC Threat Classification


Web Application Security Consortium



BA in Computer Science from the Open Univ. of Israel.

Companies worked for:-

YTS Security Systems, Internet Gold, Avnet Data Security, Sanctum, Watchfire

Company working for:-



osegal at watchfire dot com

Ory Segal is amongst one of the respected figures in web application security. I hope he starts his blog soon to share his ideas and thoughts more frequently with us.
Last Week - Chris Shiflett
Next Week – Nish Bhalla

1 comment:

Anonymous said...

Im trying to record a login sequence over the internet for the ibm demo application. however im not able to do so. Any particular reasons for this?