Monday, July 02, 2007

Reflection on Dinis Cruz

In the last episode of Reflection, we have someone who has become a pillar of OWASP. Dinis Cruz is the Chief OWASP Evangelist and a member of the OWASP Board. At OWASP, he organizes events such as the OWASP Autumn of Code, delivers keynotes and advanced technical presentations at OWASP conferences, and leads the OWASP .Net Project, where (amongst other things) he created the tools OWASP Report Generator, OWASP Site Generator, SAM'SHE (Security Analyzer for Microsoft's Shared Hosting Environments) and Asp.Net Reflector. Dinis Cruz is a security consultant based in London, specializing in penetration testing, ASP.NET application security, source-code security reviews, reverse engineering and security curriculum development. In his reflection, Dinis shares with us how he started in web application security. In his own words:

“When I was 10 years old I started programming assembly on my brother’s ZX Spectrum 48k. I remember being very happy using PEEK and POKE to manipulate pixels on the screen (I also remember translating assembly code into bytes by hand, since at the time I had a book on assembly but had no compiler (ahhhh, these kids today have it so easy)).

I then went through an Amiga phase (probably the best computer ever, which was at that time miles ahead of everybody else), trying to write games and cool demos (again there was no Internet available).

After that came the BBS world with 2400 baud modems, followed by a super fast 14400 modem and big phone bills. Once the Internet arrived I couldn’t get enough of it.

I started with Web Application Security about 6 years ago when I became fascinated by how easy it was to remotely 0wn computers. I then decided to shift my professional focus into security and have not looked back since.

I think my programming background was a big help, since once I understood the issues with security I was able to use those skills to find vulnerabilities (and propose solutions).

On security, my first experiments were with the first edition of Hacking Exposed, which taught me the basics of network security, followed by a special focus on ASP Classic and .NET Framework security.

My journey with OWASP started with an email that I sent to Mark Curphey in October 2003 about my research on the security implications of running ASP.NET code in Full Trust. Mark replied with the challenge "Hey! Why don’t you publish this material on OWASP and manage the OWASP .Net project?", which I accepted, and I have since dedicated a considerable amount of energy to it. OWASP is a very empowering, open organization where motivated and focused individuals can find their place and shine. OWASP was a perfect match for my values and professional objectives. I published most of my .NET research and eventually became the Chief OWASP Evangelist.”

Based out of London, UK, Dinis is 32 years old. Below is a list of his contributions to the community.


Roadmap to a Partial Trust Managed Code world

‘Security Awareness Modes’ & the ‘day Microsoft changes’

On Microsoft’s lack of Partial Trust Managed Code (PTMC) focus and ideas for the future

I give up, no more posts to Full-Disclosure and DailyDave about Full Trust and .Net/Java Sandboxes

An 'Asp.Net' accident waiting to happen

Microsoft must deliver secure environments not tools to write secure code
Full Trust Asp.Net Security Vulnerabilities, and Microsoft's current position

What are the 'Real World' security advantages of the .Net Framework and the JVM?

.NET research from the OWASP .NET Project:-

Rooting The CLR (demo files available on request)

Buffer Overflow in ILASM and ILDASM

Full Trust CLR Verification issue: changing the Method Parameters order

Full Trust CLR Verification issue: changing the return address order

Full Trust CLR Verification issue: Changing Private Field using Proxy Struct

Full Trust CLR Verification issue: Exploiting Passing Reference Types by Reference

Manipulating private method behavior by overriding public virtual methods in public classes

CSharp readonly modifier is not enforced by the CLR (when in Full Trust)

ANSI/UNICODE bug in System.Net.HttpListenerRequest

Tools written by him:-

DN_BOFinder (DotNet Buffer Overflow Finder)

OWASP Site Generator

OWASP Report Generator

.NET Assembly Analyzer

New version (v2.0) of Foundstone's HacMe Bank (with Web Services)

A video of the above is located here

Foundstone's CodeScout (basic Source code analysis tool)

Foundstone's .NETMon (Flow Trace Tool for .NET)

HttpModule for Foundstone’s Validator.NET

OWASP’s SAM'SHE (Security Analyzer for Microsoft's Shared Hosting Environments), which is a part of OWASP’s ANSA (Asp.Net Security Analyser)

Online Active Directory User Management System

Multi-lingual website Content Management System (COTS application)

Windows Security Log Analysis solution

Relational Database for London University Researchers

Back end for travel agency website

E-Commerce system for music publisher selling custom CDs online

Online website Content Management System


Created and organized the OWASP Autumn of Code 2006

Created and organized the OWASP Spring of Code 2007

Participation as a speaker in several security conferences (including keynote presentations at OWASP conferences):-

Buffer Overflows on the .Net Framework, 2006 Seattle

Panel: "The role of frameworks (e.g., .Net, Java, Enterprise Library, Struts, JaCorb) in 'forcing' developers to create and deploy 'secure' applications", 2006 Seattle

Keynote OWASP 2.0 - Enabling organizations to develop, maintain, and acquire applications they can trust, 2006 Europe (Leuven) and 2006 Seattle

Panel: "The role of Sandboxing in creating secure .Net and Java applications", 2006 Europe (Leuven)

Rooting the CLR, 2005 Washington DC

The Fog of Software, 2005 London

OWASP DotNet Security tools: DefApp, ANBS, SAM'SHE, ASP.NET Reflector, Beretta, .NETMon , 2005 London

Full Trust Asp.Net Insecurity, 2004 NYC


FSTV (Foundstone TV) interview on '.NET, web security tools, the future of OWASP, and Open Source Software', BlackHat 2006

Attacking Web and Windows Apps (UK's DDD3, June 2006)

Attacking Web and Windows Applications (presented at DDD2, Oct 2005)

Rooting the CLR, OWASP conference at NIST in DC, Oct 2005


Training courses:-

Advanced Asp.Net Exploits and Countermeasures (IOActive):

London (July 17th/18th)

Black Hat in Las Vegas (July 28th/29th and July 30th/31st)

Advanced Asp.Net Security (Security Compass)

Writing Secure ASP.NET Code (IOActive)

Writing Secure Code - ASP.NET (C#) (Foundstone)

Writing Secure Code Boot Camp (Intense School / Vigilar)



Currently working for:-

Dinis has a main contract with Ounce Labs but continues to do other projects and training (for example the Black Hat training in Las Vegas for IOActive).

Companies worked for:-

Dinis has been the director of his UK-based company for 10 years now, and has worked (under direct contract) for companies like Ounce Labs, ABN AMRO, IOActive, Foundstone, Vigilar, Infosys, Security Compass, the UK’s Defence Science and Technology Laboratory, the UK’s Department for Transport, the UK’s Competition Commission and many others.



Dinis has 50% of a degree from Portugal’s University of Algarve in ‘Computing Systems and Analysis’ (where he completed 3 out of 5 years) and 50% of a degree from the UK’s University of Westminster in ‘Commercial Music’ (where he completed 1 and ½ of 3 years).

So basically he has a degree in ‘Computing Commercial Systems and Music Analysis’.

Dinis uses both Apple and Windows and prefers to program in C#. When he is not in front of a computer, he likes to spend time with his family and play football, golf, guitar and drums.

With this the reflection project comes to an end. I would like to thank everyone who participated in it and spent time with me in putting all the information together. It has been truly a fantastic experience.

Last Week - Cesar Cerrudo