Showing posts with label reflection. Show all posts

Monday, July 02, 2007

Reflection on Dinis Cruz


In the last episode of reflection, we have someone who has become a pillar of OWASP. Dinis Cruz is the Chief OWASP Evangelist and a member of the OWASP board. At OWASP, he organizes events such as the OWASP Autumn of Code, delivers keynotes and advanced technical presentations at OWASP conferences, and leads the OWASP .NET Project, where (amongst others) he created the tools OWASP Report Generator, OWASP Site Generator, SAM'SHE (Security Analyzer for Microsoft's Shared Hosting Environments) and Asp.Net Reflector. Dinis Cruz is a security consultant based in London, specializing in penetration testing, ASP.NET application security, source-code security reviews, reverse engineering and security curriculum development. In his reflection, Dinis shares with us how he started in web application security. In his own words:

“When I was 10 years old I started programming assembly on my brother’s ZX Spectrum 48k. I remember being very happy using PEEK and POKE to manipulate pixels on the screen (I also remember translating assembly code into bytes by hand, since at the time I had a book on assembly but had no compiler; ahhhh, these kids today have it so easy).

I then went through an Amiga phase (probably the best computer ever, which was at that time miles ahead of everybody else), trying to write games and cool demos (again there was no Internet available).

After that came the BBS world with 2400 baud modems, followed by a super fast 14440 Modem and big phone bills. Once the Internet arrived I couldn’t get enough of it.

I started with Web Application Security about 6 years ago when I became fascinated by how easy it was to remotely 0wn computers. I then decided to shift my professional focus into security and have not looked back since.

I think my programming background was a big help, since once I understood the issues with security I was able to use those skills to find vulnerabilities (and propose solutions).

On security, my first experiments were with the first edition of Hacking Exposed, which taught me the basics of Network Security, followed by a special focus on ASP Classic and .NET Framework security.

My journey with OWASP started with an email that I sent to Mark Curphey in October 2003 about my research on the security implications of running ASP.NET code in Full Trust. Mark replied with the challenge "Hey!, why don’t you publish this material on OWASP and manage the OWASP .Net project?", which I accepted and have since dedicated a considerable amount of energy to it. OWASP is a very empowering, open organization where motivated and focused individuals can find their place and shine. OWASP was a perfect match for my values and professional objectives. I published most of my .NET research and eventually became the Chief OWASP Evangelist.”


Based out of London, UK, Dinis is 32 years old. Below is a list of his contributions to the community.


Articles:-

Roadmap to a Partial Trust Managed Code world
http://blogs.owasp.org/diniscruz/2007/03/05/roadmap-to-a-partial-trust-managed-code-world/

‘Security Awareness Modes’ & the ‘day Microsoft changes’
http://blogs.owasp.org/diniscruz/2007/03/05/security-awareness-modes-the-day-microsoft-changes/

On Microsoft’s lack of Partial Trust Managed Code (PTMC) focus and ideas for the future
http://blogs.owasp.org/diniscruz/2007/03/05/on-microsofts-lack-of-partial-trust-managed-code-ptmc-focus-and-ideas-for-the-future/

I give up, no more posts to Full-Disclosure and DailyDave about Full Trust and .Net /Java Sandboxes
http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0147.html

An 'Asp.Net' accident waiting to happen
http://www.owasp.org/index.php/An_

Microsoft must deliver secure environments not tools to write secure code
http://www.owasp.org/index.php/Microsoft_must_deliver_secure_environments_not_tools_to_write_secure_code

Full Trust Asp.Net Security Vulnerabilties, and Microsoft's current position
http://www.owasp.org/index.php/Full_Trust_Asp.Net_Security_Vulnerabilties,_and_Microsoft

What are the 'Real World' security advantages of the .Net Framework and the JVM?
http://www.owasp.org/index.php/What_are_the_

.NET research from OWASP .NET Project

Rooting The CLR (demo files available on request)
http://www.owasp.org/index.php/Rooting_The_CLR

Buffer OverFlow in ILASM and ILDASM
http://www.owasp.org/index.php/Buffer_OverFlow_in_ILASM_and_ILDASM

Full Trust CLR Verification issue: changing the Method Parameters order
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_changing_the_Method_Parameters_order

Full Trust CLR Verification issue: changing the return address order
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_changing_the_return_address_order

Full Trust CLR Verification issue: Changing Private Field using Proxy Struct
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_Changing_Private_Field_using_Proxy_Struct

Full Trust CLR Verification issue: Exploiting Passing Reference Types by Reference
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_Exploiting_Passing_Reference_Types_by_Reference

Manipulating private method behavior by overriding public virtual methods in public classes
http://www.owasp.org/index.php/Manipulating_private_method_behaviour_by_overriding_public_virtual_methods_in_public_classes

CSharp readonly modifier is not enforced by the CLR (when in Full Trust)
http://www.owasp.org/index.php/CSharp_readonly_modifier_is_not_inforced_by_the_CLR_(when_in_Full_Trust)

ANSI/UNICODE bug in System.Net.HttpListenerRequest
http://www.owasp.org/index.php/ANSI/UNICODE_bug_in_System.Net.HttpListenerRequest


Tools written by him:-

DN_BOFinder (DotNet Buffer Overflow Finder)
http://www.owasp.org/index.php/DN_BOFinder

OWASP Site Generator
http://www.owasp.org/index.php/Owasp_SiteGenerator

OWASP Report Generator
http://www.owasp.org/index.php/Owasp_Report_Generator

.NET Assembly Analyzer
http://www.owasp.org/index.php/.Net_Assembly_Analyzer

New version (v2.0) of Foundstone's HacMe Bank (with Web Services)
http://secure.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/hacmebank.htm

Video of above is located here
http://secure.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/videos/hacmebank/index.htm

Foundstone's CodeScout (basic source code analysis tool)
http://secure.foundstone.com/resources/proddesc/codescout.htm

Foundstone's .NETMon (Flow Trace Tool for .NET)
http://secure.foundstone.com/resources/proddesc/dotnetmon.htm

HttpModule for Foundstone’s Validator.NET
http://secure.foundstone.com/resources/proddesc/validator.htm

OWASP’s SAMSHE (Security Analyzer for Microsoft's Shared Hosting Environments), which is a part of ANBS
http://www.owasp.org/index.php/SAM
http://www.owasp.org/index.php/ANBS

OWASP’s ANSA (Asp.Net Security Analyser)
http://www.owasp.org/index.php/ANSA

Online Active Directory User Management System

Multi-lingual website Content Management System (COTS application)

Windows Security Log Analysis solution

Relational Database for London University Researchers

Back end for travel agency website

E-Commerce system for music publisher selling custom CDs online

Online website Content Management System


Contributions:-

Created and organized the OWASP Autumn of Code 2006
http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006

OWASP Spring of Code 2007
http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007

Participation as a speaker in several Security Conferences (including Keynote presentations at OWASP conferences)

Buffer Overflows on the .Net Framework, 2006 Seattle

Panel: "The role of frameworks (e.g., .Net, Java, Enterprise Library, Struts, JaCorb) in 'forcing' developers to create and deploy 'secure' applications", 2006 Seattle

Keynote OWASP 2.0 - Enabling organizations to develop, maintain, and acquire applications they can trust, 2006 Europe (Leuven) and 2006 Seattle

Panel: "The role of Sandboxing in creating secure .Net and Java applications", 2006 Europe (Leuven)

Rooting the CLR, 2005 Washington DC

The Fog of Software, 2005 London

OWASP DotNet Security tools: DefApp, ANBS, SAM'SHE, ASP.NET Reflector, Beretta, .NETMon, 2005 London

Full Trust Asp.Net Insecurity, 2004 NYC


Videos:

FSTV (Foundstone TV) Interview on '.NET, web security tools, the future of OWASP, and Open Source Software', BlackHat 2006
http://video.google.com/videoplay?docid=941077664562737284

Attacking Web and Windows Apps (UK's DDD3, Jun 2006)
http://www.roadtowinfx.com/ddd3/2006-06-03%20Developer%20Developer%20Developer%20session%203.lo%20res.wmv

Attacking Web and Windows Applications (presented in the DDD2 on Oct 2005)
http://www.roadtowinfx.com/ddd/2005-10-22_DeveloperDay_session06.wmv

Rooting the CLR, OWASP conference at DC's NISC, Oct 2005
http://video.google.com/videoplay?docid=-2492965730809426450&q=owaspLog

Training:-

Advanced Asp.Net Exploits and Countermeasures (IOActive):

London (July 17th/18th)
http://www.nxtgenug.net/Course.aspx?CourseID=4

Black Hat in Las Vegas (July 28th/29th and July 30th/31st)
http://www.blackhat.com/html/bh-usa-07/train-bh-us-07-io-net.html

Advanced Asp.Net Security (Security Compass)

Writing Secure ASP.NET Code (IOActive)

Writing Secure Code - ASP.NET (C#) (Foundstone)

Writing Secure Code Boot Camp (Intense School / Vigilar)


Memberships:-

OWASP


Company working for:-

Dinis has a main contract with Ounce Labs but continues to do other projects and training (for example the Black Hat training in Las Vegas for IOActive).


Companies worked for:-

Dinis has been the director of his UK based company for 10 years now, and has worked (under direct contract) for companies like Ounce Labs, ABN AMRO, IOActive, Foundstone, Vigilar, Infosys, Security Compass, the UK’s Defence Science and Technology Laboratory, the UK’s Department for Transport, the UK’s Competition Commission and many others.


Email:-

Dinis.Cruz at owasp.net


Blog:-

http://blogs.owasp.org/diniscruz


Website:-

http://www.owasp.org/


Education:-

Dinis has 50% of a degree from Portugal’s University of Algarve in ‘Computing Systems and Analysis’ (where he completed 3 out of five years) and has 50% of a degree from the UK’s University of Westminster in ‘Commercial Music’ (where he completed 1½ of 3 years).

So basically he has a degree in ‘Computing Commercial Systems and Music Analysis’.


Dinis uses both Apple and Windows and prefers to program in C#. When he is not in front of a computer, he likes to spend time with his family and play football, golf, guitar and drums.

With this the reflection project comes to an end. I would like to thank everyone who participated in it and spent time with me putting all the information together. It has truly been a fantastic experience.

Last Week - Cesar Cerrudo

Monday, June 25, 2007

Reflection on Cesar Cerrudo


This week on reflection we have someone who has done a lot of database research, published several advisories and presented at Blackhat, CanSecWest and other conferences on database security. Cesar Cerrudo works for his own company, “Argeniss”, and has contributed a lot to making some of today's databases more secure. He has also identified a lot of vulnerabilities in Microsoft Windows, Microsoft Commerce Server, etc. He is passionate about application security and a big believer in the open source community, for both software and books. Cesar shares his journey with application security in his own words:

"I think I always have had a 'hacker mind', for calling it in some way. I remember being a child and breaking things to look inside. When I was 10 or so I got my first computer, a CZ Spectrum (I don't remember the exact model), but it ran BASIC. When I wanted to learn how to use it and to code in BASIC, I went to a place for kids but got bored after many days of being taught PRINT "HOLA MUNDO" only, so I used that computer for games (games were stored on an audio cassette tape and loading them required playing it in a cassette player). I learnt a few tricks looking at the guy from a store that recorded games, so I started to modify screens when the games were loading; I also hacked multilevel games by loading parts of one level and the rest from a different level, which for my age was a big deal. After a couple of years I stopped using that computer and I didn’t do anything computer related for several years, apart from taking a few boring classes of MS DOS, QPRO, Lotus, etc. When I was 19 I started to study Computer Science but I didn't have a PC (they were a bit expensive on this side of the planet earth), so I only read old books available at the university and played with a friend's computer. In those days the challenge was to try running cool games on old computers; I became an expert in MS DOS :)

I remember one day being very excited because I found the assembly code of an MS DOS virus on one of the PCs at the university. I spent several hours with an old assembly book (thanks Norton-Socha!) until I learnt how the virus worked (in the process I learnt some x86 assembler without coding it on a PC). After some time I started to work on client/server software for a couple of different local companies, and one of the companies had Internet access, so I started using the Internet. Since I always liked hacking, the Internet was a really good source of information, so I started to learn something about hacking for the first time. I was lucky since I had a good academic background in programming, computers, etc., so I didn't end up reading and learning stupid things, but because I had an old PC and no Internet access at home I couldn't test much of the stuff I learnt. Then I took up a new job where I started using the Internet frequently and started trying things in my free time; this was like 7 years ago and that was when I started with webappsec. I had worked a lot with MS SQL Server, so when I first read about SQL Injection I was really amazed by it and I started to create my own techniques, tools, etc.

That’s when I started to play with MS SQL Server, and after some time I found my first vulnerability, then the next one and so on, until I realized I had found dozens of vulnerabilities in MS SQL Server. I also learnt how to code exploits and new techniques for finding vulnerabilities; since then I have found several vulnerabilities in MS Windows, Oracle Database Server, etc. I have also created new exploitation and attack techniques. A few years ago I designed and wrote a complete web application scanner for a security company; the scanner at that time was better than other available web app scanners, but because of some patent issues the product stopped being sold (hurray for Watchfire!!!). Currently I do research on application security mostly focused on database security, and in my spare time I like to hack MS Windows :)

I always try to keep big vendors improving on security; I don't care if I have to publish 0day vulnerabilities or controversial papers in order to accomplish that. I have been offered to write books, but the only way I can write or contribute to a book is if it will be available for free in some way (electronic, etc.). I know what it is not to have resources for learning; all people should have easy access to knowledge, books only make money for the editors and people without money can't get them."


Based out of Parana, Entre Rios, Argentina, Cesar is 31 years old. Below is a list of his contributions to the community.


Articles:-

Hacking databases for owning your data
http://www.argeniss.com/research/HackingDatabases.zip

Practical security audit: Oracle case
http://www.argeniss.com/research/10MinSecAudit.zip

WLSI-Windows Local Shellcode Injection
http://www.argeniss.com/research/WLSI.zip

Story of a dumb patch
http://www.argeniss.com/research/MSBugPaper.pdf

Demystifying MS SQL Server & Oracle Database Server security
http://www.argeniss.com/research/SQL-Oracle.zip

Hacking Windows Internals
http://www.argeniss.com/research/hackwininter.zip

Auditing ActiveX Controls
http://www.blackhat.com/presentations/win-usa-04/bh-win-04-cerrudo/bh-win-04-cerrudo.pdf

Hunting Flaws in SQL Server
http://www.appsecinc.com/presentations/Hunting_Flaws_in_SQL_Server.pdf

Manipulating Microsoft SQL Server Using SQL Injection
http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf


Tools written by him:-

DataThief
http://www.argeniss.com/research/HackingDatabases.zip

Shared section tools
http://www.argeniss.com/research/hackwininter.zip


Contributions:-

WASC - Web Security Threat Classification


Advisories

Microsoft Windows Kernel GDI local privilege escalation procedure
http://www.argeniss.com/research/ARGENISS-ADV-110604.txt
http://www.argeniss.com/research/GDIKernelPoC.c

Oracle Database Server Directory traversal
http://www.argeniss.com/research/ARGENISS-ADV-030501.txt

COM+ Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

COM Structured Storage Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx
http://www.argeniss.com/research/SSExploit.c

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx

Vulnerability in Windows LSASS Could Allow Elevation of Privilege
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx

Multiple vulnerabilities in Oracle Database Server
http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf

Vulnerability in Utility Manager Could Allow Code Execution
http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx

Utility Manager Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Biztalk Server Vulnerabilities
http://www.microsoft.com/technet/security/bulletin/MS03-016.asp

Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution
http://www.microsoft.com/technet/security/Bulletin/MS03-042.mspx

Symantec Security Check RuFSI ActiveX Control Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/8008

Yahoo! Chat and Messenger Hostname Buffer Overflow Vulnerability
http://secunia.com/advisories/8924/

Multiple buffer overflows in DBCC and SQL Injections
http://www.appsecinc.com/resources/alerts/mssql/02-0011.shtml

BULK INSERT buffer overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0010.shtml

Encoded password written by service pack
http://www.appsecinc.com/resources/alerts/mssql/02-0009.shtml

Microsoft SQL Server: Buffer Overflows in numerous extended stored procedures
http://www.appsecinc.com/resources/alerts/mssql/02-0000.html

xp_dirtree Buffer Overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0007.shtml

Heterogenous Queries Buffer Overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0008.shtml


Conferences:-

Hacking databases for owning your data - Black Hat Europe 2007
http://www.blackhat.com/

Practical security audit: Oracle case - Black Hat DC 2007
http://www.blackhat.com/

DataTheft - How databases are hacked and how to protect them - No cON Name 2006
http://www.noconname.org/

WLSI - Windows Local Shellcode Injection - Black Hat Europe 2006
http://www.blackhat.com/

WLSI - Windows Local Shellcode Injection - EUSecWest/core06 conference
http://www.eusecwest.com/

Database Hacking and Security - Web Application Security and Hacking
http://www.websec.com.mx/

Demystifying Microsoft SQL Server & Oracle Database Server security - Black Hat USA 2005
http://www.blackhat.com/

Hacking Windows Internals - cansecwest/core05 conference
http://www.cansecwest.com/

Hacking Windows Internals - Bellua Cyber Security Asia 2005
www.bellua.com/bcs2005/

Hacking Windows Internals - Black Hat Europe 2005
http://www.blackhat.com/

Auditing ActiveX Controls - Black Hat Windows 2004
http://www.blackhat.com/

Hunting Flaws in MS SQL Server - Black Hat Windows 2003
http://www.blackhat.com/


Company working for:-

Argeniss


Companies worked for:-

Application Security Inc.


Website:-

http://www.argeniss.com/


Email:-

Cesar<(at)>argeniss<(.)>com


Education:-

Analyst programmer


Cesar is very driven and passionate about application security, and is one of the best in database security. Though he doesn't have a blog right now, you can get all the information on his website, along with his whitepapers and the latest on database security.

Last Week – Alex Stamos

Next Week – Dinis Cruz

Monday, June 18, 2007

Reflection on Alex Stamos


This week on reflection we have Alex Stamos from iSEC Partners Inc. Alex has been involved in webappsec for some time now and has presented at Blackhat, ToorCon, OWASP, ISACA, etc. He is a founder and Vice President of Professional Services at iSEC. He is a leading researcher in the field of web application and web services security and is also a co-author of the upcoming book Hacking Exposed Web 2.0. Alex shares with us how he got started in the webappsec field. In his own words:

"Back in 2001 I started working at Loudcloud, which was basically a large ISP/ASP made famous by the fact that Marc Andreessen was a founder. While there, I ended up with the primary security responsibility for about 50 Fortune-500 web applications. Through a series of late night pages, self-exploration through our customers' code, and a couple of hairy incidents, I decided that web app security was way more important to these apps than double-checking the firewall rulesets or slightly decreasing how fast we patched OpenSSH.

At @stake, a major focus of my work was penetration testing of web applications and teaching classes to web app developers on how to stop making the same mistakes others had already made. Since we started iSEC about three years ago, web application and web services security has been a major focus of my research and work with clients, although I also dabble in other security areas such as forensics."


Based out of San Francisco, CA, US, Alex is only 28 years old. Below is a list of his contributions to the community.


Books:-

Co-authored - Hacking Exposed Web 2.0 (to be released soon)
(http://www.amazon.com/Hacking-Exposed-Web-2-0-Solutions/dp/0071494618/ref=sr_1_1/103-2901853-2679805?ie=UTF8&s=books&qid=1182153208&sr=8-1)


Tools written by him:-

Alex has worked on a few SOAP security tools with Scott Stender and Jesse Burns, and is releasing some new file and file system fuzzing tools for testing forensic software at BlackHat this summer.
All the tools can be found on the iSEC website:
http://www.isecpartners.com/tools.html


Presentations:-

Upcoming - "Breaking Forensics Software: Weaknesses in Critical Evidence Collection"
BlackHat USA 2007
http://blackhat.com/html/bh-usa-07/bh-usa-07-speakers.html#Palmer


"Vulnerabilities 2.0 in Web 2.0: Next Generation Web Apps from a Hacker's Perspective" - Web 2.0 Expo, BlackHat USA, BlackHat Japan, ToorCon, ACM Reflections/Projections, OWASP SF
http://www.isecpartners.com/files/Attacking_AJAX_Applications-UIUC_ACM_2006.pdf


Cyber Crime - Security, Strategy & Solutions - ISACA Silicon Valley Annual Conference
http://www.isaca-sv.org/WinterConferenceSecTopic.html#11


"Cross-Domain Request Forgery and Web Crimes" - SF Bay Infraguard with Jesse Burns
http://www.sfbay-infragard.org/


Attacking Web Services - BlackHat USA, CanSecWest, OWASP App Sec, SyScan
http://www.infoworld.com/event/soa/may/



Memberships:-

OWASP
http://www.owasp.org/

ISACA
http://www.isaca.org/

IEEE
http://www.ieee.org/portal/site


Company working for:-

Founder and Vice President of Professional Services at iSEC Partners, Inc. (http://www.isecpartners.com/)


Email:-

alex__at__isecpartners_dot_com


Website:-

http://www.isecpartners.com/


Companies worked for:-

@stake, Loudcloud, E.O. Lawrence Berkeley National Laboratory


Education:-

BS in Electrical Engineering and Computer Science - University of California, Berkeley.


Last Week – pdp
Next Week – Cesar Cerrudo

Monday, June 11, 2007

Reflection on pdp


This week on reflection we have Petko D Petkov (popularly known as pdp). pdp has been active in the webappsec community for some time now. He has written many articles and published many tools. Two of his more popular tools are Attack API and Technika (a Firefox extension). He is also a co-author of the book XSS Exploits: Attacks and Defense. Recently he presented Advanced Web Hacking Revealed at the OWASP AppSec Conference in Italy 2007. In his reflection pdp shares with us how he got started in the webappsec field. In his own words:

“I have always been fascinated by the power of the Web, but it was around the year 2000 when I got into web application security. Other than that, my interest in IT security has been growing since 1995. Funny enough, it was "Hackers", the movie, that sort of inspired me to spend my time on solving interesting problems with my not-so-advanced for that time PC, rather than wasting time on games. Back then, I had a 286 MHz "Pravetz", produced in Bulgaria. One of my first projects was a simple calculator that was also password protected. When I finished the project, I also learned how to trick the password protection mechanism by modifying the jumper inside the program binary. That was fun. The Bulgarian underground scene used to be a great resource for me to learn from. I started reading an online zine called Phreadom. I am still looking for the old issues but I guess they are somehow lost forever.

I started hacking from the time I learned how to program. My Dad told me that programming is one of the few professions out there that teaches you about the world in general, since programmers try to reflect real-world problems in easy to maintain and use software products. That made me start thinking outside the box. I define myself as a life-hacker. I guess this is the reason why I am where I am today. When I came to the UK I didn't want to waste time, so I did a lot of security related projects. This is when my IT security career started. I was 18 and I was doing the stuff that I wanted to do all my life.”

Based out of London, UK, pdp is only 22 years old. Below is a list of his contributions to the webappsec community.


Books:-

XSS Attacks: Exploits and Defense
http://www.amazon.com/Cross-Site-Scripting-Attacks-Exploits/dp/1597491543/sr=1-1/qid=1170769149?ie=UTF8&s=books

Articles:-

The Web has Betrayed Us
http://www.gnucitizen.org/blog/the-web-has-betrayed-us

Persistent CSRF and The Hotlink Hell
http://www.gnucitizen.org/blog/persistent-csrf-and-the-hotlink-hell

Preventing CSRF
http://www.gnucitizen.org/blog/preventing-csrf

Sex, Candies and Bookmarklet Exploits
http://www.gnucitizen.org/blog/sex-candies-and-bookmarklet-exploits

The Machine is Using Us
http://www.gnucitizen.org/blog/the-machine-is-using-us

Playing in Large
http://www.gnucitizen.org/blog/playing-in-large

Universal PDF XSS After Party
http://www.gnucitizen.org/blog/universal-pdf-xss-after-party

Danger Danger Danger
http://www.gnucitizen.org/blog/danger-danger-danger

Web OS
http://www.gnucitizen.org/blog/web-os

Cross-site Request Forgery
http://www.gnucitizen.org/blog/cross-site-request-forgery

The 0XSS Credo
http://www.gnucitizen.org/blog/the-0xss-credo

The Backdooring Series:
http://www.gnucitizen.org/blog/backdooring-images
http://www.gnucitizen.org/blog/backdooring-mp3-files
http://www.gnucitizen.org/blog/backdooring-quicktime-movies
http://www.gnucitizen.org/blog/backdooring-flash-objects-receipt
http://www.gnucitizen.org/blog/backdooring-flash-objects
http://www.gnucitizen.org/blog/backdooring-web-pages

The XSSing the Lan Series:
http://www.gnucitizen.org/blog/xssing-the-lan-4
http://www.gnucitizen.org/blog/xssing-the-lan-3
http://www.gnucitizen.org/blog/xssing-the-lan-2
http://www.gnucitizen.org/blog/xssing-the-lan


Presentation:-

Advanced Web hacking revealed
http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda


Tools written by him:-

Some of the tools published by him

JavaScript YPipes Spider
http://www.gnucitizen.org/projects/6th-owasp-conference/spider.htm

JavaScript TinyURL Filesystem
http://www.gnucitizen.org/projects/6th-owasp-conference/tinyfs.htm

Google Hacking Database Interface
http://www.gnucitizen.org/applications/ghdb

JavaScript Port Scanner
http://www.gnucitizen.org/projects/javascript-port-scanner

Greasemonkey Backdoor
http://www.gnucitizen.org/projects/greasecarnaval

Exploit Development Environment for Firefox
http://www.gnucitizen.org/projects/technika

Geo position Zombies on a map
http://www.gnucitizen.org/applications/zombiemap

Attack Framework for controlling zombies
http://www.gnucitizen.org/applications/backframe

Simple JavaScript testing framework
http://www.gnucitizen.org/projects/firetest

Powerful JavaScript based attack library
http://www.gnucitizen.org/projects/attackapi

The Cross-site Scripting database
http://www.gnucitizen.org/applications/xssdb

Powerful and very customizable attack communication channel
http://www.gnucitizen.org/projects/javascript-attack-channel

Set of utilities useful when performing enumeration attacks
http://www.gnucitizen.org/projects/met


Company working for:-

NTA-Monitor


Email:-

pdp__at__gnucitizen_dot_org


Blog:-

gnucitizen.org


Web:-

gnucitizen.org


Companies worked for:-

Freelance


pdp has a vast knowledge of the different technologies and frameworks available on the Internet. If you are not already following his blog, then I would recommend doing so. He brings up some good points for the webappsec community.

Last Week – Saumil Shah
Next Week – Alex Stamos

Monday, June 04, 2007

Reflection on Saumil Shah


This week on reflection we have Saumil Shah from Net-Square Solutions. Saumil has been involved in the webappsec community for a long time and is a regular presenter at Blackhat. He focuses on researching vulnerabilities in various e-commerce and web based application systems, on the system architecture for Net-Square's tools and products, and on developing short term training programmes. He specializes in ethical hacking and security architecture. In his reflection, Saumil shares with us how he got involved in webappsec. In his own words:

“My original interest in security has always been Unix hacking and reverse engineering. In 1998, when I joined Ernst & Young as a penetration testing specialist, we used to have a field day with systems wide open on the Internet. NetBIOS and SunRPC made our day. Not to mention a slew of other services like open database ports, terminal ports, and more. By the end of 1999, the only ports we could find open on the Internet were 80 and 443. Not to be outdone, I ended up finding out ways to compromise systems, this time using HTTP and the application behind it.

Leaving apart the whole idiotic debate on hacking vs. cracking, I shall say that I truly started hacking at the age of 11. My first few "hacks" were to spot programming errors in home computer magazines, for the ZX Spectrum and the BBC Micro, fixing them while keying in long listings in BASIC, and enjoying the games until I had to unplug the power. The only storage medium was cassette tape back in 1984.”



Based out of Ahmedabad, India, Saumil is only 33 years old. He is a co-author of "Web Hacking: Attacks and Defense" (Addison Wesley, 2002) and the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996). He has served as a technical editor for "Hacking Exposed 2nd Ed", and has contributed to the "Know your Enemy - the Honeynet Project" book. Saumil has also presented at Blackhat, CNET eDevCon, hack.lu, EUSecWest, and many more. Below is a list of his contributions to the webappsec community.

Books:-

Web Hacking - Attacks and Defense
http://www.awprofessional.com/bookstore/product.asp?isbn=0201761769&rl=1

The Anti Virus Book
http://saumil.net/antivirus/contents.html


Articles:-

Saumil did a monthly column for two years on C-NET Builder.com, titled "Security Issues", along with Chris Prosise.
http://builder.cnet.com/

One Way Web Hacking
http://net-square.com/papers/one_way

An Introduction to HTTP fingerprinting
http://net-square.com/httprint/httprint_paper.html


Tools written by him:-

httprint - Advanced HTTP Fingerprinting
http://net-square.com/httprint/


Contributions:-

One of the very early members of The Honeynet Project in 2000.


Presentations:-

Web Hacking
http://www.blackhat.com/html/win-usa-01/win-usa-01-speakers.html

Adware/Spyware
http://www.blackhat.com/html/bh-japan-05/bh-jp-05-en-speakers.html

The Exploit Laboratory: Analyzing Vulnerabilities and Writing Exploits
(Black Hat Europe 2006 Briefings and Training, Black Hat USA Training 2006)
http://www.blackhat.com/html/bh-usa-06/train-bh-us-06-ss-el.html

Defeating Automated Web Assessment Tools
http://www.blackhat.com/html/bh-usa-04/bh-usa-04-speakers.html


HTTP Fingerprinting and Advanced Assessment Techniques – (BH Europe 2004, BH Asia 2003, BH Federal 2003, BH Windows 2004)
http://www.blackhat.com/html/bh-europe-04/bh-europe-04-speakers.html


HTTP: Advanced Assessment Techniques
http://www.blackhat.com/html/win-usa-03/win-usa-03-speakers.html#Saumil%20Udayan%20Shah


Top Ten Web Attacks
http://www.blackhat.com/html/bh-asia-02/bh-asia-02-speakers.html

One-Way SQL Hacking: Futility of Firewalls in Web Hacking
http://www.blackhat.com/html/bh-europe-01/bh-europe-01-speakers.html#Marc%20Witteman


Writing Metasploit Plugins - From Vulnerability to Exploit
http://conference.hackinthebox.org/hitbsecconf2006kl/?page_id=81


CNET eDevCon 2000: "Hacking Exposed: Ecommerce - Live!"


Company working for:-

Net-Square - Founder and CEO
http://net-square.com/


Companies worked for:-

Ernst & Young, Foundstone


Email:-

saumil__at__net-square_dot_com


Website:-
http://saumil.net/


Education:-

M.S. Computer Science, Purdue University, USA - graduated in 1998
B.E. Computer Engineering, Gujarat University, India - graduated in 1995


Saumil has also been doing pre-conference training at Blackhat for the past 6 years, and has also taught classes at CanSecWest and Hack in the Box. I am sure we will see a lot more contributions from him going forward.


Last Week – Stefano Di Paola

Next Week – pdp

Monday, May 28, 2007

Reflection on Stefano Di Paola



This week on reflection we have Stefano Di Paola, who caught everyone’s attention through his paper Subverting Ajax, which covered an Acrobat Reader plugin vulnerability and a JavaScript prototype exploit. Those of you who follow the WASC mailing list will remember that there was a lot of commotion there at the beginning of this year: tons of emails going back and forth about a vulnerability identified in the Acrobat Reader plugin that had the potential of affecting almost all websites hosting PDF files (Universal XSS).

Stefano has released several advisories, including ones that were patched but never publicly disclosed. He has also contributed to the OWASP Testing Guide and is also the Research & Development Director of the OWASP Italian Chapter. Today he shares with us how he started with web application security. In his own words:


“When I was 9 or 10 years old, I began to hack my 45 rpm portable record player in order to control the angular speed and play with my childhood songs in a funnier way. Then I realized I didn't know how to remount my opened player, so I asked my parents to buy me another one with the promise not to break it again. I kept that promise… or at least for a while. A couple of years later I decided to hack my tape recorder and I succeeded in mixing voice recording while playing music (my mother never knew I recorded my voice on her music tapes).

I started to practice with computer security when I bought a 486 in 1997; I was a student at the Computer Engineering Faculty at the University of Florence. The first thing I read about hacking was about reverse engineering and cracking shareware software protections. It was quite fun, but when I managed to install my first Linux 2.0 on my PC, the approach and the vision were going to change inside me. I had already worked on Sun Solaris and AIX at the University, but Linux was my first Unix love. The research and study of Linux configuration tutorials brought me to Phrack and "Smashing the Stack for Fun and Profit" by Aleph1. The first time I applied all the theory I had learned was when I urgently needed root privileges on an SGI Workstation at the university while I was finishing my master's degree thesis. As the sysadmin was sick I decided to get root by myself and accomplish my tasks. After a couple of days I warned the sysadmin about my privilege escalation and I told him how to fix the issue.

It was in 1999 that I first stumbled upon http://www.fravia.org/ and I was amazed by the quantity of information about hacking old-style CGI web pages and search engines. Since a large number of web servers were on *nix OS flavors at that time, my background on Linux, Sun Solaris and AIX helped me a lot. I realized it was quite easy for me to find flaws in CGI scripts (most of all system execution vulnerabilities). As a consequence of my hacking research activity, I began to think about web application firewalls, but since those were the early days of web application security and no information on WAFs was available on the net, I gave up. It was in 2004 that I decided to work as a web application security consultant and released my first public advisory.

I've been working as a freelancer in Italy from 2000 to early 2007; then I founded Minded Security (an Application Security Company with the mission to build a Center of Excellence on Web Application Security in order to give high quality services).”



Based out of Florence, Italy, Stefano is 35 years old and works as a freelance ICT security consultant and software architect for several companies and public institutions in Italy. Below is a list of his contributions to the webappsec community.



Articles:-

Universal Cross Site Scripting (Internet Magazine - Italy)
http://www.edmaster.it/?job=arretrati&id=3&op=sommario&num=113

The Owasp Testing Guide (Hakin9)
http://hakin9.org/

Several sections in the Owasp Testing Guide v 2.0

XML Injection
http://www.owasp.org/index.php/Testing_for_XML_Injection

Xpath Injection
http://www.owasp.org/index.php/Testing_for_XPath_Injection

LDAP Injection
http://www.owasp.org/index.php/Testing_for_LDAP_Injection

Mysql Injection
http://www.owasp.org/index.php/Testing_for_MySQL

Ajax Testing
http://www.owasp.org/index.php/Testing_for_AJAX


Memberships:-

Research & Development Director of Owasp Italian Chapter.


Tools written by him:-

PassBroker - a PHP extension which dispatches secrets that are often embedded in the clear inside PHP web pages (i.e. SQL username and password).
http://www.wisec.it/projects.php?id=2

HMAUTH - HTML form authentication using HMAC
http://www.wisec.it/projects.php?id=1

Anti Tamper Module for Apache 2.0 - a tool which parses every outbound HTML page and adds a signature to every static link and to cookies, in order to prevent malicious users from tampering with GET parameters and cookies.
http://www.wisec.it/projects.php?id=3

Rul-o-matic - a web agent for whitelist mod_security rule generation.
http://www.wisec.it/sectou.php?id=438064b3e5ea4
http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz


Company working for :-

Co-founder of Minded Security ( http://www.mindedsecurity.com/ ).


Email:-

stefano.dipaola_at_mindedsecurity_dot_com
stefano.dipaola_at_wisec_dot_it


Blog:-

http://www.wisec.it/


Website:-

http://www.wisec.it/
http://www.mindedsecurity.com/


Conferences:-

Web Security By Example - SMAU (Italy)
http://www.webb.it/event/eventview/4476/

Subverting Ajax - 23rd CCC (Germany)
http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf

Ajax Security - Infosecurity (Italy)
http://www.sikurezza.org/wiki/Risorse/I07FedonDiPaola

Testing Flash Applications - 6th Owasp AppSec Conference (Italy)
http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt


Lectures (University of Florence):-

Secure Software Development Life Cycle (2007) - PhD Course, Faculty of Software Eng.

Web Developing Security (2005/2006) - 'Databases' course, Faculty of Software Eng.


Advisories:-

Php RFC1867 Arbitrary File Upload (10/2004)
http://www.wisec.it/vulns.php

Php shmop safemode bypass and write to arbitrary locations (10/2004)
http://www.wisec.it/vulns.php

MySQL Server CREATE FUNCTION libc arbitrary code execution (03/2005)
http://www.wisec.it/vulns.php

MySQL Server CREATE FUNCTION mysql.func table arbitrary library injection (03/2005)
http://www.wisec.it/vulns.php

MySQL Server insecure temporary File Creation (03/2005)
http://www.wisec.it/vulns.php

MySQL Server COM_TABLE_DUMP Information Leakage and Arbitrary command execution.(04/2006)
http://www.wisec.it/vulns.php?page=8

MySQL Server Anonymous Login Handshake Information Leakage. (04/2006)
http://www.wisec.it/vulns.php?page=7

Acrobat Reader Plugin Multiple Vulnerabilities (01/2007)
http://www.wisec.it/vulns.php?page=9

Php import_req_var globals overwrite Advisory (03/2007)
http://www.wisec.it/vulns.php?id=10

IE and Firefox Digest Authentication Request Splitting (04/2007)
http://www.wisec.it/vulns.php?id=11


Education:-

Master's in Software Engineering (University of Florence)
Certified Lead Auditor ISO 27001.


Stefano recently released a paper on Flash vulnerabilities at the OWASP Europe conference and is also working on some new and interesting research ideas. Everyone in the webappsec community should definitely keep an eye on him.


Last Week – Ryan Barnett
Next Week – Saumil Shah

Monday, May 21, 2007

Reflection on Ryan Barnett



This week on reflection we have Ryan Barnett from Breach Security. Ryan is a well-respected figure in web application security and is well known for his book “Preventing Web Attacks with Apache”. He is a faculty member of the SANS Institute and a WASC officer. He is also the Project Lead for the Center for Internet Security Apache Benchmark Project. Ryan has a passion for web application security and has made several contributions to the community. Today he shares with us how he got into the webappsec field and his journey so far. In his own words:


“I first realized that I had the hacker’s mindset back in 1999. It was at this time that I got my first real IT consulting gig, which was testing a Federal Government’s software for Y2K compatibility. What I found was that I had a knack for identifying input validation issues beyond just whether or not the application would implode if the date field went to 00. After Y2K came and went, the company that I worked for appreciated my Y2K efforts so much that they offered me another position as a Unix Administrator with the same client. I knew a little bit of Unix but not too much about its security. That is when I went to Borders and stumbled upon the two books that would change my career path: Practical Unix and Internet Security and The Cuckoo’s Egg. After gobbling up those books, I was hooked. I wanted to be in security. My first step on this path was when I joined my client’s Computer Security Incident Response Capability (CSIRC) Team. Around this time was also when the SANS Institute was starting to really take off. I took the Hacker Techniques and Incident Response course and obtained the GCIH certification. After successfully helping the client respond to a number of incidents, we then ran into a misconfigured web server allowing anonymous FTP, and it quickly turned into a Warez depot. This proved to be a pivotal incident as I was able to work with the client’s Web Server Admins both to track down and fix the problems and to set up new monitoring systems (Snort) to identify future issues. It was after this incident that I was offered the position of Web Security and IDS Admin. Basically, they wanted me to be in charge of security within the DMZ segments.

My first real taste of web security came as I was monitoring Snort sensors in DMZ segments and I was constantly weeding out false positives with the web attack signatures. In December of 2001, I was presenting at the SANS Cyber Defense Initiative Conference in Washington D.C. At this conference, they set up a hacker network called ID-Net and I wanted to test the TCP session-resetting capabilities of Snort vs. web attacks. My goal was to try and create a whitelist of allowed URLs and then have Snort pass on these requests. If a requested URL was not listed in the whitelist, Snort would use its Flexible Response capabilities with Libpcap to craft TCP reset packets and try to kill the connections. So, how did Snort perform while under attack on the ID-Net? It did reasonably well; however, the session sniping was not able to effectively terminate all requests that were not in the whitelist file. This was due to a few variables, such as the low network latency and the placement of Snort. One of the main limitations was the actual flexible response code itself. Snort creator Marty Roesch was actually at the SANS CDI conference/ID-Net and I showed him my idea. He liked the concept, but confessed that the Snort session sniping capabilities were probably not fast enough to terminate a malicious HTTP request before it got to the web server. We ran some tests to prove his theory and he was correct. Snort was not able to stop the inbound requests. It did, however, perform rather well on the outbound data returned after the web server processed the request. This test did get Marty's wheels turning as he spent a good deal of time while on the ID-Net re-coding the flexible response portion of Snort.

After my adventures with attempting to use Snort for HTTP protection, I realized that in order to provide the best identification and protection, I needed to either be inline (reverse proxy) or on the web server itself. I then set out to learn all that I could about Apache security. The research led me to create a hardening checklist for Apache that included many tweaks to the configurations and attempted to leverage Mod_Rewrite for URL filtering and CGI scripts for alerting on malicious traffic. These new configurations proved their worth the next time the Government auditors came around and attempted their pen-tests. My client was ecstatic that we were able to quickly identify the auditor’s traffic, implement blocking rules and notify them through the proper incident response channels within 5 minutes. After successfully passing that audit, I was flattered to learn that my client’s CSO had provided my hardening information to the other Department Bureaus. Not long afterwards, I was asked to give a number of presentations on Web Security to the Department and also to participate in other Government Security Technical Conferences. A short time later, I met the fine folks at the Center for Internet Security and accepted their offer to lead the Apache Benchmark Project. Over the next few years, I worked my normal job and I also freelanced with the SANS Institute, where I both developed and taught classes on Web Security.

It was around 2003 when I had another career-altering encounter, even if I didn’t know it at the time, when I was doing research for new Apache Intrusion Detection information and I found an application called ModSecurity. At this time it was in its early stages; however, it included many of the advancements and features that I had been left wanting after trying to squeeze every possible ounce of configuration voodoo that I could out of other modules. I immediately started testing it and a kinship with Ivan Ristic quickly developed. I would test ModSecurity and would find bugs and/or request features, and Ivan would crank it out almost immediately. As ModSecurity progressed, so did our working friendship, as we both wrote separate books on Apache Security and helped each other with reviews and answering questions. We had discussed the possibilities of working together in some capacity but it never worked out. That is, until Breach Security acquired Ivan’s company Thinking Stone in late 2006. And that is how I came to work for Breach as the Director of Application Security Training and ModSecurity Community Manager.


Based out of Falls Church, Virginia, Ryan is only 34 years old. Below is a list of his contributions to the webappsec community.


Books:-

Preventing Web Attacks with Apache (Addison-Wesley)
http://www.awprofessional.com/bookstore/product.asp?isbn=0321321286&rl=1

Sample Chapter/Article: Mitigating the WASC Threat Classification with Apache
http://www.awprofessional.com/articles/article.asp?p=442984&rl=1


Articles:-

Quoted In:

May 15, 2007 – InfoWorld (ZeroDay) – “WASC Details Honeypot Project”
http://weblog.infoworld.com/zeroday/archives/2007/05/wasc_details_ho.html

May 4, 2005 – SANS NewsBytes – “Web Server Attacks and Web Site Defacements Up Thirty-Six Percent”
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=18#sID314

January 16, 2004 – ComputerWorld – “Opinion: Sticky Security”
http://www.computerworld.com/networkingtopics/networking/story/0,10801,89107,00.html


Contributions:-

ModSecurity Community Manager
http://www.modsecurity.org/

WASC Distributed Open Proxy Honeypot - Project Leader
http://www.webappsec.org/projects/honeypots/

WASC Threat Classification: Contributing Author
http://www.webappsec.org/projects/threat/contributors.shtml

WASC Web Application Firewall Evaluation Criteria: Contributor
http://www.webappsec.org/projects/wafec/

The Center for Internet Security’s Apache Benchmark Document and Scoring Tool
http://www.cisecurity.org/bench_apache.html

The SANS Institute’s Top 20 Vulnerabilities Team
http://www.sans.org/top20/2002/

Sponsored the Honeynet Project’s Scan of the Month Challenge #31
http://www.honeynet.org/scans/scan31/

SecureWorld Conferences - http://www.secureworldexpo.com/

Panel: Facing Off With the Digital Dozen - Technology Challenges Of PCI DSS 1.1

Panel: The Tangled Web: Web Security 2007


Webinars:-

Webcasts: http://www.breach.com/webinars.asp
(ModSecurity Cool Rules, Web Security Threat Report)


Lectures:-

Web Application Security Workshop (Developer/Instructor)

Building a Web Application Firewall Workshop (Developer/Instructor)

Web Intrusion Detection and Prevention with Apache (Developer/Instructor)

Securing and Auditing Apache (Developer/Instructor)

Secure Internet Presence – LAMP (Developer)


Presentations:-

Web Server Fingerprinting

Preventing Website Defacements

Catching Intruders with Snare

ModSecurity: Web Intrusion Detection and Prevention


Memberships:-

WASC Officer
http://www.webappsec.org/officers.shtml

SANS Institute: Courseware Developer, Instructor and Local Mentor
http://www.sans.org/training/instructors.php#Barnett

The Center for Internet Security: Apache Benchmark Project Leader
http://www.cisecurity.org/honor_roll.html

Member of the Counterpane Intelligence Committee
http://www.counterpane.com/alert-cis-ra-0058.html


Blog:-

http://www.modsecurity.org/blog/


Website:-

http://www.breach.com/
http://www.modsecurity.org/


Companies worked for:-

Universal Systems and Technology (Unitech), RS Information Systems, EDS, Breach Security


Company working for:-

Breach Security: http://www.breach.com/
Position Title: Director of Application Security Training


Email:-

Commercial: Ryan_dot_Barnett__@__breach_dot_com
Personal : RCBarnett__@__gmail_dot_com


Ryan has vast knowledge of web application defense strategies and is also involved in the ModSecurity Cool Rules project. He has started blogging recently and I am sure we will start to see a lot of his original thoughts being shared with the community through his blog.


Last Week – Caleb Sima
Next Week – Stefano Di Paola

Tuesday, May 15, 2007

Reflection on Caleb Sima




This week on reflection we have Caleb Sima from SPI Dynamics. He is the co-founder and CTO of SPI Dynamics. He has been involved with Internet security since its very early days and is widely respected in the industry. He is often quoted in various magazines and is called upon for his expert opinions. Caleb’s story tells us we can be what we want to be if only we put our minds to it and channel our efforts in the right direction. Caleb is exceptionally talented and, at a very young age, has achieved so much because of his determination, hard work and dedication.

I guess some other reporter had also done a bit on him before, which Caleb shared with me along with some other details. His is a very interesting read on how he got into web application security and his journey so far. In his own words:


“It started off when I was a kid. I was in trouble a lot in school and with my parents, so restriction was a way of life for me. One day, when I was around 8 or 9 years old, my dad bought a PC and said that I could play on it when I was on restriction, but no games. So I started messing around w/ computers, which started my obsession. Soon afterwards I read something on a friend’s computer about how to make free payphone calls. At this point I became hooked on IT security. I wanted to bypass any security, figure out how to hack into anything electrical, from phones to bypassing screensavers. This kicked into my rebellious phase where I got kicked out of multiple schools. It got so bad that my step-dad told me that he would not allow me to touch or read anything about computers. This really sucked as I knew that I wanted to do something with computers when I grew up, so I eventually quit school and ran away from home around the age of 16. I ended up living with one of my best friends and his dad in Jasper, Georgia, where the only thing to do was to get in trouble and read books. At the same time though, I knew what I wanted to do very early on in life and to me nothing else mattered. So I went and pursued my career in computers and security.

I got to a point where I knew I could get a job with computers somewhere, so I started applying. I ended up landing a job on Delk Road in a hole-in-the-wall computer repair shop where I was the technician. I was the little Asian kid that fixed your computer when it had problems :). After being there around six months, I went to visit my Mom at her work one day. She introduced me to the network administrator of their company. We hit it off and he offered me a job as a network administrative assistant. Then one day he got fired and a new guy came in to take his place. I became real good friends with the new guy - slept on his couch multiple times. Then one day HR calls me in and fires me, claiming that my new boss said I did not do my job. Welcome to my 1st corporate backstabbing. I was furious; I went and posted my resume on the Internet and went to the mall. While I was there I received a page (this was when pagers were the “in” thing) from a recruiter telling me they had a job for me doing network security for a bank. The most perfect job, and not even hours after I posted! I called the recruiter and landed my first real security job interview at a company called S1. On the morning of my interview I had one suit to my name, which I wore. It was raining when I left to go to the interview and as I was driving my car (a Chevy Nova of all things – definite piece of junk) I hydroplaned and went into a ditch. So I walked back in the rain three miles to the house, obviously now running late. I woke my friend up and he lent me his suit, which was three times too big for me, and I drove his car to the interview, which was 2.5 hours away.

With all this bad luck, I questioned how the rest of the day would go. Lucky me, my nightmare continued. I walked into this interview and the guy who interviewed me was literally the grouchiest-looking old man I had ever seen. He came into the room and shot a round of questions at me like a machine gun, all of which I handled with ease. Then, he just got up and left the room without a word. No smiling, nothing. I just sat in this room not knowing what to do. It was terrible. All I could think was: did I just completely do the wrong thing? Should I leave? After about 10 minutes he comes back in and miraculously offers me a job. I then became the security analyst for the world’s first online bank. It was a fantastic job; I was able to help implement security for almost all the online banks and my job was to lock down the data center that had most of the major bank transactions going through it. I ended up learning a great deal about security and it was my first intro into web security. That grouchy old man eventually became a great friend. I still make fun of him today for that interview.

At this stage I was around 17 or 18. I stayed at S1 for a while learning everything about online banking I could. Then one day I was evaluating some new software that claimed it would help protect our network. The software was from a company called Internet Security Systems (ISS). Being the security deviant I was from my years as a kid fascinated with breaking into things, I found huge holes in the software and was able to break the software in various different ways. I notified ISS about these problems and worked with them through various other issues. They liked what I did so much they offered to have me come down and interview with them for a job. This was a time when Internet security was unheard of. I was completely intrigued at the concept of a company solely dedicated to Internet security. I had two full day interviews with the company and they hired me. This was when the company was very small. I joined and became part of their research and development team. ISS became my family of sorts as I basically grew up with them all through the dotcom bubble. I was finally able to experience a company that really appreciated what I contributed and had a lot of fun doing what I did for them because it was something I was really interested in and knew I did well. I also learned a lot about business, which would come to help me in my future endeavors.

Around 2000, when I was about 20, I decided to leave ISS. I noticed that there was a huge opportunity in the market for a different kind of security product that no one out there was focused on, but the need was significant. So I left and started doing my own consulting. At the time I was doing a lot of pentests and was breaking in 100% of the time via the web application. All current security products were useless in protecting against or finding these flaws. Since most of my work was automated via Perl scripts, I started to see a way to turn it into a product. The real key moment though was when I was contracting with a large telecom company and the head of security told me that if I could automate what I do he would buy it, no questions asked. Thus WebInspect was born.

During this time I ran into an old friend from S1. I told him about my idea about a new type of security product. We both decided to hook up and form the company together, so we set-up shop in his house and my apartment. At the same time, I told another friend at S1 who was a very talented security professional about the idea and he wanted to help. So thus SPI Dynamics was created. During the past five years we have gone from an apartment and house to the top floor of a building in the Perimeter area with decks and 180 views of Atlanta, over 100+ employees and our revenue doubling every quarter. Guess I was right – there was a need for this new type of security.

My spare time is usually quite limited, but when I do have some there are a couple of things I like to do. My hobby is motorcycles. I ride a 2005 black Yamaha R6 and I ride often. I will usually go up to Vortex in Little Five in Atlanta on Thursday nights and hang out and talk with other riders, and on Sundays we usually get a group to go up to Sucches in the North Georgia mountains and hit the curves. I also play poker quite often and hold scratch games at my place every week.”


Based out of Atlanta, GA, Caleb is only 27 years old. He is a member of ISSA and is one of the founding visionaries of the Application Vulnerability Description Language (AVDL) standard within OASIS, as well as a founding member of the Web Application Security Consortium (WASC). Below are some of his contributions to the community


Books:-

Hacking Exposed – Web Applications 2
http://www.webhackingexposed.com/

Sample Chapters:

Attacking Web authorization: Web authorization-Session token security
http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1210022,00.html

Input Validation Attacks -- Chapter 6, Hacking Exposed Web Applications, Second Edition
http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1204666,00.html


Articles:-

June 27, 2006 - SearchAppSecurity.com - "Web application security testing reaches new level"
http://searchsoftwarequality.techtarget.com/originalContent/0,289142,sid92_gci1196342,00.html

March 1, 2006 - SearchAppSecurity.com - "Threat modeling key to pro-active security"
http://searchsoftwarequality.techtarget.com/originalContent/0,289142,sid92_gci1169779,00.html

November 20, 2006 and December 11, 2006 - SearchAppSecurity.com Webcast - "Three Application Threats You Can't Afford to Ignore"

November 2006 - SearchAppSecurity.com - "Ask The App Security Expert: Questions & Answers - How to safely deploy Ajax"
http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1196901,00.html

January 25, 2007 - SearchAppSecurity.com - "Ask The App Security Expert: Questions & Answers - Authentication - From passwords to passphrases"
http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1240747,00.html

Is your site vulnerable to SQL injection attacks?
http://searchsqlserver.techtarget.com/tip/1,289483,sid87_gci1157666,00.html

How do government regulations address application security?
http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1163408,00.html

The best way to secure a Web site
http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1176981,00.html

Ajax's effect on Web services security
http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1163402,00.html

Data breach legislation could affect Web site development
http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1186073,00.html

SQL injection: Secure your Web applications
http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1211973,00.html

Denial of service and Ajax
http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1236230,00.html

Automated SQL injection: What your enterprise needs to know - Part 1
http://searchsoftwarequality.techtarget.com/originalContent/0,289142,sid92_gci1157989,00.html

Automated SQL injection: What your enterprise needs to know - Part 2
http://searchsoftwarequality.techtarget.com/generic/0,295582,sid92_gci1227121,00.html

October 19, 2006 - SearchAppSecurity.com - "One simple rule to make your Web apps more secure"
http://searchsoftwarequality.techtarget.com/qna/0,289202,sid92_gci1225425,00.html

October 31, 2006 - SearchAppSecurity.com - "Injection attacks -- Knowledge and prevention"
http://searchsoftwarequality.techtarget.com/generic/0,295582,sid92_gci1227121,00.html

November 30, 2006 - SearchAppSecurity.com Podcast - "Ajax security: A dynamic approach"
http://media.techtarget.com/audioCast/APP_DEVELOPMENT/AppSec_AjaxSecurity_Caleb_2006-11-15.mp3

December 2004 - Security Post - "Are Your Web Applications Secure?"

March 3, 2005 - VNUNET.com - "Bugwatch: Security through the development cycle"
http://www.vnunet.com/vnunet/news/2126891/bugwatch-security-development-cycle

May 15, 2006 - Government Security News (GSN) - "Web Applications: The Hacker's Ultimate Goldmine"
http://www.gsnmagazine.com/may_06_02/guest_columnist.html

July 28, 2006 - ITToolbox.com - "The Software Development Life Cycle: When to Secure Your Process"
http://research.ittoolbox.com/


Presentations:-

Microsoft TechEd 2006
Microsoft TechEd 2007
http://www.microsoft.com/events/teched2007/default.mspx

Software Security Summit 2007
http://www.s-3con.com/monday.htm

Software Security Summit 2006
Software Security Summit East 2006
http://www.s-3con.com/

RSA 2006
RSA 2007
RSA Europe 2006
http://www.rsaconference.com/

Secure Software Forum 2005
Secure Software Forum 2006
http://www.securesoftwareforum.com/SSF2006/panel_participant.html

Secure Software Forum 2007
http://www.securesoftwareforum.com/SSF2007/panel_participant.html

Blue Hat 2006
http://www.microsoft.com/technet/security/bluehat/sessions/default.mspx

Atlanta Code Camp 2006
http://www.atlantacodecamp.com/

Black Hat USA 2005
Black Hat USA 2006
http://www.blackhat.com/

HP World 2005
HP Technology Forum 2005
HP Technology Forum 2006
http://www.hptechnologyforum.com/about/specialEvents.html

ISSA Georgia 2006
ISSA Austin 2006
ISSA Metro Atlanta Chapter Conference 2006
Charlotte Metro ISSA 2006 Security Summit
http://www.issa.org/

Interz0ne 2005
http://www.interzonewest.com/

(ISC)2 D.C. 2005
(ISC)2 Las Vegas 2005
https://www.isc2.org/cgi-bin/content.cgi?category=86

CarolinaCon 2005
http://www.carolinacon.org/

Techno-Security 2005
http://www.technosecurity.com/html/Techno2005.html

2006 Texas Regional Infrastructure Security Conference
University of South Carolina International Event 2007
Regular guest speaker at Georgia Institute of Technology

DHS Software Assurance Forum
https://buildsecurityin.us-cert.gov/daisy/bsi/events/660.html

InfoSec World
http://www.misti.com/default.asp?Page=65&Return=70&ProductID=5539&LS=infosecworld2007


Quoted in:-

September 4, 2004 - The New York Times - "Citing Threats, Entrepreneur Wants to Quit Caller ID Venture"
http://www.nytimes.com/2004/09/04/technology/04caller.html?ex=1252123200&en=68bab740982a4cb1&ei=5088

January 2005 - SC Magazine - "Is your website an easy target?"
http://www.securecomputing.net.au/print.aspx?CIID=62767

January 15, 2005 - SD Times - "Application Security: Mindset Is What Matters"
http://www.sdtimes.com/article/special-20050115-01.html

February 22, 2005 - DevX - "Security Training Falling Through the Education Cracks"
http://www.devx.com/security/Article/27323

February 28, 2005 - Wired - "Known Hole Aided T-Mobile Breach"
http://www.wired.com/politics/security/news/2005/02/66735

April 11, 2005 - Atlanta Business Chronicle - "Blogging the new word-of-mouth for businesses"
http://www.bizjournals.com/atlanta/stories/2005/04/11/smallb2.html

April 18, 2005 - Network World - "Is your cell phone at risk?"
http://www.networkworld.com/research/2005/041805-mobile-virus.html?page=2

April 2005 - CNN - "Top 25 Technology Breakthroughs"
http://transcripts.cnn.com/TRANSCRIPTS/0504/17/cp.01.html

August 1, 2005 - SD Times - "Are Your Web Services Vulnerable?"
http://www.sdtimes.com/article/story-20050801-03.html

August 8, 2005 - Government Computer News (GCN) - "Agencies making little progress against cybervandalism"

January 17, 2006 - eWeek - "SPI Tool Measures Web App Security Risk"
http://www.eweek.com/article2/0,1895,1911830,00.asp

February 15, 2006 - Network World - "Secure software is up to businesses"
http://www.networkworld.com/news/2006/021506-secure-software.html

May 10, 2006 - CNET (and ZDNET) - "Hijacking MySpace for fame and fortune"
http://news.com.com/2100-1038_3-6070533.html

June 6, 2006 - InformationWeek - "Caution, Developers: SOA And Ajax Open To Attack"
http://www.informationweek.com/story/showArticle.jhtml?articleID=188702205

June 12, 2006 - Federal Computer Week (FCW) - "Preventive measures"
http://www.fcw.com/article94828-06-12-06-Print

June 9-15, 2006 - Atlanta Business Chronicle - "'SQL injection' attacks on the rise in Atlanta"

June 19, 2006 - InformationWeek - "Yahoo Mail Worm May Be First Of Many As Ajax Proliferates"
http://www.informationweek.com/showArticle.jhtml?articleID=189500060

July 15, 2006 - SD Times - "In War for App Security, New Intelligence on Way"

July 30, 2006 - eWeek - "Vista, Rootkits Headline Hacker Confab"

July 31, 2006 - InternetNews.com - "SQL Injection Threatens to Needle Web Users"
http://www.internetnews.com/security/article.php/3623421

August 3, 2006 - Computerworld - "Black Hat: Blog readers vulnerable to embedded malware"
http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=viruses__worms_and_security_holes&articleId=9002180&taxonomyId=85

August 15, 2006 - SD Times - "Slipping In The Side Door With App Security Message"
http://www.sdtimes.com/article/special-20060815-01.html

August 23, 2006 - CRN - "Keeping Up With The Hackers"

October 23, 2006 - CRN - "Is Oracle Downplaying Security Vulnerabilities?"
http://www.crn.com.au/story.aspx?CIID=67019&src=site-marq

November 27, 2006 - eWeek - "Acunetix Offers New Security Audit Service"
http://www.eweek.com/article2/0,1895,2064320,00.asp

Security overhaul key to Microsoft's software success
http://searchsoftwarequality.techtarget.com/originalContent/0,289142,sid92_gci1193337,00.html

January 12, 2007 - Joe On .NET, Microsoft's Opinionated Misfit Geek - "Upcoming AJAX Security Webcasts"
http://joeon.net/archive/2007/01/12/Upcoming-AJAX-Security-Webcasts.aspx

February 5, 2007 - AccountingWEB.com - "Experts Predict Bad Year Ahead for Cyber-crime, Cyber-terrorism"
http://www.accountingweb.com/cgi-bin/item.cgi?id=103119

February 8, 2007 - VNUNET.com, HackInTheBox.com - "Online apps facing barrage of attacks"
http://www.pcauthority.com.au/news.aspx?CIaNID=45612

February 8, 2007 - Computerworld - "RSA - Hackers find a wealth of victims on corporate sites"
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9010844&intsrc=article_more_bot


Personal Awards:-

Info Security Products Guide Shaping Info Security 2006 award
http://www.infosecurityproductsguide.com/people/CalebSima.html

Atlanta American Electronics Association (AeA) - Spirit of Endeavor Award for Technology Entrepreneur
http://www.spidynamics.com/news/pr/2004/pr51804.html

Microsoft MVP Award - Developer Security - 2007


Memberships:-

WASC Board Member
http://www.webappsec.org/officers.shtml


Tools written by him:-

Webinspect versions 1-6
SQL Injector
HTTP Editor
Regex Tester
SPI Proxy
SOAP Editor
Web Discovery
Web Brute
Encoders/Decoders


Email:-

Csima__at__spidynamics_dot_com


Website:-

http://www.spidynamics.com/


Contributions:-

WASC Threat Classification
http://www.webappsec.org/projects/threat/


Companies worked for:-

S1, Equant, ISS, SPI Dynamics


Company working for:-

SPI Dynamics
http://www.spidynamics.com/


Caleb is a very active contributor to the community and is also on the Expert Panel of SearchSoftwareQuality.com (formerly SearchAppSecurity.com). He is a man with ideas and vision and I am sure we will see a lot of cool things coming out of his brain.


Last Week – Bill Pennington
Next Week – Ryan Barnett