Friday, March 30, 2007

Reflection on Jeff Williams


This week's Reflection needs no introduction. Jeff Williams is one of the major contributors in the webappsec community. He has written many whitepapers, spoken at many conferences including the Secure Software Summit, OWASP conferences, the ISSA InfoSec Conference, the NSA High Confidence Software and Systems Conference (HCSS), JavaOne, the National Computer Security Conference (NCSC), etc., written many tools available at OWASP, and also chairs the OWASP Foundation. Jeff Williams has done a lot of work in promoting awareness of web application security.

In his Reflection, Jeff shares with us how he got into web application security, his journey with OWASP, and a little bit about his personal life and interests. In his own words

“I set out to be a user interface guy, but I got into security accidentally. I was working at TRW in 1992 on the user interface for a big Navy system that just happened to be highly secure – targeting B2 in the Orange Book. I took on an R&D project to port the user interface to the new compartmented mode workstation (what became Trusted Solaris) and I found that I really liked the challenge of securing such a complex system.

Then Java 1.0 came along and I got NIST and NRL funding to do security research. At the time, we thought the Java sandbox was a good idea, but that there were attacks that might bypass it. So I wrote a special classloader that modified the bytecode to wrap security relevant method calls with a reference monitor. After that I spent several years developing a Java-based multilevel secure network guard on Trusted Solaris. That guard handled HTTP, FTP, TDS, and a number of other protocols – sort of a very early application firewall. But unlike the modern WAFs, we took a whitelist approach where you would define exactly the data formats and rules for allowing messages.

In the mid-90’s, I chaired the group that authored the SSE-CMM, which is now ISO 21827. As it turns out, the processes involved in systems security engineering are quite similar to those necessary for secure software development. I’m very glad to see that the idea of assurance arguments from my work is starting to be used in the application security world.

Then in 1998, while I was the technical director of the Global Security Practice at Exodus Communications, a Fortune 10 company approached us and said “We’d like to host our applications with you, but we have this rule – every line of code has to be reviewed before it goes on the Internet.” So I started an application security practice and started providing application assessments, developer training, and help with security requirements and architecture. We built a successful practice securing some of the biggest and most complex web applications in the world.

In April 2002, together with Dave Wichers, Noelle Hardy, and some other great folks, I started Aspect Security to focus exclusively on application security. I just feel so fortunate to get to work with such an amazing group of consultants and customers. I’m having the most fun of my professional career.

I first heard of OWASP in 2001 from Chuck Pfleeger (the author of Security in Computing). The idea of a free and open community for application security was an interesting idea. At the time, getting companies to focus on application security was difficult. In meetings with several government agencies, they acknowledged that it was an issue, but that they were managing to the SANS Top 20. I came home and literally in the shower said to myself, “I wish we had an application security top ten…” So a small team of us at Aspect took the lead in drafting the first OWASP Top Ten.

Later, Aspect donated WebGoat, a hands-on training environment for application security issues that we had developed for our courses. A huge number of organizations, including Google, use WebGoat today to teach their developers about application security. We started to see that participation in OWASP allowed Aspect to demonstrate our skills in a very constructive way, and many of our customers have contacted us after seeing our participation in OWASP.

I was honored to take over the leadership of OWASP in 2003. At that time, we had a number of great contributors, but OWASP itself was just a domain name and a few small projects. So I got us set up as a 501c3 nonprofit organization and put a management structure in place. I want the OWASP Foundation to provide a free, open, supportive community infrastructure for application security projects. We’re making the barriers to entry for contribution so low that security experts will be motivated to make the effort and share their expertise.

One of the key challenges has been to ensure that OWASP is not influenced by commercial interests. When I set up the AppSec conference and local chapter rules, I made sure that vendors cannot use OWASP to market their products. We’re also starting to ferret out abuse of the OWASP brand by companies that claim their products “address the OWASP Top Ten” or enable “OWASP Compliance.” The local chapters have been growing very quickly and starting to contribute back to the mothership. Our conferences have also been a great experience.

I think the switch to the MediaWiki platform in 2006 was a major step for OWASP. Prior to that, contributing content was a difficult and painful process. Now, anyone can create an account and contribute easily. We have a team set up to review all the contributions and the number of abuses in our first year has been astoundingly low (less than 10 incidents). We’re to the point now where we get dozens of articles and contributions every day. I don’t see how a non-open approach to building an application security body of knowledge can possibly keep up with our productivity.

We’re still a long way from the point where a company can go to OWASP for everything they need in order to build, acquire, and operate secure applications… but we’ve got an incredible process and we’re working very hard to get there.

I have a wonderful wife Jennifer and three kids, Chance (9), Zack (7), and Zoe (1). We live in the woods and spend a lot of time outside with our four Labrador retrievers. I’m very much into sports – I rowed on the crew team at U.Va. and still play basketball three times a week. For a while I was into extreme rollerblading and then I got into mountain bike trials – I broke a lot of equipment, but never had any serious injuries :)”

Based out of Ashton, MD, Jeff is 39 years old and is the CEO of Aspect Security. Below are his contributions to the webappsec community.

Articles / Presentations:-

Opening the Black Box: A Source Code Security Analysis Case Study
http://www.aspectsecurity.com/documents/Aspect_Opening_Black_Box.doc

Application Security Initiatives - The Best Defense Is a Good Offense
http://www.aspectsecurity.com/documents/Application_Security_Initiatives.htm

Let's Sue the Idiots -- Security, Software, Contracts, and Lawyers -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/article/sscl.htm

How to Build an HTTP Request Validation Engine for Your J2EE Application -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/article/bld_HTTP_req_val_engine.htm

Access Control (aka Authorization) in Your J2EE Application -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/article/access_control.htm

Trustworthy Java - Are your apps bulletproof? -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/article/trust_java.htm

The Ten Most Critical Web Application Security Vulnerabilities -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/owasp.htm

Security Code Review - the Best Way to Eliminate Vulnerabilities in Software -
White paper, Aspect Security
http://www.aspectsecurity.com/documents/AspectCodeReviewWhitePaper.pdf

Can a 'Social Protocol' Help Protect Privacy?
http://www.aspectsecurity.com/documents/p3p.pdf

Jini and Mobile Agent Security -
Proceedings of the Workshop on Agent Technologies (AT ‘98)
http://www.aspectsecurity.com/documents/jini.pdf

A Practical Approach to Improving and Communicating Assurance -
Proceedings of the 10th Canadian Information Technology Security Symposium (CITSS)
http://www.aspectsecurity.com/documents/Arguing.pdf

A Practical Approach to Measuring Assurance -
Proceedings of the 1998 Security Applications Conference (ACSAC)
http://www.aspectsecurity.com/documents/Measuring.pdf

System Security Engineering Capability Maturity Model (SSE-CMM) version 2.0 -
Released at the 21st Annual National Information System Security Conference (NISSC)
http://www.aspectsecurity.com/documents/SSECMMv2Final.pdf

Just Sick about Security -
Proceedings of the New Security Paradigms Workshop
http://www.aspectsecurity.com/documents/Sick.pdf

An Enterprise Assurance Framework -
Proceedings of the 5th Workshop on Enabling Technologies
http://www.aspectsecurity.com/documents/WetIce.pdf

Pretty Good Assurance -
Proceedings of the New Security Paradigms Workshop
http://www.aspectsecurity.com/documents/Pretty.pdf

Need for a Framework for Reasoning about Assurance -
Proceedings of the International Workshop on IT Assurance and Trustworthiness (WITAT)
http://www.aspectsecurity.com/documents/Need.pdf

Assurance is an N-Space (Where N is Hopefully Small) -
Proceedings of the International Invitational Workshop on Developmental Assurance
http://www.aspectsecurity.com/documents/Nspace.pdf

A Capability Maturity Model For Security Engineering -
Proceedings of the 6th Annual Canadian Computer Security Symposium
http://www.aspectsecurity.com/documents/CITSS94.doc

Unsafe at Any (CPU) Speed: Why We Keep Making the Same Mistakes -
NSA High Confidence Software and Systems Conference

Web Applications: The “Last Mile” of Internet Security -
White paper, Exodus Communications

A Constructionist Approach to Law and Society -
Law and Society Seminar, Georgetown University Law Center

Interpreting Anticircumvention (DMCA) -
Advanced International Copyright Law, Georgetown University Law Center

P3I – Protection Profile Process Improvement -
Proceedings of the 22nd National Information System Security Conference (NISSC)
Proceedings of the 10th Canadian Information Technology Security Symposium (CITSS)

Windows NT Security -
17th Annual National Computer Security Conference (NCSC)

Windows NT Client Security and Windows NTAS Security -
The Local Area Network Security Conference (LANSEC)

Reusing Existing C3I Systems in a Secure Environment -
Proceedings of the Application of COTS and Reusable Components Conference

A Framework for Reasoning about Assurance -
Published by the National Computer Security Center of the NSA
Proceedings of the 11th Annual Conference on Computer Assurance (COMPASS)

Interconnecting MLS Command Centers -
White paper for the Multilevel Security Initiative at Hanscomb AFB


Tools written:-

OWASP WebGoat
http://www.owasp.org/webgoat
I built the first WebGoat back in 1998 as a controller servlet with a few simple lessons on SQL injection, cross-site scripting, and access control. Since then, it’s grown to have dozens of lessons and has been revamped several times. Many people have contributed to the project and it’s still quite active.

OWASP Stinger
http://www.owasp.org/stinger
Stinger was a simple idea: every part of every HTTP request should be validated with regular expressions. It is a mechanism for enforcing a positive security model for validation in an application. It uses a Java “filter” to ensure that all requests are validated and even developers can’t avoid it.

OWASP PDF XSS Attack Filter
https://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE
This was a one-night project to build a little filter that generates a token to avoid a specific very dangerous flaw in Adobe Reader.


Contributions:-

OWASP Top Ten
http://www.owasp.org/index.php/OWASP_Top_Ten_Project

OWASP Secure Software Contract Annex
http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex

OWASP Testing Guide (Risk Rating Sections)
http://www.owasp.org/index.php/How_to_value_the_real_risk

OWASP Honeycomb Project (Work in progress)
http://www.owasp.org/index.php/Category:OWASP_Honeycomb_Project


Website:-

http://www.aspectsecurity.com

http://www.owasp.org


Memberships:-

OWASP Chair


Companies worked for:-

Aspect Security
Exodus Communications
Arca Systems
TRW
MITRE


Company working for:-

CEO of Aspect Security


Education:-

JD cum laude – Georgetown Law - Cyberlaw and Intellectual Property
MA – George Mason - Human Factors Engineering
BA – University of Virginia - Cognitive Psychology and Computer Science (Specialization in AI)


I am sure we will see a lot more contributions from him going forward. Though he doesn’t have a blog yet, you can find most of his work on OWASP.

Next Week – Chris Shiflett

Last Week – Robert Auger

Friday, March 23, 2007

Reflection on Robert Auger



This week on Reflection we have someone who has contributed to the webappsec community in many different ways. We all know Robert Auger through http://www.cgisecurity.com/. CGI Security is one of the very early websites on the topic and has a wealth of information on web application security. Robert is also a co-founder of the Web Application Security Consortium and a founder and moderator of the WASC mailing list. He also co-leads the WASC articles project. Recently he has started http://qasec.com/ where he discusses security testing in the PDLC with an emphasis on QA. He is also leading the WASC Threat Classification (TC v2) project, which is currently underway.

Here he shares with us how he got started in webappsec. In his own words

My interest in security sparked in the mid 90's after getting infected with the Stoned Empire Monkey Virus. I was very curious how it and other viruses worked, executed, and hid on my machine. Around the same time I was given access to my high school's VAX/VMS network and met up with a few people creating/setting up fake login screens/key loggers on the dumb terminals spread throughout the school. This VMS network was where I learned my first language 'DCL' and helped out on the local school student run bbs. Sometime later I started reading about 'cgi vulnerabilities' such as the infamous 'phf vulnerability' and was amazed that with nothing more than a browser, I could take over a machine. Since then web based attack research has been my primary hobby (others include finding ways to abuse crawlers and parsers, co-running The Web Application Security Consortium, and whitehat/blackhat SEO research).

Based out of Silicon Valley, California, Robert is only in his late 20s, and currently works for a large multinational organization where he focuses on anything application security related. I have had the pleasure of meeting him on a few occasions; not only is he a very friendly guy, he is also very passionate about web application security and can speak to you for hours on the topic. He has enormous knowledge of the webappsec field and is one of the very few people who also possess good knowledge of security in the Software Development Life Cycle.


Below is a list of his contributions to the webappsec community.



Articles:-


The Cross-site Request Forgery FAQ
The Cross-site Scripting FAQ

Identifying Risks in the Development Cycle

Writing Software Security Test Cases: Putting security test cases into your test plan

Feed Injection in Web 2.0: Hacking RSS and Atom Feed Implementations

Preventing Log Evasion in IIS

Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures.
http://www.cgisecurity.com/papers/fingerprint-port80.shtml

Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures: Part Two.

Anatomy of the Web Application Worm

Challenges faced by automated web application security assessment tools


Contributions:-

Founder and Moderator of WASC 'The Web Security Mailing List' http://www.webappsec.org/lists/websecurity/

The Web Application Firewall Evaluation Criteria
http://www.webappsec.org/projects/wafec/

WASC's Threat Classification (TC)
http://www.webappsec.org/projects/threat/

Co-lead of the WASC articles project http://www.webappsec.org/projects/articles/guidelines.shtml

The Web Application Security Consortium Web Security Glossary
http://www.webappsec.org/projects/glossary/

Distributed Open Proxy Honeypots Project
http://www.webappsec.org/projects/honeypots/

Contributor to the OWASP Application Security Testing Framework Project
http://web.archive.org/web/20030207091615/www.owasp.org/testing/

Cross-site Tracing (XST): - Research Contributor
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf

A core contributor to Snorts web-attacks.rules rule set


Presentations:-

Zero Day Subscriptions: Using RSS and Atom Feeds As Attack Delivery Systems (Power Point) - Blackhat 2006 presentation
http://www.cgisecurity.com/papers/RSS-Security.ppt


Memberships:-

Co founder of The Web Application Security Consortium http://www.webappsec.org


Email:-

robert_@_@_@_@_@_@_webappsec.org


Blog:-

http://www.cgisecurity.com/


Website(s):-

http://www.cgisecurity.com/
http://www.webappsec.org
http://www.qasec.com/


Companies Worked for:-

SPI Dynamics, other consulting companies


Robert is a man of ideas and is already working on some very interesting projects. You should definitely keep an eye on his websites, as we will see a lot more contributions from him soon.

Last Week – Billy Hoffman
Next Week – Jeff Williams

Saturday, March 17, 2007

Reflection on Billy Hoffman


This week on Reflection we have a very young guy from the webappsec field. Billy Hoffman is a lead security researcher for SPI Dynamics, where he works on discovering and automating web application vulnerabilities and improving their crawling technology. He has presented at a lot of conferences, including ToorCon, Black Hat, etc. Billy’s knowledge of Ajax is tremendous and he has written many papers and presented at many conferences on the dangers of using Ajax. Based out of Atlanta, Georgia, he is only 26 years old, the youngest webappsec expert I know of (I am sure there may be younger people too, but I am yet to meet them), and like every webappsec expert, his ability to think differently has helped him achieve so much in such a short time. Here he shares with us how he got started in the webappsec field. In his own words

“I got started in fall of 1996. My older brother had left for college and he was the one who understood computers. One day the computer stopped working and I wanted to play Doom. So I started fiddling with it and fixed it. About this time I also got a graphing calculator for geometry, so I spent my days writing programs for the TI-85 in Basic and z80 assembler, and my nights writing Basic and learning C. Soon afterwards I actually used one of those AOL disks, discovered the Internet, and learned how to create fake accounts and phish people in the New User Lobby. I wasn’t much of a network guy, let alone a web hacking guy. In college most of my hacking was focused on hardware or other things that popped on my radar like spy software. I met Caleb Sima, the co-founder and CTO of SPI Dynamics, at an Atlanta hacker conference, and he told me to come in for an interview. I was amazed by how vulnerable companies were through their websites. I started in QA, where my job was to verify our crawler and audit engines worked properly. Pretty quickly I saw ways we could improve both; I am now the lead researcher focusing on crawlers and automated vulnerability detection. I continue to speak at security conferences much like I did in college. The only differences now are I speak under my real name, I have an expense report, and there are more middle-aged men in Dockers and polos and fewer guys in black t-shirts and green hair! I’ve done a good bit of non-web stuff too. Mainly lots of presentations at different conferences (Interz0ne, Phreaknic, The Fifth Hope), some articles for 2600, O’Reilly’s Make Magazine, etc.”

I got a chance to meet with him at the WASC meetup at RSA. He is a very lively character. Let me put it this way: if Billy is part of a conversation, you won’t get bored even if you just stand there and listen. Below is a list of his contributions to the industry.


Books:

Upcoming book from Addison Wesley this summer tentatively titled “Securing Ajax Applications”


Articles:

“Patching the Holes in Ajax Security,” Cover Story, Software Test and Performance Magazine
http://www.stpmag.com/issues/stp-2007-01.pdf

Stealing Search Engine Queries with JavaScript –
http://www.spidynamics.com/spilabs/education/articles/JS-search.html

Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript –
http://www.spidynamics.com/spilabs/education/articles/JS-portscan.html

Application Error Handling: How to Avoid Death by a Thousand Cuts
http://www.spidynamics.com/spilabs/education/articles/application-error.html

Security Brief - Yamanner Web Worm
http://www.spidynamics.com/spilabs/education/articles/Yahoo-AJAXworm.html

Security Brief – MySpace Quicktime Web Worm
http://www.spidynamics.com/spilabs/education/articles/MySpace-QuickTime%20Worm.html

Ajax Security Dangers Whitepaper
http://www.spidynamics.com/assets/documents/AJAXdangers.pdf

Building a Magstripe reader, Cover Story, O’Reilly’s Make Magazine, Issue 1
http://makezine.com/01/magstripe/


Presentations/Conferences:

JavaScript Malware for a Grey Goo Tomorrow - Toorcon 8, Security Opus 2006
http://www.shmoocon.org/schedule.html

Ajax (in)security – BlackHat USA 2006, AJAXWorld, InfoSecurity Canada , SPICON, RSA Conference 2007
http://www.spidynamics.com/spilabs/education/presentations/BillyHoffman-Ajax(in)security.pdf

Analysis of Web Application Worms and Viruses – BlackHat USA 2006 and BlackHat Federal 2006
http://www.spidynamics.com/spilabs/education/presentations/billyhoffman-web_appworms_viruses.pdf

Covert Crawling: A Wolf Among Lambs – Shmoocon 2006, LayerOne 2006. Technology for this talk is used by the MITRE honeyclient project.
http://www.spidynamics.com/spilabs/education/presentations/crawling.html

Layer 7 Fun: Extending Web Apps in Interesting Ways – Phreaknic 9
http://www.msblabs.org/talks/index.php#extending-webapps

Phuture of Phishing – Toorcon 7, FBI Cyber Security Summit
http://www.spidynamics.com/spilabs/education/presentations/phishing.html

Proof of Concepts:

Stealing Search Engine queries with JavaScript
http://www.spidynamics.com/spilabs/js-search/index.html

Portscanning and fingerprinting with JavaScript
http://www.spidynamics.com/spilabs/js-port-scan/

TinyDisk – Filesystem mashup that stores and retrieves data in TinyURL
http://www.msblabs.org/tinydisk/index.php


Memberships:

“Well, ain't it a small world, spiritually speaking. Pete and Delmar just been baptized and saved. I guess I'm the only one that remains unaffiliated.” –O Brother, Where Art Thou?


Tools:

Stripe Snoop - Suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripe cards. This has received a lot of attention, having been Slashdotted twice, appeared on G4TechTV’s The Screen Savers, and at the O’Reilly Emerging Technologies Conference Maker Faire.
http://stripesnoop.sourceforge.net/

Phasmatis – Reads and edits captured data from SpectorSoft’s computer monitoring software
http://phasmatis.sourceforge.net/

TinyDisk – Filesystem mashup that stores and retrieves data in TinyURL
http://www.msblabs.org/tinydisk/index.php

NanoURL – Web Application that provides link shortening services exactly like TinyURL
http://www.msblabs.org/nanourl/index.php

LineBreaker – Anti Phishing Web proxy, released at Toorcon 2005
http://www.spidynamics.com/LineBreaker.zip


Company working for:

SPI Dynamics



Blog:



Website:

Most Significant Bit Labs
http://www.msblabs.org/


Companies worked for:

Crawford and Company, and NetEffects


Education:

BS in Computer Science from Georgia Tech, graduated in 2005.


Billy has a very sharp mind and is very passionate about the webappsec field. He has a bright career ahead of him and is definitely amongst the ones to follow.

Last Week : Shreeraj Shah
Next Week : Robert Auger

Friday, March 09, 2007

Reflection on Shreeraj Shah



This week on Reflection we have another big contributor to the webappsec field. Shreeraj Shah is a founder of Net Square Solutions, where he performs consulting, training and R&D activities. He has done a lot of research on web application and web services security. Shreeraj started with web application security in mid 2000 when he was working on the WebLogic application server and discovered some architecture-level security issues. He quickly found similar issues in other products like WebSphere, JRun, Java Web Server etc. and posted a lot of advisories on SecurityFocus. Since then he has performed numerous network security pen tests and application assessments for many significant companies.


Based out of Ahmedabad, India, Shreeraj is 31 years old and has a lot of experience in web application security. He has authored a couple of books, published many articles, presented at many conferences (including BlackHat, HackInTheBox, RSA, etc.), and posted several vulnerabilities and advisories at SecurityFocus. Below is a compilation of most of his work, including articles, whitepapers, books, presentations, etc.


Books:-

Hacking Web Services (Thomson 06)

Web Hacking – Attacks & Defense (AWL 03)


Articles:-

Stateful Web Application Firewalls with .NET
http://www.informit.com/articles/article.asp?p=694855&rl=1

Ajax Fingerprinting for Web 2.0 Applications
http://www.net-security.org/article.php?id=976

Detect Your Web Application's Vulnerabilities Early with Ruby
http://www.devx.com/security/Article/33559

Crawling Ajax-driven Web 2.0 Applications
http://www.net-security.org/article.php?id=973

XSRF attack vector with Ajax serialization
http://searchappsecurity.techtarget.com/tip/0,289483,sid92_gci1235537,00.html

Vulnerability Scanning Web 2.0 Client-Side Components
http://www.securityfocus.com/infocus/1881

Web 2.0 defense with Ajax fingerprinting & filtering
http://www.insecuremagazine.com/INSECURE-Mag-9.pdf

Top 10 Ajax Security Holes and Driving Factors
http://www.net-security.org/article.php?id=956

Detecting Web Application Security Vulnerabilities
http://www.oreillynet.com/pub/a/sysadmin/2006/11/02/webapp_security_scans.html

Hacking Web 2.0 Applications with Firefox
http://www.securityfocus.com/infocus/1879

Top 10 Web 2.0 attack vectors
http://www.net-security.org/article.php?id=949

Assessing Web App Security with Mozilla
http://www.onlamp.com/pub/a/security/2005/10/20/web_vulnerabilities.html

Protect your applications without recoding them
http://www.onlamp.com/pub/a/onlamp/2005/06/09/wss_security.html

Web Services - Attacks and Defense
http://www.net-square.com/whitepapers/WebServices_Info_Gathering.pdf

Defending Web Services using Mod Security (Apache) Methodology and Filtering Techniques
http://www.net-square.com/whitepapers/Defending-web-services.pdf

Web Application Footprints and Discovery
http://www.net-square.com/whitepapers/WebApp_Footprints_Disco.pdf

Web application defense at the gates - Leveraging IHttpModule
http://www.net-square.com/whitepapers/WebApp_HTTPMod.pdf

Web Services: Enumeration and Profiling
http://www.net-square.com/whitepapers/WebServices_Profiling.pdf

Domain Footprinting for Web Applications and Web Services
http://www.net-square.com/whitepapers/domain_footprints.pdf

Web Application Footprinting & Assessment with MSN Search Tricks
http://www.net-square.com/whitepapers/MSN_Search_For_WebApp.pdf

Browser Identification for Web Applications
http://www.net-square.com/whitepapers/browser_ident.pdf


Tools:-

wsChess - Toolkit for Web Services Assessments and Defense
http://www.net-square.com/wschess/index.shtml

MSNPawn - Footprinting, Profiling & Assessment with MSN Search
http://www.net-square.com/msnpawn/index.shtml

Ajaxfinger – Ajax fingerprinting script
http://www.net-square.com/ns_freetools.shtml#ajaxfinger


Presentations:-

Advanced Web Hacking - EUSecWest
http://www.slideshare.net/shreeraj/advanced-web-hacking/

Advanced Web Services Hacking - AusCERT
http://www.slideshare.net/shreeraj/advanced-web-services-hacking/

Web Services Security Chess - RSA
http://www.slideshare.net/shreeraj/web-services-security-chess-rsa/

Web Application Kung-Fu, Art of Defense - Bellua/HITB
http://www.slideshare.net/shreeraj/web-application-kungfu-art-of-defense-bellua/

Hacking and Securing .NET Apps - Infosecworld
http://www.slideshare.net/shreeraj/hacking-and-securing-net-apps-infosecworld/

Defending Web Applications: Strategies, methods and practices
http://www.archive.org/details/hitb2003-Shreeraj-Shah


Blog:-

http://shreeraj.blogspot.com


Companies worked for:-

IBM, Chase bank and Foundstone


Education:-

Masters in Computer Science


Company working for:-

Net Square Solutions Pvt. Ltd.


Email:-

shreeraj__at__net-square__dot__com

Shreeraj has come up with interesting ideas before, and I am sure he has a lot more to contribute to the webappsec industry. If you don't already follow his blog, then I suggest you should definitely keep an eye on it.

Last Week - Ivan Ristic
Next Week - Billy Hoffman

Friday, March 02, 2007

Reflection on Ivan Ristic


If we hear so much about web application firewalls and their role as a first line of defense in protecting our web applications, a large amount of credit has to go to Ivan Ristic. Ivan Ristic is the creator of ModSecurity (an open source web application firewall and intrusion detection/prevention engine). He started playing in the webappsec space sometime around 2002 and has been working in it seriously since 2004. Based out of London, UK, he is only 33 years old and works for Breach Security. He is currently in charge of the ModSecurity product line, which includes ModSecurity, sensor appliances based around it and management appliances. Ivan also wrote Apache Security for O'Reilly, a web security guide for administrators, system architects, and programmers. Prior to web application security, he worked as a developer, system architect and technical director in the software development industry. He briefly shared his journey with ModSecurity with us. In his own words:

"I started developing web applications in 1997. At that time no one really thought about web application security. Since the applications I worked on were sensitive, I had to deal with the problem then or shortly thereafter. Over time it became apparent to me that designing 100% secure web applications is simply not possible. And even pretty good security is difficult to achieve for an average programmer. The only choice then (and it's the same today) was to fix applications. So the real choice was between having IDS (a network level tool) or a proper HTTP-level tool. Using IDS to deal with HTTP-level problems is very difficult. They will not reassemble transactions and are typically very easy to evade. On top of that most can't see into SSL traffic. So I don't really think there was a choice.

I started working on ModSecurity in November 2002. I came up with a beta version pretty quickly. If I recall, 1.2 was the first version to be made available to the public. But it wasn't until 1.5 that I felt comfortable enough with the product to tell others they can use it in production. Version 1.5 was out in May 2003. Although 1.4.2 (February 2003) was actually ready for production, version 1.5 had a web site, manual, mailing lists, etc. In other words, the whole package needed for a project.

My biggest hurdle was lack of documentation for Apache and (especially) Apache 2 programming. That's where I spent most of my time in the first couple of years. Getting content interception to work in Apache 1.3.x was difficult because there is no API in Apache 1.3.x for that purpose (so my solution is a hack). And it's been very difficult in Apache 2.0.x because there was no documentation and when there was - it was outdated. In terms of code I always worked on the project alone. But the community is not only about code - I've had a lot of help from various people over the years, in one form or another.

The biggest decision I made was about the model. At the time I was thinking of building a separate program or writing an Apache module. I am still happy with my decision (to write an Apache module) because it allowed me to focus on the areas I really cared about. Plus it allowed me to learn a lot about Apache and that led me to write Apache Security, which was a tremendous project on its own.

I didn't work for a security company up until 2004. In 2004 I started my own business (Thinking Stone) to support ModSecurity. Thinking Stone was subsequently bought by Breach Security in 2006. I am still working for Breach Security today. We are a web application firewall company. As for the future of Web Application Firewalls, I cannot see a world without them. Even if web applications magically become secure overnight, a large part of what I think WAFs do is auditing and monitoring. In other words - defence in depth. I don't see that need ever going away."


Ivan spends his time thinking about web intrusion detection, web application security and security patterns. When he is not working, he spends his time cooking, taking photographs, and studying the English language, but most of the time he ends up back in the webappsec space. He is probably the first to talk about the concept of "impedance mismatch" between applications and external security layers. Below are various other contributions from him.


Books:-

Apache Security (O'Reilly, 2005)
http://www.apachesecurity.net/
http://www.oreilly.com/catalog/apachesc/index.html


Articles:-

Software Documentation with DocBook Quick HOWTO
http://www.oreillynet.com/sysadmin/blog/2005/11/software_documentation_with_do.html

Web Security Appliance with Apache and ModSecurity
http://www.securityfocus.com/infocus/1739

ModSecurity 2.0 with Ivan Ristic
http://www.securityfocus.com/columnists/418

Introducing mod_security
http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html

What's New in ModSecurity
http://www.onlamp.com/pub/a/apache/2005/12/01/modsecurity.html

The public life of Apache Security begins
http://www.oreillynet.com/sysadmin/blog/2005/04/the_public_life_of_apache_secu.html

Web Application Firewalls Primer
http://www.net-security.org/dl/insecure/INSECURE-Mag-5.pdf


Contributions:-


Presentations:-

Web Application Firewalls – When are they useful?
http://www.modsecurity.org/documentation/Web_Application_Firewalls_-_When_Are_They_Useful.pdf

Web Intrusion Detection with Mod Security
http://www.thinkingstone.com/talks/Web_Intrusion_Detection_with_ModSecurity.pdf

Mod Security: Embeddable Web Application Firewall
http://www.thinkingstone.com/talks/ModSecurity_Elevator_Pitch.pdf

Threat Modeling for Web Applications Deployment
http://www.thinkingstone.com/talks/Threat_Modelling.pdf

Apache Security Training
http://www.thinkingstone.com/talks/Apache_Security_Training.pdf


Memberships:-


Tools written by him:-

ModSecurity for Apache
ModSecurity Console
Apache Tools


Blog:-

http://www.modsecurity.org/blog/


Website:-

http://www.modsecurity.org/
http://www.apachesecurity.net/
http://www.ivanristic.com/


Companies worked for:-

Thinking Stone (founder)
DNS Europe
Eunet


Education:-

BSc in Computing & IT.


Email:-

ivanr__at__webkreator__dot__com

Last Week : Jeremiah Grossman
Next Week : Shreeraj Shah