Monday, July 02, 2007

Reflection on Dinis Cruz


In the last episode of reflection, we have someone who has become a pillar of OWASP. Dinis Cruz is a chief OWASP evangelist and a part of the OWASP board. At OWASP, he organizes events such as the OWASP Autumn of Code, delivers keynotes and advanced technical presentations at OWASP conferences and leads the OWASP .Net Project, where (amongst others) he created the tools OWASP Report Generator, OWASP Site Generator, SAM'SHE (Security Analyzer for Microsoft's Shared Hosting Environments) and Asp.Net Reflector. Dinis Cruz is a security consultant based in London specializing in penetration testing, ASP.NET application security, source-code security reviews, reverse engineering and security curriculum development. In his reflection, Dinis shares with us how he started in web application security. In his own words:

“When I was 10 years old I started programming assembly on my brother’s ZX Spectrum 48k. I remember being very happy using PEEK and POKE to manipulate pixels on the screen (I also remember translating Assembly Code into Bytes by hand, since at the time I had a book on assembly but had no compiler (ahhhh, these kids today have it so easy)).

I then went through an Amiga phase (probably the best computer ever, which at that time was miles ahead of everybody else), trying to write games and cool demos (again, there was no Internet available).

After that came the BBS world with 2400 baud modems, followed by a super fast 14440 Modem and big phone bills. Once the Internet arrived I couldn’t get enough of it.

I started with Web Application Security about 6 years ago when I became fascinated by how easy it was to remotely 0wn computers. I then decided to shift my professional focus into security and have not looked back since.

I think my programming background was a big help, since once I understood the issues with security I was able to use those skills to find vulnerabilities (and propose solutions).

On security, my first experiments were with the first edition of Hacking Exposed, which taught me the basics of Network Security, followed by a special focus on ASP Classic and .NET Framework security.

My journey with OWASP started with an email that I sent to Mark Curphey in October 2003 about my research on the security implications of running ASP.NET code in Full Trust. Mark replied with the challenge "Hey!, why don’t you publish this material on OWASP and manage the OWASP .Net project?", which I accepted and have since dedicated a considerable amount of energy to it. OWASP is a very empowering, open organization where motivated and focused individuals can find their place and shine. OWASP was a perfect match for my values and professional objectives. I published most of my .NET research and eventually became the Chief OWASP Evangelist.”


Based out of London, UK, Dinis is 32 years old. Below is a list of his contributions to the community.


Articles:-

Roadmap to a Partial Trust Managed Code world
http://blogs.owasp.org/diniscruz/2007/03/05/roadmap-to-a-partial-trust-managed-code-world/

‘Security Awareness Modes’ & the ‘day Microsoft changes’
http://blogs.owasp.org/diniscruz/2007/03/05/security-awareness-modes-the-day-microsoft-changes/

On Microsoft’s lack of Partial Trust Managed Code (PTMC) focus and ideas for the future
http://blogs.owasp.org/diniscruz/2007/03/05/on-microsofts-lack-of-partial-trust-managed-code-ptmc-focus-and-ideas-for-the-future/

I give up, no more posts to Full-Disclosure and DailyDave about Full Trust and .Net /Java Sandboxes
http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0147.html

An 'Asp.Net' accident waiting to happen
http://www.owasp.org/index.php/An_

Microsoft must deliver secure environments not tools to write secure code
http://www.owasp.org/index.php/Microsoft_must_deliver_secure_environments_not_tools_to_write_secure_code
Full Trust Asp.Net Security Vulnerabilties, and Microsoft's current position
http://www.owasp.org/index.php/Full_Trust_Asp.Net_Security_Vulnerabilties,_and_Microsoft

What are the 'Real World' security advantages of the .Net Framework and the JVM?
http://www.owasp.org/index.php/What_are_the_

.NET research from OWASP .NET Project

Rooting The CLR (demo files available on request)
http://www.owasp.org/index.php/Rooting_The_CLR

Buffer OverFlow in ILASM and ILDASM
http://www.owasp.org/index.php/Buffer_OverFlow_in_ILASM_and_ILDASM

Full Trust CLR Verification issue: changing the Method Parameters order
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_changing_the_Method_Parameters_order

Full Trust CLR Verification issue: changing the return address order
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_changing_the_return_address_order

Full Trust CLR Verification issue: Changing Private Field using Proxy Struct
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_Changing_Private_Field_using_Proxy_Struct

Full Trust CLR Verification issue: Exploiting Passing Reference Types by Reference
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_Exploiting_Passing_Reference_Types_by_Reference

Manipulating private method behavior by overriding public virtual methods in public classes
http://www.owasp.org/index.php/Manipulating_private_method_behaviour_by_overriding_public_virtual_methods_in_public_classes

CSharp readonly modifier is not enforced by the CLR (when in Full Trust)
http://www.owasp.org/index.php/CSharp_readonly_modifier_is_not_inforced_by_the_CLR_(when_in_Full_Trust)

ANSI/UNICODE bug in System.Net.HttpListenerRequest
http://www.owasp.org/index.php/ANSI/UNICODE_bug_in_System.Net.HttpListenerRequest


Tools written by him:-

DN_BOFinder (DotNet Buffer Overflow Finder)
http://www.owasp.org/index.php/DN_BOFinder

OWASP Site Generator
http://www.owasp.org/index.php/Owasp_SiteGenerator

OWASP Report Generator
http://www.owasp.org/index.php/Owasp_Report_Generator

.NET Assembly Analyzer
http://www.owasp.org/index.php/.Net_Assembly_Analyzer

New version (v2.0) of Foundstone's HacMe Bank (with Web Services) http://secure.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/hacmebank.htm

Video of above is located here
http://secure.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/videos/hacmebank/index.htm

Foundstone's CodeScout (basic Source code analysis tool) http://secure.foundstone.com/resources/proddesc/codescout.htm

Foundstone's .NETMon (Flow Trace Tool for .NET)
http://secure.foundstone.com/resources/proddesc/dotnetmon.htm

HttpModule for Foundstone’s Validator.NET http://secure.foundstone.com/resources/proddesc/validator.htm

OWASP’s SAMSHE (Security Analyzer for Microsoft's Shared Hosting Environments)
http://www.owasp.org/index.php/SAM
is a part of
http://www.owasp.org/index.php/ANBS

OWASP’s ANSA (Asp.Net Security Analyser)
http://www.owasp.org/index.php/ANSA

Online Active Directory User Management System

Multi-lingual website Content Management System (COTS application)

Windows Security Log Analysis solution

Relational Database for London University Researchers
Back end for travel agency website

E-Commerce system for music publisher selling custom CDs online

Online website Content Management System


Contributions:-

Created and organized the OWASP Autumn of Code 2006 http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006

OWASP Spring of Code 2007 http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007

Participation as a speaker in several Security Conferences (including Keynote presentations at OWASP conferences)

Buffer Overflows on the .Net Framework, 2006 Seattle

Panel: "The role of frameworks (e.g., .Net, Java, Enterprise Library, Struts, JaCorb) in 'forcing' developers to create and deploy 'secure' applications", 2006 Seattle

Keynote OWASP 2.0 - Enabling organizations to develop, maintain, and acquire applications they can trust, 2006 Europe (Leuven) and 2006 Seattle

Panel: "The role of Sandboxing in creating secure .Net and Java applications.”, 2006 Europe (Leuven)

Rooting the CLR, 2005 Washington DC

The Fog of Software, 2005 London

OWASP DotNet Security tools: DefApp, ANBS, SAM'SHE, ASP.NET Reflector, Beretta, .NETMon, 2005 London

Full Trust Asp.Net Insecurity, 2004 NYC


Videos:

FSTV (Foundstone TV) Interview on '.NET, web security tools, the future of OWASP, and ‘Open Source Software', BlackHat 2006 http://video.google.com/videoplay?docid=941077664562737284

Attacking Web and Windows Apps (UK's DDD3, Jun 2006) http://www.roadtowinfx.com/ddd3/2006-06-03%20Developer%20Developer%20Developer%20session%203.lo%20res.wmv

Attacking Web and Windows Applications (presented at DDD2, Oct 2005)
http://www.roadtowinfx.com/ddd/2005-10-22_DeveloperDay_session06.wmv

Rooting the CLR, OWASP conference at DC's NISC, Oct 2005 http://video.google.com/videoplay?docid=-2492965730809426450&q=owaspLog

Training:-

Advanced Asp.Net Exploits and Countermeasures (IOActive):

London (July 17th/18th)
http://www.nxtgenug.net/Course.aspx?CourseID=4

Black Hat in Las Vegas (July 28th/29th and July 30th/31st)
http://www.blackhat.com/html/bh-usa-07/train-bh-us-07-io-net.html

Advanced Asp.Net Security (Security Compass)

Writing Secure ASP.NET Code (IOActive)

Writing Secure Code - ASP.NET (C#) (Foundstone)

Writing Secure Code Boot Camp (Intense School / Vigilar)


Memberships:-

OWASP


Company working for:-

Dinis has a main contract with Ounce Labs but continues to do other projects and training (for example the Black Hat training in Las Vegas for IOActive).


Companies worked for:-

Dinis has been the director of his UK-based company for 10 years now, and has worked (under direct contract) for companies like: Ounce Labs, ABN AMRO, IOActive, Foundstone, Vigilar, Infosys, Security Compass, UK’s Defence Science and Technology Laboratory, UK’s Department for Transport, UK’s Competition Commission and many others.


Email:-

Dinis.Cruz at owasp.net


Blog:-

http://blogs.owasp.org/diniscruz


Website:-

http://www.owasp.org/


Education:-

Dinis has 50% of a degree from the Portuguese University of Algarve in ‘Computing Systems and Analysis’ (where he completed 3 out of five years) and has 50% of a degree from the UK’s University of Westminster in ‘Commercial Music’ (where he completed 1 and ½ of 3 years).

So basically he has a degree in ‘Computing Commercial Systems and Music Analysis’.


Dinis uses both Apple and Windows and prefers to program in C#. When he is not in front of a computer, he likes to spend time with his family and play football, golf, guitar and drums.

With this, the reflection project comes to an end. I would like to thank everyone who participated in it and spent time with me putting all the information together. It has been a truly fantastic experience.

Last Week - Cesar Cerrudo
