
Thought Leaders


Caleb Sima, CTO for SPI Dynamics

Stephen Northcutt - May 29th, 2007

Caleb Sima, the CTO for SPI Dynamics, has agreed to be interviewed for the security lab, and we certainly thank him for his time. Caleb, we understand you were a child prodigy; when did you first start looking "under the hood" with computers, and do you remember your first "aha" moment, the first time you went, "wow, this is cool"?
Well, first off, a child prodigy I was not. I was just really rebellious at a young age and was able to focus that on computers to get where I am today. Trust me, if I were to take the SATs now, I would fail miserably.

So, the first time I actually ended up playing with computers was when I was on restriction and my dad purchased a new PC; of course, the only thing I was allowed to do was to fiddle with it. I still remember the first joke I played on my dad by taking a screenshot of Windows and putting it as the background, and then watching my dad complain about how the computer was frozen and would not work. So, at this point I was not into security as I really did not know it existed; I guess where I started getting into the so-called underground was when I logged into this BBS and read a file on how to make free payphone calls. That blew my mind - my first "aha" moment. I had no idea that you could subvert technology to do what you wanted and, from that point forward, I became obsessed with phone phreaking and hardware hacking which, of course, led me into software security.

We know you were one of the authors of Hacking Exposed Web Applications with Joel Scambray and Mike Shema, and I bet that was a lot of work; what do you find is the biggest benefit from the project?
I found two large benefits. The first is personal; I have always been a terrible writer (and really still am), but it was a real growing experience in getting my thoughts down on paper and working on writing a book. The second benefit is that I really tried to put down attack methodology and thought process in the book, not just "here is XSS" and "here is SQL injection." I wanted to point out that web hacking was more than just a couple of attacks that get press, and I emphasized that a lot in the book. The feedback that I have received from people has been just that - they really liked that they learned something new; I think that is a huge benefit and, really, the goal of everything I put into that book.

We understand you co-founded SPI. Can you tell us just a bit about how it got started, what was the vision, what was the headache you wanted to be the aspirin for?
Well, this is a really long story which should be told over some beers, but, since we can't do that, I will shorten it up as much as possible. I was doing a lot of pen testing and found that I could break into the web application in hours instead of days. I did not need to use any network scanners and EVERYONE was vulnerable because no one ever looked at the web application as a security concern. I had built a bunch of Perl scripts to help automate some of my process and had ideas of writing an open-source web application scanner, which really was unheard of at the time since the closest thing to that was whisker, which is not an app scanner but, rather, a web server scanner. Well, I was contracting at a large telecom company and the head of security there said to me, "If you can automate this so I can use it, I will buy it from you". Thus, WebInspect was born.

Wow, Caleb, thank you for sharing that. And SPI has really grown, is it a fair assessment to say that since 2000, you are the market leader? What can you share about the web app security market segment, growing, shrinking, becoming more sophisticated?
Yes, since then SPI has grown rapidly. We now have over 1200 customers and over 140 people. We were rated number 4 in the fastest growing companies in Atlanta. The vision that started out just automating the web scanning process I used to do has grown into helping companies implement and manage a secure development lifecycle for web applications. It's funny you mention the app security market since I have been doing this for 9+ years and it seems old hat, but the web security market never really came around until about 2 years ago. SPI was educating the market and evangelizing to companies why web security was important and only in 2005 did the light bulb finally really go on and people understand. So the market, as old as I might think it is, really is quite young and it will be exciting to see where the ride takes us.

So you realized that web applications were a primary Achilles heel from a security perspective for many organizations and you and your team developed WebInspect, what can you tell us about the directions it is expected to go in the next year or so?
WebInspect is but a small piece of the total solution for the web security problem. WebInspect is the "What problems do we have?" piece; then there is the "How do we solve this problem?" piece, which is DevInspect; then "How can we ensure this does not happen again?" which is QAInspect; and, finally, the "How do I manage and control all of this?", which is AMP. So, as you can see, we have a lot of work to do in all parts of our product suite. Our goal has changed from what it was 7 years ago, which was to show people the problem. They understand that now, so our focus is to help customers with the solution, and that is the real key. Fixing software vulnerabilities from development through to production is the right solution and that is the direction the market has taken us.

One of the unique things about web applications is that one programming error can be referenced in hundreds of instances, often all of them Internet reachable. What do you think the number one error is, the mistake a programmer can make to guarantee a spot in the hall of shame?
I have seen some serious stupidity in my career. *smile* There is never really one thing a developer can do to put them in the hall of shame, but I can tell you some of the more memorable mistakes I have seen. For instance, I have seen a developer put full-on SQL queries in their cookies to a very important government web application. Literally, it was like 'Cookie: sessionquery=SELECT+*+FROM....' Nice one, buddy! I have also seen a big push toward pushing code to the client in the form of JavaScript, thanks to the phenomenon known as AJAX, and in one application the developer kept their privilege checking in JavaScript and, based on who you were, either displayed or hid the menus. So, you just viewed source and could see all the admin functions and access them directly.

There is one thing that I always tell developers - that is to VALIDATE INPUT.

Check out the book Security, Accuracy, and Privacy in Computer Systems written by James Martin in 1973; on page 54 he states, "A particularly important set of checks, however, is that used at the start of the operation when new input is first received. Every effort should be made to detect any erroneous or invalid input before it is processed."

You would think after 34 years we would have followed this advice. If we did this one thing properly, it would remove the exploitability of XSS, SQL Injection, Command Execution, Path traversal, Buffer Overflows ... and the list goes on.

One simple step can instantly make your code 80% more secure... geez, who would have thought?

Of course, we are all familiar with Johnny Long’s web site, but I needed an example for some courseware I was working on, and it is almost depressing how much system configuration information people leave unprotected. Do we need more than technology, is education part of the equation?

No matter what technology you try to put into place or any amount of education you attempt, people will always do stupid things. You will always find that system config information or the username/password database in a directory because people will always do it. Even if you put controls into place in order to stop them, they will find ways around it so that they can do stupid things. It's life. *smile* So, unless Google prohibits you from doing these types of searches (doubtful, and almost impossible to do), then you can always play the "Let's see what stupid stuff we can find with Google" trick. Which, by the way, existed long before Google; remember doing this with the Lycos web crawler and good ol' AltaVista, back in the day?

Thanks Caleb, I am glad we agree on the importance of education; is SPI Dynamics involved in education on web security? And, if so, can you tell us a bit about that.
Education is always important and is something that SPI is heavily involved in. Ask anyone who has attended one of the presentations we give; I go out of my way to ensure that every time someone attends an SPI presentation, they walk away learning something new. No product pitches from us. I know that if we help educate the people, that, of course, will educate the market, and then those same people will come back to us wanting to learn more and trust that if we are the experts, then we put that expertise into our products. A lot of companies don't realize that. You will always see us at security conferences giving presentations - we speak at almost every one of them.

I’ve written a book and so many articles I can’t count, *smile* and our engineering group has actually done the same. Educating the market is a primary goal for us and we will always continue to do so.

Caleb, the security market continues to change, new threats evolve, what are the hottest trends right now in attacking web applications and what can we do to prevent them?

The hottest trend right now is definitely AJAX. Now AJAX security is separated into two distinct areas: 1) AJAX misconfiguration/implementation issues; and, 2) exploiting XSS using AJAX. As with any new technology, people rush out to implement it right away and AJAX, of course, is no different. We are seeing a huge push of taking server-side code and chunking huge parts of it out to the client using JavaScript. This, of course, leads to huge security issues. I do a presentation about what these issues are on our website. The second area is that XSS has obviously taken off. Hackers are using it in a much more meaningful way in order to really do some crazy things, and this is all because of the AJAX ability. XSS+AJAX = Massive exploitation. So the important question is, how do we prevent these issues? Well, the first is easy (I say this as a consultant, not a CSO *smile*): Remember that AJAX is really there for a better user interface, nothing more. So, be very careful in how you design your application with AJAX and ensure that security is thought of. The second problem is a little bigger; companies need to start plugging these XSS holes. However, this says nothing about the malicious websites that you browse to, in which case, there is really nothing that can be done.

What advice do you have for someone in the security field to stay current on web app security? What is your favorite newsgroup, mailing list or other information source?
I’m a mailing list guy so these are what I read in terms of being the most fun:
  1. WASC (Web application security consortium): Web security focused with all the experts reading and posting. Really good activity.
  2. Full Disclosure: Always has the latest events and issues happening and is really quite amusing (keeps me entertained)
  3. Daily Dave: More serious and always has a good thread going. Most of the people on the list are experts in the field and they talk about good issues
  4. PenTest: Decent
  5. Secure Coding: Decent

If you had a close friend, who was primarily technical, but was being offered a senior level position such as a CTO in a mid sized company, what is the primary piece of advice you would give him or her based on your own experience?
Listen to your customers. The rest of the advice requires about 6 hours and some drinks. *smile*

We really want to thank you for your time and have one last question: can you tell us just a bit about yourself? What do you like to do when you are not in front of a computer?
Well, I’m an addicted poker player and play regularly online, and I hold a small weekly game at my place. I also enjoy riding my bike, a black '05 Yamaha R6; one of these days I’ll get that thing on the track. Just recently I have started hosting SPI dodgeball and basketball games, which are a ton of fun. There is nothing like getting smacked in the head with a dodgeball. *smile*