Caleb Sima, CTO for SPI Dynamics
Stephen Northcutt - May 29th, 2007
Caleb Sima, the CTO for SPI Dynamics, has agreed to be interviewed for the security lab, and we certainly thank him for his time. Caleb, we understand you were a child prodigy; when did you first start looking "under the hood" with computers, and do you remember your first "aha" moment, the first time you went, "wow, this is cool"?
Well, first off, a child prodigy I was not. I was just really rebellious at a young age and was able to focus that on computers to get where I am today. Trust me, if I were to take the SATs now, I would fail miserably.
So, the first time I actually ended up playing with computers was when I was on restriction and my dad purchased a new PC; of course, the only thing I was allowed to do was to fiddle with it. I still remember the first joke I played on my dad by taking a screenshot of Windows and putting it as the background, and then watching my dad complain about how the computer was frozen and would not work. So, at this point I was not into security as I really did not know it existed; I guess where I started getting into the so-called underground was when I logged into this BBS and read a file on how to make free payphone calls. That blew my mind - my first "aha" moment. I had no idea that you could subvert technology to do what you wanted and, from that point forward, I became obsessed with phone phreaking and hardware hacking which, of course, led me into software security.
We know you were one of the authors of Hacking Exposed Web Applications with Joel Scambray and Mike Shema, and I bet that was a lot of work; what do you find is the biggest benefit from the project?
I found two large benefits. The first is personal; I have always been a terrible writer (and really still am), but it was a real growing experience in getting my thoughts down on paper and working on writing a book. The second benefit is that I really tried to put down attack methodology and thought process in the book, not just "here is XSS" and "here is SQL injection." I wanted to point out that web hacking was more than just a couple of attacks that get press, and I emphasized that a lot in the book. The feedback that I have received from people has been just that - they really liked that they learned something new; I think that is a huge benefit and, really, the goal of everything I put into that book.
We understand you co-founded SPI. Can you tell us just a bit about how it got started, what was the vision, what was the headache you wanted to be the aspirin for?
Well, this is a really long story which should be told over some beers, but, since we can’t do that, I will shorten it up as much as possible. I was doing a lot of pen testing and found that I could break into the web application in hours instead of days. I did not need to use any network scanners and EVERYONE was vulnerable because no one ever looked at the web application as a security concern. I had built a bunch of Perl scripts to help automate some of my process and had ideas of writing an open-source web application scanner, which really was unheard of at the time since the closest thing to that was whisker, which is not an app scanner but, rather, a web server scanner. Well, I was contracting at a large telecom company and the head of security there said to me, "If you can automate this so I can use it, I will buy it from you". Thus, WebInspect was born.
Wow, Caleb, thank you for sharing that. And SPI has really grown; is it a fair assessment to say that since 2000, you are the market leader? What can you share about the web app security market segment - growing, shrinking, becoming more sophisticated?
Yes, since then SPI has grown rapidly. We now have over 1200 customers and over 140 people. We were rated number 4 in the fastest growing companies in Atlanta. The vision that started out just automating the web scanning process I used to do has grown into helping companies implement and manage a secure development lifecycle for web applications. It's funny you mention the app security market since I have been doing this for 9+ years and it seems old hat, but the web security market never really came around until about 2 years ago. SPI was educating the market and evangelizing to companies why web security was important, and only in 2005 did the light bulb finally really go on and people understood. So the market, as old as I might think it is, really is quite young and it will be exciting to see where the ride takes us.
So you realized that web applications were a primary Achilles heel from a security perspective for many organizations, and you and your team developed WebInspect; what can you tell us about the directions it is expected to go in the next year or so?
WebInspect is but a small piece of the total solution for the web security problem. WebInspect is the "What problems do we have?" piece; then there is the "How do we solve this problem?" piece, which is DevInspect; then "How can we ensure this does not happen again?" which is QAInspect; and, finally, the "How do I manage and control all of this?", which is AMP. So, as you can see, we have a lot of work to do in all parts of our product suite. Our goal has changed from what it was 7 years ago, which was to show people the problem. They understand that now, so our focus is to help customers with the solution, and that is the real key. Fixing software vulnerabilities from development through to production is the right solution and that is the direction the market has taken us.
One of the unique things about web applications is that one programming error can be referenced in hundreds of instances, often all of them Internet reachable. What do you think the number one error is, the mistake a programmer can make to guarantee a spot in the hall of shame?
There is one thing that I always tell developers - that is to VALIDATE INPUT.
Check out the book Security, Accuracy, and Privacy in Computer Systems written by James Martin in 1973; on page 54 he states, "A particularly important set of checks, however, is that used at the start of the operation when new input is first received. Every effort should be made to detect any erroneous or invalid input before it is processed."
You would think after 34 years we would have followed this advice. If we did this one thing properly, it would remove the exploitability of XSS, SQL injection, command execution, path traversal, buffer overflows ... and the list goes on.
One simple step can instantly make your code 80% more secure... geez, who would have thought?
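Sima's one rule, as an added Python example (not code from the interview or from SPI Dynamics): every request field is checked against an allow-list at the entry point, before any query, shell command, file path or page is built from it, and the report path gets a second containment check as defence in depth. The field names, patterns, REPORT_DIR and sample requests are constructed for the illustration.

```python
import re
from pathlib import Path

# Allow-list per field (constructed for this example): what each value may look like.
RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "report": re.compile(r"[A-Za-z0-9_-]{1,40}\.pdf"),
    "quantity": re.compile(r"[0-9]{1,4}"),
}
REPORT_DIR = Path("/srv/app/reports")  # hypothetical base directory for reports

class InvalidInput(ValueError):
    """Raised at the entry point, before the value reaches a query, shell, path or page."""

def validate(field, value):
    """Return value unchanged if it fully matches the field's allow-list; else raise."""
    rule = RULES.get(field)  # unknown fields have no rule and are rejected too
    if rule is None or not isinstance(value, str) or rule.fullmatch(value) is None:
        raise InvalidInput(f"rejected {field}={value!r}")
    return value

def report_path(report):
    """Defence in depth: even a validated name must still resolve inside REPORT_DIR."""
    path = (REPORT_DIR / report).resolve()
    if REPORT_DIR.resolve() not in path.parents:
        raise InvalidInput(f"path escapes report directory: {report!r}")
    return path

# Constructed requests: one legitimate, then the input shapes Sima lists above.
SAMPLE_REQUESTS = {
    "legit": {"username": "alice_01", "report": "q1-2007.pdf", "quantity": "3"},
    "sql_injection": {"username": "alice' OR '1'='1", "report": "q1.pdf", "quantity": "3"},
    "xss": {"username": "<script>alert(1)</script>", "report": "q1.pdf", "quantity": "3"},
    "cmd_injection": {"username": "alice; id", "report": "q1.pdf", "quantity": "3"},
    "path_traversal": {"username": "alice", "report": "../../etc/passwd", "quantity": "3"},
    "overflow_length": {"username": "alice", "report": "q1.pdf", "quantity": "9" * 500},
}

def accepted(params):
    """True if every field passes validation and the report stays inside REPORT_DIR."""
    try:
        clean = {name: validate(name, value) for name, value in params.items()}
        report_path(clean["report"])
        return True
    except InvalidInput:
        return False

def triage(requests=SAMPLE_REQUESTS):
    """Map each constructed request label to whether it got past the door."""
    return {label: accepted(params) for label, params in requests.items()}
```

Only the legitimate request is accepted; the other five are stopped before any downstream code sees them, which is the whole point of validating at the start of the operation.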
Of course, we are all familiar with Johnny Long’s web site, but I needed an example for some courseware I was working on, and it is almost depressing how much system configuration information people leave unprotected. Do we need more than technology; is education part of the equation?
No matter what technology you try to put into place or any amount of education you attempt, people will always do stupid things. You will always find that system config information or the username password database in a directory because people will always do it. Even if you put controls into place in order to stop them, they will find ways around it so that they can do stupid things. It's life. *smile* So, unless Google prohibits you from doing these types of searches (doubtful, and almost impossible to do), then you can always play the "Let’s see what stupid stuff we can find with Google" trick. Which, by the way, had existed long before Google; remember doing this with Lycos web crawler and good ol' Altavista, back in the day?
Thanks Caleb, I am glad we agree on the importance of education; is SPI Dynamics involved in education on web security? And, if so, can you tell us a bit about that?
Education is always important and is something that SPI is heavily involved in. Ask anyone who has attended the presentations that we give; I go out of my way to ensure that every time someone attends an SPI presentation, they walk away learning something new. No product pitches from us. I know that if we help educate the people, that, of course, will educate the market, and then those same people will come back to us wanting to learn more and trust that if we are the experts, then we put that expertise into our products. A lot of companies don’t realize that. You will always see us at security conferences giving presentations - we speak at almost every one of them.
I’ve written a book and so many articles I can’t count, *smile* and our engineering group has actually done the same. Educating the market is a primary goal for us and we will always continue to do so.
Caleb, the security market continues to change, new threats evolve, what are the hottest trends right now in attacking web applications and what can we do to prevent them?
What advice do you have for someone in the security field to stay current on web app security? What is your favorite newsgroup, mailing list or other information source?
I’m a mailing list guy so these are what I read in terms of being the most fun:
- WASC (Web application security consortium): Web security focused with all the experts reading and posting. Really good activity.
- Full Disclosure: Always has the latest events and issues happening and is really quite amusing (keeps me entertained)
- Daily Dave: More serious and always has a good thread going. Most of the people on the list are experts in the field and they talk about good issues
- PenTest: Decent
- Secure Coding: Decent
Listen to your customers. The rest of the advice requires about 6 hours and some drinks. *smile*
We really want to thank you for your time and have one last question: can you tell us just a bit about yourself? What do you like to do when you are not in front of a computer?
Well, I’m an addicted poker player and play regularly online, and I hold a small weekly game at my place. I also enjoy riding my bike, a black '05 Yamaha R6; one of these days I’ll get that thing on the track. Just recently I have started hosting SPI dodgeball and basketball games, which are a ton of fun. There is nothing like getting smacked in the head with a dodgeball. *smile*