Interview hakin9 4/2007
Interview with Mr Caleb Sima

Caleb
Sima, Co-founder and CTO of S.P.I. Dynamics, Inc. is widely known in
the Internet security community for his expertise in penetration
testing and his ability to identify emerging security threats. He
worked for the elite X-Force R&D team at Internet Security
Systems, and as a security engineer for S1 Corporation.
hakin9 team: Mr Sima, could you
tell our readers how you feel as CTO and director of SPI Labs,
SPI Dynamics' R&D security team?
CS: This is a very broad and
open question which honestly is much better answered over some beers
and about 5-6 hours worth of time. :) Since we can't do that, though,
I will try to give you the shortest answer. I feel like it's
absolutely the best job you could ever have. In fact, I don't even
consider it to be my job; I consider it to be my lifestyle. At the
same time, though, it is one of the hardest things I have ever done
in my life. SPI started as just me wanting to share a tool that
automates web application hacking and over time it has grown to be
such a huge market that it amazes me. I am required to not only
direct and manage our company's technology and direction, but also
stay ahead in the security industry and not let my skills get dull
which is a tough job when you're so busy with the high level items. :)
So, how do I feel? I love it and cannot ask for any more. I work in a
great company that I helped to build with fantastic people and that
is what really matters.
h9: What kind of knowledge and
experience did you gain by working for the elite X-Force R&D team
at Internet Security Systems?
CS: I pretty much grew up at
ISS. I worked there when it was still a small company and worked with
the best of the best and in an environment like that it's hard NOT to
learn anything. I was young and was able to see a startup company
grow from small to successful and IPO. I was able to see how the
company worked and changed over those years. That experience was life
changing. The one thing that I loved about ISS is that they allowed
me to focus on the security research that I wanted to do. It really
allowed me to become an expert in my field.
h9: What encouraged you to found
SPI Dynamics?
CS: SPI Dynamics was founded in
February 2000 by me and a couple of other Internet security specialists
whose focus was on network penetration testing. Through our research
as skilled pen testers we realized that what was glaringly obvious was
the lack of security at the web application layer - the least secure and
most vulnerable entry point into a company's backend information
infrastructure. In fact, there was not a security product in the
market at the time that addressed the potentially destructive threats
targeting this specific area of the corporate infrastructure. The
traditional forms of Internet security such as firewalls and
intrusion detection systems (IDS) did not, and still do not, stop
such attacks because hackers using the web application layer are not
seen as intruders.
h9: Did you expect such
success when you were at the beginning of your IT security career?
CS: Not at all. I just loved
doing security; that was what started my career to begin with. Never
did I even have in mind that I would start a successful security
company and create a new market. All I ever wanted was to research
and code. Leave me in a room with pizza, music and Redbull and I was
a happy person.
h9: What sort of services does your
company offer? Could you give a short overview?
CS: SPI Dynamics' comprehensive
suite of products and services identifies and remediates web application
and web services security vulnerabilities throughout the application
development lifecycle. Our award-winning solutions also enable
security professionals, QA testers, and developers to work together
to verify compliance with 22 security policies such as SOX, HIPAA and
PCI.
Our product offerings include:
WebInspect(tm)
WebInspect is the first and only web
application security assessment tool to be re-architected to
thoroughly analyze today's complex web applications built on emerging
Web 2.0 technologies. The new architecture delivers faster scanning
capabilities, broader assessment coverage, and the most accurate
results of any web application scanner available.
Assessment Management Platform (AMP)
AMP is a distributed scalable security
assessment platform enabling organizations to perform unlimited,
automated application security assessments while consolidating all
information into a real-time, high-level, dashboard view of an
enterprise's current risk posture and policy compliance. This
approach consolidates and summarizes all of the application security
scanning efforts across the organization so that you can easily
assess the security of your organization at the application layer.
DevInspect
DevInspect simplifies security for
developers by automatically finding and fixing application
vulnerabilities and enabling developers to build secure Web
applications and Web services quickly and easily, without impacting
schedules or requiring security expertise. DevInspect's unique Hybrid
Analysis(tm) approach - source code analysis combined with black-box
testing in a single cooperative process - reduces false positives and
finds more security defects than either approach alone.
QAInspect
QAInspect applies the most innovative
techniques to identify security defects from the hacker's
perspective. QAInspect reports on those vulnerabilities with detailed
security knowledge in a way that Quality Assurance professionals can
understand with a concise prioritized list of vulnerabilities and
thorough vulnerability descriptions. Analysis results yield detailed
information on the types of attacks possible, such as Cross-Site
Scripting (XSS) or SQL Injection.
SPI Dynamics' services offerings include:
WebInspect Direct(tm)
With WebInspect Direct, you can focus
on fixing the security vulnerabilities in your Web applications while
you eliminate the time and expense associated with installation,
hardware and software maintenance costs. Powered by SPI Dynamics'
AMP, WebInspect Direct brings you the most powerful assessment
solution available. By using WebInspect Direct, you get the benefits
of an enterprise solution without the complexities of an enterprise
deployment.
Managed Assessment and Penetration Testing Services
Offered as subscription and packaged
services, these let customers rely on SPI Labs security experts to conduct
comprehensive assessments of critical Web applications. Through an
established and proven methodology which combines market-leading
software with world-renowned expertise, SPI Labs will perform the
site assessment, analyze and verify results and prioritize
vulnerabilities. The resulting comprehensive reports provide
companies with the information needed to verify and resolve critical
issues. Detailed assessments include compliance reporting for more
than 20 laws, regulations and best practices including PCI, SOX and
HIPAA.
Implementation Services
SPI Dynamics' experts work with
customers to understand their environment and define their deployment
strategy, reducing the complexity often associated with distributed
enterprise implementations. SPI Dynamics experts work with customers
to design and execute an implementation strategy that will maximize
the customer's investment and optimize the Web application security
management processes.
Educational Services
SPI Dynamics' Educational Services
offer regularly scheduled, instructor-led hands-on product
certification training. These comprehensive and role specific
training programs are designed to facilitate effective and consistent
security knowledge transfer to all groups within the enterprise and
can be customized to meet each company's specific needs.
Consulting Services
Web application security services can
be customized to meet the unique needs of any organization, including
a range of services that go beyond assessment & auditing.
Comprehensive product and services offerings provide a unique
foundation on which we build our renowned security expertise.
h9: AMP seems to be a very
interesting and extremely useful tool. Could you explain to our readers
what exactly it is?
CS: SPI Dynamics' AMP
(Assessment Management Platform) is a distributed, scalable platform
used by information security professionals, CISOs, CIOs,
line-of-business managers, compliance officers, developers, and QA
professionals to assess and manage application security risk. The
latest version of AMP, version 3 announced in March 2007, includes a
web-based interface for multi-user lifecycle collaboration and
control of application security risk throughout the enterprise in a
consolidated global view.
h9: What do you think is the
main goal of creating the Phoenix architecture?
CS: SPI Dynamics dedicated a
team of researchers and developers to redesign our products to meet
the needs of the new dynamic web environment. Several years ago, we
foresaw the decreased effectiveness that traditional scanners would
face when trying to interpret dynamic Web 2.0 applications, and we
understood that a complete re-architecture was required. The new
architecture, named Phoenix, announced in January of this year has
become the foundation of all our products.
h9: You were one of the
co-authors of Hacking Exposed: Web Applications 2. This book has
educated millions of readers about hacking. Were you satisfied with
the results after its publication?
CS: I was to a degree, but the
one thing I hate about books is that they are always a year behind
and written with strict deadlines. There was so much more that I
wanted to put in the book that I could not. I have been told by many
people that it was the best one they have read, which is a great
feeling and an incredible personal accomplishment.
h9: In 2007, SPI Dynamics won
two awards: Best Security Software Development Solution and Silver in
Information Security Magazine's and SearchSecurity.com's 2007
Readers' Choice Awards. Which one was more important for you
and why?
CS: Both are very important to
us because they validate our success in creating robust,
industry-leading and award-winning solutions, and show our depth and
breadth with solutions that integrate security testing throughout the
software development lifecycle.
h9: Your company is very
innovative. Perhaps you could reveal a secret about your next project?
CS: Our continued focus is on
seamlessly integrating security throughout the development lifecycle
and creating technology that enhances the security of web
applications from the beginning of development.
h9: What do you think about the
current IT security situation in the world? What are the weakest and
strongest points? Do you have a particular vision of IT security in
the future?
CS: I think the biggest change
that will happen is that it will no longer be called IT security.
Security is expanding out of that organization to not just be in IT,
but to cover development and policies. We can't think of security any
longer as just being in the network space as it was in the 90's.
Today all the attacks are occurring at the web application layer and
every business is moving to the web.
Thank you very much for your answers, Mr
Sima.