This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Latest revision as of 18:10, 13 September 2018
ABOUT
BIO
Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec (Serverless Security). Prior to PureSec, Ory was Senior Director of Threat Research at Akamai, where he led a team of web security and big data researchers responsible for developing algorithms for Akamai's Kona cloud security product line. In this role, Ory researched and published articles about web security, bot management, client reputation and device fingerprinting. Prior to Akamai, Ory worked at IBM as the security products architect and product manager for the market-leading application security solution IBM Security AppScan (previously Watchfire/Sanctum AppScan), a product which Ory developed and contributed to since the year 2000. Ory authored 20 patents in the field of application security, static analysis, dynamic analysis, threat reputation and systems. He is currently serving as an officer of the Web Application Security Consortium (WASC); he was a member of the W3C WebAppSec working group and was an OWASP Israel board member. Ory is a regular conference presenter and has presented at conferences such as Black Hat, RSA, OWASP AppSec, CyberTech, ServerlessDays, CODE BLUE and the Gartner Security Summit.
Contact
- LinkedIn: https://www.linkedin.com/in/orysegal/
- Twitter: https://twitter.com/orysegal
- Email: orysegal [ at ] gmail.com
Community / Industry Contributions & Participation
- WASC OWASP Web Application Firewall Evaluation Criteria Project
- OWASP AppSec NYC: Big Data Intelligence https://www.youtube.com/watch?v=afMvndBEv-I
- CWE/SANS Top 25: https://www.sans.org/top25-software-errors
- WASC Static Analysis Evaluation Criteria: http://projects.webappsec.org/w/page/66094278/Static%20Analysis%20Technologies%20Evaluation%20Criteria
- WASC Threat Classification (TC): http://projects.webappsec.org/w/page/13246978/Threat%20Classification
- WASC Web Application Security Scanner Evaluation Criteria: http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria
- NIST SAMATE - Software Assurance Metrics And Tool Evaluation: https://samate.nist.gov/Main_Page.html
- W3C Web Application Security Working Group: https://www.w3.org/2000/09/dbwg/details?group=49309&public=1&order=org
- The Ten Most Critical Risks for Serverless Applications v1.0: https://github.com/puresec/sas-top-10
Experience
2017 - Present: CTO & co-founder at PureSec (Serverless Security)
2012 - 2017: Sr. Director, Threat Research at Akamai
2007 - 2012: Security Products Architect (AppScan) at IBM
2005 - 2007: Director of Security Research at Watchfire (acquired by IBM)
2000 - 2005: Senior Security Researcher at Sanctum Inc. (acquired by Watchfire)
1997 - 2000: Penetration Testing Team Leader at Avnet Cyber Security
Notable Publications
- Apache OpenWhisk Serverless 'Action' Mutability Weakness (advisory / whitepaper): https://www.puresec.io/hubfs/Apache%20OpenWhisk%20PureSec%20Security%20Advisory.pdf
- Serverless Crypto-Mining (whitepaper): https://www.puresec.io/hubfs/New%20Attack%20Vector_%20Serverless%20Crypto-Mining.pdf
- HTTP/2.0 Passive Client Fingerprinting (whitepaper): https://www.akamai.com/us/en/multimedia/documents/white-paper/passive-fingerprinting-of-http2-clients-white-paper.pdf
- SSHowDowN: Exploitation of IoT Devices for Launching Mass-Scale Attack Campaigns (whitepaper): https://www.akamai.com/jp/ja/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf
- HQL Statement Tampering (advisory / whitepaper): https://blogs.akamai.com/2014/02/hql-statement-tampering.html
- JavaScript Code Flow Manipulation (blog / advisory): http://blog.watchfire.com/wfblog/2008/06/javascript-code.html
- Close Encounters of the Third Kind: A Look at the Prevalence of Client-Side JavaScript Vulnerabilities (whitepaper): https://www.slideshare.net/ibmrational/a-look-at-the-prevalence-of-clientside-javascript-vulnerabilities-in-web-applications
- Client-Side JavaScript Vulnerabilities (presentation): https://www.slideshare.net/orysegal/clientside-javascript-vulnerabilities
- Vulnerability in Apache for Win32 batch file processing (remote command execution, advisory): https://packetstormsecurity.com/files/25903/Apache.Win32.txt.html
- Multiple XSS vulnerabilities in Microsoft SharePoint Portal Server (advisory): https://packetstormsecurity.com/files/33006/msSharePointXSS.txt.html
- IIS 5.x/6.0 WebDAV (XML parser) attribute blowup DoS (with Amit Klein): https://packetstormsecurity.com/files/34646/iis5x60.txt.html
- Multiple vendors web server source code disclosure (8.3 name format vulnerability - Take II) (with Amit Klein): https://seclists.org/vuln-dev/2002/May/346