ABOUT

BIO

Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec (Serverless Security). Prior to PureSec, Ory was Senior Director of threat research at Akamai, where he led a team of web security and big data researchers, responsible for developing algorithms for Akamai's Kona cloud security product line. In this role, Ory research and published articles about web security, bot management, client reputation and device fingerprinting. Prior to Akamai, Ory worked at IBM as the security products architect and product manager for the market leading application security solution IBM Security AppScan (previously Watchfire/Sanctum AppScan), a product which Ory developed and contributed to since the year 2000. Ory authored 20 patents in the field of application security, static analysis, dynamic analysis, threat reputation and systems. He is currently serving as an officer of the Web Application Security Consortium (WASC), he was a member of the W3C WebAppSec working group, and was an OWASP Israel board member. Ory is a regular conference presenter and presented in conferences such as: Blackhat, RSA, OWASP AppSec, CyberTech, ServerlessDays, CodeBlue and Gartner Security Summit.

Contact

LinkedIn

Twitter

Email

Community / Industry Contributions & Participation

• WASC OWASP Web Application Firewall Evaluation Criteria Project
• OWASP AppSec NYC: Big Data Intelligence https://www.youtube.com/watch?v=afMvndBEv-I
• CWE/SANS Top 25: https://www.sans.org/top25-software-errors
• WASC Static Analysis Evaluation Criteria: http://projects.webappsec.org/w/page/66094278/Static%20Analysis%20Technologies%20Evaluation%20Criteria
• WASC Threat Classification (TC): http://projects.webappsec.org/w/page/13246978/Threat%20Classification
• WASC Web Application Security Scanner Evaluation Criteria: http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria
• NIST SAMATE - Software Assurance Metrics And Tool Evaluation: https://samate.nist.gov/Main_Page.html
• W3C Web Application Security Working Group: https://www.w3.org/2000/09/dbwg/details?group=49309&public=1&order=org
• The Ten Most Critical Risks for Serverless Applications v1.0: https://github.com/puresec/sas-top-10

Experience

2017 - Present: CTO & co-founder at PureSec (Serverless Security)

2012 - 2017: Sr. Director, Threat Research at Akamai

2007 - 2012: Security Products Architect (AppScan) at IBM

2005 - 2007: Director of Security Research at Watchfire (acquired by IBM)

2000 - 2005: Senior Security Researcher at Sanctum inc (acquired by Watchfire)

1997 - 2000: Penetration Testing Team Leader at Avnet Cyber Security

Notable Publications

• Apache OpenWhisk Serverless 'Action' Mutability Weakness (advisory / whitepaper)
• Serverless Crypto-Mining (whitepaper)
• HTTP/2.0 Passive Client Fingerprinting (whitepaper)
• SSHowDowN: Exploitation of IoT Devices for Launching Mass-Scale Attack Campaigns (whitepaper)
• HQL Statement Tampering (advisory / whitepaper)
• JavaScript Code Flow Manipulation (blog/advisory)
• Close Encounters of the Third Kind: A Look at the Prevalence of Client-Side JavaScript Vulnerabilities (whitepaper)
• Client-Side JavaScript Vulnerabilities (presentation)
• Vulnerability in Apache for Win32 batch file processing (Remote Command Execution, advisory)
• Multiple XSS vulnerabilities in Microsoft SharePoint Portal Server (advisory)
• IIS 5.x/6.0 WebDAV (XML parser) attribute blowup DoS (with Amit Klein)
• Multiple vendors web server source code disclosure (8.3 name format vulnerability - Take II) (with Amit Klein)