Hello, Welcome to my page where you can find more details about who I am and what I do at OWASP. You can contact me on dinis.cruz at owasp.org or dinis at ddplus.net
To see my wiki contributions, click here.
Current OWASP Involvement
I am currently involved in a number of OWASP areas:
- leader of the OWASP O2 Platform project
- published the Open letter to WebAppSec Tool and Services vendors: Release your schemas and allow automation
Past OWASP involvement
- participant of the OWASP Global Projects Committee
- chair of the OWASP Connections Committee
- member of the OWASP Board
- Organized the OWASP Summit 2011 in Portugal
- leader of the OWASP London chapter (2006/2007) - but have passed the leadership to Ivan from ModSecurity, who passed it to Justin.
- leader of the OWASP .NET Project
- main developer of a number of OWASP .NET tools
- helped to organize the OWASP EU Summit 2008 in Portugal
- helped to organize the past OWASP Sponsorship programs:
Current version (2016)
Dinis Cruz is focused on creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions).
His focus is in the alignment of the business’s risk appetite with the reality created by the Applications developed by internal or outsourced development teams
Assurance and Testing are at the epicentre of his Application Security activities:
- Threat Modeling (security architecture, design review, asset discovery, attack surface mapping, authorisation/authentication visualisation),
- Application Security assessments (aka code-driven pen-tests)
- Static/dynamic code analysis tools customisation, deployment and use
- Developer Education
- Secure coding standards and best practices
- RISK management workflows (aka custom JIRA issue workflows)
- Finding sweet spots where security activities are aligned with development/business needs (for example: DevOps, stand-alone QA environments, application visualisation, performance/resilience)
- Creating and nurturing a network of Security Champions (across all teams), to allow the scaling and sharing of Application Security knowledge
- Managing Application Security services provided to the business (staffed in-house of via 3rd party consultancies)
- Increasing existing logging and visualisation solutions in order to monitor, report and react to security incidents
With professional development experience (.NET, Java, NodeJS) and management experience, Dinis is able to move from highly technical threads with developers, to design reviews with architects, all the way to business strategy sessions with senior C-Level executives.
Old version (Nov 2013)
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform and Security Innovation's TeamMentor (Dinis is the main developer and architect of both Applications).
Current day job is with Security Innovation where Dinis tries to promote openness, quality and sharing as part a core tenet of TeamMentor's application development environment.
After many years (and multiple roles) Dinis is still very active at OWASP, currently leading the O2 Platform project and helping out other projects and initiatives.
After failing to scale his own security knowledge, learned Git, created security vulnerabilities in code published to production servers, delivered training to developers, and building multiple CI (Continuous Integration) environments; Dinis had the epiphany that the key to application security is "Secure Continuous Delivery: Developer’s Immediate Connection to What They’re Creating". This 'Immediate Connection/Feedback' concept is deep rooted in the development of the O2 Platform/TeamMentor, and is something that will keep Dinis busy for many years.
Old version (circa 2010)
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.
For the past couple years Dinis has focused on the field of Static Source Code Analysis and Dynamic Website Assessments (aka penetration testing), and is the main developer of the OWASP O2 Platform which is an Open Source project that is focused on 'Automating Security Consultants Knowledge/Workflows' and 'Allowing non-security experts to access and consume Security Knowledge'. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between: the multiple WebAppSec tools, the Security consultants and the final users (from management to developers).
Past industry experience include: running a small Software/Consultancy business, acting as CTO for a Portuguese University, being part of a Security Assessment team (Pentesting and Source Code Assessment) for a global Bank (ABN AMRO), taking the role of Directory of Advanced Technologies at Ounce Labs (acquired by IBM), performing Web Application security assessments on a large number of languages/technologies/frameworks and being a very active participant and enabler at OWASP.
Dinis is an active trainer on .Net security, having written and delivered courses for Ounce Labs, IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat). Dinis has also delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.
As a security researcher Dinis created a number of innovative tools and research documents, and has responsible disclosed a number of Critical vulnerabilities on Commercial Applications (for example Microsoft's Advisory MS07-040 on the .NET Framework, or the Spring MVC Auto-Binding issue)
At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP Board (and has been a key driven on a number of major OWASP Initiatives: OWASP Seasons of Code, OWASP Summit 2008 in Portugal, OWASP Community building and OWASP Chapter-lead Training)
Security vulnerability research
Interviews & Media quotes
- Asked and Answered: More Secure .NET Development, Redmond Developer News, 24/Oct/07
- OWASP Preps Framework for Website Security Certification, Dark Reading, 08/Oct/07
- Security, .NET, and the OWASP Project , Dr.Dobb's Portal , 05/Oct/07
- Security Laboratory: Thought Leaders in Software Security Series, SANS, 11/Jun/07
- Reflection on Dinis Cruz, Anurag Agarwal Blog, 02/Jul/07
- The Value of Code Scanning, SANS, 24/Aug/07
- 'Live Demo Of An Web Application Security Review (And Source Code Analysis)' , OWASP Turkey Chapter, 31/Jul/07
- On OWASP , OWASP Turkey Chapter, 31/Jul/07
- Dinis Cruz @ BlackHat 2006 with FSTV, 30/Aug/06
This is more a reference for me (Dinis) but feel free to look around