Difference between revisions of "User:Dinis.cruz"

From OWASP
Jump to: navigation, search
(Working pages)
(CV)
 
(24 intermediate revisions by 4 users not shown)
Line 1: Line 1:
Hello, Welcome to my page where you can find more details about who I am and what I do at OWASP. You can contact me on dinis.cruz at owasp.net or dinis at ddplus.net
+
Hello, Welcome to my page where you can find more details about who I am and what I do at OWASP. You can contact me on dinis.cruz at owasp.org or dinis at ddplus.net
  
== Chief Owasp Evangelist ==
+
To see my wiki contributions, [[:Special:Contributions/Dinis.cruz|click here]].
  
After much internal debate I decided to agree with Jeff's idea for my official OWASP title: Chief OWASP Evangelist.
+
My most updated [http://uk.linkedin.com/in/diniscruz CV is at LinkedIn] and here is the [http://dl.dropbox.com/u/12988346/Personal/Dinis%20Cruz%20%28CV%20-%20October%202010%29.pdf PDF version]
 +
 +
== Current OWASP Involvement ==
  
I don't like the religious connotations of that title, but technology evangelism does have a somewhat different meaning, and looking at the other 'technical evangelists' out there (and in the past) I do feel that I am following the footsteps of giants :).
+
I am currently involved in a number of OWASP areas:
  
I would like to offer my services to you (OWASP member or OWASP user) as a point of contact for OWASP related activities. One of my main objectives is to maximize the potential of OWASP and its community, so anything that I can do to help, just let me know.
+
* leader of the [[OWASP O2 Platform]] project
 +
* published the [[Summit_2011/Open_letter_to_WebAppSec_Tool_and_Services_vendors:_Release_your_schemas_and_allow_automation | Open letter to WebAppSec Tool and Services vendors: Release your schemas and allow automation]]
  
A couple objectives for me:
+
== Past OWASP involvement ==
 +
* participant of the OWASP [[Global Projects Committee]]
 +
* chair of the [[OWASP Connections Committee]]
 +
* member of the [[About_The_Open_Web_Application_Security_Project#Global_Board_Members|OWASP Board]]
 +
* Organized the [[OWASP Summit 2011]] in Portugal
 +
* leader of the OWASP [[London]] chapter (2006/2007) - but have passed the leadership to Ivan from ModSecurity, who passed it to Justin.
 +
* leader of the OWASP .NET Project
 +
* main developer of a number of OWASP .NET tools
 +
* helped to organize the [[OWASP EU Summit 2008]] in Portugal
 +
* helped to organize the past OWASP Sponsorship programs:
 +
** [[OWASP Season of Code 2009]]
 +
** [[OWASP Summer of Code 2008]]
 +
** [[OWASP Spring Of Code 2007]]
 +
** [[OWASP Autumn Of Code 2006]]
  
* Promote OWASP to OWASP (the reality is that most of us have no idea of what projects there are at OWASP and what they have already created / delivered (see for example the list of current projects https://www.owasp.org/index.php/Category:OWASP_Project))
+
== Bio ==
* Promote collaboration and integration between OWASP projects (there are tons of potential synergies between OWASP projects out there)
+
* Promote OWASP to the world, and let them know the great stuff that we are doing
+
* Work with the OWASP chapters, so that what happens locally is exposed to the rest of us (I also would like to see collaboration between chapters, and the re-use of its  materials)
+
* Review the current OWASP tools and content and work with its creators to make it even better
+
* Follow the final stages of the "OWASP Autumn of Code"  sponsorships https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Selection and start working on the OWASP Spring of Code :)
+
* Increase OWASP membership numbers
+
  
So remember, I am here to help and if I don't respond to your email in a couple days, just keep resending it until you get an answer (my inbox sometimes behaves like a black hole:  "the email goes in and never returns" :) )
+
===Current version (circa Nov 2013)===
  
 +
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform and Security Innovation's TeamMentor (Dinis is the main developer and architect of both Applications).
  
== OWASP Chapters ==
+
Current day job is with Security Innovation where Dinis tries to promote openness, quality and sharing as part a core tenet of TeamMentor's application development environment.
  
I used to be the leader of the OWASP [[London]] chapter (2006/2007), but have passed the leadership to Ivan from ModSecurity. These days I spend my energy in organizing events like the [[OWASP Day]]
+
After many years (and multiple roles) Dinis is still very active at OWASP, currently leading the O2 Platform project and helping out other projects and initiatives.  
  
== Short CV ==
+
After failing to scale his own security knowledge, learned Git, created security vulnerabilities in code published to production servers, delivered training to developers, and building multiple CI (Continuous Integration) environments; Dinis had the epiphany that the key to application security is "Secure Continuous Delivery: Developer’s Immediate Connection to What They’re Creating". This 'Immediate Connection/Feedback' concept is deep rooted in the development of the O2 Platform/TeamMentor, and is something that will keep Dinis busy for many years.
  
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET Application Security, Active Directory deployments, Application Security audits and .NET Security Curriculum Development.
+
=== Old version (circa 2010) ===
 +
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.
  
Since the 1.1 release of the .Net Framework, Dinis has been one of the strongest proponents of the need to write .Net applications that can be executed in secure Partially Trusted .Net environments, and has done extensive research on: Rooting the CLR, exposing the dangers of Full Trust Asp.Net Code, Type Confusion vulnerabilities in Full Trust (i.e. non verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net Client applications.
+
For the past couple years Dinis has focused on the field of Static Source Code Analysis and Dynamic Website Assessments (aka penetration testing), and is the main developer of the [[OWASP O2 Platform]] which is an Open Source project that is focused on 'Automating Security Consultants Knowledge/Workflows' and 'Allowing non-security experts to access and consume Security Knowledge'. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between: the multiple WebAppSec tools, the Security consultants and the final users (from management to developers).
  
Dinis is the current [[http://www.owasp.org/index.php/Category:OWASP_.NET_Project Owasp .Net Project]] and [[http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006 OWASP Autumn of Code]] project's leader and the main developer of several of OWASP .Net tools ([[http://www.owasp.org/index.php/SAM%27SHE SAM'SHE]], [[http://www.owasp.org/index.php/ANBS ANBS]], [[http://www.owasp.org/index.php/Owasp_SiteGenerator SiteGenerator]], Owasp Report Generator, [[http://www.owasp.org/index.php/ASP.NET_Reflector Asp.Net Reflector]]).
+
Past industry experience include: running a small Software/Consultancy business, acting as CTO for a Portuguese University, being part of a Security Assessment team (Pentesting and Source Code Assessment) for a global Bank (ABN AMRO), taking the role of Directory of Advanced Technologies at Ounce Labs (acquired by IBM), performing Web Application security assessments on a large number of languages/technologies/frameworks and being a very active participant and enabler at OWASP.
  
Dinis is a active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG . His latest course is the two day training course [[http://www.blackhat.com/html/bh-usa-06/train-bh-us-06-io-net.html Advanced Asp.Net Exploits and Countermeasures], which was delivered at the Black Hat 2006 conference and will be presented on the fortcomming [[http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference OWASP AppSec Conference]] in Seattle.
+
Dinis is an active trainer on .Net security, having written and delivered courses for Ounce Labs, IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat). Dinis has also delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.  
  
 +
As a security researcher Dinis created a number of innovative tools and research documents, and has responsible disclosed a number of Critical vulnerabilities on Commercial Applications (for example Microsoft's Advisory [http://www.microsoft.com/technet/security/Bulletin/MS07-040.mspx MS07-040] on the .NET Framework, or the [http://www.springsource.com/security/spring-mvc Spring MVC Auto-Binding] issue)
  
== Presentations ==
+
At OWASP, Dinis is the leader of the [[OWASP O2 Platform]] project, member of the OWASP [[Global Projects Committee]], chair of the [[OWASP Connections Committee]] and member of the OWASP Board (and has been a key driven on a number of major OWASP Initiatives: OWASP Seasons of Code, OWASP Summit 2008 in Portugal, OWASP Community building and OWASP Chapter-lead Training)
  
* [http://video.google.com/url?docid=-4836024642453442602&esrc=sr2&ev=v&q=web%2Bg%C3%BCvenli%C4%9Fi&srcurl=http%3A%2F%2Fvideo.google.com%2Fvideoplay%3Fdocid%3D-4836024642453442602&vidurl=%2Fvideoplay%3Fdocid%3D-4836024642453442602%26q%3Dweb%2Bg%25C3%25BCvenli%25C4%259Fi%26total%3D6%26start%3D0%26num%3D10%26so%3D0%26type%3Dsearch%26plindex%3D1&usg=AL29H23PXBm-gR5WWSGCLqDWTg0siKQFXg Presentation in Turkey Chapter on 'Live Demo Of An Web Application Security Review (And Source Code Analysis)']
+
== Security vulnerability research==
* [http://video.google.com/url?docid=7782803854278645697&esrc=sr4&ev=v&q=web%2Bg%C3%BCvenli%C4%9Fi&srcurl=http%3A%2F%2Fvideo.google.com%2Fvideoplay%3Fdocid%3D7782803854278645697&vidurl=%2Fvideoplay%3Fdocid%3D7782803854278645697%26q%3Dweb%2Bg%25C3%25BCvenli%25C4%259Fi%26total%3D6%26start%3D0%26num%3D10%26so%3D0%26type%3Dsearch%26plindex%3D3&usg=AL29H23k8WMP3rS7_CGlpdnaVhBQk5UJ_A Presentation in Turkey Chapter on OWASP]
+
* [http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx Microsoft Security Bulletin MS07-040 - Critical]
 +
*  [http://www.springsource.com/security/spring-mvc Spring MVC Auto-Binding]
 +
== Interviews & Media quotes ==
 +
 
 +
* [http://reddevnews.com/blogs/weblog.aspx?blog=1473  Asked and Answered: More Secure .NET Development], Redmond Developer News, 24/Oct/07
 +
* [http://www.darkreading.com/document.asp?doc_id=135797&WT.svl=news1_1 OWASP Preps Framework for Website Security Certification], Dark Reading, 08/Oct/07
 +
* [http://www.ddj.com/security/202300130 Security, .NET, and the OWASP Project] , Dr.Dobb's Portal , 05/Oct/07
 +
* [http://www.sans.edu/resources/securitylab/dinis_cruz.php Security Laboratory: Thought Leaders in Software Security Series], SANS, 11/Jun/07
 +
* [http://myappsecurity.blogspot.com/2007/07/reflection-on-dinis-cruz.html Reflection on Dinis Cruz], Anurag Agarwal Blog, 02/Jul/07
 +
 
 +
== Videos ==
 +
 
 +
* [http://www.youtube.com/watch?v=nHHDXMcrYgs The Value of Code Scanning], SANS,  24/Aug/07
 +
* [http://video.google.com/videoplay?docid=-4836024642453442602 'Live Demo Of An Web Application Security Review (And Source Code Analysis)'] , OWASP Turkey Chapter, 31/Jul/07
 +
* [http://video.google.com/videoplay?docid=7782803854278645697| On OWASP] , OWASP Turkey Chapter, 31/Jul/07
 +
* [http://video.google.co.uk/videoplay?docid=941077664562737284 Dinis Cruz @ BlackHat 2006 with FSTV], 30/Aug/06
  
 
== Working pages ==
 
== Working pages ==
Line 49: Line 77:
 
* [[Members Comments On OWASP membership]]
 
* [[Members Comments On OWASP membership]]
 
* [[Dinis Cruz Research - Draft Notes]]
 
* [[Dinis Cruz Research - Draft Notes]]
 +
* [[OWASP_Spring_Of_Code_2007]]
 +
* [[OWASP_Winter_Of_Code_2008]]

Latest revision as of 06:30, 6 November 2013

Hello, Welcome to my page where you can find more details about who I am and what I do at OWASP. You can contact me on dinis.cruz at owasp.org or dinis at ddplus.net

To see my wiki contributions, click here.

My most updated CV is at LinkedIn and here is the PDF version

Contents

Current OWASP Involvement

I am currently involved in a number of OWASP areas:

Past OWASP involvement

Bio

Current version (circa Nov 2013)

Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform and Security Innovation's TeamMentor (Dinis is the main developer and architect of both Applications).

Current day job is with Security Innovation where Dinis tries to promote openness, quality and sharing as part a core tenet of TeamMentor's application development environment.

After many years (and multiple roles) Dinis is still very active at OWASP, currently leading the O2 Platform project and helping out other projects and initiatives.

After failing to scale his own security knowledge, learned Git, created security vulnerabilities in code published to production servers, delivered training to developers, and building multiple CI (Continuous Integration) environments; Dinis had the epiphany that the key to application security is "Secure Continuous Delivery: Developer’s Immediate Connection to What They’re Creating". This 'Immediate Connection/Feedback' concept is deep rooted in the development of the O2 Platform/TeamMentor, and is something that will keep Dinis busy for many years.

Old version (circa 2010)

Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.

For the past couple years Dinis has focused on the field of Static Source Code Analysis and Dynamic Website Assessments (aka penetration testing), and is the main developer of the OWASP O2 Platform which is an Open Source project that is focused on 'Automating Security Consultants Knowledge/Workflows' and 'Allowing non-security experts to access and consume Security Knowledge'. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between: the multiple WebAppSec tools, the Security consultants and the final users (from management to developers).

Past industry experience include: running a small Software/Consultancy business, acting as CTO for a Portuguese University, being part of a Security Assessment team (Pentesting and Source Code Assessment) for a global Bank (ABN AMRO), taking the role of Directory of Advanced Technologies at Ounce Labs (acquired by IBM), performing Web Application security assessments on a large number of languages/technologies/frameworks and being a very active participant and enabler at OWASP.

Dinis is an active trainer on .Net security, having written and delivered courses for Ounce Labs, IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat). Dinis has also delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.

As a security researcher Dinis created a number of innovative tools and research documents, and has responsible disclosed a number of Critical vulnerabilities on Commercial Applications (for example Microsoft's Advisory MS07-040 on the .NET Framework, or the Spring MVC Auto-Binding issue)

At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP Board (and has been a key driven on a number of major OWASP Initiatives: OWASP Seasons of Code, OWASP Summit 2008 in Portugal, OWASP Community building and OWASP Chapter-lead Training)

Security vulnerability research

Interviews & Media quotes

Videos

Working pages

This is more a reference for me (Dinis) but feel free to look around