Interview hakin9 4/2007

Interview with Mr Caleb Sima


Mr Caleb Sima

Caleb Sima, Co-founder and CTO of S.P.I. Dynamics, Inc., is widely known in the Internet security community for his expertise in penetration testing and his ability to identify emerging security threats. He worked for the elite X-Force R&D team at Internet Security Systems, and as a security engineer for S1 Corporation.

hakin9 team: Mr Sima, could you tell our readers how you feel as a CTO and director of SPI Labs, SPI Dynamics' R&D security team?

CS: This is a very broad and open question which honestly is much better answered over some beers and about 5-6 hours' worth of time. Since we can't do that, though, I will try to give you the shortest answer. I feel like it's absolutely the best job you could ever have. In fact, I don't even consider it to be my job; I consider it to be my lifestyle. At the same time, though, it is one of the hardest things I have ever done in my life. SPI started as just me wanting to share a tool that automates web application hacking, and over time it has grown to be such a huge market that it amazes me. I am required to not only direct and manage our company's technology and direction, but also stay ahead in the security industry and not let my skills get dull, which is a tough job when you're so busy with the high-level items. So, how do I feel? I love it and cannot ask for any more. I work in a great company that I helped to build with fantastic people, and that is what really matters.

h9: What kind of knowledge and experience did you gain by working for the elite X-Force R&D team at Internet Security Systems?

CS: I pretty much grew up at ISS. I worked there when it was still a small company and worked with the best of the best, and in an environment like that it's hard NOT to learn anything. I was young and was able to see a startup company grow from small to successful and IPO. I was able to see how the company worked and changed over those years. That experience was life changing. The one thing that I loved about ISS is that they allowed me to focus on the security research that I wanted to do. It really allowed me to become an expert in my field.

h9: What encouraged you to found SPI Dynamics?

CS: SPI Dynamics was founded in February 2000 by me and a couple of other Internet security specialists whose focus was on network penetration testing. Through our research as skilled pen testers we realized what was glaringly obvious: the lack of security at the web application layer, the least secure and most vulnerable entry point into a company's backend information infrastructure. In fact, there was not a security product in the market at the time that addressed the potentially destructive threats targeting this specific area of the corporate infrastructure. The traditional forms of Internet security such as firewalls and intrusion detection systems (IDS) did not, and still do not, stop such attacks because hackers using the web application layer are not seen as intruders.

h9: Did you expect such a success when you were at the beginning of your IT security career?

CS: Not at all. I just loved doing security; that was what started my career to begin with. Never did I even have in mind that I would start a successful security company and create a new market. All I ever wanted was to research and code. Leave me in a room with pizza, music and Redbull and I was a happy person.

h9: What sort of services does your company offer? Can you give a short overview?

CS: SPI Dynamics' comprehensive suite of products and services identifies and remediates web application and web services security vulnerabilities throughout the application development lifecycle. Our award-winning solutions also enable security professionals, QA testers, and developers to work together to verify compliance with 22 security policies such as SOX, HIPAA and PCI.

Our product offerings include:

WebInspect(tm)

WebInspect is the first and only web application security assessment tool to be re-architected to thoroughly analyze today's complex web applications built on emerging Web 2.0 technologies. The new architecture delivers faster scanning capabilities, broader assessment coverage, and the most accurate results of any web application scanner available.

Assessment Management Platform (AMP)

AMP is a distributed scalable security assessment platform enabling organizations to perform unlimited, automated application security assessments while consolidating all information into a real-time, high-level, dashboard view of an enterprise's current risk posture and policy compliance. This approach consolidates and summarizes all of the application security scanning efforts across the organization so that you can easily assess the security of your organization at the application layer.

DevInspect

DevInspect simplifies security for developers by automatically finding and fixing application vulnerabilities and enabling developers to build secure Web applications and Web services quickly and easily, without impacting schedules or requiring security expertise. DevInspect's unique Hybrid Analysis(tm) approach, source code analysis combined with black-box testing in a single cooperative process, reduces false positives and finds more security defects than either approach alone.

QAInspect

QAInspect applies the most innovative techniques to identify security defects from the hacker's perspective. QAInspect reports on those vulnerabilities with detailed security knowledge in a way that Quality Assurance professionals can understand with a concise prioritized list of vulnerabilities and thorough vulnerability descriptions. Analysis results yield detailed information on the types of attacks possible, such as Cross-Site Scripting (XSS) or SQL Injection.

SPI Dynamics' services offerings include:

WebInspect Direct(tm)

With WebInspect Direct, you can focus on fixing the security vulnerabilities in your Web applications while you eliminate the time and expense associated with installation, hardware and software maintenance costs. Powered by SPI Dynamics' AMP, WebInspect Direct brings you the most powerful assessment solution available. By using WebInspect Direct, you get the benefits of an enterprise solution without the complexities of an enterprise deployment.

Managed Assessment and Penetration Testing Services

Offered as subscription and packaged services, customers can rely on SPI Labs security experts to conduct comprehensive assessments of critical Web applications. Through an established and proven methodology which combines market-leading software with world-renowned expertise, SPI Labs will perform the site assessment, analyze and verify results and prioritize vulnerabilities. The resulting comprehensive reports provide companies with the information needed to verify and resolve critical issues. Detailed assessments include compliance reporting for more than 20 laws, regulations and best practices including PCI, SOX and HIPAA.

Implementation Services

SPI Dynamics' experts work with customers to understand their environment and define their deployment strategy, reducing the complexity often associated with distributed enterprise implementations. SPI Dynamics experts work with customers to design and execute an implementation strategy that will maximize the customer's investment and optimize the Web application security management processes.

Educational Services

SPI Dynamics' Educational Services offer regularly scheduled, instructor-led hands-on product certification training. These comprehensive and role specific training programs are designed to facilitate effective and consistent security knowledge transfer to all groups within the enterprise and can be customized to meet each company's specific needs.

Consulting Services

Web application security services can be customized to meet the unique needs of any organization, including a range of services that go beyond assessment & auditing. Comprehensive product and services offerings provide a unique foundation on which we build our renowned security expertise.

h9: AMP seems to be a very interesting and extremely useful tool. Could you explain to our readers what exactly it is?

CS: SPI Dynamics' AMP (Assessment Management Platform) is a distributed, scalable platform used by information security professionals, CISOs, CIOs, line-of-business managers, compliance officers, developers, and QA professionals to assess and manage application security risk. The latest version of AMP, version 3, announced in March 2007, includes a web-based interface for multi-user lifecycle collaboration and control of application security risk throughout the enterprise in a consolidated global view.

h9: What do you think is the main goal of creating the Phoenix architecture?

CS: SPI Dynamics dedicated a team of researchers and developers to redesign our products to meet the needs of the new dynamic web environment. Several years ago, we foresaw the decreased effectiveness that traditional scanners would face when trying to interpret dynamic Web 2.0 applications, and we understood that a complete re-architecture was required. The new architecture, named Phoenix and announced in January of this year, has become the foundation of all our products.

h9: You were one of the co-authors of Hacking Exposed: Web Applications 2. This book has educated millions of readers about hacking. Were you satisfied with the results after its publication?

CS: I was to a degree, but the one thing I hate about books is that they are always a year behind and written with strict deadlines. There was so much more that I wanted to put in the book that I could not. I have been told by many people that it was the best one they have read, which is a great feeling and an incredible personal accomplishment.

h9: In 2007, SPI Dynamics won two awards: Best Security Software Development Solution and Silver in Information Security Magazine's and SearchSecurity.com's 2007 Readers' Choice Awards. Which one was more important for you and why?

CS: Both are very important to us because they validate our success in creating robust, industry-leading and award-winning solutions, and show our depth and breadth with solutions that integrate security testing throughout the software development lifecycle.

h9: Your company is very innovative. Maybe you could reveal a secret of your next project?

CS: Our continued focus is on seamlessly integrating security throughout the development lifecycle and creating technology that enhances the security of web applications from the beginning of development.

h9: What do you think about the current IT security situation in the world? What are the weakest and strongest points? Do you have a particular vision of IT security in the future?

CS: I think the biggest change that will happen is that it will no longer be called IT security. Security is expanding out of that organization to not just be in IT, but to cover development and policies. We can't think of security any longer as just being in the network space as it was in the '90s. Today all the attacks are occurring at the web application, and every business is moving to the web.

Thank you very much for answering, Mr Sima.