Introduction to Dennis Groves

Dennis Groves here.....

Hello, my name is Dennis Groves and I am a Program Manager in the CISG (Connected Information Security Group) at Microsoft.

Before joining Microsoft I was a Security Consultant with IBM Security and Privacy Services. At IBM my roles was an IT Security Architect and Consultant in assessing and developing secure solutions addressing the security and privacy concerns of clients, both internal and external to IBM. I further specialized in Service Oriented Architectures (SOA); Identity Management and integrating security into infrastructure and application design. While there I contributed to an IBM Redbook on Security and Service Oriented Architectures.

I discovered web application security back in 1999 when I was hired by a company known as Perfecto Technologies, at the time we were working on the worlds first web application firewall; AppShield (obviously we couldn't sell them...) where I had the fortunate opportunity to go overseas for the first time and live in Israel, (I have also lived in Mexico, Thailand, the USA and I currently reside in England) and work on their second product "Appscan" that was eventually sold to IBM for a small fortune. After leaving Perfecto/Sanctum; I started OWASP with Mark Curphey. One of my early contributions to OWASP include the "OWASP Guide" downloaded over 2 million times; now a reference document in the PCI DSS standard, and the de-facto standard for securing web applications.

I have played a number of roles oven the years including:

  • Ethical Hacker
  • Web Application Security Consultant
  • IT Security Consultant
  • System Administrator
  • Network Administrator
  • Software Engineer

I was destined to be a Security professional, ever since I was young boy my father was constantly telling me if I would spend half my time doing what I was supposed to instead of gaming the system I could go twice as far.

Bibliophile

I am an autodidact with a ravenous appetite for knowledge and books. My love of books is matched only by my love of exercise; but I will save that for another post. I just completed reading "Little Brother" last night, it is a modern retelling of George Orwell's "1984" set in San Francisco, and although its target demographic is adolescence; and thus an easy read; it is a rare book about our occupation and the main character is definitely a security thinker. Some of the other books I have recently read are Brain RulesLiving the 80/20 way, &  Do It Tomorrow. I am planning on completing Keeping Found Things Found next and then reading Making things happen, mastering project management. I am also keen to read Motion Mountain.

However, every once in a while a book comes a long that really stays with you. For me it is the The Medici Effect. The Medici Effect describes exactly how to reproduce the creativity that leads to world-changing insights. Not surprisingly one of the important mechanisms is diversity, we have long known that diversity strengthens species through evolution; this is after the cornerstone of Darwin's Theory. And in fact Dan Geer wrote a great article looking at what evolution tells us about managing risk. Diversity is what allows you to take fresh perspective to difficult problems and solve them in unexpected was. This is but one of the eight keys to locating the intersection where creativity happens.

Another book I read recently about Marketing is "The Pirate's Dilemma". This is a fantastic book about what happens when you don't give customers what they want and how to spot market opportunities that your customers are dying for. A marketing opportunity exists when customers start creating solutions for themselves.

Anti-XSS

"Secure web servers are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights, and there are no police." -- Gene Spafford

Back in 2002 I spoke at BlackHat about Cross Site Scripting (XSS). So interestingly enough, you could say my career is coming full circle. Here at Microsoft my role is program manager for the Anti-XSS library. This is a server side library that filters http data according to a whitelist sanitizing the output; so that cross site scripting attacks are not possible. This library was written around the time of Samy. Samy was a wake up call; like the Morris Worm of the two decades prior. Two years later in 1988 the first packet filters were arrived and the 'firewall' industry was born. Interestingly enough I used to write packet filters back then for companies around the Puget Sound. Interestingly the litmus test of security as set forth by Stephen Northcutt; is the recognition of the Morris worm; not a single firewall product; nor network device and even most Humans would be able to recognize or mitigate the risks of this attack today! Indeed, the mechanisms were different, but Samy demonstrated that little has changed in terms of security; in fact Samy marched right on through the firewalls unnoticed as predicted by Northcutt. Ken Thompson; wrote papers about IT security in 1984 - “Reflections on Trusting Trust“; in it he identified the problem of "Data Validation" the cause of both of the above worms and most Dancing Pigs.

Anti-XSS remains the leading solution to solving cross-site scripting in .NET applications. I am excited because I am working alongside some of the most amazing people I have ever had the fortune to work with, and we are working on a very difficult historical problem that has been lingering around for at least 24 years, and I have been chartered with updating the library - and let me tell you we have some very exciting stuff up our sleeves - so watch this blog.

With some hard work; cross site scripting will become a footnote in the history books, instead of a continuation of a theme.

Comments