Application Security

7/12/2018 05:30 PM

What's Cooking With Caleb Sima

Security Pro File: Web app security pioneer dishes on his teenage security career, his love of electric scooters, Ace Ventura - and a new baby food business venture with his wife and famed chef, Kathy Fang.

A garbled pager message was how Caleb Sima learned that he had landed his first interview for a security position. It was the mid-'90s, before online job sites – when job boards were all the rage and pagers, not iPhones, served as personal mobile communicators.

Sima, then a teenager, had spotted a job opening for a security engineer at a company called SecurityFirst in Atlanta. "It was super-unusual. Nobody had positions called 'security'" then, he recalls. Sima's pager had broken, so the callback number didn't display fully on the device. As a result, he had to painstakingly dig through his call logs to find the phone number to respond and set up the interview.

He got the job, where his main responsibility was firewall management for the company's data center. It was there he got his hands on the intrusion detection system (IDS) tool RealSecure by Internet Security Systems (ISS). "I was constantly finding ways to bypass it. I was on the phone with ISS all the time with their engineering team," he recalls.

ISS (now part of IBM) eventually hired Sima, where his first position was on the quality assurance team. A few months later, he was recruited to ISS's elite X-Force white-hat hacking team. Of note, he was only 17 years old. Sima, who had dropped out of high school during the Internet boom, says ISS became his real-world school. "There were guys sitting in a room reverse-engineering software, and I was writing code for signatures, finding exploits, and all of the rest of that stuff," he says.

This was where the renowned pioneer of Web application security first started finding security holes in Web applications. Web pen testing wasn't really a thing yet in the mid- to late-'90s, so Sima and his colleagues were charting new territory.

"I started finding SQL injection before they called it [that]," Sima says.

Photo: Caleb Sima

In one of his first pen-test engagements, he was able to gain admin access to the Web server – with less than a day of hacking. "There was a login form only, nothing else, so that was the only thing I could target," Sima recalls.

But he hit the mother lode after noticing the Web page source included a thread of comments between the Web admin and developer that showed the admin page information. "I was like, 'Holy crap, who puts that stuff in Web pages?" he recalls. So he got admin access and uploaded his own scripts to the server.
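The disclosure described above, a developer note left in the served HTML that names an admin page, is easy to check for mechanically. The following is an added example written for this page; it is not code from the article, from Sima, or from SPI Dynamics/WebInspect. It pulls every HTML comment out of a page with the standard-library parser and flags the ones that mention an internal path or a credential-related word. The sample login page, the keyword list and the `find_leaky_comments` function name are all constructed for the example.

```python
"""Added example (not from the article or any SPI Dynamics/WebInspect code):
extract every <!-- ... --> comment from a page and flag those that look like
the developer-to-admin notes described above, i.e. comments naming internal
paths or credentials. The sample page below is constructed for this example."""
from html.parser import HTMLParser
import re

# Words that, inside a comment, usually mean something was left behind by a developer.
KEYWORDS = re.compile(
    r"\b(admin|password|passwd|secret|token|api[_-]?key|todo|fixme|debug)\b",
    re.IGNORECASE,
)
# Absolute URL paths such as /manage/admin.asp mentioned inside a comment.
PATHS = re.compile(r"/[A-Za-z0-9_./-]+")


class CommentExtractor(HTMLParser):
    """Collects the text of every HTML comment, including multi-line ones."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    """Return the stripped body of every comment in the page, in document order."""
    parser = CommentExtractor()
    parser.feed(html)
    parser.close()
    return parser.comments


def find_leaky_comments(html):
    """Return one finding per comment that names a sensitive keyword or a path.

    Each finding is a dict {"comment", "keywords", "paths"}; keywords are
    lower-cased and de-duplicated so "Admin" and "admin" count once.
    """
    findings = []
    for comment in extract_comments(html):
        keywords = sorted({m.group(1).lower() for m in KEYWORDS.finditer(comment)})
        paths = PATHS.findall(comment)
        if keywords or paths:
            findings.append({"comment": comment, "keywords": keywords, "paths": paths})
    return findings


# Constructed sample: a login-only page whose source carries a leftover developer note.
SAMPLE_PAGE = """<html><head><title>Login</title></head>
<body>
<!-- layout: header, login form, footer -->
<form action="/login.asp" method="post">
  <!-- TODO(dev): remove before launch. Admin console is still reachable at
       /manage/admin.asp and the default password is changeme -->
  <input name="user"><input name="pass" type="password">
</form>
<!-- (c) 2018 Example Corp -->
</body></html>"""

if __name__ == "__main__":
    for finding in find_leaky_comments(SAMPLE_PAGE):
        print("LEAK:", finding["keywords"], finding["paths"])
        print("     ", finding["comment"])
```

In a real engagement the page body would come from an HTTP response rather than a string literal; note that `html.parser` only sees HTML comments, so `//` and `/* */` notes inside inline JavaScript need a separate pass, and the harmless layout comment in the sample is correctly left alone because it names neither a keyword nor a path.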

During a client pen-testing engagement for ISS at BellSouth, Sima demonstrated to the head of security how an attacker could hack into the company's website and grab customer information, such as billing data. BellSouth was sold on the idea and wanted Sima to create a tool. Sima recalls the manager's reaction: "'Dude, you need to make a product that automates that stuff; I would buy it.'"

With the blessing of ISS, Sima built the Web testing tool as a freelance project for the former regional telco. He made $20,000.

Sima took the basic automated scripts he had and then rolled them into an automated hacking tool that ultimately evolved into his first commercial product, WebInspect, and the core of his first startup, SPI Dynamics. "At first it was just me working on this thing with scripts and doing consulting on my own to bring in cash," he says of his startup's early days. He later brought in his co-founders, Brian Christian and Wade Malone, to officially launch the company.

"No one would give us money" at first, he says. The team worked out of a dingy, one-room office located behind a strip club in downtown Atlanta. "We would find needles, bullet-shell casings in the parking lot," he says, and they'd see cops on stakeouts there during the day. "We couldn't pay the bills at times." 

But by 2002, SPI Dynamics finally began to take off and raise capital. In 2007 the company was acquired by HP, which had been competing with IBM for a Web app-scanning tool purchase. Sima became chief technologist for HP's Application Security Center, where he headed up its security solutions and led development of a cloud-based security service.

His flair for demonstrating website vulnerabilities shocked a few HP software employees during a presentation he gave for them. Sima showed how he could hack into the HP Expense and HR system via a Web application. "I could get all the execs' comp; I was able to [theoretically] fire or give them raises," he says. Of course, "I blacked out the comp information," he adds, and had received permission from management beforehand for the demo he hoped would help hit home the importance of Web security.

Sima once even hacked into his dentist office's Internet kiosk via a cross-site scripting (XSS) flaw to show how he could pivot into sensitive systems. "I pointed out to my dentist office that I was able to get access to the patient records through their kiosk via XSS," he told Dark Reading in a 2007 interview.

After three years at HP, Sima departed for code analysis firm Armorize and, later, CodeSecure, where he served as CEO for over a year.

Enterprise Bug
All that was missing from Sima's resume was an enterprise gig. That came in 2016, when he joined Capital One as its managing vice president of cybersecurity. Frustrated that there were too many security startups flooding the market and spreading hype, he saw the Capital One position as an opportunity to get up close and dig into the actual problems organizations were facing with security. Vendors don't typically know the whole picture of security challenges companies face, he says.

Among the projects Sima spearheaded at the bank was a vendor relationship program aimed at streamlining and improving communications with security vendors pitching their wares. Not surprisingly, large organizations such as Capital One get inundated with vendor pitches and contacts. Among the requirements of the project: that vendors in their initial outreach give an elevator pitch about their products and the problems they solve, as well as a video link to a demo. Then the bank would respond quickly regarding whether to set up a meeting.

It provided the firm with basic "rules of engagement" for vendors: "If you want to pitch to us, here's what I need from you," Sima explains.

As part of the process, Sima also helped set up a "cyber test kitchen" at Capital One: a designated lab where the security team assigned to a vendor product could run its proof-of-concept evaluation.

Sima left Capital One last November. "I was traveling two weeks out of the month" between his home in San Francisco and the company's home offices in the Washington, D.C., area, he says. "My daughter was born, and I said, 'I gotta call it.'"

In the Real Kitchen
Sima has since moved from the cyber test kitchen to a side business out of his real kitchen (not to mention he completed Harvard Biz School's Program for Leadership Development). He's currently teaming with his wife – famed chef Kathy Fang – to launch a new baby-food business that evolved out of Fang's personal experience of making her own baby food for their eight-month-old daughter Ava. Fang, head chef and owner of Fang restaurant in San Francisco, had been making her own baby food for Ava for a healthier and broader palate option than commercial baby foods. "We started like many parents, buying our vegetables ... blending and turning them into puree that you would freeze and melt and feed to your baby," Sima says.

After watching a chef on a cooking show freeze-dry a ramen broth that maintained both the taste and nutrients, Fang, who also holds a champion title on the Food Network's popular "Chopped" series, decided to test the process out on her homemade baby food. It worked, and the couple started carrying the freeze-dried powder food with them on outings and social events with Ava. Their friends began asking Fang if they could buy the freeze-dried meals, which are prepared with warm water or breast milk.

"Now it's in demand," Sima says of the baby food, which has names like "My Sweet Pea" (sugar snap peas, baby spinach, and baby kale), "Goldilocks Chicken Porridge" (chicken breast broth, koshihikari rice), and "Smashing Pumpkins" (kabocha, pumpkin, and carrots). The couple is in the process of setting up the new side business.

Even for a veteran entrepreneur like Sima, doing so has been a whole new experience, including meeting with a food lawyer (yes, there is such a thing). "What are the laws with baby food, getting a co-packer, what it looks like to scale" and how to get licenses are some of the legal issues, he says.

Photo: Caleb Sima

He's also helping security startups. Sima, CEO and co-founder of Bluebox Security, currently serves on the board of pen-testing-as-a-service firm Cobalt.io. In addition, he is working with venture capital firms as well as what he describes as an "offensive wireless gig" for a client using a product he built "that's not quite public yet."

Sima has some unfinished business in enterprise security, though. "I want to go back to the enterprise side again. I feel like there's more for me to learn," he says.

PERSONALITY BYTES

First hack: Figuring out how to run the first version of Doom on only 2MB of RAM by not loading the audio driver.

What Sima's co-workers don't know about him that would surprise them: I have the entire dialogue for the first "Ace Ventura" movie memorized.

Security must-haves: Single sign-on and the sentry from the first "Robocop" movie.

Fun fact: I could walk into a kitchen at a Long John Silver's today and immediately be their best cook.

On the state of WebAppSec: I don't think it's evolved that much at all.

Quotable: I was never a foodie, and I'm still not a foodie.

Comfort food: Portuguese sausage, scrambled eggs, and rice-spam musubi.

In his music playlist right now: Tool, Korn, Disturbed, Linkin Park

Ride: Electric scooters until SF decided to ban them.

R&R: Playing with my daughter!

Next career: Bartender at a bar on the beach.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
MarkSindone, 7/17/2018 4:46:15 AM
Re: Great Story!
This is how we can get to know that technology has evolved. Security risks have grown and thus need security experts who are more proficient in the field. Back then, this wasn't a major concern, so the job scope of such personnel did not really entail that much. Today, everyone is afraid and is concerned about the security of their online activities, and it is a market that needs professionals.
franscella, 7/12/2018 11:49:05 PM
Great Story!
I had the privilege of working with Caleb when he was with Armorize, helping him to establish the company in the US. I learned a ton about security in a short time for sure. Great to be able to catch up on what he's doing. Good luck to him and the wife on the new venture.