About
Articles by Jeff
-
If you're building an appsec team, you need a "Carol"
By Jeff Williams
-
Don't fall for "Quiet Cricket" application security tools
By Jeff Williams
Contributions
Activity
-
I'm on a mission to ensure that the lost and found at hotels across the globe are fully stocked with chargers and adapters.
Posted by Jeff Williams
-
In Listen to the Whispers, I'm going to prove timing attacks don't have to be difficult with an on-stage live demo of a manual multi-stage timing…
Liked by Jeff Williams
Experience & Education
Publications
-
The Continuous Application Security Handbook
This handbook explores how to structure a modern application security program. We reject the old paradigm of periodic and serial scanning, hacking, and patching, which has proven expensive and ineffective. Instead, Continuous Application Security (CAS) relies on security instrumentation in every application. This instrumentation provides security visibility, assessment, and protection in real time and in parallel across the entire application portfolio. CAS is a unified program covering the entire software lifecycle, including both development and production, designed to create a clear line of sight from the threat to strong defenses, and ultimately to assurance.
-
Rugged Software Handbook
Whether we choose to or not, we all trust software with our lives, our finances, our safety, our government, our communication, our businesses, and even our happiness. This increasing dependence demands that we build our software to survive and thrive despite any threats and challenges we might face, now or in the future. While many brilliant minds have pursued this goal and discovered many powerful techniques and technologies, the complexity, connectivity, and criticality of our software is unquestionably increasing faster than our ability to understand the risks associated with that growth. We envision a world where software can be trusted with the most important activities of humanity, where software enables us to fulfill a higher purpose without enabling those who would profit by harming others, and where the power of software benefits everyone.
-
The Unfortunate Reality of Insecure Libraries
Jeff Williams and Arshan Dabirsiaghi
More than half of the Global 500 use software built using components with vulnerable code. 80% of the code in today’s applications comes from libraries and frameworks. The risk of vulnerabilities in these components is widely ignored and underappreciated. The authors analyzed over 113 million downloads by more than 60,000 commercial, government and non-profit organizations. We studied the 31 most popular Java frameworks and security libraries downloaded from the Central (“Central”) Repository and discovered that 26% of these have known vulnerabilities. Every organization should be concerned about the security of the components that they use and trust to run their business.
-
OWASP Application Security Verification Standard (ASVS)
OWASP
The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications.
-
Java Enterprise Rootkits
How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? In many ways, malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system level attacks, and cover their tracks. What's really scary is that a trojaned Struts or Log4j library could affect most of the financial industry all at once.
In this paper, we examine the techniques that malicious developers can use to insert and hide these attacks in an enterprise Java application. We examine techniques for bootstrapping external attacks, avoiding code review, avoiding vulnerability analysis, trojaning libraries, and trojaning an enterprise build server. The point here is not to show how complex these attacks are, but rather how many opportunities there are and how simple and obvious they are to most developers.
-
OWASP XSS Prevention Cheat Sheet
Open Web Application Security Project
A compilation of research into defending against XSS vulnerabilities. This document was the first to introduce the concept of different "contexts" into which a malicious XSS payload might land in an XSS document, and detailed the specific escaping techniques to use in each.
-
OWASP Code Review Guide
OWASP Foundation
Application Security code review guide. Principles of reviewing code for technical and logical vulnerabilities.
-
OWASP Top 10 2007
OWASP
This is the second update of the OWASP Top 10, and the one that was included in the PCI DSS as section 6.5!
-
System Security Engineering Capability Maturity Model (SSE-CMM) (ISO-21827)
International Standards Organization
The SSE-CMM is a process model for system security based on the Software CMM from the SEI. The model covers Security Engineering, Risk, and Assurance in a unified process. I served as the Chair of the Author Group of the SSE-CMM and wrote the majority of the model. It was later turned into an ISO Standard and has been used by thousands of organizations to improve their ability to reliably produce secure systems.
-
Just Sick About Security
The New Security Paradigms Workshop
A comparison of human defenses to computer security
-
The New 'Civic Virtue' of the Internet: A Complex Systems Model for the Governance of Cyberspace
Published in: The Emerging Internet (1998 Annual Review of the Institute for Information Studies) (C. Firestone, ed. 1998)
Americans have been fond of saying that representative democracy is the worst form of government except for all the other alternatives. In the special context of a need to govern the online world, however, there may indeed be a better alternative. Participants in online spaces cannot readily make use of the basic ideas of geographically defined representative democracy. There is no way to meaningfully provide equal votes to online "citizens," who are not for this purpose whole people entirely located in particular territorially defined "places." Law-making for diverse online spaces should not be centralized in any single global government, even a democratic one, much less one created by the slow, incomplete, and undemocratic treaty process. Legitimacy cannot be preserved by allowing existing geographical sovereigns to assert an inconsistent and asymmetrical control over all online activities that might have any impact on their citizens. But the task of setting rules for online spaces can be cut into workable pieces. And the collective-action and liberty problems can be solved simultaneously for online spaces by relying on the decisions of participants to join (or leave) those areas with rules they find empowering (or oppressive).
The new science of complex systems gives reason to hope that an overall system of governance of the Internet that reconnects rule-making for online spaces with those most affected by those rules--and that also allows online groups to make decentralized decisions that have some impact on others, and that therefore elicit disparate responsive strategies--will create a new form of civic virtue. The old hope that rational debate among wise elected representatives will result in the overall public good may be replaced, online at least, by a new certainty that dispersed and complex interactions among groups of individuals taking unilateral actions to serve "local" goals will be best for everyone, overall, over time.
Patents
-
Detection of vulnerabilities in computer systems
Issued US 9,268,945
Continuation in part of Contrast patents, adding capabilities and enhancements to the underlying work.
-
Detection of vulnerabilities in computer systems
Issued US 8844043
Additional refinement and advancement of our methods for using instrumentation to detect vulnerabilities in a software application.
-
Detection of vulnerabilities in computer systems
Issued US 8458798
A method for using instrumentation to detect vulnerabilities in a software application in real time, without any changes to the way the software is built, tested, or deployed.
Honors & Awards
-
National Champion - 50+ Masters Basketball Association, 2021 and 2022
Masters Basketball Association
The Balt-Wash team is a two-time National Champion. Personally awarded Championship MVP and points leader awards. Balt-Wash won the Senior World Games in Utah.
-
CTO of the Year
InfoSecurity Products Guide
CTO of the Year (Chief Technology Officer)
Gold Winner
http://www.infosecurityproductsguide.com/world/
-
Java Rock Star
JavaOne
JavaOne Rock Stars are developers who have given highly rated sessions at JavaOne.
Recommendations received
3 people have recommended Jeff
More activity by Jeff
-
For all my DC, MD, and Northern VA friends! Come join James Kovach and our team at Contrast Security at a HANDS ON application security workshop with…
Liked by Jeff Williams
-
Are you a woman in tech? Are you headed to Black Hat in Las Vegas? Please plan to join us for a special breakfast focused on wellness and resilience…
Liked by Jeff Williams
-
We are excited to have Contrast Security as a Disrupter Presenter TOMORROW, July 17 at the National Transformation Assembly, hosted in New York City.…
Liked by Jeff Williams
-
So honored to have been elected to the Financial Services Information Sharing and Analysis Center (FS-ISAC) Board of Directors and could not be more…
Liked by Jeff Williams
-
This team has truly laid new ground in the industry, and I couldn’t be happier that they have been recognized for their hard work. Congratulations to…
Liked by Jeff Williams