
Unsung (And Under-Sung) Heroes Of Security

You've heard of the cybersecurity rock stars, but there are plenty of other major contributors to the industry who deserve kudos. In celebration of Dark Reading's 10th anniversary, meet a few of these folks.

Even when it was tiny, the cybersecurity field had no shortage of big personalities. When the industry was altered by a new, outstanding piece of work, sometimes it would also herald the birth of a new security rock star (who might also be an outstanding piece of work).

Other times, the people who carried out tremendous feats go largely unrecognized by history, even as their work lives on. Brilliant discoveries and creations. Better ways of doing the same old thing. Or simply the support or mentorship someone needed to create those revolutionary things.

Here are just a handful of the people who've made big impacts on information security, who we feel haven't gotten quite enough credit from security professionals. Some of them we doubt you'll know. Others you may recognize, but we wouldn't call them "household names," not unless we were only counting the nerdiest of homes.

However, you most definitely know their work. 


The Team That Discovered Cross-site Scripting

Back when most people in IT were obsessed with Y2K -- now just a sidebar in the history books -- a team of security researchers at Microsoft and elsewhere gave a name to something that would have a far longer, far darker life: cross-site scripting.

XSS is still a security nightmare, ranked number three on the latest OWASP Top 10 Web Application Vulnerabilities List. Although Microsoft Security Research claims credit for picking the common name, there's a longer list of contributors who are officially credited in CERT's original advisory, which recorded the issue as "malicious HTML tags embedded in client Web requests." Credit goes to "Marc Slemko, Apache Software Foundation member; Iris Associates; iPlanet; the Microsoft Security Response Center, the Microsoft Internet Explorer Security Team, and Microsoft Research."


Jeff Forristal

If there is a vulnerability class that is perhaps more pernicious than cross-site scripting, it would have to be injection attacks -- currently reigning at number 1 on the OWASP Top 10. And the Big Daddy of them all, of course, is SQL injection.

The world learned about SQL injection in 1998 thanks to Jeff Forristal, then known more commonly as rain.forest.puppy. Forristal went on to be among the leaders in establishing "responsible disclosure" policies, and made his mark on everything from web apps to mobile and physical device security. He's now CTO of Bluebox Security.


Shari Steele, John Perry Barlow, John Gilmore, & The Whole EFF Crew 

All the way back in 1990, two concerned citizens -- Sun Microsystems employee John Gilmore and poet/essayist/lyricist/cattle rancher John Perry Barlow -- came to the legal aid of a man they felt was being wronged by the US Secret Service's electronic surveillance practices. From there, the Electronic Frontier Foundation (EFF) was born.

Since then, the attorneys and staff at EFF have made it their job to know the ins and outs of every technology, online privacy, cybersecurity, and surveillance law the world can throw at us. 

Shari Steele came on board early, serving as legal director for eight years, executive director for 15 years, and now board member. She led the way on some of the issues that hit infosec pros closest to home -- advising the US Sentencing Commission on sentencing guidelines for the Computer Fraud and Abuse Act and the National Research Council on US encryption policy.  


Special Agent Elliott Peterson & The Rest Of The Operation Tovar Crew 

The disruption of CryptoLocker and the GameOver Zeus botnet in spring 2014 -- dubbed Operation Tovar by law enforcement -- was revolutionary, because it created a brand new model for the way organized cybercrime groups are taken down. 

It was remarkable for two reasons. First, law enforcement made it a higher priority to disrupt and dismantle the cybercriminals' infrastructure than to capture the criminals themselves; they made only one indictment. Second, the effort was an enormous collaboration between public and private entities in many countries.

Special Agent Elliott Peterson of the FBI was one key member of the team that led the operation, but certainly everyone involved in uniting the forces of good across 11 countries deserves accolades. 


John Reed & Citigroup's Executive Team In The Mid-90s 

You might have heard of Steve Katz, "the world's first CISO." But how about a shout-out for the people who had the idea of hiring him in the first place?

As Katz explained to Tom Field of Bank Info Security, he was working for JP Morgan in the mid-1990s when another financial services organization, Citigroup, experienced a security incident. (This was back when such things were taboo and kept very hush-hush.)

Citigroup CEO John Reed put together a committee of executives, which, according to Katz, realized that security was not just a technological issue but a business issue. They created the position of chief information security officer (CISO), and after months of interviews, Katz landed the job, with support from Citi that was "absolutely incredible."


The US Postal Service (!)

When sifting through applicants for new information security staff, employers often look for five letters: CISSP. 

ISC(2) created the CISSP certification back in the early 90s, but if it hadn't been for a timely influx of cash from the US Postal Service, it might never have survived to become what it is today. As Harold "Hal" Tipton explained in an ISC(2) interview


Carey Nachenberg

Hardly any security products have made it to "household name" status, but Norton Antivirus indubitably has. Norton's co-creator Carey Nachenberg -- now Symantec's senior-most engineer -- is also a name you should know.

In addition to Norton AV, Nachenberg conceived Symantec Insight, the industry's first reputation-based endpoint security tool. He also holds a whopping 85 patents.

Steve Christey Coley

Researchers love to dig up vulnerabilities -- tens of thousands of them. Left to themselves, vuln researchers might treat bugs much like kids treat toys -- have unreasonable arguments about whose were the coolest, then lose track of them entirely once they got a bit old.

Someone needs to bring order to this chaos, and create systems for prioritizing, rating, and cataloguing these bugs. Steve Christey Coley has been one of the foremost of these appsec entomologists. He was co-creator and editor of the Common Vulnerabilities and Exposures (CVE) list and chair of the CVE editorial board for 16 years. He was technical lead for CWE (the Common Weakness Enumeration) and the Common Weakness Scoring System, and an active contributor to related community-driven efforts like CVSS and CVRF.

Now taking on the next frontier in infosec challenges, Coley is a principal information security engineer at The MITRE Corporation, supporting the FDA's Center for Devices and Radiological Health efforts to improve medical device security. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
