United Kingdom: Freelancer profile Matthias Rohr from Hamburg, Web Security Consultant, Profiles from freelancers and companies
Abilities, knowledge, experiences:
Products
- Web Application Firewalls (WAFs): ModSecurity, F5 ASM, HyperGuard, Visonys Airlock
- Static Code Analysis: Fortify 360 (SCA, PTA, 360 Server), Ounce, Checkmarx
- Scanner: IBM AppScan, HP WebInspect, Acunetix, Nessus, w3af
- Server: IIS, Apache, Tomcat, JBoss, IBM WebSphere
- Development: Eclipse, Visual Studio, Subversion
Standards
- OWASP ASVS (Application Security Verification Standard)
- PCI-DSS (Payment Card Industry Data Security Standard)
- CWE, CVE (Common Weakness Enumeration, Common Vulnerabilities and Exposures)
- BSI (German Federal Office for Information Security): Baseline Protection Manual "IT-Grundschutz", BSI 100-x, ISO 27001
- BDSG (German Federal Data Protection Act "Bundesdatenschutzgesetz")
- X.509 (digital signatures, PKI)
- IETF, RFC
Best Practices
- ITIL (IT Infrastructure Library)
- BSI Best Practices for Secure Web Applications ("Best Practices für sichere Webanwendungen")
- Cigital Touch Points, Cigital BSIMM (Building Security In Maturity Model)
- OWASP (Open Web Application Security Project) OpenSAMM, OWASP Testing Guide, OWASP Code
Review Guide, OWASP Top 10, OWASP Developer Guide
- OSSTMM
Experiences
- Application security tests and security verifications (pentests)
- Rollout and use of dynamic and static code analysis tools (in particular Fortify 360)
- Hardening of web and application servers
- Implementation and configuration of web application firewalls (WAFs)
- Secure Development Lifecycle (SDL)
- Secure coding guidelines and security policies
- Integration of software security into development and QA processes
- Threat Modeling & Architectural Risk Analysis
- Security workshops and trainings for developers, QA testers and management
- Software development: methodologies, J2EE/Java EE, ASP.NET, PHP, SOA / Web Services,
JavaScript, Perl, Shell
References:
General Projects Related to Application Security
================================================
11/07 - 03/09 On-Site Security Officer on a Project to Develop a Web-Mailer with high Security Requirements
Role: Security requirement engineering, workshops, code reviews, pentests,
threat modeling
Technologies: F5 ASM, PKI, Fortify, Eclipse, various open source tools
Customer: Major logistics service provider
Project-accompanying on-site security officer for a web-mailer pilot with particularly high
security requirements and features (such as qualified digital signatures and non-repudiation).
In addition to the definition of appropriate security requirements, many different kinds of
security tests and analyses had to be carried out at different levels. This included
threat modeling, as well as static code analysis (using Fortify SCA), manual code review,
and in particular penetration tests. For the use of Fortify SCA, some specific extensions
(e.g. JIRA integration and integration into the build environment) had to be written.
The platform was protected using F5 ASM as a web application firewall. In addition to this,
the Apache and PHP installations were heavily hardened (for instance by applying the Suhosin
security patch).
---
07/07 - 07/09 J2EE Training and Workshops
Role: Trainer
Technologies: -
Customer: SIGS-DATACOM (professional IT training supplier)
In cooperation with a professional IT training supplier, various workshops were designed
and conducted several times. These covered topics such as "Secure Coding with Java
EE", "Best Practices for Secure Web Applications" and "Professional Web Security Testing".
---
07/06 - 07/09 Various In-House Security Workshops
Role: Trainer
Technologies: -
Customer: Various enterprise companies from the insurance, e-commerce, public and other sectors
Delivery of approx. 15 workshops on secure web application development, awareness
trainings as well as trainings for security testers.
The target audience consisted of developers, QA testers and project managers.
---
03/09 - 07/09 Fortify 360 Installation and Rollout
Role: Security Analyst
Technologies: Fortify 360, Visual Studio
Customer: Insurance Company
In order to identify security problems and to increase the overall software quality,
Fortify 360 was integrated into the customer's development environment and development
processes. In addition to Fortify SCA (the source code analysis component), Fortify 360
Server was set up as the central management component.
---
04/08 - 06/08 OWASP Best Practices Paper: Use of Web Application Firewalls (WAFs)
Role: Co-Author
Technologies: -
Customer: OWASP (non-profit web security organization)
The paper outlines best practices for the enterprise use of web application firewalls. It
was written by the OWASP German Chapter and presented at various OWASP conferences.
---
10/09 Analysis of the Role and Authorization Scheme of a Content Management System
Role: Security Analyst
Technologies: -
Customer: Media Company
The target of this evaluation was the role and authorization scheme of a content management
system used for many major magazine productions. The main challenge here was to take
workflow-sensitive permissions into account. Furthermore, the effective permissions had to be
tested against the security principles of "need to know" and "separation of
privileges".
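As an added illustration of the checks such a role-scheme review involves (example code written for this page, not the CMS's or the consultant's tooling; the roles, permissions, workflow states and separation-of-duties pairs below are constructed assumptions, not data from the assessed system):

```python
"""Effective-permission and separation-of-duties checks for a role scheme.

Added example, not the assessed CMS's code. The role hierarchy, permissions
and workflow are constructed to resemble a magazine production system.
"""

# Role hierarchy: a role inherits every permission of its parent roles.
ROLE_PARENTS = {
    "author": [],
    "editor": ["author"],
    "chief_editor": ["editor"],
    "publisher": [],
    "admin": ["chief_editor", "publisher"],
}

# Direct permissions per role as (object, action) pairs.
ROLE_PERMS = {
    "author": {("article", "create"), ("article", "edit_own")},
    "editor": {("article", "edit_any"), ("article", "submit_review")},
    "chief_editor": {("article", "approve")},
    "publisher": {("article", "publish")},
    "admin": {("user", "manage")},
}

# Workflow-sensitive permissions: an action is only meaningful for one
# particular article state transition.
TRANSITIONS = {
    ("draft", "review"): ("article", "submit_review"),
    ("review", "approved"): ("article", "approve"),
    ("approved", "published"): ("article", "publish"),
}

# Static separation of duties: no single role may hold both permissions.
SOD_PAIRS = [
    (("article", "submit_review"), ("article", "approve")),
    (("article", "approve"), ("article", "publish")),
]


def effective_permissions(role):
    """Permissions of a role plus everything inherited, cycle-safe."""
    perms, seen, todo = set(), set(), [role]
    while todo:
        current = todo.pop()
        if current in seen:
            continue
        seen.add(current)
        perms |= ROLE_PERMS.get(current, set())
        todo.extend(ROLE_PARENTS.get(current, []))
    return perms


def permission_report():
    """Effective permissions per role: the input for a need-to-know review,
    where every entry has to be justified by the role's job function."""
    return {role: sorted(effective_permissions(role)) for role in ROLE_PARENTS}


def static_sod_violations():
    """Roles whose effective permissions (not only the direct ones)
    combine two duties that must stay separated."""
    violations = []
    for role in ROLE_PARENTS:
        eff = effective_permissions(role)
        for first, second in SOD_PAIRS:
            if first in eff and second in eff:
                violations.append((role, first, second))
    return violations


def transition_allowed(actor, actor_roles, article, to_state):
    """Workflow-sensitive check: the actor needs the permission bound to
    this state transition, and dynamic separation of duties forbids
    approving an article the same person submitted."""
    needed = TRANSITIONS.get((article["state"], to_state))
    if needed is None:
        return False
    eff = set().union(*(effective_permissions(r) for r in actor_roles))
    if needed not in eff:
        return False
    if to_state == "approved" and article.get("submitted_by") == actor:
        return False
    return True


if __name__ == "__main__":
    for role, perms in permission_report().items():
        print(role, perms)
    for role, first, second in static_sod_violations():
        print(f"SoD violation: {role} holds {first[1]} and {second[1]}")
```

The point of working on effective rather than direct permissions is that inherited roles are where conflicts usually hide: in the constructed model, chief_editor looks harmless on its own but inherits submit_review from editor and so can both submit and approve the same article; admin additionally inherits publish. transition_allowed() shows the workflow-sensitive side: "approve" only applies in the review state and is refused to the submitter even if their roles grant it.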
Security Testing Experience
========================================
07/07 - 07/09 Periodic Security Tests (penetration tests) of a Central E-Commerce Web Portal
Role: Black box tests, risk assessment, reporting and presentation
Technologies: Acunetix, Nessus, w3af, various open source products
Customer: Major logistics service provider
Security tests of minor portal applications as well as major platform releases were performed periodically.
• Testing of specific security requirements
• Abuse case tests (business layer)
• State-of-the-art security tests (OWASP Top 10), e.g.
o Privilege Escalation
o Cross-site Scripting (XSS)
o SQL Injection
• Fuzzing
• OpenSSL cipher analysis
• Web service tests
In addition to the example given above, more than 90 enterprise web applications of other
companies were analyzed by me between 2005 and 2009.
---
05/06 - 08/06 Penetration Tests (On-Site) at a Worldwide ICT Provider
Role: Security Analyst
Technologies: Nessus, Nmap, Metasploit Framework, various open source tools
Customer: Worldwide ICT Provider
Execution of technical audits of multiple branches of a worldwide ICT Provider. This
included external as well as internal black-box penetration tests.
• Execution of network and port scans
• In-depth black-box-tests (manual and tool-based)
o Identification of legacy and test systems
o Known vulnerabilities (unpatched systems)
o Insecure services
o Insecure system and firewall configuration
o Denial-of-Service
• Fuzzing tests
• OpenSSL cipher analysis
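Both engagements above list "OpenSSL cipher analysis". As an added example, not the page's own tooling, the following Python classifies cipher suites given in the column format of `openssl ciphers -v`, flagging unauthenticated, unencrypted, export-grade, RC4, 3DES, MD5 and short-key suites and noting which ones offer forward secrecy. The sample output is constructed; the verdicts on RC4 and 3DES reflect current knowledge, which is stricter than what was standard in the 2005 to 2009 timeframe.

```python
"""Classification of TLS cipher suites from ``openssl ciphers -v`` output.

Added example, not from the original page. The sample lines are constructed
in the format OpenSSL prints; which suites a real server actually negotiates
must be probed separately (one ``openssl s_client -cipher NAME`` handshake
per suite).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the column layout matches ``openssl ciphers -v``.
SAMPLE_OPENSSL_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?"
)
ENC = re.compile(r"^(?P<alg>[A-Za-z0-9]+)(?:\((?P<bits>\d+)\))?$")


@dataclass
class CipherRating:
    name: str
    rating: str            # "insecure", "weak" or "ok"
    forward_secrecy: bool  # ephemeral (EC)DH key exchange with authentication
    reasons: list = field(default_factory=list)


def rate_cipher(line):
    """Rate one ``openssl ciphers -v`` line; None if it is not one."""
    m = LINE.match(line.strip())
    if not m:
        return None
    kx, au, mac = m["kx"], m["au"], m["mac"]
    enc = ENC.match(m["enc"])
    alg = enc["alg"] if enc else m["enc"]
    bits = int(enc["bits"]) if enc and enc["bits"] else 0
    insecure, weak = [], []

    if alg == "None":
        insecure.append("no encryption")
    if au == "None":
        insecure.append("anonymous key exchange, no server authentication")
    if m["export"] or "(512)" in kx or (alg != "None" and bits <= 56):
        insecure.append("export grade / short key")
    if alg == "RC4":
        insecure.append("RC4 stream cipher")
    if alg == "3DES":
        weak.append("64-bit block cipher (3DES)")
    if mac == "MD5":
        weak.append("MD5 MAC")
    if alg not in ("None", "3DES") and 56 < bits < 128:
        weak.append(f"{bits}-bit key")

    # OpenSSL prints Kx=ECDH / Kx=DH for ephemeral exchanges; static
    # variants appear as e.g. ECDH/RSA and therefore do not match here.
    pfs = au != "None" and kx.split("(")[0] in ("ECDH", "DH")
    rating = "insecure" if insecure else "weak" if weak else "ok"
    return CipherRating(m["name"], rating, pfs, insecure + weak)


def audit_ciphers(text):
    """Rate every suite in ``openssl ciphers -v`` output, worst first."""
    order = {"insecure": 0, "weak": 1, "ok": 2}
    rated = [r for r in (rate_cipher(l) for l in text.splitlines()) if r]
    return sorted(rated, key=lambda r: order[r.rating])


if __name__ == "__main__":
    for r in audit_ciphers(SAMPLE_OPENSSL_OUTPUT):
        pfs = "PFS" if r.forward_secrecy else "no PFS"
        print(f"{r.rating:8} {r.name:30} {pfs:6} {'; '.join(r.reasons)}")
```

`openssl ciphers -v 'ALL:COMPLEMENTOFALL'` lists what the local OpenSSL build supports, not what a server accepts; a server-side audit feeds each suite name to `openssl s_client -connect host:443 -cipher NAME` and rates only the suites whose handshake succeeds.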
---
05/09 - 06/09 Secure Code Analysis (SCA) of a Banking Application
Role: Security Analyst
Technologies: Fortify 360 (PTA and SCA), various open source tools
Customer: IT service provider within financial sector
The target of evaluation was an application for processing highly sensitive financial data
(approx. 450,000 lines of code).
• Kick-off workshop
• Static security code analysis with Fortify SCA
• Dynamic security code analysis with Fortify PTA
• Manual code review and code inspections
• Integrative security test (pentest)
• Closing workshop
• Regression tests
---
09/09 - 09/09 Threat Modeling of an E-Commerce Web Application
Role: Threat Modeling, Workshops
Technologies: -
Customer: Media Company
The task of this project was to create a threat model of a newly designed e-commerce
application for digital paid content, i.e. a conceptual security analysis of the design.
This approach was used to identify relevant threats and vulnerabilities in the
application's security design and helped to define relevant countermeasures (within
architecture, implementation and operations).
The threat model was later used as the basis for an integrative application security
test (pentest).
---
07/09 - 08/09 Architectural Risk Analysis of a Major SAP Application
Role: Security Analyst
Technologies: -
Customer: Media Company
The target of this evaluation was a distributed SAP HCM (human resources) application. The
focus of this assessment was to verify the correct handling of all personal data, in
particular the correct use of cryptography.
Development Experience
==================================
08/07 - 02/08 Development of a Web-Based Supplier Portal
Role: Developer
Technologies: J2EE 1.5, Spring MVC, Acegi / Spring Security, Hibernate
Customer: Automotive Sector
Development of a web-based portal for central administration of supplier and customer
orders as well as master data.
Since this kind of highly confidential information was made available over the Internet,
security was considered a key issue during the complete development cycle. This included
security requirements, role and access concepts, static code analysis as well as security
testing.
---
01/08 - 11/08 OWASP Skavenger Project
Role: Design and development
Technologies: C#, MS.NET 2.0, Windows Forms, Perl
Customer: OWASP (non-profit web security organization)
As part of the OWASP Summer of Code 2008 sponsorship, a framework for the passive
identification of security flaws was developed. This approach, novel in many ways, analyzes
the web traffic recorded by a man-in-the-middle proxy such as WebScarab or Burp. The
project was presented at the OWASP Summit 2008 in Portugal.
The framework itself consists of two major components:
• An analysis component (written in Perl) which analyzes traffic data from different
sources (Burp, WebScarab proxy caches) on the fly. The application was therefore designed
in a strongly object-oriented way and offers various internal adapters as well as a
full API for easily adding new functionality and input sources.
• A GUI component (written in C# and Windows Forms) for controlling the analysis
component and for helping users to interpret the output data.
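The passive approach described above, as an added example: this is not the Skavenger code (which was Perl and C#) but a small Python illustration of the same idea, inspecting request/response pairs a man-in-the-middle proxy recorded and flagging weaknesses without sending a single extra request. Hostnames, paths, cookie names and values in the sample traffic are constructed.

```python
"""Passive analysis of recorded proxy traffic.

Added example, not the Skavenger project's code. The traffic below is
constructed; real Burp/WebScarab exports use CRLF, which _split() normalizes.
"""
import re
from collections import namedtuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic as (scheme, raw request, raw response).
SAMPLE_TRAFFIC = [
    ("http",
     "POST /login HTTP/1.1\nHost: shop.example.test\n"
     "Content-Type: application/x-www-form-urlencoded\n\n"
     "user=alice&password=s3cretpw",
     "HTTP/1.1 302 Found\nServer: Apache/2.2.11 (Unix) PHP/5.2.9\n"
     "Set-Cookie: PHPSESSID=7d1c9a; path=/\nLocation: /account\n\n"),
    ("https",
     "GET /search?q=needle1234 HTTP/1.1\nHost: shop.example.test\n\n",
     "HTTP/1.1 200 OK\nContent-Type: text/html; charset=utf-8\n"
     "Set-Cookie: lang=de; Path=/; HttpOnly\n\n"
     "<html><body>Results for needle1234: none</body></html>"),
]

VERSION = re.compile(r"[A-Za-z-]+/\d+(\.\d+)+")   # e.g. Apache/2.2.11
Exchange = namedtuple("Exchange", "scheme method path req_headers req_body "
                                  "resp_headers resp_body")


def _split(raw):
    """Split a raw HTTP message into start line, header map and body.
    Header names are lower-cased; each maps to a list of values."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    first, *rest = head.splitlines()
    headers = {}
    for line in rest:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return first, headers, body


def parse_exchange(scheme, raw_request, raw_response):
    req_line, req_headers, req_body = _split(raw_request)
    _, resp_headers, resp_body = _split(raw_response)
    method, path, _ = req_line.split(" ", 2)
    return Exchange(scheme, method, path, req_headers, req_body,
                    resp_headers, resp_body)


def _parameters(ex):
    """Query and form parameters the client sent, as (name, value) pairs."""
    pairs = parse_qsl(urlsplit(ex.path).query)
    if "x-www-form-urlencoded" in "".join(ex.req_headers.get("content-type", [])):
        pairs += parse_qsl(ex.req_body)
    return pairs


def analyze(ex):
    """Return (finding-kind, detail) pairs for one recorded exchange."""
    findings = []
    params = _parameters(ex)
    is_html = "text/html" in "".join(ex.resp_headers.get("content-type", [])).lower()

    # Credentials submitted without transport encryption.
    if ex.scheme == "http" and any("pass" in name.lower() for name, _ in params):
        findings.append(("cleartext-credentials", "password parameter sent over http"))

    # Cookie attributes: HttpOnly always, Secure whenever the site is https.
    for cookie in ex.resp_headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(("cookie-no-httponly", name))
        if ex.scheme == "https" and "secure" not in attrs:
            findings.append(("cookie-no-secure", name))

    # Product and version disclosure in Server / X-Powered-By.
    for header in ("server", "x-powered-by"):
        for value in ex.resp_headers.get(header, []):
            if VERSION.search(value):
                findings.append(("version-disclosure", f"{header}: {value}"))

    if is_html:
        # Browser-side protections expected on every HTML page.
        csp = "".join(ex.resp_headers.get("content-security-policy", []))
        if "x-frame-options" not in ex.resp_headers and "frame-ancestors" not in csp:
            findings.append(("missing-header", "X-Frame-Options / CSP frame-ancestors"))
        if "x-content-type-options" not in ex.resp_headers:
            findings.append(("missing-header", "X-Content-Type-Options"))
        if ex.scheme == "https" and "strict-transport-security" not in ex.resp_headers:
            findings.append(("missing-header", "Strict-Transport-Security"))
        # Input echoed back verbatim is an XSS candidate only: passive
        # analysis cannot tell whether it was encoded for its context.
        for name, value in params:
            if len(value) >= 4 and value in ex.resp_body:
                findings.append(("reflected-input", f"{name}={value}"))
    return findings


def analyze_sample():
    """Run the checks over SAMPLE_TRAFFIC, keyed by method and path."""
    return {f"{ex.method} {ex.path}": analyze(ex)
            for ex in (parse_exchange(*t) for t in SAMPLE_TRAFFIC)}


if __name__ == "__main__":
    for request, findings in analyze_sample().items():
        print(request)
        for kind, detail in findings:
            print(f"  [{kind}] {detail}")
```

Passive findings divide into two classes: configuration facts that the traffic proves on its own (missing cookie flags, version banners, missing headers, credentials over plain http) and candidates such as reflected input, which only an active test can confirm or dismiss; a report should keep the two apart.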
---
01/01 - 04/01 Development of a Web-Based Call Center Client
Role: Developer
Technologies: PHP, Sybase, XML
Customer: Online Service Provider
Implementation of a web-based client application used by call center employees to process
Payback data. Access was restricted to authorized users by means of a role-based
authorization concept.
Temporal and spatial availability:
22 Feb 2010 at 100%, on-site availability: 100%