Over the last few years AppSec Labs has been building a strong reputation for excellence in the field of Application Security. We offer services including pen-testing and full code review. As we’ve grown we’ve broadened our experience, branching out from pen-testing into in-company training and e-learning. We’ve developed a product line in e-learning which we are selling world-wide, and we’re expanding our market.
So, it’s about time that we show you who we are and what motivates us to do what we do. This will be the start of a series of blog interviews letting you (our community) get to know us (your community) BETTER. We hope you enjoy hearing more about us and we look forward to hearing more from you.
Keep in touch with us via Twitter and Facebook!
Author: Jessie A. Pincus, International Sales Director and Academic Director, AppSec Labs
Getting to Know our Experts:
Chilik Tamir, Chief Scientist, AppSec Labs
Question: How did you originally get into the field of Cyber Security?
Chilik: It was a hobby that became a job. I saw the WarGames movie back in the 1980’s and it intrigued me.
Question: Since you focus your research on the Apple iOS platform, what do you see as its main vulnerabilities, and where has it improved or made changes to compensate?
Chilik: Apple is beginning to implement security features that are set to ‘ON’ as the default setting, instead of relying on developers to officially turn them on. The pairing notification message and the protection class encryption are enabled by default. Until iOS 7 they weren’t enabled by default.
Question: What aspect of the field of Cyber Security initially grabbed your attention and made you say “I want to work in that field”?
Chilik: I wanted to exploit new technologies. The research of new technologies and the process of discovering their new vulnerabilities had so far been overlooked. The knowledge and know-how that you accumulate during the research efforts for the clients is translated into tools. This is the frontal role in the global area of application security and branches forward to a whole new continent through the identification of vulnerabilities, and the solution of problems that haven’t even yet been found. For me, it’s intriguing to think about new ways to uncover new vulnerabilities and the development of tools that enable the process to continue in the best possible way.
Question: What professional contribution do you hope to add to the field with your work? Do you have long-range goals for contribution?
Chilik: I believe that the key point of research is making it useful for end-users. Their acceptance and usage is the pass-rate for these tools. The users prove their worth. The key goal in security research is to produce tools that any security professional can use in a quicker and more efficient way.
Cyber Security Trends:
Question: What are you focusing your attention and activities on this month?
Chilik: I’m currently looking into Gap Analysis of iOS 7.02 and trying to map out updates for the iNalyzer framework know-how on to the iOS 7.2 operating system.
Question: What are the recent research topics and interesting findings that have caught your eye this month?
Chilik: I’m overwhelmed with Barnaby Jack’s sudden death several days before his talk at BlackHat concerning pacemaker vulnerabilities. In 2012 he published research about the remote exploitation potential of insulin pumps and heart pacemakers. The slides aren’t available online. From what I understand, the exploitation potential is completed via the Internet on a wirelessly connected pacemaker. I think medical device security is the next big thing and I find it funny that it’s in this way that my degree in Biomedical Engineering will end up being useful to me in my career.
Question: What are some new changes you’ve seen in the field of cyber and application security over the last year?
Chilik: I see how awareness has grown. Development groups want more specific know-how about the security trade and what the Do’s and Don’ts are. Now we’re seeing it earlier and earlier during the development stages. That is, they want a black box test, and we are more and more integrated into the early stages of the development lifecycle. It’s an excellent change in perspective over the last few years.
Question: As of this month, what do you think is the top threat worth solving, and why?
Chilik: Consumer privacy is the hot topic for the upcoming months because of all the press on the NSA in the news and the misinformation that’s being aired. For example, Apple said they cannot read user messages, and that has been proven incorrect (i.e. “It seems that their declaration was inaccurate”). Privacy for the end-user and mobile user will be a crucial element over the coming months.
That’s all for now! Tune in next time to read the latest installment in our feature blog series, “Getting to Know the Experts.”
Have a productive week!