Software Security Specialist
Ricardo Patino, TELUS Security Solutions
Five years vulnerability research, application development and software security analysis
Ricardo Patino started working on development of a commercial Web Application Firewall for his company, Assurent Security Solutions (acquired in 2006 by TELUS), back in 2003. It was then he realized that Web-enabled applications were going to explode, which got him thinking about how these public-facing applications might be broken.
"When I started looking at Web application vulnerabilities, I started seeing major problems with Cross-Site Scripting (XSS), SQL injection, and Cross-Site Request Forgery (XSRF) vulnerabilities," he says. "That's when I started paying attention to secure coding practices to make sure the products we were developing didn't have the same vulnerabilities we're trying to protect against."
Patino gained his knowledge from direct research while interacting with Web-based applications, reading the latest books, and keeping up with Bugtraq and other vulnerability lists. He also learned by using his company's own underground resources, ferreting out information on the latest bugs being released in the wild.
A year ago, his company created a Secure Software Team, which developed a practice methodology for application testing and secure development, including its own software development model. "Passing the GSSP and adding that credential to our Secure Coding Group confirms to our clients that we have the skill sets in-house to perform a variety of application security analysis tasks, and that we are qualified to give sound development advice," he notes.
With its secure software development model, TELUS's Secure Software Team is also enabling its clients to include security testing within their own testing cycles and, ultimately, to build ongoing secure development lifecycle methodologies around their Web applications.
"I'm most excited about pursuing the path of training clients on secure development practices in Web applications," Patino adds. "Integrating security into pre-development, development and production cycles ensures that there are no vulnerabilities from the beginning."