Berend-Jan Wever EN | NL

Download resume.pdf

berendj@nwever.nl (PGP)

linkedin.com/in/skylined

twitter.com/berendjanwever

github.com/SkyLined

skylined.nl

Introduction

Berend-Jan Wever is an Offensive Information Security Researcher who specializes in research, pen-testing, fuzzing and automation, vulnerability and risk analysis, and Proof-of-Concept exploit development. His focus has been on finding security issues in threat models, designs and implementations of systems. He has reported of hundreds of security issues in Operating Systems, Web Browsers, Web Servers, and many other products for many different high-profile vendors, impacting billions of end-users. He has helped move the industry forward by publishing various novel attack vectors, exploitation techniques, and mitigation bypasses.

Two decades of experience working with dedicated security team at some of the largest companies in the industry allows Berend-Jan to see the bigger picture and predict the next move. He takes into account the entire system, not just individual components. He will chain together minor issues and design quirks across multiple systems to provide a holistic threat assessment. He determines the maximum impact an advanced threat actor might achieve, where the whole is greater than the sum of its parts.

He looks for patterns in the vulnerabilities found in systems to group them in classes and finds the root cause for each class. He develops automation, suggests process changes, and creates training to help the development team remove every instance of such a class from the product, and prevent re-introduction, to eliminate threats completely. He focusses on the long term, thinking ahead and planning for the next few years. His develops solutions on developing solution that scale, so they can keep up with relentless growth and do not become a bottleneck for productivity.

Berend-Jan creates actionable reports and presents these to the development team to allow them to address issues promptly and completely. He also provides high level overviews for management to assess risk and overall state of security. He advises the development team on how to fix issues and what mitigations to consider to reduce the potential impact of vulnerabilities. He relishes in the opportunity to work less experienced team members to help them get the maximum out of their unique potential and help them grow in their career. He enjoys giving presentations about his work and discussing new ideas to share information and foster innovation.

Technology

Over the decades, Berend-Jan has reviewed projects that use a very long list of different programming languages, protocols, data and file formats, and systems. He has developed programs and scripts using many of these as well. The full list is hard to reconstruct, so only the commonly useful ones are mentioned below.

Operating Systems and Cloud

Microsoft Windows, Linux, Amazon Web Services (AWS).

Languages

Java, Python, PHP, Perl, JScript/JavaScript/ECMAScript/TypeScript, C, C++, C#, IA32 and AMD64 assembly, SQL, Bash, Batch, PowerShell.

Protocols

DHCP, DNS, FTP, HTTP, MQTT, TCP/UDP, IP, ARP, and a long list of custom/internal application layer protocols.

File/Data Formats

Web: XML, HTML, XHTML, SVG, CSS, RSS, JSON, YAML
Media: ANI, BMP, GIF, ICO, JPEG, RIFF, WAV
Documents: DOC, DOCX, PDF, RTF
Windows Binaries: DLL, EXE

Recent Work History

Senior Security Engineer in Holistic Testing Team at AWS

Company: Amazon Web Services (AWS)
Location: Work from home in the Netherlands
Period: 2021-2024
Position: Security Engineer III, L6
Activities: Tech lead, process management, training, pen-tests, design & implement automation, reverse engineering, job applicant interviews

Within the Holistic Testing Team, Berend-Jan led 4-5 person teams on 2-3 months security reviews and testing of various AWS Services. As one of the most senior engineers on the team, he represented the engineers in discussions with manager about ongoing activities, and short- and long-term planning.

As a tester and testing lead, he performed the follow activities:

Collecting of information relevant to the security of the Service, including a review of the Threat Models, identification of critical components and potential attack vectors, and ranking identified risks by potential impact and feasibility.
Discuss under-documented components with the Service Team and/or reverse-engineer systems to create the required documents and store everything in a single, well-structured location for future use.
Developing a test plan that fits the team's size, expertise, schedule and takes into account the level of support the Service Team is capable of providing, as well as distributing the required tasks among the team members.
Using the collected information to focus on the most vital areas for the security of the Service and create a targeted pen-testing scope that covers the most relevant areas.
Working with the Holistic Testing team members and the Service Team to perform pen-tests of scope-items to identify, analyze and report security vulnerabilities. Helping the Service Team design and deploy fixes and mitigations for the identified risks. Adjusting the scope as needed when a new high risk area outside our scope was identified during testing.
Designing and implementing tools to help automate parts of the pen-testing process, such as scanning and collecting information about the Service's components, automated testing of components, fuzzing, and the creation of Proof-of-Concept exploits.
Identifying trends/patterns in security issues to detect their underlying root-causes and work with the Service Team. Based on this, the team would be advised to go through training to address knowledge gaps, use tools to detect or prevent issues, consider system design changes, and/or process changes to reduce/remove the risk of introducing more similar issues in the future.
Writing and presenting a report both detailing the technical results of our tests for engineers as well as providing a high-level overview of our findings for management. These reports always included suggestions for future areas of improvement and future security reviews.

Berend-Jan worked to standardize the design and implementation of the team's in-house tools, as well as their output formats with the aim of making the tools more compatible/interoperable. He introduced a generic modular design to make the tools easier to maintain and expand with new features. This included tools for scanning text for sensitive or security-relevant information, tools to scan for and detect configuration issues that have security impact, and tools to test specific components and/or confirm the existence of theoretical issues (aka. Proof-of-Concept code).

As a security-minded user, he identified security issues in internal systems and processes that he came in contact with, and worked with the relevant team to explain the potential impact, assess priority, and help create a plan to address the issue in a reasonable time-frame. He worked with the team to make sure that the implemented changes completely removed the threat.

Berend-Jan reviewed and improved internal security training for developers. He presented on various security topics to explain how he approaches certain problems, how he designs tools to be generic, modular, and interoperable, and how he discovered various security issues and worked with development teams to help them address issues quickly, and how to avoid causing friction to make sure security engineers and developers cooperate effectively.

Offensive Security Researcher and head of Fuzzing Community at Intel

Company: Intel
Location: Work from home in the Netherlands
Period: 2019-2021
Position: Senior Security Researcher
Activities: Tech lead, training, design & implement automation

Berend-Jan set up and led a cross Intel effort to automate security research with a strong focus on fuzzing. Through meetings and presentations, he strived to adapt specialized custom tools to test hardware, firmware and drivers to make them more generic and useful to others teams, raising awareness of their existence and improving their documentation to foster adoption across Intel. He connected people with similar goals and ideas to work together and achieve results faster.

He architected a modular framework for running automated tests on arbitrary targets, both virtual and running real hardware, and detect and analyze issues triggered through these tests, group and de-duplicate similar issues, and create actionable reports. He worked with various teams across Intel to refine this design to make sure it would be easy to get started, possible to fuzz notoriously hard-to-fuzz products with minimal efforts, and requiring limited or no knowledge of fuzzing to do so. The design continuous fuzzing to start early in development and continuing after the product has been released.

Make it easy to implement custom fuzzers for specific features, and share these with teams developing other products with similar features.

Allow the collection of meaningful information about fuzzer deployment that can be used to assess effectiveness and check SDL requirements.

Allow security researchers to easily create, test and deploy new fuzzing engines.

Owner of SkyLined Security

Company: SkyLined Security
Location: Work from home in the Netherlands
Period: 2011-2019
Position: Owner
Activities: fuzzing, design & implement automation, Proof-of-Concept development, pen-tests, reverse engineering

Developed automated security tests (fuzzers) that found a large number of issues in high-profile targets, including Microsoft Windows, Microsoft Internet Explorer, Microsoft Edge, Google Chrome, and Mozilla Firefox.
Reported a large enough number of security issues to Microsoft to be included in the Microsoft Security Research Center Top 100 Security Researchers list 3 years in a row starting from its inception in 2015.
Worked as an external consultant on a wide-range of projects from pen-testing, code-, and design-reviews, through fuzzer development and integration to writing whitepapers and guidance documents.

Security Researcher in Chrome Security Team at Google

Company: Google
Location: Work from home in the Netherlands
Period: 2008-2011
Position: Senior Software Security Engineer
Activities: pen-tests, design & implement automation, fuzzing, developing patches and mitigations

Hired as an initial member of the Google Chrome Security Team. Hit the ground running to make sure the software did not ship with any major security issues three months later.

Developed tools to look for and analyze security issues in nearly all parts of the codebase, which are still actively used to this date.
Found large numbers of vulnerabilities, analyzed externally reported vulnerabilities and guided the patch process to release comprehensive fixes to customers at record speeds.
Improved security by mitigating or preventing exploitation of issues through design and implementation changes and offered guidance and advise to Chromium project members on security related topics.
Participated in setting up and maintaining the Google Chrome Vulnerability Reward Program.
Developed fuzzers that are still being used and finding issues in Google Chrome today.

Security Researcher in Security Windows Initiative Attack Team at Microsoft

Company: Microsoft
Location: Work from home in the United Kingdom
Period: 2005-2008
Position: Security Software Engineer
Activities: pen-tests, design & implement automation, fuzzing, analyzing external security reports, checking patches, job interviews

Joined a newly formed team of two security researchers working from home in Cheltenham, UK, as the European branch of the larger SWI-AT team.
Developed better tools to automate the detection of security issues, such as fuzzers and compiler plug-ins that detect vulnerable design and implementation patterns.
Reviewed code and patches and analyzed external reports of vulnerabilities in Microsoft products.
Researched new attack vectors and techniques and shared knowledge with developers working on various product teams.
Took part in the hiring and on-boarding of additional team members in the UK.

Skills and Experience

Key skills

Experience in security on a wide range of products, including hardware, firmware, drivers, server software, client software and websites, as well as process improvement and security education.
Individual contributor and tech lead. Enjoys guiding junior team members to help them exploit their strengths and avoid/improve their weaknesses. Loves explaining techniques and tricks and giving tips on how to find, analyze and address security weaknesses to anyone who will listen.
20 years of experience in fuzzing, both in creating fuzzers, using them to find issues and processing the results to improve the security of a wide range of products. Knows how to avoid overwhelming a development team with new findings by prioritizing and filtering based on severity/impact and development team size.
Thinks far outside the box and has a history of published innovative and creative security techniques to prove it.
A wide range of projects has provided experience in a large number of topics. From user-land applications to operating system kernels, firmware, and hardware. From design to implementation and configuration reviews, in a wide-range in programming, scripting and markup languages. From client to cloud, through front-end, back-end, proxies and servers, as well as the network layer. From protocols and file-formats to memory layout and CPU features.
Comfortable and experienced with learning new programming languages, applications, frameworks and systems on the job. The only think I have avoided is cryptography.

Historically Notable Publications

A small selection of contributions to the information security community:

BugId is a Python script that automatically analyzes crashes and determine their security impact. It reduces the need for a large and costly team of specialized security engineers. It reduce time-to-patch and window of exploitability by prioritize important issues and speeding up analysis. It can create detailed reports containing both concise management-level information and extensive technical details.
Browser Security Whitepaper that collects all relevant information on the security of a number of different web browsers. It covers everything from high-level configuration management to low-level security technologies. IT managers can use it to make an informed decision about which browser is best suited for their specific needs. It offers security experts evidence based data on which browser protects best against specific risks.
Released technical analysis of a large number of vulnerabilities and techniques.
Illustrated the fragility of state-of-the-art web browser code in 2016 through daily Tweets about a new way to crash a web browser.
Introduced heap-spraying in web browsers, a technique that facilitates exploitation of vulnerabilities in application. This technique has been widely adopted and built upon to bypass mitigations and create sophisticated and reliable exploits.
Main author of the world's smallest Windows shellcode.
Inventor of the concept of Omelette shellcode.
Creator of the first practical alphanumeric shellcode encoder, which was ported to the Metasploit framework and author of ASCII art shellcode.
Created the first Proof-of-Concept XSS worm in 2002 to warn of their potential danger; the first publicly released XSS worms proved they can causing serious damage 3 years later.

Spoken languages

Dutch - native
English - Fluent
German - Proficient
French - Basic