Berend-Jan Wever (PGP)

Senior Information Security Researcher

Berend-Jan has made his career in offensive security. His work focuses on looking for holes in the threat model, design and/or implementation of systems. He creates actionable reports for the development team to address these issues promptly, and provides high-level overviews for management to assess the overall state of security. He advises the development team on how to fix such issues and what mitigations to consider to reduce the impact of such vulnerabilities. He constantly looks for patterns in the vulnerabilities in a product to group them in classes. He will find the root cause and symptoms for each class. Through automation, process changes, and training he helps the development team remove every instance of such a class from the product, to eliminate the threat completely.
Extensive experience allows him to see the bigger picture and determine the maximum impact an advanced threat actor might achieve. He can chain together issues and design quirks across a system to provide a holistic threat assessment that takes into account the entire system, not just individual components. He focuses mainly on the long term, thinking ahead and planning for the next few years.

Recent Work History

Senior Security Engineer in Holistic Testing Team at AWS

Company: Amazon Web Services (AWS)
Location: Work from home in the Netherlands
Period: 2021-2024
Position: Security Engineer III, L6
Activities: Tech lead, process management, training, pen-tests, design & implement automation, reverse engineering, job interviews

Within the Holistic Testing Team, I led 2-3 month security reviews and testing of AWS Services aimed at helping the Service Team improve their security in the long term. I took ownership of (re-)designing and developing various tools to help automate our work. I reported security issues in other systems and processes I came into contact with, outside of my day-to-day work, to improve overall security of AWS. As a senior engineer on the team, I represented the engineers with management when discussing our team's ongoing activities, and short- and long-term planning. I gave various presentations on security-related topics to educate others within AWS and helped review and rewrite security training material.

As a testing lead, I performed the following activities:

  1. I distributed the tasks of collecting information relevant to the security of the service, reviewing the Threat Model for the service, identifying critical components and potential attack vectors, and ranking identified risks by potential impact and feasibility. Where this information was not yet fully available or well organized, I made sure it was collected in a single location for future use.
  2. I used the collected information to select the most important areas for security and translate these into a targeted pen-testing scope, with each scope item assigned to one or more individual team members for a specific duration, taking into account the skills and interests of individual team members.
  3. I worked with my team and the service team to perform pen-tests of scope items to identify, analyze and report security vulnerabilities. We helped the service team design and deploy fixes and mitigations for the identified risks. I adjusted the scope as needed when we identified a new high-risk area outside our scope during testing.
  4. I designed and implemented tools to help automate parts of the pen-testing process, such as scanning and collecting information about the service's components, automated testing of components, fuzzing, and creating Proof-of-Concept exploits.
  5. I identified trends/patterns in security issues to detect deeper root causes and worked with the team to select training to address knowledge gaps. I helped the team select or design tools, consider system design changes, and/or process changes to reduce/remove the risk of introducing new issues.
  6. I wrote a report detailing the technical results of our tests as well as a high-level overview of our findings, including suggestions for future areas of improvement and future security reviews.
  7. I presented the results to senior management of the service.

For our tools, I worked to standardize their design and implementation, and their output format(s), with the aim of making the tools compatible/interoperable. I introduced a generic modular design to make the tools easier to maintain and expand with new features. This included tools for scanning text for sensitive or security-relevant information, tools to scan for and detect configuration issues that have security impact, and tools to test specific components and/or confirm the existence of theoretical issues (a.k.a. Proof-of-Concept code).

As a security-minded user, I identified security issues in internal systems and processes that I used, and worked with the relevant team to explain the potential impact, assess priority, and help create a plan to address the issue in a reasonable time-frame. I made sure that the implemented changes completely removed the threat.

I reviewed and improved internal security training for our developers. I gave various presentations on security-related topics to explain how I approached certain problems, how I designed various tools, how I discovered various security issues, how to work with development teams to help them address issues quickly, and how to avoid causing friction to make sure security engineers and developers cooperate effectively.

Offensive Security Researcher and head of Fuzzing Community at Intel

Company: Intel
Location: Work from home in the Netherlands
Period: 2019-2021
Position: Senior Security Researcher
Activities: Tech lead, training, design & implement automation

Leading the effort to automate security research with a strong focus on fuzzing. Many of Intel's products are hardware based with custom firmware and drivers, which do not easily lend themselves to fuzzing with existing tools. The existing tools are often under-documented, and hard to set up and deploy at scale for anyone who is not a security researcher with experience in fuzzing. Choosing which fuzzers to apply, how to apply them correctly and collect meaningful and actionable information about their effectiveness is currently too complex. I am leading an effort to create a modular fuzzing framework that resolves these issues. This project has multiple goals:

  1. Make it easier for product teams to start effectively using continuous fuzzing during development to catch security issues early, without requiring these developers to have a thorough understanding of fuzzing and the various possible techniques/engines that can be deployed.
  2. Make it easier to fuzz anything, including currently hard-to-fuzz products such as hardware and firmware. From the start of development all the way through the development process and continuing after the product has been released.
  3. Allow the collection of meaningful information about fuzzer deployment that can be used to implement and check SDL requirements.
  4. Allow security researchers to easily create, test and deploy new fuzzing engines.

Owner of SkyLined Security

Company: SkyLined Security
Location: Work from home in the Netherlands
Period: 2011-2019
Position: Owner
Activities: fuzzing, design & implement automation, Proof-of-Concept development, pen-tests, reverse engineering

Security Researcher in Chrome Security Team at Google

Company: Google
Location: Work from home in the Netherlands
Period: 2008-2011
Position: Senior Software Security Engineer
Activities: pen-tests, design & implement automation, fuzzing, developing patches and mitigations

Hired as an initial member of the Google Chrome Security Team. Hit the ground running to make sure the software did not ship with any major security issues three months later.

Security Researcher in Security Windows Initiative Attack Team at Microsoft

Company: Microsoft
Location: Work from home in the United Kingdom
Period: 2005-2008
Position: Security Software Engineer
Activities: pen-tests, design & implement automation, fuzzing, analyzing external security reports, checking patches, job interviews

Skills and Experience

Key skills

Historically Notable Publications

A small selection of contributions to the information security community:

Spoken languages

Dutch - Native
English - Fluent
German - Proficient
French - Basic