The 15 Most Influential People in Security Today

As goes Google, so goes Web 2.0 security. Tavis Ormandy, one of the most visible hackers/researchers on the Google Security Team, faces the unenviable responsibility of making sure all of Google’s products pass the security smell test. An open-source security guru, Ormandy is tasked with identifying and analyzing vulnerabilities and exploits–and with getting them fixed before the bad guys can do damage. He is also co-lead of the Gentoo Security Team, shoring up the security of the Linux distribution.

The XO laptop (previously known as the $100 laptop) is poised to create a computing monoculture, and it-

Chris Paget’s demonstration of an RFID cloner at last year’s Black Hat and RSA Security conferences helped to draw attention to major weaknesses in a technology that’s becoming more and more mainstream. He showed how easy it is to build a working RFID tag cloner as part of a larger effort to underscore the insecurity of wireless technology.

The frontier of computer security isn’t the next Windows operating system; it’s the tiny computers embedded into everything we make, from cell phones to microwaves to alarm clocks. And the most visible person working out in the Wild West of hardware hacking is Bunnie Huang. Huang is an MIT PhD, founder of Chumby, breaker of the original Xbox and referee of the monthly “Name That Ware” contest. What-

Before joining the search marketing giant as an information security engineer, Michal Zalewski launched an all-out assault on the security models of modern Web browsers, exposing critical vulnerabilities in Microsoft’s Internet Explorer and Firefox. His public disclosure of those flaws went a long way to hardening the browsers. Now a member of Google’s security team, he continues to find and report bugs in Apple’s Mac OS X and to use his hacking skills to help secure Google’s long list of Internet-facing products.

A former Microsoft security strategist, Window Snyder borrowed a page from Redmond’s playbook and introduced a comprehensive-threat modeling and penetration-testing routine to Mozilla, where she now works as “Chief security something or other…” Snyder’s behind-the-scenes security efforts–which include outside hacker teams conducting simulated attacks on Firefox 3–are sure to pay off for the open-source alternative Web browser.

Spurred on by apathy–some would say arrogance–of the Mac faithful toward security, a group of hackers decided to document and disclose vulnerabilities in the Apple ecosystem every day throughout the month of January. What followed was the “Month of Apple Bugs,” an eye-opening effort that forced Apple’s security response team into action and helped speed up the delivery of security updates from Cupertino.

Where the “Month of Apple Bugs” exposed Mac OS X security holes in a theoretical way, New York-based researcher Dino Dai Zovi took it a step further, launching a remote code execution attack against a fully patched MacBook Pro as part of a contest at the CanSecWest security conference. Dai Zovi’s attack confirmed for many that malware-delivery attacks against Apple’s OS are a reality.

No list of this sort is complete without the inclusion of Michael Howard, co-author of Microsoft’s SDL (Security Development Lifecycle), the mandatory software coding approach that builds security into every conceivable layer. Howard’s work helped make Windows Vista Microsoft-

A rock star in hacker circles, HD Moore continues to push the vulnerability research envelope with his free Metasploit exploit development and penetration testing framework. The freely available point-and-click hacking tool is constantly refreshed to keep pace with security research, and now includes built-in support for breaking into Apple’s iPhone, full support for the Windows platform (including GUI) and more than 450 modules and about 265 remote exploits.

Founder of the widely read Daily Dave mailing list and a skilled hacker in his own right, Dave Aitel’s delivery of proof-of-concepts and exploits in the commercial CANVAS attack tool go a long way toward helping businesses and IDS (intrusion detection system) vendors determine risk from known–and unknown–vulnerabilities.

A key part of Microsoft’s mandatory SDL process is Bronwen Matthews’ responsibility. A Trustworthy Computing security program manager, Matthews manages the vendor selection process for security researchers, penetration testers and expert instructors. In this role, she controls the budget for outside hacking teams hired to break Microsoft’s products, spreading her influence in two parts: security of the Windows ecosystem and, more importantly, funding the startups that promote the best in security research.

You could say that John Pescatore, a vice president and research fellow at Gartner, owns and controls the venture capital pipeline for security. In many ways, Pescatore’s work determines enterprise spending at a very high level, influencing the delivery of Internet-facing products.

When it comes to tracking malicious Internet activity worldwide, no one does it better–or is more respected–than Rob Thomas and Team Cymru. A U.S. non-profit, Team Cymru is seen as the Tier 1 ISP honeynet project, conducting in-depth research into the –

If there’s a security hole in PHP, chances are it was found by Stefan Esser, an open-source security specialist. Esser’s advisories about flaws in Linux, NetBSD, Samba, Ethereal, CVS, Subversion, MySQL and PHP are legendary. He is also known as the first hacker to completely break the DRM (digital rights management) scheme of the Microsoft Xbox with software-only exploits. His “Month of PHP Bugs” project thoroughly exposed the insecure nature of the widely deployed PHP language and forced a rethink about security in the open-source world.