Short Bio

John Wilander is a Product Security Researcher at an American corporation. He holds a PhD in computer science with a focus on software security and has been researching and working in application security since 2001. From 2007 to 2013 he was an active leader in OWASP, the Open Web Application Security Project, where he "did it all" – founded and led a chapter, chaired a global AppSec conference, shipped a project, served on a global committee, and gave numerous conference talks. During his years in academia he was twice elected best computer science teacher.

Product Security Researcher

2013 - now, employed by an American corporation

Member of the Proactive Product Security team at an American corporation in California.

Frontend Architect, Developer, and Security Coordinator, Online Banking

2011 - 2013, employed by Svenska Handelsbanken

Member of the frontend team. Responsible for architecture, infrastructure, and security in a RIA for online banking.

Software Developer, Authentication & Payments

2010, consultant at Aftonbladet, employed by Omegapoint

Member of the Paid Services Team at Sweden's most popular website (>2 million visitors per day). Developing, testing and maintaining authentication and payment systems. As an example, the team designed and implemented backend services for Digest Access Authentication of mobile devices.

Security Development Lifecycle Implementation

Fall 2009, consultant at Posten, employed by Omegapoint

Project leader with the assignment to implement processes and routines for secure development and testing in a large development organization with more than 100 active systems.

Developer of National Medication Services

Fall 2008 - Fall 2009, consultant for Sjukvårdsrådgivningen+SLL+VGR+RS, employed by Omegapoint

Part of a scrum team which designed and developed a national system for data retrieval regarding prescribed medications for Swedish healthcare patients, delivered as both a web application and a web service. I had a special focus on non-functional security requirements such as intrusion prevention and log protection.

Research Publications (peer-reviewed)

Contributions to Specification, Implementation, and Execution of Secure Software
Doctoral thesis by John Wilander, defended on April 22nd, 2013. Opponent was Prof. Benjamin Livshits from Microsoft Research and University of Washington. The committee consisted of Prof. Mads Dam from Royal Institute of Technology, Stockholm, Sweden, Prof. Andrei Sabelfeld from Chalmers University of Technology, Gothenburg, Sweden, and Prof. Simin Nadjm-Tehrani from Linköping University, Sweden.

RIPE: Runtime Intrusion Prevention Evaluator
by John Wilander, Nick Nikiforakis, Yves Younan, Mariam Kamkar and Wouter Joosen. In the Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC 2011), December 5-9, 2011, in Orlando, Florida.

The Impact of Neglecting Domain-Specific Security and Privacy Requirements
by John Wilander and Jens Gustavsson. In the Proceedings of the 12th Nordic Workshop on Secure IT Systems (Nordsec 2007), October 11-12, 2007, in Reykjavík, Iceland. Pages 153--163.

Policy and Implementation Assurance for Software Security
Licentiate thesis by John Wilander, defended on November 18th, 2005. Opponent was Dr. Andrei Sabelfeld from Chalmers University of Technology.

Pattern Matching Security Properties of Code using Dependence Graphs
by John Wilander and Pia Fåk. In Proceedings of the 1st International Workshop on Code Based Software Security Assessments (CoBaSSA 2005), November 7, 2005, in Pittsburgh, Pennsylvania, USA. Pages 5--8.

Modeling and Visualizing Security Properties of Code using Dependence Graphs
by John Wilander. In Proceedings of the 5th Conference on Software Engineering Research and Practice in Sweden (SERPS'05), October 20-21, 2005, in Västerås, Sweden. Pages 65--74.

Security Requirements---A Field Study of Current Practice
by John Wilander and Jens Gustavsson. In E-Proceedings of the Symposium on Requirements Engineering for Information Security (SREIS 2005), August 29, 2005, in Paris, France.

A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention
by John Wilander and Mariam Kamkar. In Proceedings of the 10th Network and Distributed System Security Symposium (NDSS'03), February 5-7, 2003, in San Diego, California. Pages 149--162.

A Comparison of Publicly Available Tools for Static Intrusion Prevention
by John Wilander and Mariam Kamkar. In the Proceedings of the 7th Nordic Workshop on Secure IT Systems (Nordsec 2002), November 7-8, 2002, in Karlstad, Sweden. Pages 68--84.

Education

PhD in Computer Science, defended April 22, 2013, Linköping University

Licentiate in Computer Science, defended November 18, 2005, Linköping University

M.Sc. Computer Science and Engineering, Linköping Institute of Technology, Sweden and Nanyang Technological University, Singapore (1996-2002, one year on leave)

Certificates

Sun Certified Programmer for the Java2 Platform

ISC2 Certified Secure Software Lifecycle Professional (expired)

Positions of Trust

2007-2010 Technology evangelist in application security, Omegapoint
2005-2006 Responsible for gender and equality issues at Division of Software and Systems, Department of Computer Science, Linköping University
1999-2000 President of the Student Union at Linköping University, Institute of Technology. Elected representative, working full-time for one year. This included being a member of the University Board, Linköping University, and a member of the Institute of Technology Board, Linköping University
1998-1999 President of the Computer undergraduates section, Linköping University

Awards

2011 Best speaker (attendees' choice), NFI conference "From Requirements To Systems"
2010 Best speaker (attendees' choice), NFI conference "From Requirements To Systems"
2008 Best speaker (attendees' choice), NFI conference "From Requirements To Systems"
2007 Best Computer Science & Engineering teacher of Linköping University (students' choice), Institute of Technology
2006 Best Computer Science & Engineering teacher of Linköping University (students' choice), Institute of Technology

Recent & Upcoming Talks

2013, May Javaforum Stockholm. Topics: 1) How To Migrate an Online Bank, 2) Software and Security – Experience from research, consultancy, and employment.
2013, May OpKoKo, Nyköping. Topic: How To Succeed With Software and Security – Lessons learned for research, consultancy, and employment.
2013, April Espressoinfo, Stockholm. 4 hour tutorial: Ways to Build a Modern Web Application.
2013, Feb Jfokus 2013, Stockholm. 4 hour tutorial: Ways to Build a Modern Web Application. Together with @joakimkemeny.
2013, Jan GeekMeet, Stockholm. Topics: 1) Integration Patterns For Legacy And Third Party Web Apps, 2) Web Application Security 2013
2012, Nov OWASP BeNeLux Day, Brussels. Topics: 1) Secure Web Integration Patterns in the Era of HTML5 2) Panel on pentesting
2012, Nov Framtidsdagen, Swedish Parliament IT, Stockholm. Topic: Being Successful On the Future Web
2012, Oct Dagstuhl Seminar 12401, Web Application Security, Schloss Dagstuhl, Germany. Topics: 1) Security Pains in Online Banking, 2) Stateless Anti-CSRF and Cookie Jar Overflow
2012, Jul OWASP AppSec Research 2012, Athens. Topic: Advanced CSRF and Stateless Anti-CSRF
2012, Mar Rugged Summit, Washington DC. A full week's workshop on a new, updated Rugged Software manifesto.
2012, Feb Jfokus 2012. Topics: 1) JavaScript for Java Developers, 2) Application Security for RIAs
2012, Feb HackPra, Ruhr-Universität Bochum. Topic: Application Security in Six Parts (intrusion prevention, static analysis, security requirements, modeling and visualizing security properties of code, CSRF against RESTful services, multi-step and semi-blind CSRF).
2011, Dec ACSAC 2011, Orlando, FL. Topic: RIPE: Runtime Intrusion Prevention Evaluator (full-paper)
2011, Oct SenchaCon 2011, Austin, TX. Topic: Application Security for RIAs
2011, Oct NFI, From Requirements to System. Topic: How To Handle Requirements for Rich Internet Applications
2011, May Royal Institute of Technology. Topic: Application Security for CS Students.
2011, April WebSand. Topic: Will New HTTP Headers Save Us? About CSP, HSTS, and XFO.
2011, Jan OWASP Sweden. Topic: Will New HTTP Headers Save Us? About CSP, HSTS, and XFO.
2010, Dec IBWAS. Topics: OWASP Top 10 From a Developer's Perspective + Will New HTTP Headers Save Us?
2010, Oct NFI, From Requirements To System. Topics: Application Security Requirements + The History of the Web
2010, June The New Digital Threats. Topic: Application Security and the Dynamic Threats on the Web
2010, May Royal Institute of Technology. Topic: Application Security for CS Students.
2010, May SIS, Right Security. Topic: Application Security and the Dynamic Threats on the Web
2010, Feb Stockholm University. Topic: Application Security for Computer and Systems Science students

IT Community Efforts

FOSS projects on GitHub

Founder & Chapter co-leader OWASP Sweden 2007-2013 (The Open Web Application Security Project)

Conference chair, OWASP AppSec Research 2010

OWASP Global Conferences Committee member 2009-2012

OWASP Global Summit 2011 co-organizer, responsible for Browser Security track

Co-organizer of Community Hack, an open hackathon

Programming Languages

Current focus: JavaScript and Swift

Much time spent with: Java

The research years: C

Teenage memories: M68000 assembler

Development Tools

IDEs: WebStorm, IntelliJ, Xcode

Debugging & Testing: Safari Web Inspector, Chrome dev tools, Firebug, Jasmine, Selenium, Burp Suite, JUnit, Mockito

Build: Ant, Maven, Ivy, Closure Compiler, YUI Compressor, Yeoman, require.js

Blogs

appsandsecurity.blogspot.com My own blog on software development and application security

Contact Info

Email john @ wilander . net
Twitter @johnwilander