Profile
Highly skilled Security Engineer with expertise in web application security. Proven track record of detecting multiple security vulnerabilities on a variety of popular websites such as Google, Facebook, Twitter, and Amazon. Recognized by the Japanese government for innovative programming skills and was awarded the prestigious Super Creator certification. Native Japanese speaker with business-level English skills.
Technical Skills
Languages: Java (10 years), C/C++, JavaScript, JSP, Perl, PHP, Python, Scheme, SQL
Platforms: Android, FreeBSD, iOS, Linux, Mac OS X, Windows
Middleware: Apache, GWT, JAX-RS, MySQL, PostgreSQL, Tomcat
Work Experience
February 2013 - Present
Tokyo, Japan
Information Security Analyst for LinkedIn
TMF Group Limited (Japan)
Dispatched to LinkedIn Japan and worked with the security team in the US as an Information Security Analyst.
November 2011 - January 2013
Tokyo, Japan
Chief Technology Officer
Everforth Co., Ltd.
Built and maintained a BigData management system to integrate a wide variety of commercial products. Designed the database schema on MySQL and implemented its REST API in Java.
October 2011 - March 2012
Tokyo, Japan
Research Fellow (PD)
The Japan Society for the Promotion of Science
Created a novel technique to detect cross-domain vulnerabilities in web applications through academic research.
April 2009 - September 2011
Tokyo, Japan
Research Fellow (DC1)
The Japan Society for the Promotion of Science
Created a novel technique to detect cross-domain vulnerabilities in web applications through academic research.
Education
September 2011
Keio University, Japan
Ph.D. in Engineering
Dissertation: "A Study on Dynamic Detection of Web Application Vulnerabilities"
March 2009
Keio University, Japan
Master of Science in Engineering
Master Thesis: "A Study on Automatic Detection of SQL Injection Vulnerabilities"
March 2007
Keio University, Japan
Bachelor of Engineering
Bachelor Thesis: "Dynamic Analysis for Discovering Improper Sanitization against SQL Injection"
Other Experience
June 2009 - January 2013
Tokyo, Japan
Founder and Chief Architect
AMBERATE.ORG
Recruited members for AMBERATE.ORG, a group that works toward the development of the web application security scanner, Amberate, and makes various web applications more secure by using Amberate to detect vulnerabilities.
March 2010 - April 2010
Memphis, TN, USA
Classroom Assistant
Memphis City Schools
Visited Japanese classes at Craigmont High School and provided native-speaker instruction to help students prepare for the Japanese festival at the University of Memphis.
February 2006 - March 2006
Marburg, Germany
Volunteer Worker
Pro International e.V.
Worked with an international team of 10 people from 8 countries to prepare a campsite to open for the summer months.
Achievements
Amberate
During a 7-month period of the Mitoh (Exploratory Software) Youth Project of the Information-Technology Promotion Agency Japan, I developed security software called Amberate, which is composed of approximately 60,000 lines of Java code. Amberate detects vulnerabilities in web applications. By analyzing request and response data, it dynamically generates attacks tailored to individual web applications. Currently, Amberate has not been made public to avoid additional insecurities in accordance with guidelines set by the Japanese government.
Ref.
http://www.amberate.org
Sania
When I was an undergraduate student, I developed security software called Sania, which performs efficient penetration testing for detecting SQL injection vulnerabilities. Since it is designed to be used by web application developers in situations where it can intercept SQL queries, by analyzing the SQL queries, it can automatically generate elaborate attacks and assess the security according to the context of the potentially vulnerable spots in the SQL queries.
Vulnerability Reports
Reported many security vulnerabilities in a variety of popular websites, including Google, Twitter, Amazon, and Facebook. Some outstanding reports are mentioned on their web pages as below.
Awards & Honors
November 2010
Incentive Award in Computer Science
Information Processing Society of Japan
May 2009
Super Creator Certification
Information-Technology Promotion Agency (IPA), Japan
April 2009
Best Student Presentation Award
SIGOS, Information Processing Society of Japan
March 2007
Poster Award
SPA-SPRING Workshop Committee
Talks
October 2011
Shiga, Japan
Ritsumeikan University
Gave a presentation titled "Technologies towards Web Application Security".
December 2010
Tokyo, Japan
ESPer2010
Proposed a new organization formed by alumni of the Mitou project.
June 2009
Tokyo, Japan
Venture BEAT Project
Introduced and demonstrated Amberate to entrepreneurs and venture capitalists.
May 2009
Tokyo, Japan
IPAX2009
Gave a presentation titled "An Automated and Optimized Audit Testing Framework for Web Applications". Introduced and demonstrated Amberate to the convention attendees.
Publications
Transaction / Journal Publications
Amberate: A Framework for Automated Vulnerability Scanners for Web Applications
Yuji Kosuga, Kenji Kono
JSSST Trans. on Computer Software, Vol.28, No.4, pp.175--195, Nov. 2011.
Generating Effective Attacks for Efficient and Precise Penetration Testing against SQL Injection
Yuji Kosuga, Miyuki Hanaoka, Kenji Kono
IPSJ Trans. on Advanced Computing Systems (ACS 32), Vol.4, No.1, pp.68--82, Nov. 2010.
Conferences
Automated Detection of Session Management Vulnerabilities in Web Applications
Yusuke Takamatsu, Yuji Kosuga, Kenji Kono
In Proc. of Tenth Annual Conference on Privacy, Security and Trust (PST 2012), pp.112--119, Paris, France, Jul. 2012.
Automated Detection of Session Fixation Vulnerabilities
Yusuke Takamatsu, Yuji Kosuga, Kenji Kono
In Proc. of the 19th International Conference on World Wide Web (POSTER SESSION in WWW 2010), pp.1191--1192, Raleigh, NC, USA, Apr. 2010.
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection
Yuji Kosuga, Kenji Kono, Miyuki Hanaoka, Miho Hishiyama, Yu Takahama
In Proc. of the 23rd Annual Computer Security Applications Conference (ACSAC 2007), pp.107--117, Miami Beach, FL, USA, Dec. 2007.
Workshops
Detection of Session Fixation Vulnerabilities with Session ID Monitoring
Masataka Utsumi, Yuji Kosuga, Kenji Kono
In IPSJ Technical Report (SWoPP 2010), 2010-OS-115, Kanazawa, Japan, Aug. 2010.
An Effective Audit Testing for Detecting Vulnerabilities in Web Applications
Yuji Kosuga, Kenji Kono
In IPSJ Technical Report, 2009-OS-111, Okinawa, Japan, Apr. 2009.
Amberate: An Automated and Optimized Audit Testing Framework for Web Applications
Yuji Kosuga
In Proc. of the IPSJ 50th Programming Symposium, pp.73--80, Hakone, Japan, Jan. 2009.
Effective Automated Testing for Detecting SQL Injection Vulnerabilities
Yuji Kosuga, Miyuki Hanaoka, Kenji Kono
In Proc. of the IPSJ SIGNotes Computer Security (2008-CSEC-41), pp. 103--108, Yokohama, Japan, May 2008.
Dynamic Analysis for Discovering Improper Sanitization against SQL Injection Vulnerabilities
Yuji Kosuga
The Fifth Spring Workshop on Systems for Programming and Applications (SPA-SPRING 2007), Japan, March 2007.