A Tripwire Milestone: ASPL – 1000 is here | The State of Security
When I joined nCircle as a security researcher in 2006, ASPL 117 had just been released. I missed the ASPL-100 release celebration, which included custom sweatshirts, but there was still one unclaimed shirt in the office and I brought it home, my first piece of company swag. That shirt still hangs in my closet all these years later.
For those of you that are unaware, ASPL, Advanced Security Profiling Language, is the name of the language that was originally used to write rules for IP360. These days, we tend to use Python, but ASPL still exists. The database that stores all of these rules was typically called ontology, but packages of ASPL rules were released via the ASPL package. Today, you may download the latest “ontology update”, but at heart, it is still just an ASPL package.
My first celebratory swag was a hockey jersey for the release of ASPL-200 in 2007. It hangs in my closet next to my “stolen” ASPL-100 shirt. Over the years, we’ve continued to celebrate the occasional milestone release including ASPL-900 in August, 2020.
Today, however, we’re announcing a huge milestone. Soon, ASPL-1000 will be released. That’s right! We move to 4-digit numbers. The part that blows my mind is that I’ve been a part of this team for 883 releases. We went from nCircle to Tripwire to Tripwire, a Belden Brand to Tripwire by HelpSystems. We went from VERT, a team focused on content for IP360, to TACTIC, a team producing content for a half-dozen products, working on cutting-edge research, speaking at conferences, and contributing to the global security community. I went from the junior member of the team to the senior manager. When I started with the company, people said make sure you stay 3-5 years before you move to a new company and I just started my 17th year with the company. I can remember the names and faces and great times I’ve had with all the members of this team over the years. For those of you that worry about the loss of the VERT name, do not fret! VERT will always exist as a sub-team within TACTIC that remains responsible for IP360 content.
Over the years, we’ve added so many capabilities to IP360 from WMI support to Web Application Scanning. We spent several years as a PCI Approved Scanning Vendor and even contributed to the ASV guidance documentation. We’ve discovered and reported vulnerabilities with Microsoft, Apple, Nvidia, and more. We’ve had team members speak in North America, Europe, and Asia and we founded the IoT Hack Lab at SecTor.
For fun, I asked our tools lead to pull the date of the oldest item in our development system. Vulnerability ID #1 was inserted at 5:06PM on March 6, 2002. We have been generating content as a team effort for more than 20 years. Our content can legally drink in Canada and is less than a year away from being able to do so in the United States.
Knowing this, one thing that I wanted to take a look at was the way that the numbers have changed over the years. I dug into my email and pulled out the stats for the first ASPL package released after I joined the team and wanted to compare them to our current statistics.
As you can see, things have changed drastically over the years. One thing that hasn’t changed is the dedication of the team and the desire to continue to improve and I couldn’t be more proud of the work that TACTIC, the team formerly known as VERT, has done over the years. So, this post accomplishes two things. First, to let you all know about our most recent content milestone, but, more importantly, to congratulate my team and all the past members of the team whose shoulders we stand on, for reaching this milestone. Congratulations to everyone involved!
Speaking of everyone involved, let’s wrap with the names of all those that have ever contributed to an ASPL package:
Abe Weston, Abiola Fayemi, Adam Henry, Albert Hui, Alicia Gumtie, Allan Zhang, Amit Borate, Amrit Williams, Amruta Patki, Andrew Swoboda, Ariane Carurucan, Art Mackiewicz, Ary Widdes, Avinash Kalambe, Azeem Qureshi, Bob Thomas, Brian Buchannan, Brian Sheppard, Bruce Zhang, Byron Sonne, Cedric Lam, Chinh Nguyen, Chris Abad, Chris Gahan, Chris Merey, Chris Pawlukowsky, Chris Searles, Christian Hunt, Craig Young, Dang Hong Quan, Daniel Nobuto, Darlene Hibbs, Darren Mankasingh, Dave Suffling, David Henderson, Dinh Thi Huyen, Duong Dang Thinh, Dylan D’Silva, Ed Bull, Eric Anderson, Eric Scheibling, Eric Hoffmann, Eric Pattenden, Eric Scheibling, Farhan Jiva, Felicia Carter, Gauthaman Ravindran, Graham Bignell, Ian Turner, Isaac Mui, James Li, James Reid, Jamie Gamble, Jason Minshull, Jay Graver, Jay Muskat, Jeremy Cooper, Jeremy Richards, Jesse Smith, Joel Weisz, John Wenning, Jon Erickson, Jordan Powers, Joseph Leake, Josha Bronson, Josh Swartzell, Julian Dunn, Kyle Guillette, Lamar Bailey, Lane Thames, Le Xuan Lam, Martin Quiroga, Matthew Condren, Matthew Jerzewski, Meg Bartelt, Michael Nearing, Michael Perklin, Mike Luu, Mike Murray, Minoo Hamilton, Mo Hijazi, Murphy Anton, Nguyen Tien Manh, Noah Salzman, Oliver Lavery, Paul Miseiko, Paul Walker, Peter McPhee, Peter Melse, Pham Thanh Thao, Pham Thi Hien, Quyen Thi Nguyen, Raymond Wu, Ricardo Patino, Rob Brockway, Ross Barrett, Ryan Poppa, Ryan Stafford, Samantha Zeigler, Sam Chen, Scott Rushton, Sebastien Doucet, Sheldon Malm, Skip Stellhorn, Stephanie DePompa, Tang Huy Luong, Than Thi Cham, Tim Erlin, Tom Stracener, Toufiq Zari, Tran Duy Kien, Tran Thanh Chien, Travis Vanos, Tyler Reguly, Vrushali Rao Ugale, Vuk Vujevic, Yazhi Wang