Yuji Kosuga

Profile

Highly skilled Security Engineer with expertise in web application security. Proven track record of detecting multiple security vulnerabilities on a variety of popular websites such as Google, Facebook, Twitter, and Amazon. Recognized by the Japanese government for innovative programming skills and was awarded the prestigious Super Creator certification. Has experience performing security reviews as part of a security team in a top tech company and creating vulnerability scanning tools to detect web application vulnerabilities.

Specialties: Web Application Security & Attacks.

Work experience includes security code review, architecture review, security analysis, vulnerability analysis, testing tool development with static analysis and dynamic analysis.

Technical Skills

• Languages: C/C++, Java, JavaScript, JSP, Go, Node, Perl, PHP, Python, Ruby, Scheme, SQL
• Platforms: Android, FreeBSD, iOS, Linux, Mac OS X, Windows
• Middlewares: Apache, GWT, Hadoop, Hive, JAX-RS, MySQL, PhantomJS, Pig, Play, PostgreSQL, Presto, Selenium, Teradata, Tomcat

Work Experience

• Staff Engineer, Information Security at LinkedIn from October 2016 to October 2019 in Sunnyvale, CA, USA.
  • Developed a system that promptly updates Content-Security-Policy (CSP) site-wide.
  • Reviewed/Worked with various teams to tighten the frontend security of their services.
  • Improved security without loosing performance in close collaboration with Performance Team.
  • Completed HTTPS-by-default on all services in all countries after solving technical and legal struggles.
  • Designed a system to handle cookies to be compliant with new regulations in Europe and California.
• Senior Security Engineer at LinkedIn from May 2014 to September 2016 in Dublin, Ireland & Mountain View, CA, USA.
  • Developed a standalone tool that tests SSL compliance for online ads.
  • Developed a web application that tests ads for various compliances.
  • Reviewed and fixed 1000+ XSS flaws.
  • Worked in Dublin from May to December in 2014 and relocated to Mountain View, CA in January 2015.
• Information Security Analyst at LinkedIn from February 2013 to May 2014 in Tokyo, Japan & Dublin, Ireland.
  • Developed dynamic and static scanners that automatically discover XSS flaws.
  • Developed dynamic and static scanners that automatically discover insecure HTTP contents over HTTPS web pages.
  • Worked in Tokyo from February to August in 2013 and in Dublin from September 2013 to May 2014.
• Chief Technology Officer at Everforth Co., Ltd. from November 2011 to January 2013 in Tokyo, Japan.
  • Built and maintained a Big Data management system that integrate a wide variety of commercial products.
  • Developed Android and iOS applications, and various web applications for other companies.
  • Stayed as a board member until the company was acquired by WingArc1st Inc. in March, 2018.
• Research Fellow (DC1, PD) at The Japan Society for the Promotion of Science from April 2009 to March 2012 in Tokyo, Japan.
  • Created a novel technique to detect cross-domain vulnerabilities in web applications.
  • Worked as Research Fellow (DC1) from April 2009 to September 2011 and as Research Fellow (PD) from October 2011 to March 2012.

Education

• Ph.D. in Engineering at Keio University, Japan in September 2011. The dissertation title was "A Study on Dynamic Detection of Web Application Vulnerabilities".
• Master of Science in Engineering at Keio University, Japan in March 2009. The master thesis title was "A Study on Automatic Detection of SQL Injection Vulnerabilities",
• Bachelor of Engineering at Keio University, Japan in March 2007. The bachelor thesis title was "Dynamic Analysis for Discovering Improper Sanitization against SQL Injection".

Other Experience

• Founder and Chief Architect at AMBERATE.ORG from June 2009 to January 2013 in Tokyo, Japan. Recruited members for AMBERATE.ORG, a group that works toward the development of the web application security scanner, Amberate, and makes various web applications more secure by using Amberate to detect vulnerabilities.
• Classroom Assistant at Memphis City Schools from March 2010 to April 2010 in Memphis, TN, USA. Visited Japanese classes at Craigmont High School and provided native-speaker instruction to help students prepare for the Japanese festival at University of Memphis.
• Volunteer Worker at Pro International e.V. from February 2006 to March 2006 in Marburg, Germany. Worked with an international team of 10 people from 8 countries to prepare a campsite to open for the summer months.

Achievements

• Amberate -- During a 7-month period of the Mitoh (Exploratory Software) Youth Project of the Information-Technology Promotion Agency Japan, I developed security software called Amberate, which is composed of approximately 60,000 lines of Java code. Amberate detects vulnerabilities in web applications. By analyzing request and response data, it dynamically generates attacks tailored to individual web applications. Currently, Amberate has not been made public to avoid additional insecurities in accordance with guidelines set by the Japanese government. Ref. https://www.amberate.org
• Sania -- When I was an undergraduate student, I developed security software called Sania, which operates an efficient penetration testing for detecting SQL injection vulnerabilities. Since it is designed to be used by web application developers in situations where it can intercept SQL queries, by analyzing the SQL queries, it can automatically generate elaborate attacks and assess the security according to the context of the potentially vulnerable spots in the SQL queries.
• Vulnerability Reports -- Reported many security vulnerabilities in a variety of popular websites, including Google, Twitter, Amazon, and Facebook. Some outstanding reports are mentioned on their web pages as below.
  • United States Department of Defense - 6th place on "Hack the Pentagon"​ https://hackerone.com/deptofdefense/thanks/hackthepentagon
  • Microsoft - Security Researcher Acknowledgments for Microsoft Online Services - October and November 2012, January and February 2013 Security Researchers http://technet.microsoft.com/en-us/security/cc308575
  • Facebook - White Hats https://www.facebook.com/whitehat/thanks/
  • Twitter - Twitter Whitehats 2012 & 2013 https://hackerone.com/twitter/thanks/prior
  • Google - Security Hall of Fame - Honorable Mention - "April - June 2011" https://www.google.com/about/appsecurity/hall-of-fame/archive/
  • Tuenti - Security Hall of Fame http://corporate.tuenti.com/en/dev/hall-of-fame
  • Nokia Siemens Networks - Security Hall of Fame - "November 2012" http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure
  • Constant Contact - Security Acknowledgement http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp
  • OwnCloud - Security Hall of Fame 2012 & 2013 http://owncloud.org/security/hall-of-fame/
  • iFixit - Security Acknowledgement 2012 & 2013 http://www.ifixit.com/Info/responsible_disclosure
  • Zynga - Whitehats 2012 & 2013 http://company.zynga.com/security/whitehats
  • Redhat - Vulnerability Acknowledgements for Redhat online services -"2012 Acknowledgements" https://access.redhat.com/knowledge/articles/66234
  • Adobe - Security Acknowledgments http://www.adobe.com/support/security/bulletins/securityacknowledgments.html
  • SoundCloud - Whitehat Thanks List http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure
  • GitLab - Vulnerability Acknowledgements http://blog.gitlab.com/vulnerability-acknowledgements/
  • Collective Idea - HarmonyApp Security Thank-you List http://get.harmonyapp.com/security/
  • Yandex - THE YANDEX BUG BOUNTY - Hall of Fame http://company.yandex.com/security/hall-of-fame.xml
  • eBay - Responsible Disclosure Acknowledgements http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html
  • Netflix - Thanks to Security Researchers List http://support.netflix.com/en/node/6657
  • OwnCloud - OwnCloud Issues on our webservices 2013 http://owncloud.org/about/security/issues-on-our-webservices/
  • Zendesk - Zendesk Responsible Disclosure https://www.zendesk.com/company/responsible-disclosure-policy
  • Barracuda Networks - Barracuda Networks Security Hall of Fame https://www.barracudalabs.com/bugbounty/halloffame.html
  • Apple - Credits on Apple Web Server notifications http://support.apple.com/kb/HT1318
  • Dropbox - Special Thanks List https://www.dropbox.com/special_thanks
  • MailChimp - Security Contributor http://mailchimp.com/about/security-response/
  • BlackBerry - Security Acknowledgements 2013 http://ca.blackberry.com/business/topics/security/incident-response-team/collaborations.html
  • Snappy - Security Contributor http://besnappy.com/security
  • Pocket - Security Thanks List http://help.getpocket.com/customer/portal/articles/1225832-pocket-security-overview
  • Evernote - Security Hall of Fame http://evernote.com/security/
  • Base - Responsible Disclosure Thank-you List https://getbase.com/security/
  • Splitwise - Responsible Disclosure / Special Thanks http://blog.splitwise.com/about/responsible-disclosure-special-thanks/
  • Deutsche Telekom - Acknowledgements http://www.telekom.com/security/acknowledgements
  • Acquia - Thanks list of Responsible Disclosure http://www.acquia.com/how-report-security-issue
  • Vzaar - Security Contributor https://vzaar.com/help/kb/administrative-pages/responsible-disclosure
  • 123ContactForm - Security Acknowledgements http://www.123contactform.com/security-acknowledgements.htm
  • Braintree Payment Solutions, LLC - Security Hall of Fame https://www.braintreepayments.com/developers/disclosure
  • GitHub - Bounty Hunters https://bounty.github.com/bounty-hunters.html
  • Viadeo - Security Security Contributor http://www.viadeo.com/aide/security/
  • Uber - Security Acknowledgements https://www.uber.com/security
  • Meldium - Security Hall of Fame https://www.meldium.com/security
  • PayPal - Honorable Mention https://www.paypal.com/in/webapps/mpp/security-tools/wall-of-fame-honorable-mention
  • Nokia - Nokia Responsible disclosure Hall of Fame http://nsn.com/responsible-disclosure

Awards & Honors

• Computer Software Paper Award from JSSST, Japan Society for Software Science and Technology in 2012.
• IPSJ Computer Science Research Award for Young Scientists from Information Processing Society of Japan in November 2010.
• Super Creator Certification from Information-Technology Promotion Agency (IPA), Japan in May 2009.
• Best Student Presentation Award from SIGOS, Information Processing Society of Japan in April 2009,
• Poster Award from SPA-SPRING Workshop Committee in March 2007.

Talks

• Technologies towards Web Application Security at Ritsumeikan University in Shiga, Japan in October 2011.
• A new organization formed by alumni of the Mitou project in an event "ESPer2010" held in Tokyo, Japan in December 2010.
• Amberate demonstration for entrepreneurs and venture capitalists in Venture BEAT Project Tokyo in June 2009.
• An Automated and Optimized Audit Testing Framework for Web Applications in an event IPAX2009 held in Tokyo, Japan in May 2009.

Publications

• Transaction / Journal Publications
  • Automatically Checking for Session Management Vulnerabilities in Web Applications. Yusuke Takamatsu, Yuji Kosuga, and Kenji Kono. IPSJ Trans. on Advanced Computing Systems (ACS 41), Vol.6, No.1, pp.45--55, Jan. 2013.
  • Amberate: A Framework for Automated Vulnerability Scanners for Web Applications. Yuji Kosuga, Kenji Kono. JSSST Trans. on Computer Software, Vol.28, No.4, pp.175--195, Nov. 2011.
  • Generating Effective Attacks for Efficient and Precise Penetration Testing against SQL Injection. Yuji Kosuga, Miyuki Hanaoka, Kenji Kono. IPSJ Trans. on Advanced Computing Systems (ACS 32), Vol.4, No.1, pp.68--82, Nov. 2010.
• Conferences
  • Automated Detection of Session Management Vulnerabilities in Web Applications. Yusuke Takamatsu, Yuji Kosuga, Kono Kenji. In Proc. of Tenth Annual Conference on Privacy, Security and Trust (PST 2012), pp.112--119, Paris, France, Jul. 2012.
  • Automated Detection of Session Fixation Vulnerabilities. Yusuke Takamatsu, Yuji Kosuga, Kenji Kono. In Proc. of the 19th international conference on World Wide Web (POSTER SESSION in WWW 2010) , pp.1191--1192, Raleigh, NC, USA, Apr. 2010.
  • Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection. Yuji Kosuga, Kenji Kono, Miyuki Hanaoka, Miho Hishiyama, Yu Takahama. In Proc. of the 23rd Annual Computer Security Applications Conference (ACSAC 2007) , pp.107--117, Miami Beach, FL, USA, Dec. 2007.
• Workshops
  • Automated Testing of Session Management Vulnerabilities. Yusuke Takamatsu, Yuji Kosuga, Kenji Kono. In Proc. of the 14th Computer Security Symposium (CSS 2011), Niigata, Japan, Oct. 2011.
  • Automated Detection of Session Management Vulnerabilities. Yusuke Takamatsu, Yuji Kosuga, Kenji Kono. In IPSJ Technical Report (SWoPP 2011), 2011-OS-118, Kagoshima, Japan, Jul. 2011.
  • Detection of Session Fixation Vulnerabilities with Session ID Monitoring. Masataka Utsumi, Yuji Kosuga, Kenji Kono. In IPSJ Technical Report (SWoPP 2010), 2010-OS-115, Kanazawa, Japan, Aug. 2010.
  • An Effective Audit Testing for Detecting Vulnerabilities in Web Applications. Yuji Kosuga, Kenji Kono. In IPSJ Technical Report, 2009-OS-111, Okinawa, Japan, Apr. 2009.
  • Amberate: An Automated and Optimized Audit Testing Framework for Web Applications. Yuji Kosuga. In Proc. of the IPSJ 50th Programming Symposium, pp.73--80, Hakone, Japan, Jan. 2009.
  • Effective Automated Testing for Detecting SQL Injection Vulnerabilities. Yuji Kosuga, Miyuki Hanaoka, Kenji Kono. In Proc. of the IPSJ SIGNotes Computer Security (2008-CSEC-41), pp. 103--108, Yokohama, Japan, May 2008.
  • Dynamic Analysis for Discovering Improper Sanitization against SQL Injection Vulnerabilities. Yuji Kosuga. The Fifth Spring Workshop on Systems for Programming and Applications (SPA-SPRING 2007), Japan, March 2007.
• Magazine
  • IT Talents Who Sprang Out of the Mitoh-Youth : Amberate : A Framework for Web Application Security Scanners. Yuji Kosuga. Monthly Magazine of Information Processing Society of Japan, Vol.52, No.12, pp. 1503--1503, November 2011.