Texas Military Department Web Team

John J Gately - Webmaster / Programmer V

Starting as a teenager clacking away on his Commodore VIC-20, John has always had a strong interest in technology. In 1990 John founded a company that allowed law enforcement to locate stolen property by connecting agencies across the country using dial-up internet and custom-made software. He later created the first-ever connected jail system software. He sold those companies and went to work for SECURUS Technologies in Dallas, TX. After his departure from SECURUS, he helped create new technology that was awarded a patent by the USPTO. In 2010, John joined the Texas State Guard. Currently a Master Sergeant, John serves as the NCOIC for the T6 shop, where he has led a team of officers and enlisted soldiers to win three Best of Texas Awards for creating new technologies at no cost to the public. In 2014 John became the Texas Military Webmaster. As part of this position, he also created the Texas Military Department App and, on a dare, TMDTV, which can be found on Roku and Amazon Fire. (John is the current basketball champion for the 2020 and 2021 seasons and is currently leading the 2022 season against Orrin Spence.)

Orrin Spence - Webmaster / Programmer IV

In 2009, Staff Sergeant Orrin Spence joined the U.S. Army as a 92A (Automated Logistics Specialist) stationed in Texas. Orrin served four years of active duty, including a deployment to Iraq. In 2013 he left active duty and joined the Texas National Guard, stationed in San Antonio for one year before moving to San Marcos. In 2015 Orrin started working for the Texas Comptroller as a programmer, where he worked on IBM mainframes to ensure taxes were handled correctly. In 2015, Orrin reclassed to 25B (Information Technology) stationed in Round Rock, where he worked on setting up communication systems for missions. After a year and a half, he moved to Fort Hood to work with the 136th Regional Training Institute (RTI), where he sets up the IT for classrooms for reclassing soldiers. Orrin left the Comptroller in 2016 to join the Texas Military Department family, working for the Public Affairs office on the award-winning TMD website. The web team has also created TMDAPP and TMDTV for the Roku and Amazon Fire platforms. Currently, Orrin enjoys beating John Gately in basketball daily. (2016 Winner, 2017 Winner, 2018 Winner, 2019 Winner)

  • Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
  • Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
  • Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial and healthcare data and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
  • XML External Entities (XXE): Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files via the file URI handler or internal file shares, to perform internal port scanning, and to achieve remote code execution or denial of service.
  • Broken Access Control: Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users’ accounts, viewing sensitive files, modifying other users’ data, changing access rights, etc.
  • Security Misconfiguration: Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
  • Cross-Site Scripting (XSS): XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.
  • Insecure Deserialization: Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
  • Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
  • Insufficient Logging & Monitoring: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. Most breach studies show that time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring.
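As an added illustration of the Injection item above (example code written for this page, not the web team's own), here is a Python user lookup that splices untrusted input into a SQL string beside its parameterised form; the in-memory user table and the hostile input are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory user table, not a real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input becomes part of the command text, so the SQL interpreter
    # parses the caller's data as SQL: the Injection flaw described above.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Parameterised query: the value is bound after the statement is parsed,
    # so it can never change the query's structure, whatever it contains.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    conn = make_db()
    benign = "bob"
    # Constructed hostile input: a tautology that turns the WHERE clause true
    # for every row when it is spliced into the query text.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),   # one row
        "vuln_hostile": lookup_vulnerable(conn, hostile), # every row leaks
        "safe_benign": lookup_safe(conn, benign),         # one row
        "safe_hostile": lookup_safe(conn, hostile),       # no such user: []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same principle applies to the other interpreters the bullet names (NoSQL, OS shell, LDAP): keep data out of the command text by using the interpreter's binding or quoting API rather than string concatenation.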