Joel Scambray is Managing Principal at Cigital, the leading software security company founded in 1992. He has assisted companies ranging from members of the Fortune 50 to newly minted startups with information security challenges and opportunities over a dozen years. In addition to Hacking Exposed Web Apps, Joel is co-author of Hacking Exposed: Network Security Secrets & Solutions, the international best-selling Internet security book that first appeared in 1999. He is also lead author of the Hacking Exposed Windows series. He has spoken widely on information security at forums including Black Hat, I-4, and The Asia Europe Meeting (ASEM), as well as organizations including CERT, The Computer Security Institute (CSI), ISSA, ISACA, SANS, private corporations, and government agencies, such as the Korean Information Security Agency (KISA), FBI, and the RCMP.

Joel's background includes roles as an executive, consultant, and entrepreneur. He co-founded and led strategic security consultancy Consciere from 2008 to its acquisition by Cigital in 2011. He has been a Senior Director at Microsoft Corporation, where he led Microsoft's online services security efforts for three years before joining the Windows platform and services division to focus on security technology architecture. He co-founded security software and services startup Foundstone Inc. and helped lead it to acquisition by McAfee for $86M. In 2007, he helped lead US-based Leviathan Security from start-up to well-recognized boutique security consultancy. He previously held positions as a Manager for Ernst & Young, security columnist for Microsoft TechNet, Editor at Large for InfoWorld Magazine, and Director of IT for a major commercial real estate firm. Joel's academic background includes advanced degrees from the University of California at Davis and Los Angeles (UCLA), and he is a Certified Information Systems Security Professional (CISSP).

Joel can be reached at: [joel at webhackingexposed dot com].

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu. Before founding Stach & Liu, Vincent led the Attack & Penetration and Reverse Engineering teams for the Global Security unit at Honeywell International. Prior to that, he was a consultant with the Ernst & Young Advanced Security Centers and an analyst at the National Security Agency. Vincent is a sought-after speaker and has presented his research at conferences including Black Hat, ToorCon, and Microsoft BlueHat. Vincent holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology.

Caleb Sima is the CEO of Armorize Technologies, the Santa Clara-based provider of integrated Web application security solutions. He previously founded SPI Dynamics in 2000 and, as CTO, oversaw the development of WebInspect, a solution that set the bar in Web application security testing tools. When Hewlett-Packard (HP) acquired SPI Dynamics in 2007, Sima took on the role of Chief Technologist at HP's Application Security Center, where he directed the lifecycles of the company's security solutions and spearheaded development of its cloud-based security service. In this role, he also managed a team of accomplished security experts who successfully identified new security threats and devised advanced countermeasures. Prior to co-founding SPI Dynamics, Caleb worked for Internet Security Systems' elite X-Force research and development team, where he drove enterprise security assessments for the company. A thought leader and technical visionary in the Web application security field, Sima holds five patents on web security technology, has co-authored textbooks on the subject, is a frequent media contributor, and regularly speaks at key industry conferences such as RSA and Black Hat. He is a member of ISSA and is one of the founding visionaries of the Application Vulnerability Description Language (AVDL) standard within OASIS, as well as a founding member of the Web Application Security Consortium (WASC).

About the Contributing Authors

Hernan Ochoa is a security consultant and researcher with over 14 years of professional experience. Hernan began his professional career in 1996 with the creation of Virus Sentinel, a signature-based file/memory/mbr/boot sector detection/removal antivirus application with heuristics to detect polymorphic viruses. Hernan also developed a detailed technical virus information database and companion newsletter. He joined Core Security Technologies in 1999 and worked there for 10 years in various roles, including security consultant and exploit writer. As an exploit writer, he performed diverse types of security assessments, developed methodologies, shellcode, and security tools, and contributed new attack vectors. He also designed and developed several low-level/kernel components for a multi-OS security system that was ultimately deployed at a financial institution, and he served as "technical lead" for ongoing development and support of the multi-OS system. Hernan has published a number of security tools, including Universal Hooker (runtime instrumentation using dynamic handling routines written in Python), Pass-The-Hash Toolkit for Windows, and WifiZoo. He is currently working as a security consultant/researcher at Amplia Security, performing network, wireless, and web applications penetration tests, standalone/client-server application black-box assessments, source code audits, reverse engineering, vulnerability analysis, and other information security-related services.

Justin Hays is a Senior Security Associate at Stach & Liu. Before joining Stach & Liu, Justin served as an enterprise support engineer for PTC Japan where his responsibilities included application debugging, reverse engineering, and mitigating software defects in PTC's flagship Windchill enterprise server J2EE software. Prior to PTC, Justin held a software development position with Lexmark, Inc., where he designed and implemented web application software in support of internal IT operations. Justin holds a BS from the University of Kentucky with a major in Computer Science and a minor in Mathematics.

Carl Livitt is a Managing Security Associate at Stach & Liu. Prior to joining Stach & Liu, Carl led the network security services group for a well-respected UK security company and provided network security consultancy for several of the largest pharmaceutical companies in the world. Carl has also worked with UK police counterterrorism units, lecturing on technological security issues to specialist law-enforcement agencies.

Rob Ragan is a Senior Security Associate at Stach & Liu. Before joining Stach & Liu, Rob served as a software engineer at Hewlett-Packard's Application Security Center, where he developed web application security testing tools and conducted application penetration testing. Rob actively conducts web application security research and has presented at Black Hat, Defcon, InfoSec World, and Outerz0ne. Rob holds a BS from Pennsylvania State University with a major in Information Sciences and Technology and a focus on System Development.

About the Technical Editor

Robert Hensing is a Senior Consultant at Microsoft, where he has worked in various security roles for over 12 years. Robert previously worked with the Microsoft Security Response Center with a focus on providing root cause analysis and identifying mitigations and workarounds for security vulnerabilities to help protect customers from attacks. Prior to working on the MSRC Engineering team, Robert was a senior member of the Customer Support Services Security team, where he helped customers with incident response-related investigations. Robert was also a contributing author on Hacking Exposed: Windows Security Secrets & Solutions, Third Edition.
