Joel Scambray is an independent information security consultant located in the Seattle area. He has assisted companies ranging from members of the Fortune 50 to newly minted startups with information security challenges and opportunities over a dozen years. In addition to Hacking Exposed Web Apps, Joel is co-author of Hacking Exposed: Network Security Secrets & Solutions, the international best-selling Internet security book that first appeared in 1999. He is also lead author of the Hacking Exposed Windows series. He has spoken widely on information security at forums including Black Hat, I-4, and The Asia Europe Meeting (ASEM), as well as organizations including CERT, The Computer Security Institute (CSI), ISSA, ISACA, SANS, private corporations, and government agencies, such as the Korean Information Security Agency (KISA), FBI, and the RCMP.

Most recently, Joel was Chief Strategy Officer at Leviathan Security Group, a security consultancy located in Seattle and Denver. Before joining Leviathan, Joel was a Senior Director at Microsoft Corporation, where he led Microsoft's online services security efforts for three years before joining the Windows platform group to focus on security technology development. Prior to Microsoft, Joel co-founded security software and services startup Foundstone Inc. and helped lead it to acquisition by McAfee for $86.5M. He previously held positions as a Manager for Ernst & Young, security columnist for Microsoft TechNet, Editor at Large for InfoWorld Magazine, and Director of IT for a major commercial real estate firm. Joel's academic background includes advanced degrees from the University of California at Davis and Los Angeles (UCLA), and he is a Certified Information Systems Security Professional (CISSP).

Joel can be reached at joel@webhackingexposed.com.


Mike Shema was formerly Chief Security Officer at NT OBJECTives. Prior to joining NT OBJECTives, Mike was a Principal Consultant at Foundstone Inc., where he performed dozens of Web application security reviews for clients including Fortune 100 companies, financial institutions, and large software development companies. He has field-tested methodologies against numerous Web application platforms and developed support tools to automate many aspects of testing. His work has led to the discovery of vulnerabilities in commercial Web software. Mike has also written technical columns about Web server security for SecurityFocus and DevX, and he applied his security experience as a co-author of The Anti-Hacker Toolkit. In his spare time, Mike is an avid role-playing gamer. He holds B.S. degrees in Electrical Engineering and French from Penn State University.

Mike can be reached at mike@webhackingexposed.com.


Caleb Sima is the co-founder and CTO of SPI Dynamics, a web application security products company, and has over 12 years of security experience. His pioneering efforts and expertise in web security have helped define the direction the web application security industry has taken. Caleb is a frequent speaker and expert resource for the press on Internet attacks and has been featured in the Associated Press. He is also a contributing author to various magazines and online columns. Caleb is a member of ISSA and is one of the founding visionaries of the Application Vulnerability Description Language (AVDL) standard within OASIS, as well as a founding member of the Web Application Security Consortium (WASC).


About the Contributing Authors

Nishchal Bhalla, founder of Security Compass, is a specialist in product, code, web application, host, and network reviews. Nish has co-authored Buffer Overflow Attacks: Detect, Exploit & Prevent and is a contributing author for Windows XP Professional Security, HackNotes: Network Security, and Writing Security Tools and Exploits. Nish has also been involved in open source projects such as YASSP and OWASP, and is the chair of the OWASP Toronto Chapter. He has also written articles for SecurityFocus and is a frequent speaker on emerging security issues.

Samuel Bucholtz is a founding member of Casaba Security, a computer security consulting firm based in Seattle, Washington. Samuel specializes in application testing, design reviews, and system/network architecture implementation. Prior to Casaba Security, Samuel worked as a security consultant for Foundstone, performing security reviews and penetration tests for Global 1000 clients, managing tests of more than one hundred web applications, and training students in network and web application security. Before Foundstone, Samuel was a security engineer responsible for building and operating multimillion-user web sites for a large Internet consulting firm. Samuel has taught at Black Hat, CSI (Computer Security Institute), and has instructed private classes for clients. He has a bachelor's degree in Computer Science and Economics from New York University and has participated in a network security internship with the Department of Defense.

David Wong is currently a manager in Ernst & Young's Attack and Penetration practice. David has over seven years of security experience and has performed hundreds of attack and penetration tests for companies in the financial services, energy, telecom, and software industries. David previously held the position of Director of Application Security at a financial services firm and started his career working on security research at Lucent Technologies. David is a Certified Information Systems Security Professional (CISSP) and graduated with a BS in Engineering from Cooper Union.

Arian Evans has spent the last eight years pondering how he fell into information security. His focus has been on application security and IDS. Arian is currently researching and developing new methodologies for evaluating the security posture of applications and databases, in addition to helping clients design, deploy, and defend their applications. Arian works for FishNet Security with clients worldwide on appsec issues, and has also worked with the Center for Internet Security, FBI, and numerous commercial organizations on web application security and related hacking incident-response.

About the Technical Editor

Edward Tracy is a CISSP whose career has focused on the problem of application security, primarily within web applications. Mr. Tracy began his career with the National Security Agency, where he was exposed to advanced computer security research. He went on to co-found Aspect Security, Inc., a consulting firm that focuses on application security. While at Aspect Security, Mr. Tracy led the penetration-testing service, performed code and design reviews, consulted on security in the SDLC, and taught application security classes around the United States, including guest lecturing at Johns Hopkins University.

Mr. Tracy has been the DC Chapter lead for the Open Web Application Security Project (OWASP) and has contributed to WebGoat, OWASP's deliberately insecure web application for teaching application security. He has also performed research and engineering on application scanning technologies and static code analysis. Mr. Tracy currently works with Booz Allen Hamilton, continuing to provide application security services through the firm's information assurance practice.



Copyright © 2003. All Rights Reserved.