Reflection on Nish Bhalla
This week on Reflection we have Nish Bhalla from Security Compass. Nish has been around the block for a long time and worked for Foundstone before starting his own company. He specialises in product testing, code reviews, web application testing, and host and network reviews. He has presented at various conferences, published articles, and contributed to and co-authored several books. He gives lectures and webinars at Seneca College and Florida University, and has been quoted in Government Security News, InternetNews and CSO Online.
He has tremendous knowledge in the webappsec space and has been involved with OWASP and YASSP. Below is his journey in the WebAppSec space in his own words:
“I've been interested in security since the mid 90s, pretty much right after I was exposed to UNIX. I started off by developing client/server apps around the same time and tried to hack them. Security knowledge was still considered underground hacker knowledge then and not a whole lot of information was publicly disseminated. I had the opportunity to meet a few interesting virus writers back at school who taught me a few things about reverse engineering and Clipper, the old reversing software (not the Clipper programming language).
I started learning about web technologies in the late 90s when I was involved in performing host audits and building secure web servers. I had the opportunity to be involved with the rollout of an online trading company's web application. This was the time when I started getting a good understanding of web applications and how they interact with various components. I took care to understand the technologies and their underlying protocols during this time.
During the same time (in the late 90s) I had the opportunity to work for Foundstone. An amazing team of security consultants taught me some new tricks on hacking web applications. I had already learnt a lot about web security when I was involved with the rollout, but what these consultants taught me was to adopt a different mindset: the attacker's mindset.
The ease of exploiting web applications was what got me so involved in web app sec (unlike writing buffer overflows, which requires a lot more low-level knowledge and skills). The code behind the various web application vulnerabilities caught my interest more than just the vulnerabilities themselves.
In 2004, after leaving Foundstone, I started Security Compass, which is where I am today. We decided to develop a RATS-like web code auditing tool, SWAAT (Security Compass Web Application Analysis Tool), to help with doing some basic server page code auditing.
We're currently involved in doing some interesting research on web services and we'll be coming out with interesting web services tools in the near future.
I'm a big snooker/pool fan; living in Toronto provides me with the chance to meet a lot of interesting people.”
Based out of Toronto, Canada, Nish is 33 years old. Below are his contributions to the community.
Articles:-
Writing Stack Based Overflows on Windows
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part1.pdf
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part2.pdf
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part3.pdf
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part4.pdf
AIX 4.3 Bastion Host Guidelines
http://www.giac.org/certified_professionals/practicals/gsec/0853.php
Building Secure Applications: Consistent Logging
http://www.securityfocus.com/infocus/1888
IIS Lockdown and Urlscan
http://www.securityfocus.com/infocus/1755
Books:-
Co-authored
Buffer Overflow Attacks
http://www.amazon.com/gp/product/1932266674/
Contributed
Hacking Exposed Web Applications, Second Edition
http://www.amazon.com/gp/product/0072262990
HackNotes(tm) Network Security Portable Reference
http://www.amazon.com/gp/product/0072227834/
Windows(R) XP Professional Security
http://www.amazon.com/gp/product/0072226021/
Writing Security Tools and Exploits
http://www.amazon.com/gp/product/1597499978
Conferences:-
Web Service Vulnerabilities
http://www.blackhat.com/html/bh-europe-07/bh-eu-07-index.html
Application Security - Dallascon
http://www.dallascon.com/
Federations of Security Professionals
http://www.fspgroup.ca/
Binary Analysis, Finding Secret in ISAPIs - 2006
http://www.syscan.org/
Preparing for a FISMA Compliancy Audit: What IT Security Professional Needs to Know
http://www.infosecurityevent.com/App/homepage.cfm?moduleid=42&appname=100004
Finding Secrets in ISAPI
http://conference.hackinthebox.org/hitbsecconf2006kl/
Auditing Source Code
http://2005.recon.cx/
Other Contributions:-
OWASP Toronto Local Chapter
http://www.owasp.org/index.php/Toronto
SWAAT
http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
Yet Another Solaris Security Project
http://www.yassp.org/yassp/
Company working for:-
Security Compass
Email:-
nish__at__securitycompass_dot_com
Website:-
www.securitycompass.com
Companies worked for:-
Foundstone, Infotek Solutions
Education:-
Master's in Parallel Processing from Sheffield University,
Postgraduate qualification in Finance from Strathclyde University,
Bachelor of Commerce from Bangalore University
Nish is currently working on some very interesting tools that he hopes to release soon; they are definitely worth evaluating.
Last Week – Ory Segal
Next Week – Andrew Van Der Stock