Monday, April 23, 2007

Reflection on Nish Bhalla


This week on Reflection we have Nish Bhalla from Security Compass. Nish has been around the block for a long time and worked for Foundstone before starting his own company. He is a specialist in product testing, code reviews, web application testing, and host and network reviews. He has presented at various conferences, published articles, and contributed to and co-authored several books. He gives lectures and webinars at Seneca College and Florida University and has been quoted in Government Security News, InternetNews and CSO Online.
He has tremendous knowledge of the webappsec space and has been involved with OWASP and YASSP. Below is his journey in the WebAppSec space in his own words:

“I've been interested in security since the mid-90s, pretty much right after I was exposed to UNIX. I started off by developing client/server apps around the same time and tried to hack them. Security knowledge was still considered underground hacker knowledge then and not a whole lot of information was publicly disseminated. I had the opportunity to meet with a few interesting virus writers back at school who taught me a few things about reverse engineering and Clipper, the old reversing software (not the Clipper programming language).

I started learning about web technologies in the late 90s when I was involved in performing host audits and building secure web servers. I had the opportunity to be involved with the rollout of an online trading company's web application. This was the time where I started getting a good understanding of web applications and how they interact with various components. I took care to understand the technologies and their underlying protocols during this time.

During the same time (in the late '90s) I had the opportunity to work for Foundstone. An amazing team of security consultants taught me some new tricks on hacking web applications. I had already learnt a lot about web security when I was involved with the rollout, but what these consultants taught me was to adopt a different mindset - the attacker's mindset.

The ease of exploiting web applications was what got me so involved in web app sec (unlike writing buffer overflows, which requires a lot more low-level knowledge and skills). The code behind the various web application vulnerabilities caught my interest more than just the vulnerabilities themselves.

In 2004, after leaving Foundstone, I started Security Compass, which is where I am today. We decided to develop a RATS-like web code auditing tool, SWAAT (Security Compass Web Application Analysis Tool), to help with doing some basic server page code auditing.

We're currently involved in doing some interesting research on web services and we'll be coming out with interesting web services tools in the near future.

I'm a big snooker/pool fan; living in Toronto provides me with the chance to meet a lot of interesting people.”


Based out of Toronto, CA, Nish is 33 years old. Below are his contributions to the community.


Articles:-

Writing Stack Based Overflows on Windows
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part1.pdf
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part2.pdf
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part3.pdf
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part4.pdf

AIX 4.3 Bastion Host Guidelines
http://www.giac.org/certified_professionals/practicals/gsec/0853.php

Building Secure Applications: Consistent Logging
http://www.securityfocus.com/infocus/1888

IIS Lockdown and Urlscan
http://www.securityfocus.com/infocus/1755


Books:-

Co-authored

Buffer Overflow Attacks
http://www.amazon.com/gp/product/1932266674/


Contributed

Hacking Exposed Web Applications, Second Edition
http://www.amazon.com/gp/product/0072262990

HackNotes(tm) Network Security Portable Reference
http://www.amazon.com/gp/product/0072227834/

Windows(R) XP Professional Security
http://www.amazon.com/gp/product/0072226021/

Writing Security Tools and Exploits
http://www.amazon.com/gp/product/1597499978


Conferences:-

Web Service Vulnerabilities
http://www.blackhat.com/html/bh-europe-07/bh-eu-07-index.html

Application Security - Dallascon
http://www.dallascon.com/

Federations of Security Professionals
http://www.fspgroup.ca/

Binary Analysis, Finding Secret in ISAPIs - 2006
http://www.syscan.org/

Preparing for a FISMA Compliancy Audit: What IT Security Professional Needs to Know
http://www.infosecurityevent.com/App/homepage.cfm?moduleid=42&appname=100004

Finding Secrets in ISAPI
http://conference.hackinthebox.org/hitbsecconf2006kl/

Auditing Source Code
http://2005.recon.cx/


Other Contributions:-

OWASP Toronto Local Chapter
http://www.owasp.org/index.php/Toronto

SWAAT
http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project

Yet Another Solaris Security Project
http://www.yassp.org/yassp/


Company working for:-

Security Compass


Email:-

nish__at__securitycompass_dot_com


Website:-

www.securitycompass.com


Companies worked for:-


Foundstone, Infotek Solutions


Education:-

Masters in Parallel Processing from Sheffield University,
Post graduation in Finance from Strathclyde University,
Bachelor in Commerce from Bangalore University



Nish is currently working on some very interesting tools that will hopefully be released soon and are definitely worth evaluating.

Last Week – Ory Segal
Next Week – Andrew Van Der Stock
