Monday, April 23, 2007

Reflection on Nish Bhalla

This week on Reflection we have Nish Bhalla from Security Compass. Nish has been around the block for a long time and used to work for Foundstone before starting his own company. He is a specialist in product testing, code reviews, web application testing, and host and network reviews. He has presented at various conferences, published articles, and contributed to and co-authored several books. He gives lectures and webinars at Seneca College and Florida University, and has also been quoted in Government Security News, InternetNews and CSO Online.
He has tremendous knowledge in the webappsec space and has been involved with OWASP and YASSP. Below is his journey in the WebAppSec space, in his own words:

“I've been interested in security since the mid-90s, pretty much right after I was exposed to UNIX. I started off by developing client/server apps around the same time and tried to hack them. Security knowledge was still considered underground hacker knowledge then, and not a whole lot of information was publicly disseminated. I had the opportunity to meet a few interesting virus writers back at school who taught me a few things about reverse engineering and Clipper, the old reversing software (not the Clipper programming language).

I started learning about web technologies in the late 90s, when I was involved in performing host audits and building secure web servers. I had the opportunity to be involved with the rollout of an online trading company's web application. This was the time when I started getting a good understanding of web applications and how they interact with various components. I took care to understand the technologies and their underlying protocols during this time.

During the same time (in the late 90s) I had the opportunity to work for Foundstone. An amazing team of security consultants taught me some new tricks on hacking web applications. I had already learnt a lot about web security when I was involved with the rollout, but what these consultants taught me was to adopt a different mindset: the attacker's mindset.

The ease of exploiting web applications was what got me so involved in web app sec (unlike writing buffer overflows, which requires a lot more low-level knowledge and skills). The code behind the various web application vulnerabilities caught my interest more than the vulnerabilities themselves.

In 2004, after leaving Foundstone, I started Security Compass, which is where I am today. We decided to develop a RATS-like web code auditing tool, SWAAT (Security Compass Web Application Analysis Tool), to help with doing some basic server page code auditing.

We're currently involved in doing some interesting research on web services and we'll be coming out with interesting web services tools in the near future.

I'm a big snooker/pool fan; living in Toronto gives me the chance to meet a lot of interesting people.”

Based out of Toronto, CA, Nish is 33 years old. Below are his contributions to the community.


Writing Stack Based Overflows on Windows

AIX 4.3 Bastion Host Guidelines

Building Secure Applications: Consistent Logging

IIS Lockdown and Urlscan



Buffer Overflow Attacks


Hacking Exposed Web Applications, Second Edition

HackNotes(tm) Network Security Portable Reference

Windows(R) XP Professional Security

Writing Security Tools and Exploits


Web Service Vulnerabilities

Application Security - Dallascon

Federations of Security Professionals

Binary Analysis, Finding Secret in ISAPIs - 2006

Preparing for a FISMA Compliancy Audit: What IT Security Professional Needs to Know

Finding Secrets in ISAPI

Auditing Source Code

Other Contributions:-

OWASP Toronto Local Chapter


Yet Another Solaris Security Project

Company working for:-

Security Compass




Companies worked for:-

Foundstone, Infotek Solutions


Masters in Parallel Processing from Sheffield University,
Post graduation in Finance from Strathclyde University,
Bachelor in Commerce from Bangalore University

Nish is currently working on some very interesting tools that will hopefully be released soon and are definitely worth evaluating.

Last Week – Ory Segal
Next Week – Andrew Van Der Stock
