Sunday, May 06, 2007

Reflection on Bill Pennington

This week on Reflection, we have Bill Pennington from WhiteHat Security. Bill has been involved in web application security for a long time, has performed numerous web application assessments, and is currently involved in research and development at WhiteHat Security. He has spoken at industry events such as Black Hat, ISSA LA and the OWASP Silicon Valley chapter, and has contributed to or co-authored several books.

Bill was involved with OWASP in its early days and is currently a WASC officer. He has a very good sense of humor and is always willing to lend a helping hand. He spends his spare time with his family and kayak fishing. In his reflection, Bill shares with us how he got involved in web application security. In his own words:

“I was around 16 with an Amiga 500 and a modem; I spent a lot of time exploring systems that would answer my modem. I got my first internet access in 1990 on a University of Houston machine and spent a lot of time poking around on systems that would talk to me. My roommate at the time got addicted to a MUD and I got addicted to learning about how the internet worked.

For getting into Web Application Security, I blame Caleb Sima from SPI. I was working at a start-up around 1998 doing all the IT/security/blinky light stuff when Caleb was hired to do an audit by a large company that wanted to use my company’s software. Caleb found a few issues with our web application that got me interested. I had mostly been concerned about firewalls and IDS at that point. I figured if Caleb could do it then I could do it :-) I started auditing our software at that point, found a bunch of stuff Caleb missed ;-), and the rest is history.”

Based out of San Jose, CA, Bill is 36 years old. Below are his contributions to the webappsec community:

Contributed several chapters to:

Hacker's Challenge: Test Your Incident Response Skills Using 20 Scenarios
Hacker's Challenge 2: Test Your Network Security & Forensic Skills
Hacker's Challenge 3

Presented at industry events:

Challenges of Automated Web Application Scanning - ISSA
The Challenges of Automated Web Application Security - ISACA
Latest Attack Trends and Statistics - OWASP San Jose
Hacking Web Applications - Blackhat 2003
Web Application Security - "Reconnaissance, Exploitation, and Investigation" - Blackhat
Taking aim at Web Applications - Blackhat

Contributed to:

WASC Threat Classification
WASC Threat Classification Version 2 (in progress)

Role:

WASC Officer

Currently works for:

WhiteHat Security

Previously worked for:

EDS, RocketCash, Guardent

Bill is a very humble person and is always willing to share his knowledge with others. He mostly works behind the scenes, on a lot of ideas in the labs of WhiteHat Security. He doesn't have a blog yet, but I am hoping he will start one soon.

Next Week - Caleb Sima
Last Week - Andrew Van der Stock