Sunday, May 06, 2007

Reflection on Bill Pennington


This week on Reflection, we have Bill Pennington from WhiteHat Security. Bill has been involved in web application security for a long time, has performed numerous web application assessments, and is currently involved in research and development at WhiteHat Security. He has spoken at industry events such as Black Hat, ISSA LA and the OWASP Silicon Valley chapter, and has contributed to or co-authored several books.

Bill was involved with OWASP in its early days and is currently a WASC officer. He has a very good sense of humor and is always willing to lend a helping hand. He spends his spare time with his family and kayak fishing. In his reflection, Bill shares with us how he got involved in web application security. In his own words:

“I was around 16 with an Amiga 500 and a modem; I spent a lot of time exploring systems that would answer my modem. I got my first internet access in 1990 on a University of Houston machine and spent a lot of time poking around on systems that would talk to me. My roommate at the time got addicted to a MUD and I got addicted to learning about how the internet worked.

For getting into Web Application Security, I blame Caleb Sima from SPI. I was working at a start-up around 1998 doing all the IT/security/blinky light stuff when Caleb was hired to do an audit by a large company that wanted to use my company’s software. Caleb found a few issues with our web application that got me interested. I had mostly been concerned about firewalls and IDS at that point. I figured if Caleb could do it then I could do it :-) I started auditing our software at that point, found a bunch of stuff Caleb missed ;-), and the rest is history.”


Based out of San Jose, CA, Bill is 36 years old. Below are his contributions to the webappsec community:


Books:-

Contributed several chapters

Hacker's Challenge: Test Your Incident Response Skills Using 20 Scenarios
http://www.amazon.com/Hackers-Challenge-Incident-Response-Scenarios/dp/0072193840

Co-Authored

Hacker's Challenge 2: Test Your Network Security & Forensic Skills
http://www.amazon.com/Hackers-Challenge-Network-Security-Forensic/dp/0072226307/ref=pd_bxgy_b_img_b/104-8852387-4309541

Hacker's Challenge 3
http://www.amazon.com/Hackers-Challenge-3-David-Pollino/dp/0072263040/ref=pd_bxgy_b_img_b/104-8852387-4309541


Presentations/Conferences:-

Challenges of Automated Web Application Scanning - ISSA
http://www.sfbayissa.com/newsletters/SFBAYISSA_2004-01_Newsletter.pdf

The Challenges of Automated Web Application Security – ISACA
http://www.isacala.org/events/mtg0401.html

Latest Attack Trends and Statistics – OWASP San Jose
http://lists.owasp.org/pipermail/owasp-sanjose/2005-September/000029.html

Hacking Web Applications – Black Hat 2003
http://www.blackhat.com/html/win-usa-03/train-bh-win-03-wh.html

Web Application Security - "Reconnaissance, Exploitation, and Investigation" – Black Hat
http://www.blackhat.com/html/win-usa-03/win-usa-03-speakers.html

Taking Aim at Web Applications - Black Hat
https://www.blackhat.com/presentations/bh-usa-02/bh-us-02-groves-webapps.ppt


Contributions:-

WASC Threat Classification
http://www.webappsec.org/projects/threat/

WASC Threat Classification Version 2 (in progress)


Memberships:-

WASC Officer
http://www.webappsec.org/officers.shtml#bill_pennington


Company working for:-

WhiteHat Security


Email:-

bill__at__whitehatsec_dot_com


Website:-

http://www.whitehatsec.com/


Companies worked for:-

EDS, RocketCash, Guardent


Bill is a very humble person and is always willing to share his knowledge with others. He mostly works behind the scenes on a lot of ideas in the labs of WhiteHat Security. Though he doesn’t have a blog yet, I am hoping he will start something soon.

Next Week – Caleb Sima
Last Week – Andrew Van der Stock
