Who am I:
What do I do at Secure Ideas:
As with the other senior consultants at Secure Ideas, I am often involved in many diverse tasks, ranging from architecture assessments or penetration tests for our clients, to talks or authoring training documentation, to system administration. As of this post I am still the newest member of the Secure Ideas team.
What is my security background in a nutshell:
The earlier years of my career were focussed primarily on Java development and system architecture – though much of that time was also peppered with Security related tasks such as designing portal integration solutions for User Management, LDAP, SSO, etc… for an enterprise portal platform. While working for a major financial institution I transitioned full time into web application security, where I rapidly became the technical lead of the team driving security solutions and remediation activities across the primary consumer banking applications. I also shared the responsibility of building out the internal ethical hacking program from the eCommerce line of business. I am passionate about security testing and best practices integrated with the SDLC.
What is my favorite attack:
This is more of a target than an attack – Web Services. I find these are often dismissed as not requiring any security because they don’t have a user interface, yet they also tend to access some of the most valuable information. Since Web Services typically do not maintain any state, they may be more susceptible to business logic flaws than modern user interface driven application logic. Also, there are classes of vulnerabilities such as XXE vulnerabilities that are all very powerful and often misunderstood.
What am I learning about now:
Every day is a new day for learning in the security field. Lately I have been focussing my time on web services, and on the mobile space. To that end I had a lot of fun designing CTF flags for the Secure Ideas MobiSec-based class that was taught at DerbyCon this year.
Jason Gillam is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.