JSConf India 2023
Jun 02, 2023
Video


Tech Entrepreneur who builds security products and has the distinction of having developed DAST, SAST, IAST and RASP technologies in-house.

I have worked on DOM/JavaScript Security for over a decade and currently am focused on Magecart attack detection, Data Security and Privacy on the client-side.
I have also built Sboxr, a scanner for DOM XSS and other client-side security.

In my 15 years of professional experience I have led the Application Security practice for product development teams, and been an accomplished Security Researcher, public speaker, trainer and open source tool developer.

Previously I was the founder and primary author of the IronWASP project which was Asia's largest open source security project and one of the world's best web security scanners (when in active development).
IronWASP was used by security testers, developers and administrators throughout the world to discover security issues in their websites.
A community of researchers built their own security tools as IronWASP Modules by using the API exposed by IronWASP.

Before working on the IronWASP project I worked as a Penetration Tester. During my time as a Penetration Tester I have also performed Security Research in web technologies. I speak at security conferences from time to time to present my research to the community; some of my work was covered by Forbes and IDG.

Tools Authored:
- IronWASP, Advanced Web Security Testing Platform (ironwasp.org)
- Ravan, a JavaScript based Distributed Computing System (andlabs.org)
- JS-Recon, an HTML5 based Network and Port Scanner (andlabs.org)
- Shell of the Future, an HTML5 based XSS Reverse Shell tool (andlabs.org)
- Imposter, Browser Phishing Framework (andlabs.org)

Notable Security Advisories:
- Adobe Flash Player Local File Access Information Disclosure Vulnerability (www.securityfocus.com/bid/38517)
- ModSecurity SQL Injection Rule Security Bypass Vulnerability (www.securityfocus.com/bid/35323)

Conferences Spoken At:
BlackHat, OWASP AppSec Asia, SecurityByte, Nullcon and ClubHack.

Security Research:
- Security Test Automation
- Focused primarily on HTML5 and browser-side technologies
- All hacks and techniques discovered are documented at blog.andlabs.org
- My CSRF Protection bypass technique using HPP was voted as 5th best Web Security Hack of 2010
- I maintain the HTML5 Security Resources Repository (html5security.org)

Specialties: Application Security, Secure Development, Penetration Testing, Security Research, Tool Development and Programming.
