Web Hacking Exposed

Joel Scambray is Managing Principal at Cigital, the leading software security company founded in 1992. Over more than a dozen years he has assisted companies ranging from members of the Fortune 50 to newly minted startups with information security challenges and opportunities. In addition to Hacking Exposed Windows, he is the co-author of Hacking Exposed: Network Security Secrets & Solutions, the international best-selling Internet security book that first appeared in 1999, and also lead author of Hacking Exposed Web Applications. He has spoken widely on information security to organizations including CERT, The Computer Security Institute (CSI), ISSA, ISACA, SANS, private corporations, and government agencies, including the FBI and the RCMP.

Joel's background includes roles as an executive, consultant, and entrepreneur. He co-founded and led strategic security consultancy Consciere from 2008 to its acquisition by Cigital in 2011. He has been a Senior Director at Microsoft Corporation, where he led Microsoft's online services security efforts for three years before joining the Windows platform and services division to focus on security technology architecture. He co-founded security software and services startup Foundstone Inc. and helped lead it to acquisition by McAfee for $86M. In 2007, he helped lead US-based Leviathan Security from start-up to well-recognized boutique security consultancy. He previously held positions as a Manager for Ernst & Young, security columnist for Microsoft TechNet, Editor at Large for InfoWorld Magazine, and Director of IT for a major commercial real estate firm. Joel's academic background includes advanced degrees from the University of California at Davis and Los Angeles (UCLA), and he is a Certified Information Systems Security Professional (CISSP).

Joel can be reached at: [joel at winhackingexposed dot com].

Stuart McClure is Senior Vice President & General Manager, Risk & Compliance at McAfee, where he leads an elite global security threats team fighting the most vicious cyber attacks ever seen. McAfee purchased Foundstone (a leading global enterprise risk management company) in 2004, of which Stuart was founder, president, and chief technology officer. Foundstone empowered large enterprises, including U.S. government agencies and Global 500 customers, to continuously and measurably manage and mitigate risk to protect their most important digital assets and customers' private information from critical threats. Widely recognized for his extensive and in-depth knowledge of security products, Stuart is considered one of the industry's leading authorities in information security today. A well-published and acclaimed security visionary, Stuart brought over 20 years of technology and executive leadership to Foundstone with profound technical, operational, and financial experience. In 1999, he published the first of many books on computer hacking and security. His first book, Hacking Exposed: Network Security Secrets & Solutions, has been translated into over 20 languages and was ranked the #4 computer book ever sold, positioning it as one of the best-selling security and computer books in history. Stuart has also co-authored Hacking Exposed: Windows 2000 by McGraw-Hill/Osborne and Web Hacking: Attacks and Defense by Addison-Wesley.

Prior to Foundstone, Stuart held many leadership positions in security and IT management, including positions within Ernst & Young's National Security Profiling Team, the InfoWorld Test Center, state and local California government, IT consultancy, and the University of Colorado, Boulder, where Stuart holds a bachelor's degree in psychology and philosophy, with an emphasis in computer science applications. He has also earned numerous certifications, including ISC2's CISSP, Novell's CNE, and Check Point's CCSE.

Chip Andrews (CISSP, MCDBA) is the head of Research and Development for Special Ops Security. Chip is the founder of the website, which focuses on Microsoft SQL Server security topics and issues. He has over 16 years of secure software development experience, helping customers design, develop, deploy, and maintain reliable and secure software. Chip has been a primary and contributing author to several books, including SQL Server Security and Hacking Exposed: Windows Server 2003. He has also authored articles focusing on SQL Server security and software development issues for magazines such as Microsoft Certified Professional Magazine, SQL Server Magazine, and Dr. Dobb's Journal. He is a prominent speaker at security conferences such as the Black Hat Briefings.

Blake Frantz has over ten years of professional experience in information security, with a broad background ranging from software security research to enterprise policy development. He is currently CTO at the Center for Internet Security (CIS). Blake's prior roles include Security Engineer within Washington Mutual's Infrastructure Security and Security Assurance teams, where he was responsible for leading vulnerability assessments of critical financial systems.

Robert Hensing, a nine-year veteran of Microsoft, is a software security engineer on the Microsoft Secure Windows Initiative team. Robert works closely with the Microsoft Security Response Center with a focus on identifying mitigations and workarounds for product vulnerabilities that can be documented in advisories and bulletins to help protect Microsoft's customers. Prior to joining the Secure Windows Initiative team, Robert was a senior member of the Product Support Services Security team where he helped customers with incident response-related investigations.

The Toolcrypt Group is an internationally recognized association of professional security consultants who have contracted widely throughout Europe and the U.S. Their work has helped improve security at government agencies, multinationals, financial institutions, nuclear power plants, and service providers of all sizes in many different countries. They have been invited speakers at numerous conferences and industry forums, including Microsoft BlueHat and T2 Finland. Toolcrypt's ongoing research and tool development continues to help responsible security professionals improve network and computer security globally.

Dave Wong manages the Ernst & Young Advanced Security Center in New York where he runs a team of dedicated attack and penetration testing professionals. Dave has over ten years of experience in attack and penetration testing and has managed and performed hundreds of assessments for financial services, government, and Fortune 500 clients. Prior to joining Ernst & Young, he gained a wide array of information security experience and previously held positions at Lucent's Bell Laboratories, Foundstone, and Morgan Stanley. Dave has taught a number of secure coding and hacking courses for public and corporate clients. He has taught courses at the Black Hat Security conferences in the U.S. and Asia and has spoken at OWASP meetings. Dave is also a Certified Information Systems Security Professional (CISSP).

Technical Reviewers

Aaron Turner is Cybersecurity Strategist for the Idaho National Laboratory (INL). In this role, he applies his experience in information security to collaborate with control systems experts, industry engineers, and homeland security/law enforcement officials to develop solutions to the cyber threats that critical infrastructure is currently facing. Before joining INL, he worked in several of Microsoft's security divisions for seven years, including as a senior security strategist within the Security Technology Unit and as the Security Readiness Manager for the Microsoft Sales, Marketing, and Services Group, where he led the development of Microsoft's information security curriculum for over 22,000 of Microsoft's field staff. Prior to focusing on Microsoft's global security readiness challenge, he managed Microsoft Services' response to enterprises' needs during the aftermath of the Blaster worm. He has been an information security practitioner since 1994, designing security solutions and responding to incidents in more than 20 countries around the world.

Lee Yan (CISSP, Ph.D.) is a security escalation engineer on the Microsoft PSS Security Team, which provides worldwide security response, security products, and technology support to Microsoft customers. He has been with Microsoft for more than ten years. Prior to joining the security team about five years ago, he was an escalation engineer in developer support for Visual Studio. He authors some of the incident response and rootkit detection tools for his team. He holds a PhD in Fisheries from the University of Washington and discovered that he enjoyed working with computers by accident.

Copyright © 2008. All Rights Reserved.