Feb 25 2010
Team Bios
David Bonvillain, CISSP
Vice President – Accuvant LABS – Accuvant
David Bonvillain, Accuvant’s first employee and an industry veteran, is the Vice President of Accuvant Labs. Accuvant is a leading national security consulting organization that designs and executes strategies to address its clients’ complex information security challenges. David is responsible for providing leadership to the Accuvant Labs assessment practice area and ensures the ongoing world-class capabilities of the Accuvant Labs team.
Experience
Mr. Bonvillain has been providing security consulting services for over nine years. During that time, he has served clients in a variety of industries, including financial services, insurance, health care, retail, state and federal government, manufacturing, application service providers, global telecommunications, gaming, Internet start-ups, and Internet service providers. In his tenure with Accuvant, David has had a variety of consulting and managerial responsibilities, ranging from implementing security technologies and architectures to performing enterprise assessments for some of the largest multi-national corporations in the world. He has led teams of consultants in performing multi-site enterprise security assessments of some of the nation’s largest enterprise organizations. For example, he led a five-site assessment of one of the nation’s largest banks’ DMZ infrastructures, as well as a 10-site, eight-state assessment of one of the nation’s largest government contracting organizations. These assessments both culminated in presentations to over 100 executives and IT personnel. David has developed detailed security policies, disaster recovery and business continuity plans for clients in the financial and insurance industries as well as the U.S. Department of Defense, and he has performed numerous web application security assessments for a variety of financial and health care institutions, ensuring secure deployment of e-commerce infrastructures and protection of customer and user data.
Prior to joining Accuvant in early 2002, David was a senior consultant with Internet Security Systems’ X-Force professional services, where he received multiple awards for exceptional performance, including membership in the 2000 ISS President’s Club. Before that, he was a senior security consultant with Netrex, where his primary responsibilities included the installation, configuration and management of CheckPoint security products and the OPSEC solutions that integrate with their perimeter software products.
Notable Accomplishments
Having presented at multiple regional and national security conferences such as BlackHat, ISSA, TRISC, CIMA and AHIA/CHAN, and having been published in multiple outlets such as CSOonline, BBB, Twin Cities Business magazine, and others, David is a well-known and sought-after speaker on information security topics ranging from enterprise security assessment and risk mitigation to application security and penetration testing techniques. He has taught multiple security classes and presented to a wide variety of audiences, and as a result he has developed the ability to relate advanced security topics to all pertinent members of Accuvant’s client organizations, from executive vice presidents to technicians.
Since helping launch Accuvant, David has not only been responsible for executing many of the organization’s key projects, but has also built an assessment practice of as many as twenty dedicated assessors. Under David’s leadership, in the seven years since the formal inception of the dedicated assessment practice, the team has consistently seen over a 100% annual revenue increase and is the highest revenue generating group for the Accuvant services organization.
Certifications and Training
David is a Certified Information Systems Security Professional (CISSP), a Checkpoint Certified Security Engineer (CCSE), a NetScreen Certified Security Associate (NCSA), a Microsoft Certified Professional (MCP), and an ISS-Certified Engineer.
Education
David holds a Bachelor of Music degree in Business/Performance from James Madison University.
Jon Miller, CISSP
Director – Accuvant LABS – Accuvant
Jon is a Director with Accuvant Labs with over 12 years of experience in information security consulting. He provides leadership to the marketing, sales, and research and development functions of the Accuvant Labs team.
Prior to taking over his current role, Jon was a Principal Consultant on the Accuvant Labs team, specializing in penetration testing and enterprise-level security assessment programs. Jon provides world-class security consulting services to Accuvant clients, and he provides technical leadership, direction and strategy to Accuvant’s security assessment services sales organization.
Experience
Jon has performed hundreds of penetration tests and enterprise security assessments. His experience includes wireless assessments/penetration testing, threat analysis, application assessments (web and binary), ISO compliance, Visa/MasterCard PCI/SDP, HIPAA compliance, incident response and forensics, physical security auditing, as well as network architecture design and review. His customers include many of the Fortune 500, with professional references that include Intel, T-Mobile, Sears, multiple financial services/banking institutions, multiple federal government agencies, and four of the five largest law firms in the world.
Prior to joining Accuvant, Jon served as a member of IBM Internet Security Systems’ X-Force Penetration Testing Team, where he spent 4 1/2 years as a senior consultant and manager. At IBM-ISS, Jon was responsible for managing and engaging in multiple high visibility projects.
Notable Accomplishments
A prominent figure in the information security world, Jon has been featured in multiple publications, including Information Security Magazine, PCWorld, Forbes, The New York Times, CNN.com, and the San Jose Mercury News, and he has been interviewed for television by CNN. A frequent contributor to industry conferences, Jon has also given presentations at Blackhat, Defcon, IEEE, ISSA, and Toorcon, and has even received the honor of being a Guest Lecturer at BYU.
Certifications and Training
Jon is a Certified Information Systems Security Professional (CISSP), a PCI Qualified Security Assessor (QSA), a Certified Secure Software Lifecycle Professional (CSSLP), a Certified Wireless Network Administrator (CWNA), an ISS Certified Engineer, and Certified in the Governance of Enterprise IT (CGEIT).
Alex Wheeler
Director of Advanced Research & Development – Accuvant LABS – Accuvant
Alex is the director of Advanced Research and Development with Accuvant Labs. With over ten years of experience in the information security field, Alex provides a deep knowledge of software security and reverse engineering accompanied by a strong knowledge and experience in the consulting space. Areas of expertise include binary analysis and reverse engineering, exploit development, web application security, and intrusion detection.
Experience
While focusing on vulnerability research and exploit development within the Accuvant assessment practice, Alex’s previous security consulting and engineering experience has included a variety of roles, from focused reverse engineering and binary analysis to web application testing and product development. Prior to joining Accuvant, Alex was the manager of the DVLabs security research group at TippingPoint, where he was responsible for developing protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications, and for incorporating them into that company’s product sets. Prior to TippingPoint, Alex worked as the principal security researcher at IBM-ISS on the X-Force Research team as well as directly for the Office of the CTO. He has held several management and technical positions within IT security, including leadership of the vulnerability research team at a large health care organization, and gained extensive consulting experience during his four-year tenure at Ernst & Young.
Notable Accomplishments
Like many other security researchers, Alex comes from a reverse-engineering background. His reverse engineering experience was cultivated through extensive static analysis of binary code in widespread security and networking technologies for vulnerabilities. Alex’s research includes code designed for x86, ARM, and MIPS based architectures. A very high-profile security researcher, he has given presentations at numerous BlackHat conferences (including the most recent BlackHat Europe event) and at CanSecWest in 2005. In 2008 he was awarded the Pwnie award for “Best Server Side Bug” for his vulnerability discovery in Microsoft’s TCP.SYS, which affected networked Microsoft systems worldwide. Wheeler received the “Pwnie” award once again for “Best Client Side Bug” for his work with the Microsoft ActiveX video control within Internet Explorer.
Alex has discovered numerous vulnerabilities in high-profile applications including:
- Microsoft TCPIP Buffer Overflow
- Microsoft Windows Media Framework Buffer Overflow
- Microsoft Protection Engine Buffer Overflow
- Novell Directory Services Buffer Overflow
- Symantec Protection Engine Buffer Overflow
- Panda Software Protection Engine Buffer Overflow
- Kaspersky Protection Engine Buffer Overflow
- Sophos Protection Engine Buffer Overflow
- ClamAV Protection Engine Buffer Overflow
- Cisco VOIP Implementation Buffer Overflow
- Computer Associates/ZoneLabs/Vet Protection Engine Buffer Overflow
- Novell ZENworks Authentication Protocol Buffer Overflow
- McAfee Protection Engine Buffer Overflow
- Trend Micro Protection Engine Buffer Overflow
- F-Secure Protection Engine Buffer Overflow
- Symantec Protection Engine Buffer Overflow
Education
Alex holds a master’s degree from University of Chicago in computer science and a bachelor’s degree from University of Wisconsin at Milwaukee in accounting.
Ryan Smith
Principal Research Scientist – Accuvant LABS – Accuvant
Ryan is a Principal Researcher with the Accuvant Labs team. Leveraging over ten years of experience in information security consulting and security research, Ryan provides consulting services to Accuvant clients and focuses on research in the areas of vulnerability discovery, exploitation techniques, reverse-compilation, and anti-anti-debugging.
Experience
While focusing on vulnerability research and exploit development within the Accuvant assessment practice, Ryan’s previous security consulting and engineering experience has included a variety of roles as both a consultant and technical lead at other major security companies, including Verisign’s iDefense Labs, ISS X-Force and Neohapsis. He has also served on the client side, working as a vulnerability assessment engineer for Allstate. In his spare time, Smith manages www.hustlelabs.com, which focuses on discovering software vulnerabilities, developing exploitation strategies, conducting general reverse engineering and designing algorithms to aid in program analysis. He’s been credited by numerous vendors with the discovery of vulnerabilities in server software, P2P applications, Web browser technology, anti-virus software and compression programs.
Notable Accomplishments
Featured recently in multiple publications including ComputerWorld, The Register, and DarkReading, Smith, whose background is in software security and reverse engineering, has completed major research in vulnerability discovery, exploitation techniques, reverse-compilation and anti-anti-debugging. Ryan has given presentations at BlackHat conferences (including the most recent BlackHat USA event in 2009) and is a sought-after speaker on complex security topics. In 2008, Smith received the “Pwnie” award for “Best Server Side Bug” for research involving a default remote compromise vulnerability in Microsoft’s IP stack, which affected Microsoft systems worldwide over IPv4 and IPv6. In 2009, Smith received the “Pwnie” award once again for “Best Client Side Bug” for his work with the Microsoft ActiveX video control within Internet Explorer.
Ryan has discovered numerous vulnerabilities in high-profile applications including:
- Microsoft Video ActiveX Control Code Execution
- Microsoft OLE Automation Code Execution
- Microsoft TCPIP Buffer Overflow
- Novell Stack-buffer overflow in eDirectory while processing HTTP
- Alwil Software Buffer mismanagement in anti-virus kernel
- Tumbleweed Communications Stack-buffer overflow while processing e-mail attachments
- Rarlabs Stack-buffer overflow while processing archive files
- Novell Integer overflow while processing RPC-like messages
- Shareaza Integer overflow while processing file-sharing network messages
Jim Broome, CISSP
Director – Accuvant LABS – Accuvant
Jim Broome, an information security industry veteran with two decades of experience in the field, is a Director of Accuvant’s assessment team and also acts as the technical lead for the Accuvant Labs practice area. Jim provides world-class security consulting services to Accuvant clients while providing leadership to the Labs assessment team as a whole.
Experience
As one of Accuvant’s most seasoned assessors, Mr. Broome has performed innumerable consultative engagements including enterprise security strategy planning, risk assessments, threat analysis, application assessments, network assessments, penetration testing and wireless security assessments for a large number of Fortune 500 clients. These clients come from a variety of markets, including manufacturers, telecommunications (cellular and traditional), public utilities, healthcare, financial services, and state governments.
Prior to joining Accuvant, Jim was a Principal Security Consultant for Internet Security Systems (ISS) and a member of the X-Force penetration testing team. At ISS, he was responsible for providing technical leadership to the Western Region consulting practice while performing his day-to-day duties of network assessments and penetration testing. Before X-Force, he was the Director of Network Operations for Cavion.com, a managed service provider exclusively for credit unions. At Cavion.com, Jim was responsible for managing the network operations staff and security organization while maintaining 99.999% uptime.
Notable Accomplishments
Jim is a highly sought-after consultant due to his extensive technical and managerial knowledge in most areas of security implementation and management. As one of the original authors of several training programs, including Checkpoint Software’s CCSA/CCSE program, Jim is a well-regarded security/technology instructor and mentor to many administrators and IT management organizations.
Since joining Accuvant, Jim has been responsible for establishing and standardizing many of the solutions and techniques employed by the Accuvant assessment practice. This provides our clients with a level of consistency that is unparalleled in the industry and establishes Accuvant as the premier security services company.
Certifications and Training
Jim is a Certified Information Systems Security Professional (CISSP), a Checkpoint Certified Security Engineer (CCSE), a NetScreen Certified Security Associate (NCSA), and an ISS-Certified Engineer.
Education
Jim holds a Bachelor of Science degree in Computer Information Systems from Trinity College and University.
Woodrow Brown, CISSP
Director – Accuvant LABS – Accuvant
Woodrow Brown, a security assessor with over five years of experience in the field, is a Director with Accuvant’s Assessment Practice. Mr. Brown’s role is to provide world-class security consulting services to Accuvant clients as a project leader, while also aiding in the continual development of the Accuvant Labs assessment practice through mentoring and process improvement.
Experience
Woodrow brings a wealth of knowledge as an experienced consultant who has served clients in manufacturing, telecommunications, financial services, health care and managed Internet services. His project experience has extended to all areas where security affects an organization, including policy and procedures, event monitoring, network protection, risk assessment and compliance. This experience has allowed him to develop a unique array of skills in both the deployment and assessment of security architectures. As a member of Accuvant’s security assessment team, Woodrow has extensive knowledge and skills in the areas of network assessment methodologies, vulnerability testing and web application penetration testing. Prior to joining Accuvant, Woodrow built web applications and designed network infrastructures for TheNewPush, a managed service provider based in Golden, Colorado.
Notable Accomplishments
Woodrow has helped Accuvant grow and flourish into a leader in the information security space. An early hire within Accuvant’s Consulting Practice, Woodrow has implemented a wide variety of security technologies and performed numerous assessments of client networks, applications, and wireless environments. As an implementer of technology, Woodrow has architected network- and host-based intrusion prevention systems, clustered firewalls, remote access VPNs, endpoint protection and patch management solutions.
Within the assessment and audit space, Woodrow is relied upon to lead complex engagements for Accuvant’s largest enterprise customers. With a thorough knowledge of exposures and industry best practices for remediation of vulnerabilities, Woodrow not only helps identify weaknesses in corporate networks, but also addresses how to correct the issues identified through process refinement and technology solutions. Having presented to a wide variety of audiences and at several regional security events and conferences such as ISSA, Woodrow’s strong communication skills allow him to relay the results of the work he performs in a manner that resonates with the business stakeholders of the organization. This has positioned him as a primary speaker for Accuvant-sponsored events and conferences, where he discusses current and emerging threats and defense strategies.
Certifications and Training
Woodrow is a Certified Information Systems Security Professional (CISSP), a Qualified Data Security Professional (QDSP, Payment Card Industry DSS), and a Juniper Networks Certified Internet Specialist.
Education
Woodrow holds a Bachelor of Business Administration degree in Computer Information Systems from James Madison University.
Beau Shahriary, CISSP
Director – Accuvant LABS – Accuvant
Beau Shahriary, a security assessor with over a decade of experience in the field, is a Director with the Accuvant Labs assessment team. Beau’s role is to provide world-class security consulting services to Accuvant clients as a project leader, while also aiding in the continual development of the Accuvant Labs assessment practice through mentoring and process improvement.
Experience
Beau has more than a decade of experience in computer security consulting. He has performed security assessments, security remediation and strategic planning for a host of Fortune 500 companies. Beau’s primary experience is in firewalls, secure network design and implementation, Microsoft security, modem security, wireless networking, and strategic security planning. His core competency is in conducting security assessments and creating a strategy to help clients meet today’s secure network requirements based upon the HIPAA and GLBA regulations and ISO-17799 best practices.
Prior to joining Accuvant, Beau worked for Foundstone as a Consultant and later as Senior Managing Consultant and Project Manager for the professional services group. In that capacity, he managed and performed security assessments and vulnerability resolution on enterprise networks and web-based applications. Before Foundstone, Beau spent several years as a Consultant with ISS’ X-Force professional services, where he performed services ranging from security assessments and penetration testing to enterprise security infrastructure deployment and network and process integration.
Notable Accomplishments
Due to Beau’s extensive knowledge of most areas of security implementation and management, at both a technical and a managerial level, he is a consistently sought-after and in-demand consulting resource. Beau has taught many of the Foundstone Ultimate Hacking courses to both private audiences and government agencies. Since coming to Accuvant, Beau has contributed to the growing needs of Accuvant and its customers by engaging customers on large projects with unique requirements. His ability to adapt to and exceed the customer’s needs has led to many return engagements.
Certifications and Training
Beau is a Certified Information Systems Security Professional (CISSP), a Certified Checkpoint Security Administrator (CCSA), a PCI Qualified Data Security Professional (PCI-QDSP), and a Microsoft Certified Systems Engineer (MCSE).
Kirk Greene, CISSP
Managing Principal Consultant – Accuvant LABS – Accuvant
Kirk Greene, an information security industry veteran with over ten years of experience in the field, is a Managing Principal Consultant with the Accuvant Labs assessment team. Kirk’s role is to provide world-class security consulting services to Accuvant clients as a project leader, while also serving as a mentor to newer team members.
Experience
Mr. Greene has been providing security consulting services for over a decade. During that time, Kirk has served clients in a variety of industries, including federal and local government, healthcare, financial services, telecommunications, e-Commerce, fuel and natural gas, manufacturing, application service providers, gaming, Internet start-ups, and Internet service providers. In his tenure with Accuvant, Kirk has performed a variety of consulting and managerial responsibilities, ranging from developing and performing financial institution regulation audits to managing enterprise assessments for multi-national corporations. He has led teams of multiple consultants in performing multi-site enterprise security assessments of some of the nation’s largest enterprise organizations. This work has included managing and performing penetration testing of Fortune 100 insurance companies making up a majority of the United States and Canada’s personal and corporate insurance firms. These assessments culminated in presentations to over 100 executives and IT personnel. In 2005, Kirk was the recipient of the Accuvant President’s Club award for exceptional performance.
Prior to joining Accuvant in late 2004, Kirk was a principal security consultant with Internet Security Systems’ X-Force professional services, where he received multiple awards for exceptional performance. Before ISS, Kirk was a senior security consultant with The Greentree Group, where his primary responsibilities included the installation, configuration and management of the Air Force and Army Exchange Services information security infrastructure.
Notable Accomplishments
Having been involved in the initial development of the Visa Payment Card Data Security program, Kirk has been an integral part of the development and execution of both Accuvant and ISS’ Payment Card Data Security offerings, and is recognized in the industry for his extensive work in this field. He has also developed and taught security awareness training courses for law enforcement associations, city governments, and manufacturing industries.
Certifications and Training
Kirk is a Certified Information Systems Security Professional (CISSP), an ISS Certified Engineer, a PCI Qualified Data Security Professional (QDSP), and a Qualified Payment Application Security Professional (QPASP).
Education
Kirk holds a Bachelor of Business Administration degree in Management Information Systems and Finance from the University of Texas – Arlington.
John Bock
Managing Principal Consultant – Accuvant LABS – Accuvant
John Bock, a published author and information security expert with over ten years in the field, is a Principal Consultant with the Accuvant Labs assessment team. John’s role is to provide world-class security consulting services to Accuvant clients as a project leader and application security specialist, while also serving as a mentor to other team members.
Experience
John’s ten years of experience have allowed him to operate in multiple roles within the industry, from enterprise security to network pen-testing, security product development, and application security. John’s role as an application specialist with Accuvant has him performing application security testing that includes web applications, web services, appliances, client-server applications, and others, both commercial and internally designed. John’s duties also include serving as a trainer for the Accuvant application security classes as well as courseware designer.
Prior to joining Accuvant, John was a partner with Casaba Security of Redmond, Washington, which performed application security services for a Fortune 50 software company. At Casaba, John performed web service testing, Win32 application testing, network protocol reverse engineering, along with network and wireless penetration testing. Before joining Casaba, John was a principal consultant and R&D engineer at Foundstone (acquired by McAfee). In his principal consultant role, he led engagements and served as a subject matter expert for the practice in multiple areas. As an R&D Engineer on the Foundstone Enterprise product team he was responsible for researching and designing new assessment features for Foundstone Enterprise, performing competitive intelligence and reverse engineering, and creating vulnerability checks for product modules.
Before joining Foundstone, John was a consultant for Internet Security Systems (acquired by IBM). While at ISS, John performed penetration testing as well as host and network architecture reviews for Fortune 500 clients. Before working at ISS, John was a Network Security Analyst/UNIX Systems Administrator for marchFIRST, where he was responsible for performing vulnerability assessments, setting security policies, firewall/VPN administration, and network and host intrusion detection deployment and management.
Notable Accomplishments
John has been a contributing author to several well-known publications, including Hacking Exposed 4th edition and Special Ops: Internal Network Security, as well as a technical editor for Hacknotes: Network Security, Hacking Exposed: Windows Server 2003, and Network Security: A Beginner’s Guide. John’s teaching credits include courses on incident response, penetration testing, and web application security given to Fortune 500 companies as well as US intelligence agencies.
Certifications and Training
John is a Certified Information Systems Security Professional (CISSP), holds the National Security Agency’s IAM/IEM certifications, and is a PCI Qualified Data Security Professional (QDSP).
Mark Maxey, CISSP
Managing Principal Consultant – Accuvant LABS – Accuvant
Mark Maxey, a seasoned security assessor and application designer with over eight years of experience in the field, is a Managing Principal Consultant with the Accuvant Labs assessment team. Mark’s role is to provide world class security consulting services to Accuvant Labs clients, while also providing ongoing thought leadership to the Accuvant assessment practice and providing subject-matter expertise to many of Accuvant’s key and reference accounts.
As a principal-level consulting resource, Mark’s focus is primarily on application security initiatives including penetration testing, code reviews, secure software design, application security training and tool development. With extensive experience in the field, Mark not only provides flawless execution to Accuvant customers, but also assists in the development of methodologies, tools and training materials, and serves as a lead for less seasoned members of the team.
Experience
As an application specialist on the Accuvant Labs assessment team, Mark not only has a broad range of skills regarding the assessment of enterprise environments and applications, but has also been an integral component of delivering training offerings to Accuvant clients and developers across the world. Prior to joining Accuvant, Mark owned an independent security consulting firm where he performed a wide range of security services, with a focus on application security for the BPO market. Mark has created and delivered training sessions on regulatory compliance issues and on network and application security to a wide range of technical as well as non-technical audiences.
Notable Accomplishments
Mark is involved in several open source projects including development of the Interchange e-commerce platform. Mark is an OWASP and WASC project contributor. Mark has also made numerous presentations at security conferences such as ISSA and OWASP with a focus on application security, social engineering and emerging security threats.
Certifications and Training
Mark is a Certified Information Systems Security Professional (CISSP), a VISA Qualified Data Security Professional (QDSP), and a VISA Qualified Payment Application Security Professional (QPABP).
Phil Brass
Managing Principal Consultant – Accuvant LABS – Accuvant
With decades of experience in the field, Phil Brass is a very seasoned security assessor and application designer and acts as a Managing Principal Consultant with the Accuvant Labs assessment team. Phil’s role is to provide world class security consulting services to Accuvant Labs clients, while also providing ongoing thought leadership to the Accuvant assessment practice. Phil’s focus is primarily on application security initiatives including penetration testing, code reviews, secure software design and tool development. With extensive experience and ongoing thought-leadership in the industry, Phil not only provides flawless execution to Accuvant customers, but also assists in development of methodologies, tools, training materials and serves as a lead for less seasoned members of the team.
Experience
Phil has 20 years of information technology experience and has been working in information security specifically since 1998. Phil was originally hired at ISS as a Windows security expert, software engineer and team lead on the Internet Scanner 5.0 project. He also spent nearly two years managing software engineering projects at ISS. Before joining the consulting group, Phil led the SiteProtector Security Fusion Module team as an engineering project manager, visionary, and evangelist. He is a specialist in penetration testing and application security auditing. Phil also has extensive knowledge in software engineering, programming languages, network communications protocols, relational databases and all things security as it relates to those technologies. He has conducted numerous penetration tests and application assessments for a variety of clients in financial service and other industries. Prior to joining ISS, Phil worked as an application engineer and software architect in the health care information systems sector where he focused on protocols and communications with diverse hospital systems, as well as high-level architectural design of distributed inventory management systems. Phil’s areas of specialization include: Security Code Review, Penetration Testing, Application Assessment, Secure Application Development Methodology, and Security Research.
Notable Accomplishments
Phil’s extensive experience has allowed his skills to be leveraged extensively in a variety of information security disciplines. Some of his notable accomplishments include:
- Engineering team lead on Internet Scanner from v5.2 through v6.0
- Designed and implemented the IDS event classification system used for Site Protector Security Fusion 2.0 correlated attack pattern recognition.
- Engineering project manager for ISS Desktop Protection System and IDS multi-event correlation teams.
- Led the X-Force Penetration Testing team in developing SQL Injection toolkit for automating injection exploitation and also developed educational materials and original research on exploiting SQL Injection.
- Identified original vulnerabilities in a variety of high-profile technologies, including:
  - PeopleSoft 8 – http://archives.neohapsis.com/archives/secunia/2003-q4/0326.html
  - IBM WebSphere 2
  - BEA WebLogic 6 and 7 – http://www.securityfocus.com/bid/7124; http://www.securityfocus.com/archive/1/315285
  - Oracle 8i and 10g database server
  - Sendmail MTA – https://www.sendmail.org/releases/8.13.6.html
  - MS Windows NT 4
- Developed tools for automated identification and source code remediation of web application vulnerabilities.
- Inventor and primary author of three of the six US patents assigned to Internet Security Systems:
  - 7,178,166 “Vulnerability assessment and authentication of a computer by a local scanner”
  - 7,162,649 “Method and apparatus for network assessment and authentication”
  - 7,089,428 “Method and system for managing computer security information”
Robert Clugston, CISSP
Principal Consultant – Accuvant LABS – Accuvant
Robert Clugston, an information security practitioner with over ten years in the field, is a Principal Consultant with the Accuvant Labs assessment team. For the last several years, Robert has been deeply entrenched in software security testing and secure design for Microsoft and other major software development companies. As a principal consulting resource, Robert’s focus is on application security initiatives, including penetration testing, code reviews, secure software design, and tool development. With extensive experience in the field, Robert not only provides flawless execution to Accuvant customers, but also assists in the development of methodologies, tools and training materials, and serves as a lead for newer members of the team.
Experience
Mr. Clugston specializes in network architecture reviews, threat analysis and web application reviews. Before joining Accuvant, Inc., he worked for Leviathan Security Group, Inc. and Casaba Security, LLC, performing security reviews primarily for Microsoft while working closely with the ACE team and other major software development companies.
Prior to working at Casaba Security, Robert was a Senior Consultant for Foundstone, where he performed risk assessments, network vulnerability and penetration testing, incident response and product security reviews. During that time, Robert performed security assessments and training for numerous Fortune 500 companies, defense contractors and various government entities, including public utilities and defense branches. Robert began his career as a Systems Administrator for an Internet service provider, responsible for designing and maintaining business-critical systems.
Notable accomplishments
Robert has been a contributing author to the book HackNotes: Linux and UNIX Security, acted as a technical editor for several security publications including several books in the HackNotes series, and served as a technical expert for Network Security: The Complete Reference. Robert has taught Foundstone Ultimate Hacking classes to a broad range of audiences and has delivered customized network security and penetration testing to government organizations and corporate audiences nationwide. He is involved in the ongoing development of tools and methodologies to assist both Accuvant and the security community at large in web application testing and analysis.
Certifications and Training
Robert is a Certified Information Systems Security Professional (CISSP) and a Microsoft Certified Systems Engineer (MCSE).
Anthony Blakemore
Principal Security Consultant – Accuvant LABS – Accuvant
Anthony has been employed as a Security Consultant since graduating with honors from DePaul University in 2005 and is a Principal Consultant with Accuvant Labs. He began his career with a focus on web application and security tool development, and then transitioned to the dedicated application assessment team, performing application security consulting services including assessments and penetration testing. Mr. Blakemore joined the Accuvant Labs team in 2008 assuming a role that allows him to continue to focus his efforts on the application security space by performing comprehensive application assessments, code reviews and penetration testing, as well as helping augment the assessment practice’s capabilities by designing and developing security tools.
Experience
While Anthony now focuses on system, network and application assessments within the Accuvant Labs practice, his previous security consulting experience included enterprise security posture reviews, FISAP audits, PCI QIRA investigations, information security policy creation, incident response analysis and procedural design, and hardened host configuration reviews. This broad range of experience, coupled with Anthony’s strong ability to meet required deadlines within the scope of a defined engagement, has made him a sought-after consultant within the assessment practice. Despite his relatively short overall tenure in the information security industry, Anthony has led and managed dozens of engagements for Fortune 500 companies, primarily in the financial, manufacturing, medical, and media sectors.
Before joining Accuvant, Anthony worked as a security consultant and project lead at Neohapsis, where he conducted penetration tests, vulnerability assessments, and application assessments against business-critical applications and architectures for dozens of Fortune 500 and multiple Fortune 100 companies.
Notable Accomplishments
Mr. Blakemore has been an active member of the security community for many years, attending high-profile industry conferences, delivering quarterly web application security lectures and demonstrations to DePaul University classes, and speaking at regional security conferences such as InfraGard, ISSA and OWASP.
Education
Anthony holds a Bachelor of Science degree in Computer Science from DePaul University.
Marty Sells
Senior Security Consultant – Accuvant LABS – Accuvant
With 20 years in information technology under his belt, and working in the security field specifically for the last 14 years, Marty is a Senior Consultant with Accuvant Labs. Although a recent addition to the Labs team, joining in late 2009, Mr. Sells has worked closely with other members of Accuvant Labs since the late 1990s, during his tenure on the ISS X-Force Penetration Testing team. Specializing in application security and penetration testing, Marty’s role is to provide world-class security consulting services to Accuvant Labs clients, while also providing ongoing thought leadership to the Accuvant assessment practice.
Experience
Originally recruited by ISS founder Chris Klaus, Marty was the first developer for System Security Scanner (S3) for UNIX and worked extensively on the development of ISS security products, including Internet Scanner, for which he was co-inventor on one of the patents issued. Marty completed his time on the engineering side of ISS with several years on the X-Force R&D team, focusing on UNIX host-level research, including work against early DDoS programs. Prior to joining ISS, Marty worked in Canada for a military contractor, working with BBN’s ST-II, an experimental IETF QoS protocol for real-time video and audio conferencing.
Marty continues to draw on his development background as a consultant. He is a specialist in penetration testing, application security auditing and secure code reviews. He has extensive knowledge of UNIX, network communications protocols, programming languages, and all things security as it relates to those technologies. He has conducted numerous penetration tests and application assessments for a variety of clients in the healthcare, financial services and other industries.
Notable Accomplishments
In addition to receiving several awards during his tenure at ISS for exceptional performance, Marty’s extensive experience has allowed his skills to be leveraged extensively in a variety of information security disciplines. Some of his notable accomplishments include:
- Engineering team lead on System Scanner v1.5.
- Designed and implemented a series of in-house penetration testing tools used by the ISS penetration test team.
- Manager of ISS penetration testing lab.
- Performed many penetration tests, application assessments, and code reviews for clients in government, Fortune 50 and other sectors. Identified critical vulnerabilities and provided customers with proof of the vulnerabilities, an idea of the potential scope of compromise, and remediation instructions.
- Co-inventor on a US patent assigned to Internet Security Systems for Internet Scanner 6.0:
  - 6,907,531 “Method and system for identifying, fixing, and updating security vulnerabilities”
Dave Maynor
Senior Security Consultant – Accuvant LABS – Accuvant
Dave Maynor is a Senior Security Consultant with Accuvant’s assessment team and specializes in application security and penetration testing. Dave provides world-class security consulting services to Accuvant clients and ongoing research and contributions to the security community as a whole.
Experience
Mr. Maynor has a strong background in application security, reverse engineering and exploit development. Before joining Accuvant, Dave co-founded Errata Security with Robert Graham, a think tank that specializes in rapid application development and security research. Prior to Errata, Dave was the Senior Researcher for SecureWorks and a research engineer with the ISS X-Force R&D team, where his primary responsibilities included reverse engineering high-risk applications, researching new evasion techniques for security tools, and researching new threats and attack vectors. Before ISS, Mr. Maynor spent three years at the Georgia Institute of Technology (GaTech), the last two as part of the information security group, working as an application developer to help make the size and magnitude of security incidents on campus manageable. Dave has also contracted with a variety of companies across a broad spectrum of industries and services, ranging from digital TV development, to security consulting and penetration testing for online banking and Internet Service Providers, to securing the interfaces and infrastructure of some of the largest and most heavily used sites on the Internet.
Mr. Maynor is proficient in developing applications in C/C++, Java, and assembly (including x86/x64, PowerPC, MIPS, ARM, and IBM MI (Machine Interface)), as well as in auditing those technologies for security problems. At the system level, Dave has deep knowledge of system internals, development tools and techniques, and security on a number of platforms, including AIX, *BSD, Linux, Windows, HP-UX, z/OS, OS/400, VxWorks, Tandem, and Cray CNL. This experience comes from actively securing these platforms, from application development, and from low-level hardware analysis of systems such as OpenBoot, AS/400 hardware debugging, and HP server hardware analysis including Tandem servers, as well as from reverse engineering these technologies to identify security flaws. Mr. Maynor has participated in the design or audit of a number of hardware-based devices, including wireless devices and System-on-a-Chip devices, and in the analysis of secure hardware such as HDCP. Mr. Maynor has also worked with FPGA and ASIC design from a reverse engineering and security analysis perspective and has working experience with most popular development solutions, including Xilinx’s Virtex 2 and 5 along with the VHDL development tools.
Notable Accomplishments
A well-recognized personality in the information security world, Dave is a popular author and has been featured in multiple publications over the last several years, including Fox News, CNN, the Associated Press, SecurityFocus and a multitude of other information security news sources. Mr. Maynor has been both a primary and a contributing author to several industry-leading security books, including Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research; Syngress Force Emerging Threat Analysis: From Mischief to Malicious; and War Driving and Wireless Penetration Testing, and he writes a monthly blog for DarkReading.com called ‘HackedOff’. Dave is also the primary author of three upcoming books: Performance Tuning with Linux; Snow Leopard (OS X 10.6) for Hackers; and Smelting Big Iron: The Pentester’s Guide to Mainframes. Through his vulnerability research, Mr. Maynor has also published bugs and vulnerabilities in Cisco products, OS X WiFi drivers, and Bluetooth technologies.
Dmitry Dessiatnikov, CISSP
Senior Security Consultant – Accuvant LABS – Accuvant
Dmitry Dessiatnikov, a security assessor with over seven years of experience in the field, is a Senior Security Consultant with the Accuvant Labs assessment team. Dmitry’s role is to provide world-class security consulting services to Accuvant clients while also providing ongoing thought leadership to the Accuvant Labs practice.
Experience
Mr. Dessiatnikov has served clients in a variety of industries, including financial services, electric power and gas utilities, credit reporting, health care, pharmaceuticals, insurance, e-commerce and entertainment. He has performed numerous enterprise-wide security assessments and penetration tests, including web application assessments, architecture reviews, war dialing, social engineering, host-based configuration reviews, and physical and wireless security reviews. He has audited and made recommendations for improving the IT security posture of Fortune 500 companies in relation to the following regulatory requirements and attestations: SOX, HIPAA, FERC, NERC, GLBA, SAS 70 and S&P Credit Ratings.
Before joining Accuvant, Dmitry was a Senior Security Consultant in the Security and Technology Solutions practice at Ernst & Young LLP, where he was the leading penetration testing specialist in the West Coast region. He performed multiple information security assessments, reviewing documented corporate IT security policies and procedures, conducting interviews with management and technical personnel, and testing security settings on internally and externally facing systems as well as network devices.
Notable Accomplishments
In 2004, Dmitry published a white paper on securing SQL connection strings that has been referenced by a number of online sources including obviex.com, thruthewire.net, dyessconsulting.com and cissecurity.net. Dmitry identified risks, tested security settings and made recommendations for improvement for multiple 802.11 wireless implementations. He reviewed the security surrounding content management processes for digital resources as they were implemented by an on-demand movie service, and presented on the strengths and weaknesses of Digital Rights Management implementations by both Microsoft and Real Networks.
Dmitry has also performed data forensics analysis for an international pharmaceutical client by gathering and correlating evidence of a security breach and, using his knowledge of Eastern European languages, identified possible suspects of unauthorized access. He also participated in multiple implementations of the eTrust Admin Access and Identity Management solution in the multi-platform environments of Fortune 50 companies and has developed hardening standards for Microsoft SQL and Oracle databases tailored to the environment of a Fortune 1000 utility company.
Certifications and Training
Dmitry is a Certified Information Systems Security Professional (CISSP), a GIAC-Certified Windows Security Administrator, and holds GIAC Security Essentials Certification.
Education
Dmitry holds a Master of Science degree in Information Systems Management from Brigham Young University, Utah.
Wayne Nichols, CISSP
Senior Security Consultant – Accuvant LABS – Accuvant
Wayne Nichols, an information security practitioner with over two decades in the field, is a Senior Security Consultant with the Accuvant Labs assessment team. Wayne has analyzed, designed and penetrated environments in nearly every industry, including government, retail, manufacturing, telecommunications and gaming. Wayne’s extremely diverse skill set allows him to focus on multiple facets of Accuvant’s service offerings, from enterprise security assessments to in-depth application testing and code reviews to delivering training offerings and development of internal methodologies and standards.
Experience
Mr. Nichols has more than 20 years of experience working in the software development and computer security industries. His experience includes high level cryptographic work for the government, development of a secure processing facility for the U.S. Air Force, design and implementation of secure networks in various industries, extensive work in analyzing and assessing security weaknesses in enterprise networks, enterprise client/servers and web applications. He has consulted with security operations in a wide range of industries to identify solutions, products, and vendors to solve complex network security problems.
Prior to joining Accuvant, Wayne performed private security consulting services for corporations and governments worldwide, and worked for Sun Microsystems as the lead on the global security team, where he was integral to the development of the Trusted Solaris platform. Prior to Sun, Wayne was a lead assessor for ISS’ X-Force, which he joined through the acquisition of his previous company, NJH Consulting, where his development of a web-based security management tool set positioned the company for acquisition. Wayne also served in information security roles for the Space Dynamics Laboratory through the early to mid-nineties, and served with the U.S. Army as a cryptologic mathematician for the Department of Defense.
Wayne has integration and evaluation experience with security software and hardware solutions such as Internet Security Systems, Check Point, Tripwire, Trusted Solaris, Sanctum products, Micromuse Netcool, and Symantec intrusion detection products, which he has used to perform security assessments targeting all facets of the enterprise for customers in the financial, e-commerce, and government space.
Notable accomplishments
Mr. Nichols is currently involved in the design and development of the next generation of secure Cross Domain Solutions, a high assurance set of tools to bridge different security domains, and he recently worked on a high assurance gateway project for the U.S. Government using Trusted Solaris. He was the architect and project lead for this effort. Wayne also worked as a Network Security Architect, designing and implementing secure network solutions, assessing existing enterprise networks for security weaknesses, developing new methods, and training and mentoring the PS field in all types of security-related consulting work. He has worked with large telecommunications and health insurance companies to design and implement security architectures, helping client management and technical staffs to identify problems, architect solutions, identify technologies that meet client requirements, and implement those solutions within the enterprise. Wayne has evaluated and assessed Internet banking solutions for banks in the United States, Costa Rica, Turkey, Panama, Venezuela, Spain, and Thailand.
Wayne has experience teaching security assessment principles and providing training for security tools. He has provided training for government employees and contractors, as well as for Big 5 security audit organizations.
Certifications and Training
Wayne is a Certified Information Systems Security Professional (CISSP), a Check Point Certified Security Engineer (CCSE), and an ISS Certified Engineer.
Education
Wayne holds a Bachelor of Science degree in Applied Mathematics from Weber State College and a Master of Science in Statistics from Brigham Young University.
Landon Lewis, CISSP
Senior Security Consultant – Accuvant LABS – Accuvant
Mr. Lewis is a Security Consultant on the Accuvant Labs assessment team with over eight years of experience in the information security industry. Landon brings a broad knowledge of hardware, software, security, and networking technologies, accompanied by a powerful combination of analysis, implementation, and support skills. His areas of expertise include network security, firewalls, intrusion detection and prevention, high-assurance operating system security, network design, data protection and integrity, authentication and applied cryptography for both Internet and embedded systems, and incident analysis and recovery.
Experience
Mr. Lewis has designed, implemented, and managed many open source and commercial security solutions for companies both small and large. Prior to joining Accuvant, Landon was a SCADA Security Consultant and Researcher for Digital Bond, and before Digital Bond he worked for numerous companies, including Verisign, IBM, and Midwest ISO, where his team designed, implemented, and maintained the security architecture around the world’s largest energy market. Mr. Lewis has architected layers of security devices performing the functions of firewalls, IDS/IPS, proxies, VPN, log management, and access control systems, all within highly available and redundant environments. While with Verisign, he worked as an MSSP Tier III Engineer for Check Point FW-1 (3.0b to NGX) firewall administration and configuration on multiple platforms (Nokia, Solaris, Windows and SecurePlatform). He has performed forensic investigations involving chain of custody, with commercial product experience in EnCase software, and has performed multiple information security assessments for large energy companies on both traditional IT networks and control system networks. These assessments typically included executive presentations, architecture and design review, enumeration, validation/exploitation, and recommendations. The diverse environments and broad range of projects executed during these roles allowed Landon to gain a wide variety of skills and experience that he applies to his current role penetrating and circumventing the controls he once specialized in implementing.
Notable Accomplishments
In addition to his many accomplishments within his various consulting roles, and his ongoing participation in the security industry with organizations such as InfraGard, Landon was also integral to the identification and analysis of many of the known vulnerabilities within SCADA environments. During his role with Digital Bond, Mr. Lewis helped develop the SCADA IDS signatures that are deployed in most commercial Network Intrusion Detection/Prevention Systems, as well as the SCADA plug-ins that are components of the Nessus vulnerability scanning tool. This experience also led Landon to be involved in the SCADA Honeynet project, which adapts the Honeypot/Honeynet concept to appear to an attacker to be a popular PLC used in control systems, for the purposes of collecting attack statistics and subsequently helping to quantify and better understand risk and attack-vector exploit techniques.
Certifications and Training
Landon is a Certified Information Systems Security Professional (CISSP), an Information Systems Security Architecture Professional (ISSAP), a Check Point Certified Security Engineer (CCSE), and an ArcSight Certified Security Analyst (ACSA).
Matthew Parcell
Senior Security Consultant – Accuvant LABS – Accuvant
Matthew is an Application Specialist on the Accuvant Labs assessment team with over four years of experience in the security industry. Coming from both a development and a network and systems management background, Matthew honed much of his security testing experience while employed with SPI Dynamics, an industry leader in web application security. His extensive experience with a wide variety of web application technologies and languages, a specialization in Java/J2EE, and a deep understanding of static code analysis and software development allow Matthew to offer unmatched expertise when analyzing the security of Accuvant clients’ application environments, and make him a perfect complement to the skills in place within the Assessment Practice.
Experience
Matthew started his career at SPI Dynamics working in quality assurance and development and, later, performing security assessments with the labs research department. During his tenure at SPI, Matthew developed a broad range of skills, specializing in web application development and vulnerability design and analysis across a variety of software technologies, as well as an intimate familiarity with the entire development life cycle. This experience with web application security, static analysis and code review provided the foundation necessary to perform assessments with the SPI Labs assessment team. Since joining Accuvant, Inc. in 2008, Matthew has specialized in performing penetration tests, application assessments and code reviews.
Notable Accomplishments
Matthew’s skills and abilities have afforded him opportunities to work on a variety of cutting-edge and unique projects despite the relatively few years he has spent in the industry overall. While at SPI Dynamics and Hewlett-Packard’s Application Security Center, Matthew contributed heavily to their flagship web application auditing product, WebInspect. These contributions ranged from designing checks that the scanning engine would execute against a target application, to testing that functionality against a test bed of applications that Matthew himself had designed to contain numerous customized vulnerabilities in application code and/or logic. These vulnerabilities were implemented in a multitude of ways across all possible application vulnerability classes.
In a later role at the same employer, Matthew was a key member of the development team for the organization’s static code analysis tools, DevInspect for Java and DevInspect.NET. He designed and set requirements for the code auditing tool after researching new static analysis techniques, including reflection analysis, tracing through exceptions, and identifying and mapping new sources and sinks, and he designed and refined the checks implemented in the tool to identify such issues in an application’s source code.
Certifications and Training
Matthew holds a certificate in Information Assurance and a certificate in Economics from Georgia Institute of Technology and is certified on the WebInspect product set from SPI Dynamics.
Education
Matthew holds a Bachelor of Science degree in Computer Science from the Georgia Institute of Technology.