web application security lab

Jeremiah Grossman Named One Of Top 25 CTOs

I’ve known this might be coming for a while, but I was holding my breath (didn’t want to jinx anything). It turns out our very own Web Application Security guru Jeremiah Grossman was named one of InfoWorld’s top 25 CTOs for 2007 (InfoWorld has a direct link). This is actually really impressive to me. A year ago almost no one cared about web app sec. It was a niche inside of a niche, but what we’ve been able to accomplish as a community over that year is nothing short of remarkable. And that is in large part due to Jeremiah Grossman of WhiteHat Security.

I think we owe him a debt of gratitude in many ways. He’s been a public face for our issues, a punching bag for some, and all in all a really nice guy through the process. He’s got a tough job - keeping up with the technology while keeping his eye on the security industry as well. I know we take that kind of thing for granted, but I, for one, appreciate it.

8 Responses to “Jeremiah Grossman Named One Of Top 25 CTOs”

  1. Kyran Says:

    He really deserves this.
    Even just his theories have spawned projects and papers all over.
    Without the big guys like you and him, web app sec would probably be lost.

  2. Jeremiah Grossman Says:

    Hi Kyran, thank you very much, I appreciate the kind words. I think it’s safe to say that RSnake and I are equally grateful that others are interested in carrying our ideas forward, expounding upon them, and making code of their own. This is really how the industry is built and progress made.

  3. Ronald van den Heetkamp Says:

    Congrats Jeremiah :), btw what does it mean, Top CTO? Only for a company that is in security?

    RSnake: what do you mean with: almost 1 year ago no one cared?
    As far as I see it, the webappsec world is a lot bigger than you might expect, because I know plenty of people who were in it before everyone here. A wild guess is that it hasn’t grown nor shrunk, it always was there; the difference is that people started to blog about it instead of keeping it for themselves and peers, turning a new page only.

  4. RSnake Says:

    Ronald - What I mean is that a year ago people were bashing researchers who were finding these exact same types of issues. Now that doesn’t happen anymore, because people are getting that it’s an actual problem that can’t just be solved with a network device, like a firewall. I know people were in it before, and I know it’s big, but if you looked at the hacking sites, and mailing lists, it’s completely disproportionate with the people who cared about buffer overflows, network security and OS security.

    I know it’s been around for a while; I’ve been involved in webappsec for 12 years. ;) I had the 135th hacking site on the internet. I know because we were all linked together through the fringe of the web webring run by Bronc Buster, Silicon Toad, etc… - it was the second webring ever made (done as an experiment by a college kid). My old site is so old that the Internet Archive doesn’t go back far enough to show what it used to look like (for that, I’m grateful, because it had animated gifs, frames, and a whole lot of other crap that people put on their first websites). Yeah, I’ve been around for a while. ;)

    What’s changed is that we’ve finally shown how vulnerable things are if you ignore the web application piece - and not just because of SQL injection, which was the news a few years ago. SQL injection is easy to understand compared to XSS, CSRF and the other things we work on. Not that it’s less dangerous (probably the opposite), but it also felt like a much more easily solved problem in many ways to most people.

  5. Ronald van den Heetkamp Says:

    Haha yes I second that story :D

    But yeah you got a point there, that is what is happening at the moment. I’m certainly glad I jumped upon the same boat, I don’t regret it, cause this thing will float far. That’s a hunch.

    Many are downplaying this stuff, just like Wikipedia did last week.

    See my discussion with the Wikipedia folks at my blog. I found a simple file disclosure (apparently it’s their policy to show all scripts) and they stated in a mailing list that file disclosure, XSS, and SQL injection are script kiddie stuff.

    Next they indirectly dared me to show some vulnerabilities in it, and I did. I posted an XSS and SQL injection on my blog, proving that transparent security is not an option; it only works in systems that are proven to be secure, or close to complete theoretical security like certain algorithms are, because I found those flaws by sifting through their scripts: they gave me the map of the territory.

    So I clearly see 2 camps: webapp & network. Now I hope those two will merge someday, because they really aren’t merged at the moment.

  6. Mephisto Says:

    Congrats JG!

  7. Alex Says:

    Congratulations Jeremiah! :)

  8. Jeremiah Grossman Says:

    Thanks RSnake, Ronald, Mephisto, Alex, etc.