Scott White

Practice Lead, Software Security

Experience

Scott White is a Principal Security Consultant for Cleveland-based TrustedSec. He joined TrustedSec’s founder, David Kennedy, after years of working closely with him in both corporate and consulting environments. Scott’s expertise in penetration testing and web application security draws on years of experience spanning web development, source code analysis, penetration testing, web application security, zero-day research, and exploit development. He has performed penetration tests against both IBM z/OS and IBM iSeries, with a focus on web applications. He has been the technical editor for several books, including the popular “Metasploit: The Penetration Tester’s Guide”, holds degrees in computer science (BS with distinction) and network security (MS, summa cum laude), and has been called upon as a subject matter expert both academically and professionally, including by the FBI and Secret Service. Scott has developed application security programs for several large international companies. As the global application security team lead for a Fortune 1000 company, he performed several hundred web application security assessments covering static code analysis, dynamic (grey box) testing, and penetration testing, and was instrumental in building the entire process, from developer education and awareness and secure coding practices through to final approval reviews for production.

Education & Certifications

B.S. Computer Science, Ohio Northern University
M.S. Network Security, University of Advancing Technology

Professional Affiliations

Technical Editor, “Metasploit: The Penetration Tester’s Guide”
Technical Editor, “The Basics of Web Hacking”

Industry Contributions

Founder/Organizer, DerbyCon CTF
Trainer, DerbyCon, OWASP Top 10 and Beyond Course
Defcon 16 Panel: Black vs. White: The complete life cycle of a real world breach
Numerous presentations to organizations such as OWASP, ISSA, AZSPF, SWSPF, ISACA, FBI’s Infragard, and others

Passion for Security

Scott has been responsible for a number of professional accomplishments, including sole assessment responsibility for environments such as a 911 emergency network, a casino, an ATM kiosk and its network, a PCI web application for a $20 billion+ top national insurance provider, and a photo kiosk deployed in over 5,000 retail locations as a $40 million project. His assessment experience includes clients in lines of business ranging from healthcare, finance, retail, manufacturing, energy, insurance, and education to software development and beyond, in both the government and commercial sectors. In his free time, Scott participates in bug bounty programs and has been paid for his work in several of them, including the well-known “Hack the Pentagon” program.

Recent Blog Posts


Full Disclosure: Authenticated Command Execution Vulnerability in pfSense

On 05/19/2016 Scott White of TrustedSec discovered an authenticated command injection vulnerability in pfSense. It was responsibly disclosed to pfSense ([email protected]) on 06/08/2016 and promptly fixed by the pfSense development team. TrustedSec wants to thank the pfSense team for the impressive response time and for providing a great open source project. Although the vulnerability was...

Ruby ERB Template Injection

Written by Scott White & Geoff Walton. Templates are commonly used both client- and server-side for many of today’s web applications. Many template engines are available in several different programming languages. Some examples are Smarty, Mako, Jinja2, Jade, Velocity, FreeMarker, and Twig. Template injection is a type of injection attack that can have some particularly...
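The ERB template injection the post above introduces, shown as an added example in Ruby. This is illustrative code written for this page, not code from the post or from TrustedSec; the function names and the attacker input are constructed. The vulnerable variant interpolates user input into the template source, so ERB evaluates the attacker's `<%= ... %>` tag as Ruby; the hardened variant keeps the template source fixed and passes the input in as a value only.

```ruby
require "erb"
require "cgi"

# Constructed sample input: an attacker-controlled "name" value that carries an ERB tag.
# 7 * 7 is the classic template-injection probe; a real attacker would put Ruby that
# reads files or runs commands here instead.
ATTACKER_INPUT = "<%= 7 * 7 %>"

# Vulnerable pattern (hypothetical name): untrusted input is concatenated into the
# template *source*, so ERB compiles the attacker's tag as code and executes it.
def render_vulnerable(name)
  template = "Hello, #{name}!"      # user input becomes part of the template text
  ERB.new(template).result(binding) # => "Hello, 49!" for ATTACKER_INPUT
end

# Hardened pattern (hypothetical name): the template source is a constant written by the
# developer; user input is only ever exposed to it as a variable, and is HTML-escaped
# on output so it cannot break out of the surrounding markup either.
SAFE_TEMPLATE = ERB.new("Hello, <%= CGI.escapeHTML(name) %>!")

def render_safe(name)
  # result_with_hash (Ruby >= 2.5) binds the hash keys as locals for the template.
  SAFE_TEMPLATE.result_with_hash(name: name)
end

if $PROGRAM_NAME == __FILE__
  puts render_vulnerable(ATTACKER_INPUT) # the expression was evaluated server-side
  puts render_safe(ATTACKER_INPUT)       # the tag is rendered literally and escaped
end
```

The point to carry away is that no amount of escaping fixes the first variant: once input is part of the template source, ERB has already compiled it. The only fix is the structural one the second variant shows, where templates are developer-authored and data flows in through the binding.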

Full Disclosure: Adobe ColdFusion Path Traversal for CVE-2010-2861

This blog was written by Scott White, Senior Principal Security Consultant, Web Application Team Lead – TrustedSec. TL;DR: A publicly undisclosed pre-auth local file disclosure path in older Adobe ColdFusion products (8.0, 8.0.1, 9.0, 9.0.1 and earlier versions) exists at /CFIDE/debug/cf_debugFr.cfm?userPage=../../etc/hosts During a recent penetration test, a web site utilizing cfm pages was identified and...

Recent Podcasts

TrustedSec Security Podcasts

Pi

November 22, 2019
Scott White

Want to work with Scott White or someone like him?

The TrustedSec team is comprised of experienced and qualified security professionals. Contact us to learn more about our services, our team, and how we can help you.