Scott White

Director of Software Security

Experience

Scott White is a Principal Security Consultant for Cleveland-based TrustedSec. He joined TrustedSec’s founder, David Kennedy, after years of working closely with him in both corporate and consulting atmospheres. Scott’s expertise in pen testing and web application security stems from his years of unique experience ranging from web development, source code analysis, penetration testing, web application security, zero-day research, and exploit development. Scott has experience in performing penetration tests against both IBM z/OS and IBM iSeries with a focus on web applications. Having been the technical editor for several books including the popular “Metasploit: The Penetration Tester’s Guide”, holding degrees in computer science (BS with distinction) and network security (MS Summa cum Laude), he has been called upon not only academically but also professionally by the FBI and Secret Service as a subject matter expert. Scott developed several application security programs for large international companies. As the global application security team lead for a Fortune 1000 company, Scott performed several hundred web application security assessments including static code analysis, dynamic testing (grey box), and penetration testing. Scott was instrumental in developing the entire process from developer education and awareness, secure coding practices, and to final approval reviews for production.

Education & Certifications

B.S. Computer Science, Ohio Northern University M.S. Network Security, University of Advancing Technology

Professional Affiliations

Technical Editor, “Metasploit: The Penetration Tester’s Guide” Technical Editor, “The Basics of Web Hacking”

Industry Contributions

Founder/Organizer, DerbyCon CTF Trainer, DerbyCon, OWASP Top 10 and Beyond Course Defcon 16 Panel: Black vs. White: The complete life cycle of a real world breach Numerous presentations to organizations such as OWASP, ISSA, AZSPF, SWSPF, ISACA, FBI’s Infragard, and others

Passion for Security

Scott has been responsible for a number of professional accomplishments including having sole assessment responsibility for environments such as a 911 emergency network, casino, ATM kiosk and network, PCI web application for a $20 billion+ top national insurance provider, and a photo kiosk deployed in over 5,000 retail locations as a $40 million project. Scott’s assessment experience includes clients in multiple lines of business ranging from healthcare, finance, retail, manufacturing, energy, insurance, and education to software development and beyond for both public and private sectors in both government and commercial spaces. In his free time, Scott enjoys participating in bug bounty programs and has been paid for his work in several programs including the well-known “Hack the Pentagon” program.

Recent Blog Posts

Theft From Online Shopping Carts – Past and Present

By Scott White
In Application Security Assessment
Past Circa 2007, during a penetration test, I encountered an online shopping cart that exposed a variable containing a product’s price and it allowed for manipulation to lower the cart’s total. In early 2008, research was conducted to answer the question – just how many carts are vulnerable to such a trivial hack? At the...
Read
TrustedSec Blogs + Articles logo

Full Disclosure: Authenticated Command Execution Vulnerability in pfSense

By Scott White
In Penetration Testing, Security Testing & Analysis
On 05/19/2016 Scott White of TrustedSec discovered an authenticated command injection vulnerability in pfSense. It was responsibly disclosed to pfSense ([email protected]) on 06/08/2016 and promptly fixed by the pfSense development team. TrustedSec wants to thank the pfSense team for the impressive response time and for providing a great open source project. Although the vulnerability was...
Read
TrustedSec Blogs + Articles logo

Ruby ERB Template Injection

By Scott White and Geoff Walton
In Penetration Testing, Security Testing & Analysis
Written by Scott White & Geoff Walton Templates are commonly used both client and server-side for many of today’s web applications.  Many template engines are available in several different programming languages.  Some examples are Smarty, Mako, Jinja2, Jade, Velocity, Freemaker, and Twig.  Template injection is a type of injection attack that can have some particularly...
Read
View all posts from Scott

Recent Webinars

Seeing the Entire Software Security Picture

During this practical webinar, the TrustedSec Software Security Team will provide a basic introduction to modern software security and give tips to help get the most out of your organization’s next security assessment. We’ll examine how the practice of software...
Watch
View all webinars from Scott

Recent Podcasts

TrustedSec Security Podcasts

LastPass the Last Time Honest (Well Maybe)

June 05, 2023

Word Clouds, Password Clouds

June 05, 2023

How the Sausage is a Made

June 05, 2023

Want to work with Scott White or someone like him?

The TrustedSec team is comprised of experienced and qualified security professionals. Contact us to learn more about our services, our team, and how we can help you.
Contact Us