Nitesh Dhanjani

Biography

Nitesh Dhanjani is a well-known security researcher, author, and speaker. Dhanjani is currently Senior Manager at Ernst & Young LLP, where he leads their Application Security Services efforts. Dhanjani is responsible for evangelizing new application security service lines, ensuring current service lines stay on the bleeding edge, and helping enterprises develop world-class application security strategies.

Prior to E&Y, Dhanjani was Senior Director of Application Security and Assessments at Equifax, where he spearheaded new security initiatives to enhance the enterprise SDLC, created a process for performing source code security reviews and threat modeling, and managed the Attack & Penetration team. Before Equifax, Dhanjani was Senior Advisor in Foundstone's Professional Services group where, in addition to performing security assessments, he contributed to and taught Foundstone's Ultimate Hacking security courses.

Dhanjani is the author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O'Reilly) and "HackNotes: Linux and Unix Security" (Osborne McGraw-Hill). He is also a contributing author to "Hacking Exposed 4" (Osborne McGraw-Hill) and "HackNotes: Network Security". Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, and OSCON.

Dhanjani graduated from Purdue University with both a Bachelor's and a Master's degree in Computer Science.

Blog

Safari Carpet Bomb

May 14 2008

I let Apple know that I'd like to discuss the two issues they won't be fixing with the security community, and they let me know they are fine with it.

Amazon's Elastic Compute Cloud [EC2]: Initial Thoughts on Security Implications

April 27 2008

Based on my recent experience with Amazon's EC2, here are some initial thoughts (with a bias toward security).

Interview With [IN]Secure Magazine

April 22 2008

Issue 16 of [IN]Secure Magazine is available. Mirko Zorz interviewed me in this edition (Page 41). If you decide to read it, I'd be delighted to hear your thoughts and feedback. The magazine edition of the interview is much better looking and highly recommended (as are the other articles), but…

Be Secure, and You'll be Compliant

April 16 2008

Don't let a requirement like PCI drive your overall strategy. Understand your goals and needs, aim to be secure, and you will be compliant. Try the formula the other way around, and your strategy will be flawed, your security budget won't be big enough, you will struggle to keep up…

Black Hat Europe 2008

April 01 2008

I presented Bad Sushi: Beating Phishers at their Own Game (with Billy) at Black Hat Europe (Amsterdam) 2008 last week. I always enjoy doing this talk, and the feedback was quite positive. For more information, check out Nate's coverage of the conference...

The iPhone SDK Press Conference

March 09 2008

Apple may have a difficult time auditing applications to ensure they meet their criteria. What is the absolute definition of malicious in the given context? Malicious to whom? The end user, Apple, or AT&T? Perhaps all of the above. Now, how does Apple go about obtaining assurance whether a given…

Black Hat Briefings 2008 (Washington DC)

February 26 2008

I presented Bad Sushi: Beating Phishers at their Own Game with Billy Rios last week at the Black Hat Briefings in DC. The best part of the experience was the opportunity to talk to people in the audience after the presentation, and to hear their perspectives on the subject.

Bad Sushi: Beating Phishers at their Own Game

January 28 2008

Help Net Security has posted an interview with me and Billy Rios titled Spies in the Phishing Underground. If you enjoyed the interview, and if you want more details and screen-shots, check out our talk at the Federal Black Hat Briefings 2008 [February 20]. The title of the talk is Bad…

What Have You Changed Your Mind About? Why?

January 20 2008

I think it is extremely important for an organization to account for the reality of doing business (a risk-based approach, as opposed to the purist mentality of securing everything) when strategizing an information security plan. It is true that an individual who has a habit of perceiving security issues as purely…

Illogical Arguments in the Name of Alan Turing

November 12 2007

The Halting Problem, described by Alan Turing in 1936, states that it is impossible to come up with a general algorithm that can decide whether a given program will terminate (for all possible program and input pairs). In other words, the only way to generally determine how a program will behave is to…

hack.lu 2007

October 14 2007

I’ll be speaking at the hack.lu 2007 security conference in Luxembourg on October 20, 2007. My talk is titled Breaking and Securing Web Applications. The conference agenda is here.

Yahoo! Susceptible to Cross Site Request Forgery (XSRF) Attacks

October 10 2007

Many organizations offer Mobile and WAP-enabled flavors of their web applications. These applications may appear to have restricted functionality, but a security vulnerability in one of them can allow malicious users to launch attacks whose implications propagate to the main application, because the mobile flavor typically shares the same sessions and backend data. For example, a persistent XSS issue that may…
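The propagation path described above, as a constructed example added to this page (it is not code from the original post): a main site whose state-changing request checks a synchronizer token, and a mobile flavor of the same application that does not, both reading the same session store and account table. The session ID, origins, field names and the "hardened" variant (token check plus an Origin check) are assumptions made for the illustration.

```python
"""Constructed model: a CSRF hole in the mobile/WAP flavor of a web app changes
account state that the main application trusts. Example code added to this
page, not from the original post."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed shared state: one session store and one account table used by
# both the main site and the mobile flavor (assumption: they share a backend).
SESSIONS = {"sess-victim": {"user": "alice", "csrf": secrets.token_hex(16)}}
ACCOUNTS = {"alice": {"email": "alice@example.com"}}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    origin: Optional[str] = None  # Origin header; None when the browser sent none


def current_session(req):
    return SESSIONS.get(req.cookies.get("sid"))


def update_email(sess, new_email):
    ACCOUNTS[sess["user"]]["email"] = new_email


def main_profile_handler(req):
    """Main site: the state change requires the token bound to the session."""
    sess = current_session(req)
    if sess is None or req.method != "POST":
        return 403
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return 403
    update_email(sess, req.form["email"])
    return 200


def mobile_profile_handler_vulnerable(req):
    """Mobile/WAP flavor as described in the post: authenticated, no token check."""
    sess = current_session(req)
    if sess is None or req.method != "POST":
        return 403
    update_email(sess, req.form["email"])  # attacker-chosen value is accepted
    return 200


def mobile_profile_handler_fixed(req, allowed_origin="https://m.example.com"):
    """Hardened flavor: same token check as the main site, plus an Origin check
    (assumption: the mobile flavor is served only from allowed_origin)."""
    sess = current_session(req)
    if sess is None or req.method != "POST":
        return 403
    if req.origin is not None and req.origin != allowed_origin:
        return 403
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return 403
    update_email(sess, req.form["email"])
    return 200


def forged_request():
    """What a hidden auto-submitting form on attacker.example produces: the
    browser attaches the victim's cookie, the attacker cannot read the
    session-bound token, and the Origin header names the attacker's site."""
    return Request(method="POST",
                   cookies={"sid": "sess-victim"},
                   form={"email": "attacker@evil.example"},
                   origin="https://attacker.example")


def run_attack(handler):
    """Reset the account, replay the forged request against one handler, and
    report (status, email address the main site now shows for alice)."""
    ACCOUNTS["alice"]["email"] = "alice@example.com"
    status = handler(forged_request())
    return status, ACCOUNTS["alice"]["email"]


if __name__ == "__main__":
    print("main site    :", run_attack(main_profile_handler))
    print("mobile (vuln):", run_attack(mobile_profile_handler_vulnerable))
    print("mobile (fix) :", run_attack(mobile_profile_handler_fixed))
```

The point of the model is that the attacker never touches the main site: the forged request goes to the mobile endpoint, but the main site reads the same account record and will happily act on the attacker's email address from then on. Any flavor of the application that can change shared state needs the same anti-CSRF controls as the main one.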

[IN]Secure Magazine, Issue 13

September 25 2007

Issue 13 of [IN]Secure Magazine is now available. It contains my article: Social Engineering Social Networking Services: A LinkedIn Example (originally a blog post, but now with cool graphics). Download it here.

Social Engineering Social Networking Services: A LinkedIn Example

August 28 2007

The term Identity Theft is usually assumed to be related to a malicious entity abusing someone’s credit information to commit financial fraud. This continues to be a big problem, but I’d like to extend the problem of identity theft to the social-networking aspects of so-called Web 2.0 applications. I feel…

This Blog is Susceptible to Persistent Cross Site Scripting (XSS)

August 22 2007

It is no secret that XSS is the leading high-risk vulnerability affecting web applications today. I’ve discussed the impact of XSS during my conference speeches as well as in my books and articles. I’ve also blogged about it right here on O’Reilly numerous times: Repeat After Me: Lack of Output Encoding…
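A constructed illustration of the "lack of output encoding" point, added to this page (not code from the original post or the blog software it describes): a stored comment and author name are rendered into an HTML text node, an HTML attribute and a JavaScript string literal, first with no encoding and then with encoding chosen per context. The payloads, template and the small audit helper are all assumptions made for the example.

```python
"""Why a stored (persistent) comment becomes XSS without output encoding, and
what context-aware encoding looks like. Constructed data; example code added
to this page, not from the original blog."""
import html
import json
from html.parser import HTMLParser

# Constructed attacker input, as it would be saved through a comment form.
STORED_COMMENT = "<script>alert(document.cookie)</script>"
STORED_NAME = '" onmouseover="alert(1)'


def render_vulnerable(comment, name):
    """Reflects stored data straight into three different HTML contexts."""
    return (
        f'<div class="comment">{comment}</div>\n'
        f'<input type="text" value="{name}">\n'
        f'<script>var author = "{name}";</script>'
    )


def render_encoded(comment, name):
    """Encodes each value for the context it lands in."""
    body = html.escape(comment, quote=False)   # text node: & < > are enough
    attr = html.escape(name, quote=True)       # attribute: also " and '
    js = json.dumps(name)                      # JS string literal: escapes " \ and control chars
    js = js.replace("<", "\\u003c")            # json.dumps leaves "<"; stop "</script>" inside the literal
    return (
        f'<div class="comment">{body}</div>\n'
        f'<input type="text" value="{attr}">\n'
        f'<script>var author = {js};</script>'
    )


class TagAudit(HTMLParser):
    """Counts <script> start tags and collects on* event-handler attributes,
    i.e. the structure an attacker adds when data escapes its context."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += [name for name, _ in attrs if name.startswith("on")]


def audit(rendered):
    """Return (number of <script> tags, list of event-handler attribute names).
    The template itself contributes exactly one <script> tag and no handlers."""
    parser = TagAudit()
    parser.feed(rendered)
    parser.close()
    return parser.script_tags, parser.event_handlers


if __name__ == "__main__":
    print("vulnerable:", audit(render_vulnerable(STORED_COMMENT, STORED_NAME)))
    print("encoded   :", audit(render_encoded(STORED_COMMENT, STORED_NAME)))
```

The two extra pieces of structure in the vulnerable output (a second script element and an onmouseover handler) are the attacker's, and both disappear once each value is encoded for its own context. Note that HTML entity encoding alone is not the right tool for the JavaScript context: inside a script block `&quot;` is just three literal characters, which is why the name is emitted as a JSON string literal there instead.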