09 April, 2013

Who We Are: Jason Wood

Who We Are: Jason Wood
Jason Wood
Author: Jason Wood
The goal of these posts is for you to learn more about us. So reach out to us via email or twitter. We’d love to get to know you. 

Who am I:

Jason Wood, Senior Security Consultant at Secure Ideas.

What do I do at Secure Ideas:
Like James, I end up doing just about anything.  As a sysadmin by background, I am usually the one who gets asked to do something on the servers.  I spend quite a bit of time working on client engagements doing penetration testing or architecture reviews.  I’m also responsible for coordinating speaking opportunities.  So if you would like someone at Secure Ideas to speak at your event, please let me know.

What is my security background in a nutshell:
I started out as a systems administrator and bounced back and forth between Windows, FreeBSD and Linux.  My experience was heavy in infrastructure and operating large web applications.  Somewhere along the way I got interested in security and looking for chances to take on those responsibilities.  Fortunately, I was one of the few interested in the topic, so I got lots of work to do.  A major turning point was when I wrote Reconnoiter because of an argument over appropriate controls on a system.  I found myself meeting and learning from a lot of folks in the security field.  While I’m on the offensive end of things right now, I’m still very interested in defense.  Hence, the reason why Tactical Security Operations is being written right now.

What is my favorite attack:
Cross Site Request Forgery (CSRF) is one of my current favorite attacks right now.  It’s one that is more difficult to explain to folks, but can do some really damaging stuff.  Usually my attacks involve abusing the business logic of an app in some way, but it’s very cool when you can use it to embed Cross Site Scripting into an app and hook your victims with BeEF.

What am I learning about now:
I’m spending a lot of time reading and thinking about defense.  I’m pretty firm believer that an attacker will find a way in if they really want to, so we need to have the capabilities to detect and respond to them.  It isn’t enough to stand up basic defenses and passively wait for one of them to send us an alert.  We need to be out there hunting down systems and issues in our networks.  Don’t wait for the bad guy to find them first.

Reaching me:

email: jason@secureideas.com


Jason Wood is a Senior Security Consultant with Secure Ideas.  If you are in need of a penetration test or other security consulting services you can contact him at jason@secureideas.com or visit the  Secure Ideas – Professionally Evil site for services provided.

Join the professionally evil newsletter

Related Resources