Interview with Saumil Shah, Security Researcher
by Mirko Zorz

Saumil Shah is a security researcher and is one of the authors of Web Hacking: Attacks and Defense.

How did you gain interest in computer security?

My interest in computer security goes a long way back. In my late teens, I used to dig through DOS viruses, disassemble them, and build anti-virus programs. During my graduate studies, I had been a research assistant at Purdue University's COAST labs (now called the CERIAS department), working with Prof. Gene Spafford.

What are your favourite security tools and why?

Out of the plethora of security tools, my choice as the favourite tool goes to Netcat. Netcat is more of a network tool, rather than a security tool. It is a simple TCP/UDP connection tool, which can be used to connect to network services, or set up as a listener. Web Hacking is the art of simplicity combined with a powerful mindset. Netcat embodies just that - a very simple tool, which can be used to connect to web servers and test them however one pleases.

In your opinion what are the most important things an administrator has to do in order to keep a network secure?

There are two lines of thought when answering this question. First and foremost, an administrator has to have thorough knowledge of the network being administered. A well maintained network inventory, architecture and resources delivered on the network are key to keeping a network secure. One of the most important principles of information security is the "Principle of least privilege". Knowing the network better helps an administrator to apply the principle of least privilege across various resources hosted on the network. Secondly, procedurally speaking, a well defined network maintenance procedure helps in keeping the network secure. Procedures defined for periodic system updates with the latest security patches should be put in place.

What was it like to be a co-author of "Web Hacking: Attacks and Defense"?

To me I felt as if finally I am able to convey all the excitement in my mind about the art of web hacking to the rest of the world. Web hacking is unlike other attacks. Web hacking draws heavily upon creativity and imagination and uses very simple tools to carry out these attacks. Upon seeing the first copies of the book, I felt a sense of satisfaction to see all my thoughts and efforts take shape!

What books, articles, whitepapers would you recommend to people that are starting to learn about computer security?

Two books that are an excellent introduction to computer security are "Practical Unix and Internet Security" by Gene Spafford and Simson Garfinkel, and "Applied Cryptography" by Bruce Schneier. A few websites which provide excellent tutorials and up-to-date information about the present state of network security are Security Focus, PacketStorm Security and Security Tracker.

What are your future plans?

Professionally speaking, one of the items in my future plans agenda is to build a city-wide wireless network for my home city, Ahmedabad, more from a hobby and a community perspective rather than a commercial venture. Personally, I am thinking of embarking on a photography trek in the upper slopes of the Himalayas.