19 Feb

About…

   Posted by: Joshbw   in Uncategorized

About Joshbw ~ If you are looking for gritty, personal details about me, like for example the details the average MySpace user gives out at the drop of a hat, you are sadly going to need to look elsewhere.  While I may not be doing a great deal to prevent you from tracking down information about my person, obviously using a variation of my actual name rather than my typical pseudo-anonymous handle I use elsewhere on the net, I am not going out of my way to give up personal information. 

From a professional standpoint I am an Application Security analyst working at an international Fortune 500 company to secure internally developed applications, develop secure development guidelines and standards, create a secure development lifecycle, audit source code and perform penetration testing, and hold training seminars to help instill a sense of security among developers and testers. I am essentially in charge of all of these efforts.  Prior to my current job I worked for FedEx with a team of like-minded Application Security folks, leading the charge to secure the application layer of the enterprise. I have also worked at Microsoft where I had a love of the Secure Development Lifecycle thrust upon me like a shotgun wedding, but hey, there is a reason they have a fraction of the vulnerabilities these days relative to their competitors.  My obsession with Threat Modeling can obviously be traced back to my experiences with the company.  .Net is my weapon of choice when given the option but these days I seem to spend more time in Java and PHP; I’ve pretty much done every type of development possible from minute embedded applications to distributed enterprise applications, with a fair bit of thick clients in between, so there is very little in the application space I am not intimately familiar with.

From a personal standpoint the key to understanding me, and thus what I write, is to realize that I tend to be sarcastic about most everything which isn’t generally a sign that I lack respect for whatever is in question.  It just happens to be how I am.  Granted I am also quite sarcastic when something pisses me off, so distinguishing between my “for amusement” sarcasm and my “quite annoyed with something” sarcasm can sometimes be challenging.  I also hate emoticons, so very rarely will I use them to give connotation to which form of sarcasm I am employing at a given moment; readers are left to their own wits to ferret out my intentions.

About this site ~ This is my playground to post musings about application security, point out nifty tools and techniques to my friends and fellows, rant about technology in general, and sometimes talk about the occasional off-topic geek fest.  General security concerns will be discussed here, as well as flaws disclosed elsewhere, but specific vulnerabilities are not likely to be disclosed here.  Updates are sporadic and at my whim, likely to come in bursts when I am bored or something is on my mind, and likely to be scarce when work owns my soul.  If I ever finish the security tools I am working on I will also make them generally available here, but I have a great deal vying for my time.  Comments are encouraged so long as they are not overly inflammatory, and spam will be deleted immediately.  Comments are subject to review.

About Analytical Engine ~ The name is an homage to what is regarded as the first artificial computer, a mechanical contraption programmed via punchcards, designed by Charles Babbage in the 19th century, anticipating the design of early computers by a century.  Ada Lovelace composed a program to calculate a sequence of Bernoulli numbers using the Analytical Engine and thus is considered the first programmer.  The Ada language was named in her honor but poor Chuck Babbage is stuck with this website as a tribute.