
Akash Mahajan :: Interview

Some time back (when i was still procrastinating my way through life and looking for inspiration), a new (ok, don’t look at me like that, it is new for me even though it had existed way before i was born) idea hit me – What if i pester some of the brightest people i know and ask them for an interview (i am not high and this is not my hubris talking; i meant me taking their interview, not the other way round!)? If i pester them enough, maybe they’ll give me their time of the day and i would get to learn some things.

So here’s the first one.

Now, here’s someone who started working in this field without fulfilling any checkpoint in a standard HR recruitment checklist. Yeah, no certification (Gods must be crazy!). However, he is famous not just for his involvement with NULL, Bengaluru (look ma, constitutionally correct pronunciation!) but is also an entrepreneur. The name – Akash Mahajan (AM).

ME – What is your online handle / real name (depending on your preferences)?

AM – Usually I use makash, in some places I use akashm. But mostly Googling for Akash Mahajan will return most of the results about me.


ME – What do you do for a living?

AM – I help small and medium companies become secure. It starts with me supporting them in making their web apps and mobile apps secure, building internal app sec capability, and usually extends to me making sure their servers and cloud networks are secure. Sometimes companies take my help in charting out long-term strategy about their security choices. For a long time I worked as a freelancer in this field, but since last year I have been registered as a private limited.


ME – Can you describe your journey?

AM – So I was on my way to becoming a Java programmer. Not particularly a good one. While working on Java related projects there was a massive network outage in my company. The internet was basically not working for a week because of a malware outbreak. I wasn’t affected personally because I was using a Linux box. When the infection reached the team subnet I was in, my project lead allowed me to take a look. I was able to isolate the malware and remove it from the system fairly quickly. Once that was done, I shared my solution with the IT team and realized that I had a lot of fun doing this. Definitely more fun than writing Java code. That is what started my infosec journey. I quit my job and joined a security products company. While working there I learnt a lot about network security, application security, Python scripting and virtual machine automation. One day in the month of June 2008, I decided that I should try being a freelance security consultant for all the hundreds of companies in Bangalore.


ME – What were the challenges in your journey & how did you overcome them?

AM – I am not an engineer. Initially I never thought about going on my own. I got rejected by a bunch of companies for not being an engineer or not having a security certification. I got myself a Certified Ethical Hacker certification because companies started demanding it. Once I had a certification it was easier.

In our industry a bigger challenge is to keep yourself updated about the latest security techniques etc. I did struggle with that a lot at the beginning. Then one day on Twitter I posted asking for security communities in India and Aseem responded. They had started null – The Open Security Community some time back in Pune and were looking for people to grow it to other cities.

Having a community full of seriously talented people doing security day in and day out makes it far easier to know what is happening in this field. Not only that, we have so many folks who are doing original research, so in some cases we get to see the newer stuff even before it becomes public.


ME – What are the most important things that you want to focus on in coming years?

AM – Building and taking null to every state in India. Building my company into one doing high quality security research and offering testing services at various levels. Personally I would like to try adventure sports. 🙂


ME – What, in your opinion, will be most in-demand things from a security standpoint?

AM – Automation of security testing, deployments (DevSecOps), user data privacy and figuring out ways to trust 3rd party software and services.


ME – What, in your opinion, should the industry focus on?

AM – Industry as a whole needs to focus on building quality solutions. Also, while profits are important, the industry should understand that in the knowledge economy a well trained workforce is not only an asset but the returns from such a workforce can be exponential.


ME – Where do you see the security industry heading to?

AM – More automation, instrumentation of solutions, deployments. Also more and more systems will be in the cloud.


ME – How can one become an expert in your field (not security in general, but the work that you are doing currently)?

AM – Practice, collaborate, publish, solicit feedback. Wash rinse repeat.


ME – Do you think bug bounties help?

AM – Bounties do help. At the very least bounties offer a short term incentive for more people to spend their quality time in finding bugs. And humans tend to love competition. The indirect benefit of bounties is that when more and more people start bug hunting seriously they also get serious about collaboration and sharing of knowledge, and it always helps when a group of people is focused on a common objective.


ME – What is your vulnerability disclosure policy (ignore if not applicable)?

AM – I don’t disclose bugs.


ME – In the wake of PRISM, and other monitoring activities that are taking place, do you think Internet usage will decline? Reasons?

AM – Internet usage will not decline. But yes, it is possible that companies will spring up trying to get customers based on nationality etc. Governments tend to work towards exclusivity and sometimes inefficiencies get hidden due to the nature of how they operate. This will make sure that some parts of the world will be working with substandard software, which if taken positively can mean better competition, or a clear competitive disadvantage.


ME – What, apart from your regular work, are you doing in the field of information security (any open source work, tool, etc.)?

AM – Nothing at the moment. I am just trying to build the null security community, which sometimes is more hectic than even the paid work that I do.


ME – What do you advise the newcomers who want to hop on to the information security bandwagon?

AM – There are enough and more avenues to learn, enough documentation and learning resources. What is required is that they take up a topic and get some in-depth practice in that. For most things that you need to practice, all you need is a virtual machine, some software and good documentation. Get started with that and they can quickly build capability in this field.

I usually tell newcomers to learn the following to get started.

1. Linux and Windows

2. TCP/IP basics

3. HTTP

4. HTML/ JavaScript

5. BASH, Python, Ruby, Java


ISO 27001 : A Business View

Hi People,

I am back after a strong lethargic break. Before i go back to hibernation (i can promise that i will be regular from now onward, but people who know me will differ – and i don’t blame them, either – but i digress), let me share a presentation that i did for a NULL meeting (what? You don’t know NULL? Shame on you!, go back and Google; on second thoughts, read this please and then go back, coz i am not sure if you will come back!).

Please visit this Google Presentation and share the feedback. My take is:-

ISO 27001 is a standard which provides a structured and step-by-step approach to solving many security problems, most of which do not involve technology.

I have tried to take some examples to illustrate events that technology will need some years to solve. However, using a methodology such as ISO 27001 helps us secure the information and the infrastructure supporting it, and keep it secure.



null Chapter started in Hyderabad

I had a chance to be a part of the first meeting of the Hyderabad chapter of null (29th August ’10, Sunday, 16:30 – 18:30), and i must say, it was not without some apprehension that i started for it. For one, i had a humbling experience with the local OWASP chapter, as it is in its second month of inactivity (do include me if you plan to blame someone, for i had a small part to play – by not doing anything, that is). However, i had been following these people for quite some time, and must say, have learned a lot just by reading the mailing list, and i was not disappointed. Though it is too early to say, i think null will survive the inertial forces that tend to take over any new initiative.

The meeting started with Prajwal (one of the moderators of the Hyderabad chapter) giving a nice presentation on w3af (Web Application Attack and Audit Framework). He also presented Matriux, a distro dedicated to security professionals. The co-founders of null|con had arrived by the time Prajwal finished, and they took it on from there. Oh, lest i forget, let me tell you that some OWASP members were also spotted (including yours truly).

Further, i have decided to talk, in the next-to-next meeting (mind you, meetings will be monthly, so that makes it October ’10), on ISO 27001 (coz that’s what my limited knowledge is limited to!). But before that, i guess there will be some more talks on vulnerability assessments and other stuff.

All in all, it is a nice thing that they have started a chapter in my karmabhoomi; i hope to learn new things and share them with everyone through this medium (do i see enough eyeballs to quit my job and turn full-time blogger!).