Infosec has always fascinated me. After i wake up from my occasional slumber, i always look around to see if i can identify someone to admire (maybe it is the hero-worshipper in me). Off late, i have focussed on identifying people whom i like in infosec. I, then, pester them till they agree to give me an interview. I then post them questions over email, and they, well, respond over email. That’s how it works.
Today’s interview is with @ajinabraham.
I like Ajin Abraham because he hasn’t wasted much of his time in identifying his field of choice. Maybe that is the reason his body of work is so impressive (and he is young, so he has time on his side as well). So, without further ado, let’s talk to Ajin.
1. What is your online handle / real name (depending on your preferences)?
My online handles are ajinabraham or xboz in the dark past :).
2. What do you do for a living (company name not required, role / nature of work is preferred)
I am freelance security engineer, I do security engineering that includes developing security tools, security algorithms, pentesting mobile and web apps, code reviews etc. Apart form these I do applied security research and publish the outcomes at multiple security conferences. Also, I run an e-learning platform called OpSecX for security education and once in a while I do hands on live security trainings at security conferences.
3. Can you describe your journey in application security so far?
During school days, I was always curious on how games, software and os works. A teacher at school understood my fascination with computers and she taught me VB.NET. Unlike many others, I never started in C/C++ but instead in VB.NET and Microsoft Frontpage. I feel good about that now. At that age, everyone found C very boring and primitive. .NET and Frontpage offered great GUI experience and you could build a real application than printing fibonacci series.
It was applied programming that allowed me to create things that I imagine with ease. I could have never done anything better with C at that time and understand the beauty of application development if it was not for .NET. Eventually my curious mind took me to the internals of the applications where I started with reversing to understand the inner workings. The more I understand how applications work, the more I was able to use them in ways they are not intended to work. Later with the help of Google and StackOverflow, I learnt a great deal of things in Security and Engineering. I wrote security tools and published my research in the 2nd year of my Bachelors. Over years I found that there is a career that is in align with my passion and later got hired as an Application Security Engineer during the final year of B.Tech.
4. What were the challenges in your journey & how did you overcome them?
Today there are active community and security folks to guide someone in the security field. It was not like that when I started. The only help I had was Google and later StackOverflow. It was difficult for me to understand the concepts as I directly jumped into something before grabbing the fundamentals. Over time and experience I learned that I have to make my basics strong and clear. Thats when I started to learn everything from the fundamentals. It helped me a lot to understand things in depth.
5. What are the most important things that you want to focus on in coming years?
* Travel and explore the world and cultures.
* I am a petrol head, I love any thing that revs. More Drives and Rides.
* Keep my security knowledge updated. This is a rapidly changing field.
* Write more open source security tools, maintain the existing ones
* Do more application security research.
* Share what I have learned through trainings.
6. What, in your opinion, will be most in-demand things from an application security standpoint?
Skilled personnel. We have everything in large quantity but the quality is not that great. Even though I am not a fan of AI, it seems like Machine Learning and AI promises a lot of advancements in this field. But we need skilled persons to implement this at the first place. In India, Application Security is always viewed from a Job perspective and most people doesn’t give importance to Applied Research and the Academics side of it.
7. What, in your opinion, should the industry focus on?
Hire people based on skills over years of experience and certifications. Also make opportunities to build up quality resource over quantity. Promote application security research and develop that culture right from college or school.
8. Where do you see the application security industry heading to?
Application Security is fairly new compared to other branches of Security domain. I don’t know what we will have in the coming future but as more and more things move to cloud, we need solutions to defend them. Eventually we will have huge data sets which will definitely help the machine learning solutions to perform better with higher accuracy. I am also excited as you are, lets wait and watch.
9. How can one become an expert in your field (not security in general, but the work that you are doing currently)?
Rule 1: Passion or Interest is what keep you forward. (Don’t start if you don’t have it)
Rule 2: Give it Time and Patience
Rule 3: Always start with the fundamentals
Rule 4. Always learn, unlearn and relearn
10. Do you think bug bounties help?
I don’t personally like bug bounties as for me I found it a waste of time.
But it has couple of sides.
The good thing is it helps companies to save a lot on their budget for security, spend less but get applications tested by a large crowd.
For the participants it’s a good way to make money.
In the security industry, there is a new bread who claim themselves as bug hunters/ security researchers/ experts by finding few low hanging vulnerabilities in web applications. Some of them don’t even know how applications work. They don’t even know how the vulnerability occurs, how to fix it or how to report it professionally. Some of the bug bounty reports are hilarious (http://bugbounty.fail/).
I really admire and appreciate those 1% bug hunters who do real nice job, the guys who know their stuff. But others are pure disgrace to the industry. I am sorry to say it, but that’s the truth. This is what google says about their bug bounty program “Approximately 90% of the submissions we receive through our vulnerability reporting form are ultimately deemed to have little or no practical significance to product security,”.
11. What is your vulnerability disclosure policy (ignore if not applicable)?
I use to do aggressive full disclosures in the past but currently follows a 30 days disclosure policy with few exceptions.
12. In the wake of PRISM, and other monitoring activities that are taking place, do you think Internet usage will decline? Reasons?
I don’t think the usage will decline. The interesting fact is, most Indians don’t really care about Personally Identifiable Information (PII). I haven’t seen that culture of defending privacy in India much.
13. What, apart from your regular work, are you doing in the field of information security (any open source work, tool, etc.)?
14. What do you advice the newcomers who want to hop on to the information security bandwagon?
Start form the basics and fundamentals, learn how things work.
Always try to learn things by self. Ask only when you are really stuck. There is a great difference in learning and understanding by self and some one explaining it to you.
Use Google and StackOverflow.
Explore for there is no limits.