Interview of Akash Mahajan

My interview obsession started before Ajin Abraham. My first interview was with someone who defied quite a few stereotypes in making his mark on the India infosec scene.

Now, here is someone who started working in this field without fulfilling a single checkpoint on a standard HR recruitment checklist. Yeah, no certification (the gods must be crazy!). However, he is famous not just for his involvement with null, Bengaluru (look ma, constitutionally correct pronunciation!) but also because he is an extraordinary presenter. The thing to look for is his style of presentation. The name: Akash Mahajan

So without much ado, here it is.

ME — What is your online handle / real name (depending on your preferences)?

AM — Usually I use makash; in some places I use akashm. But mostly, googling for Akash Mahajan will return most of the results about me.

ME — What do you do for a living?

AM — I help small and medium companies become secure. It starts with me supporting them in making their web apps and mobile apps secure and building internal app sec capability, and usually extends to me making sure their servers and cloud networks are secure. Sometimes companies take my help in charting out a long-term strategy about their security choices. For a long time I worked as a freelancer in this field, but since last year I have been registered as a private limited company.

ME — Can you describe your journey?

AM — So I was on my way to becoming a Java programmer. Not particularly a good one. While working on Java-related projects there was a massive network outage in my company. The internet was basically not working for a week because of the malware outage. I wasn’t affected personally because I was using a Linux box. When the infection reached the team subnet I was in, my project lead allowed me to take a look. I was able to isolate the malware and remove it from the system fairly quickly. Once that was done, I shared my solution with the IT team and realized that I had a lot of fun doing this. Definitely more fun than writing Java code. That is what started my infosec journey. I quit my job and joined a security products company. While working there I learnt a lot about network security, application security, Python scripting and virtual machine automation. One day in June of 2008, I decided that I should try being a freelance security consultant for all the hundreds of companies in Bangalore.

ME — What were the challenges in your journey & how did you overcome them?

AM — I am not an engineer. Initially I never thought about going on my own. I got rejected by a bunch of companies for not being an engineer or not having a security certification. I got myself a Certified Ethical Hacker certification because companies started demanding it. Once I had a certification it was easier.

In our industry a bigger challenge is to keep yourself updated about the latest security techniques etc. I did struggle with that a lot at the beginning. Then one day on Twitter I posted asking about security communities in India and Aseem responded. They had started null — The Open Security Community some time back in Pune and were looking for people to grow it to other cities.

Having a community full of seriously talented people doing security day in and day out makes it far easier to know what is happening in this field. Not only that, we have so many folks who are doing original research, so in some cases we get to see the newer stuff even before it becomes public.

ME — What are the most important things that you want to focus on in coming years?

AM — Building and taking null to every state in India. Building my company to do high-quality security research and offer testing services at various levels. Personally, I would like to try adventure sports.

ME — What, in your opinion, will be most in-demand things from a security standpoint?

AM — Automation of security testing and deployments (DevSecOps), user data privacy, and figuring out ways to trust third-party software and services.

ME — What, in your opinion, should the industry focus on?

AM — The industry as a whole needs to focus on building quality solutions. Also, while profits are important, the industry should understand that in the knowledge economy a well-trained workforce is not only an asset but the returns from such a workforce can be exponential.

ME — Where do you see the security industry heading to?

AM — More automation and instrumentation of solutions and deployments. Also, more and more systems will be in the cloud.

ME — How can one become an expert in your field (not security in general, but the work that you are doing currently)?

AM — Practice, collaborate, publish, solicit feedback. Wash rinse repeat.

ME — Do you think bug bounties help?

AM — Bounties do help. At the very least, bounties offer a short-term incentive for more people to spend their quality time finding bugs. And humans tend to love competition. The indirect benefit of bounties is that when more and more people start bug hunting seriously they also get serious about collaboration and sharing of knowledge, and it always helps when a group of people is focused on a common objective.

ME — What is your vulnerability disclosure policy (ignore if not applicable)?

AM — I don’t disclose bugs.

ME — In the wake of PRISM, and other monitoring activities that are taking place, do you think Internet usage will decline? Reasons?

AM — Internet usage will not decline. But yes, it is possible that companies will spring up trying to get customers based on nationality etc. Governments tend to work towards exclusivity, and sometimes inefficiencies get hidden due to the nature of how they operate. This will make sure that some parts of the world will be working with substandard software, which, if taken positively, can mean better competition or a clear competitive disadvantage.

ME — What, apart from your regular work, are you doing in the field of information security (any open source work, tool, etc.)?

AM — Nothing at the moment. I am just trying to build the null security community, which sometimes is more hectic than even the paid work that I do.

ME — What do you advise newcomers who want to hop on to the information security bandwagon?

AM — There are enough and more avenues to learn, enough documentation and learning resources. What is required is that they take up a topic and get some in-depth practice in it. For most things that you need to practice, all you need is a virtual machine, some software and good documentation. Get started with that and they can quickly build capability in this field.

I usually tell newcomers to learn the following to get started.

1. Linux and Windows
2. TCP/IP basics
3. HTTP
4. HTML/JavaScript
5. Bash, Python, Ruby, Java