Tag Archives: Interview

Interview of Akash Mahajan

My interview obsession started before Ajin Abraham. My first interview was with someone who defied quite a few stereotypes in making his mark on the Indian infosec scene.

Now, here is someone who started working in this field without fulfilling any checkpoint on a standard HR recruitment checklist. Yeah, no certification (Gods must be crazy!). However, he is famous not just for his involvement with NULL, Bengaluru (look ma, constitutionally correct pronunciation!) but also because he is an extraordinary presenter. The thing to look for is his style of presentation. The name – Akash Mahajan

So without much ado, here it is.

ME — What is your online handle / real name (depending on your preferences)?

AM — Usually I use makash, in some places I use akashm. But mostly googling for Akash Mahajan will return most of the results about me.

ME — What do you do for a living?

AM — I help small and medium companies become secure. It starts with me supporting them in making their web apps and mobile apps secure and building internal app sec capability, and usually extends to me making sure their servers and cloud networks are secure. Sometimes companies take my help in charting out a long-term strategy about their security choices. For a long time I worked as a freelancer in this field, but since last year I have been registered as a private limited company.

ME — Can you describe your journey?

AM — So I was on my way to becoming a Java programmer. Not particularly a good one. While working on Java-related projects there was a massive network outage in my company. The internet was basically not working for a week because of a malware outbreak. I wasn’t affected personally because I was using a Linux box. When the infection reached the subnet my team was on, my project lead allowed me to take a look. I was able to isolate the malware and remove it from the system fairly quickly. Once that was done, I shared my solution with the IT team and realized that I had a lot of fun doing this. Definitely more fun than writing Java code. That is what started my infosec journey. I quit my job and joined a security products company. While working there I learnt a lot about network security, application security, Python scripting and virtual machine automation. One day in June 2008, I decided that I should try being a freelance security consultant for all the hundreds of companies in Bangalore.

ME — What were the challenges in your journey & how did you overcome them?

AM — I am not an engineer. Initially I never thought about going on my own. I got rejected by a bunch of companies for not being an engineer or not having a security certification. I got myself a Certified Ethical Hacker certification because companies started demanding it. Once I had a certification it was easier.

In our industry a bigger challenge is to keep yourself updated about the latest security techniques etc. I did struggle with that a lot at the beginning. Then one day on Twitter I posted asking about security communities in India, and Aseem responded. They had started null — The Open Security Community some time back in Pune and were looking for people to grow it to other cities.

Having a community full of seriously talented people doing security day in and day out makes it far easier to know what is happening in this field. Not only that, we have so many folks who are doing original research, so in some cases we get to see the newer stuff even before it becomes public.

ME — What are the most important things that you want to focus on in coming years?

AM — Building and taking null to every state in India. Building my company into one doing high-quality security research and offering testing services at various levels. Personally, I would like to try adventure sports.

ME — What, in your opinion, will be most in-demand things from a security standpoint?

AM — Automation of security testing and deployments (DevSecOps), user data privacy, and figuring out how to trust third-party software and services.

ME — What, in your opinion, should the industry focus on?

AM — The industry as a whole needs to focus on building quality solutions. Also, while profits are important, the industry should understand that in the knowledge economy a well-trained workforce is not only an asset but the returns from such a workforce can be exponential.

ME — Where do you see the security industry heading to?

AM — More automation and instrumentation of solutions and deployments. Also, more and more systems will be in the cloud.

ME — How can one become an expert in your field (not security in general, but the work that you are doing currently)?

AM — Practice, collaborate, publish, solicit feedback. Wash, rinse, repeat.

ME — Do you think bug bounties help?

AM — Bounties do help. At the very least, bounties offer a short-term incentive for more people to spend their quality time finding bugs. And humans tend to love competition. The indirect benefit of bounties is that when more and more people start bug hunting seriously, they also get serious about collaboration and sharing of knowledge, and it always helps when a group of people is focused on a common objective.

ME — What is your vulnerability disclosure policy (ignore if not applicable)?

AM — I don’t disclose bugs.

ME — In the wake of PRISM, and other monitoring activities that are taking place, do you think Internet usage will decline? Reasons?

AM — Internet usage will not decline. But yes, it is possible that companies will spring up trying to get customers based on nationality etc. Governments tend to work towards exclusivity, and sometimes inefficiencies get hidden due to the nature of how they operate. This will make sure that some parts of the world will be working with substandard software, which, if taken positively, can mean better competition, or a clear competitive disadvantage.

ME — What, apart from your regular work, are you doing in the field of information security (any open source work, tool, etc.)?

AM — Nothing at the moment. I am just trying to build the null security community, which sometimes is more hectic than even paid work that I do.

ME — What do you advise the newcomers who want to hop on to the information security bandwagon?

AM — There are enough and more avenues to learn: enough documentation and learning resources. What is required is that they take up a topic and get some in-depth practice in it. For most things that you need to practice, all you need is a virtual machine, some software and good documentation. Get started with that and they can quickly build capability in this field.

I usually tell newcomers to learn the following to get started.

1. Linux and Windows

2. TCP/IP basics

3. HTTP

4. HTML/ JavaScript

5. BASH, Python, Ruby, Java

Interview of Ajin Abraham

Infosec has always fascinated me. After I wake up from my occasional slumber, I always look around to see if I can identify someone to admire (maybe it is the hero-worshipper in me). Of late, I have focussed on identifying people whom I like in infosec. I then pester them till they agree to give me an interview. I then post them questions over email, and they, well, respond over email. That’s how it works.

Today’s interview is with @ajinabraham.

I like Ajin Abraham because he hasn’t wasted much of his time in identifying his field of choice. Maybe that is the reason his body of work is so impressive (and he is young, so he has time on his side as well). So, without further ado, let’s talk to Ajin.

1. What is your online handle / real name (depending on your preferences)?

My online handles are ajinabraham or xboz in the dark past :).

2. What do you do for a living (company name not required, role / nature of work is preferred)?

I am a freelance security engineer. I do security engineering that includes developing security tools and security algorithms, pentesting mobile and web apps, code reviews etc. Apart from these, I do applied security research and publish the outcomes at multiple security conferences. Also, I run an e-learning platform called OpSecX for security education, and once in a while I do hands-on live security trainings at security conferences.

3. Can you describe your journey in application security so far?

During school days, I was always curious about how games, software and operating systems work. A teacher at school understood my fascination with computers and she taught me VB.NET. Unlike many others, I never started in C/C++ but instead in VB.NET and Microsoft FrontPage. I feel good about that now. At that age, everyone found C very boring and primitive. .NET and FrontPage offered a great GUI experience and you could build a real application rather than printing the Fibonacci series.
It was applied programming that allowed me to create the things I imagined with ease. I could never have done anything better with C at that time, or understood the beauty of application development, if it was not for .NET. Eventually my curious mind took me to the internals of the applications, where I started with reversing to understand the inner workings. The more I understood how applications work, the more I was able to use them in ways they were not intended to work. Later, with the help of Google and StackOverflow, I learnt a great deal of things in security and engineering. I wrote security tools and published my research in the 2nd year of my Bachelor’s. Over the years I found that there is a career that aligns with my passion, and later got hired as an Application Security Engineer during the final year of B.Tech.

4. What were the challenges in your journey & how did you overcome them?

Today there are active communities and security folks to guide someone in the security field. It was not like that when I started. The only help I had was Google and later StackOverflow. It was difficult for me to understand the concepts, as I directly jumped into something before grabbing the fundamentals. Over time and experience I learned that I had to make my basics strong and clear. That’s when I started to learn everything from the fundamentals. It helped me a lot to understand things in depth.

5. What are the most important things that you want to focus on in coming years?

* Travel and explore the world and cultures.

* I am a petrolhead, I love anything that revs. More drives and rides.

* Keep my security knowledge updated. This is a rapidly changing field.

* Write more open source security tools, maintain the existing ones.

* Do more application security research.

* Share what I have learned through trainings.

6. What, in your opinion, will be most in-demand things from an application security standpoint?

Skilled personnel. We have everything in large quantity but the quality is not that great. Even though I am not a fan of AI, it seems like Machine Learning and AI promise a lot of advancements in this field. But we need skilled persons to implement this in the first place. In India, Application Security is always viewed from a job perspective, and most people don’t give importance to Applied Research and the academic side of it.

7. What, in your opinion, should the industry focus on?

Hire people based on skills over years of experience and certifications. Also make opportunities to build up quality resources over quantity. Promote application security research and develop that culture right from college or school.

8. Where do you see the application security industry heading to?

Application Security is fairly new compared to other branches of the security domain. I don’t know what we will have in the coming future, but as more and more things move to the cloud, we need solutions to defend them. Eventually we will have huge data sets, which will definitely help machine learning solutions perform better with higher accuracy. I am as excited as you are, let’s wait and watch.

9. How can one become an expert in your field (not security in general, but the work that you are doing currently)?

Rule 1: Passion or interest is what keeps you moving forward. (Don’t start if you don’t have it)
Rule 2: Give it time and patience
Rule 3: Always start with the fundamentals
Rule 4: Always learn, unlearn and relearn

10. Do you think bug bounties help?

I don’t personally like bug bounties, as, for me, I found them a waste of time.

But it has a couple of sides.

The good thing is it helps companies save a lot on their security budget: spend less but get applications tested by a large crowd.

For the participants it’s a good way to make money.

In the security industry, there is a new breed who claim to be bug hunters / security researchers / experts by finding a few low-hanging vulnerabilities in web applications. Some of them don’t even know how applications work. They don’t even know how the vulnerability occurs, how to fix it or how to report it professionally. Some of the bug bounty reports are hilarious (http://bugbounty.fail/).

I really admire and appreciate those 1% of bug hunters who do a really nice job, the guys who know their stuff. But the others are a pure disgrace to the industry. I am sorry to say it, but that’s the truth. This is what Google says about their bug bounty program: “Approximately 90% of the submissions we receive through our vulnerability reporting form are ultimately deemed to have little or no practical significance to product security.”

11. What is your vulnerability disclosure policy (ignore if not applicable)?

I used to do aggressive full disclosures in the past but currently follow a 30-day disclosure policy with a few exceptions.

12. In the wake of PRISM, and other monitoring activities that are taking place, do you think Internet usage will decline? Reasons?

I don’t think the usage will decline. The interesting fact is, most Indians don’t really care about Personally Identifiable Information (PII). I haven’t seen that culture of defending privacy in India much.

13. What, apart from your regular work, are you doing in the field of information security (any open source work, tool, etc.)?

I do a lot of open source work, you can find it here: https://github.com/ajinabraham
Also I occasionally blog about my research outcomes here:
https://ajinabraham.com/

14. What do you advise the newcomers who want to hop on to the information security bandwagon?

Start from the basics and fundamentals, learn how things work.

Always try to learn things by yourself. Ask only when you are really stuck. There is a great difference between learning and understanding by yourself and someone explaining it to you.
Use Google and StackOverflow.
Explore, for there are no limits.

{ctrl+z} My Interview :: Here’s what I should have said

So, after a long time, I finally broke my jinx of not updating my blog! I hope to keep updating it more often now.

Life is a collection of memories. If you don’t have memories, you don’t have a life (which means you are dead. That is why Shiva — the lord of death — is also called “smarahara”. “smara”, incidentally, is a Sanskrit word which has two meanings. One, it refers to Kaamdeva — the god of love. It also means memories. Amazing language, isn’t it? But I digress). My information security career has also gifted me with many memories, one of which is this interview. I didn’t like one of my responses during the interview and I kept going back to it, for some reason.

I finally got the reason (or so I think). This LinkedIn post is an introspective attempt to articulate that reason. Please find a reproduction of the same below:

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Being the thick-skinned guy that I am, I usually don’t like to admit mistakes. Scratch that, I NEVER like to admit mistakes. However, there are instances when one, during introspective phases (I know, it is a big word, yipee-ka-yay — MS Word 2013), identifies his/her mistakes and what he/she could have done instead, rather than the how-could-I-do-it and wish-they-forget-it type of things.

So, during one of those ‘aha’ moments, I realized a mistake that I happened to commit during one of my interviews.

The Question

Around the end of an interview, one of the interviewers asked me this question:

“If you had unlimited budget, what would you have done to improve your organization’s security posture?”

Now, on the face of it, this is a pretty open-ended question that allows you to articulate some of the key controls / strategies that you think would add value to an organization’s security posture. This question also allows an interviewer to probe the mind of the person being interviewed to gauge his priorities. AND, this is also the sort of question whose response will open you up to scrutiny.

My Answer

When I faced the interviewer, I was on my way from being a normal ISMS professional to a higher plane (by establishing a SOC, or Security Operations Center). I was then struggling with handling incidents with limited resources and skills (more on skills and competencies in a later post), so my response was a reflection of my struggles:

“Given unlimited budget, I would like to invest in a tool / technology / process which ensures that infected machines are isolated as soon as they are identified. Also, I would like to be able to analyze them faster.”

How wrong I was!

An organization’s security posture is dependent on the following 3 Ps:

People, Process, Technology

People — The most important thing in the triad. If people

(a) don’t have an understanding of the information that they have and its value and

(b) don’t want to secure it (due to different reasons, and surprisingly, deliberate espionage doesn’t feature till the end of the list), you will not be secure no matter how many processes and technical measures you have.

Think of all the passwords that have been shared, all the intellectual property lost due to people, and you will get the drift of what I am trying to write here. Awareness sessions on information security DOs and DON’Ts, communicating any and all process changes to all relevant people, and assessments (both online and behavioral) to gauge how people treat information security when no one is watching are some of the things that an organization can do to ensure that people act their part to keep information secure while handling it. All information security branding related activities would also come here. The branding activities could include posters, quizzes that include giveaways, etc.

Process — I can never tire of saying this “The way you handle information will dictate how secure you can make it”. Please refer to this post to know more about my thoughts on this.

Technology — All technical gadgets worth their salt (e.g., DLP, SIEM, IDS / IPS, firewalls).

So, while technology is important, information security is inherently a people and business problem. It is perfectly possible to implement a cost-effective ISMS that is aligned to the business and it is equally easy to botch it by blindly implementing “best practices”.

What I should have said

“Given unlimited budget, I would invest in security awareness at all levels, coupled with good detection tools, a superb DLP tool, and a capable incident response team.”

Now that would be a better answer, don’t you think?